
Stagefright vulnerability (CVE-2015-6603) exists in lib_mp4_parser_arm11_elinux.3.0.so

Question asked by Stephen Miskovetz on Sep 26, 2016
Latest reply on Oct 19, 2016 by jim.lin
Branched to a new discussion

The latest CTS release for Lollipop (5.1_r10) has added a new security test for stagefright:

class: android.security.cts.StagefrightTest

method: testStagefright_cve_2015_6603

 

The lib_mp4_parser_arm11_elinux.3.0.so library released with L5.1.1_2.0.0 GA along with the latest library released with M6.0.1_2.1.0 GA fails this test!

 

The associated android bug is: ANDROID-23227354

 

Our platform is based off the SabreSD imx6q reference platform with Lollipop L5.1.1_2.0.0 GA (LMY47V) running on it.

 

The security vulnerability is identified in this Security Bulletin by Google:

https://source.android.com/security/bulletin/2015-10-01.html

 

The patch for their stagefright code is here: https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c3b

 

The patch is a simple one line change ensuring that dataSize is not less than 4. Hopefully it can be ported to the NXP mp4 parser library easily.

 

 

We would like this patch to be applied to the mp4 parser library specifically for L5.1.1_2.0.0 GA (upgrading to Marshmallow is not an option for us) so that we can pass CTS and improve the BSP's security. Ideally, that new library would be posted directly to this forum.

 

 

 

Below I have provided the device logcat output showing the crash leading to the failed CTS test. It is using the L5.1.1_2.0.0 mp4 parser library. The CTS test fails with the latest Marshmallow (M6.0.1_2.1.0) mp4 parser library too.

 

09-26 11:54:53.799 23370 23386 I TestRunner: run started: 1 tests

09-26 11:54:53.823 23370 23386 I TestRunner: started: testStagefright_cve_2015_6603(android.security.cts.StagefrightTest)

09-26 11:54:53.827 23370 23386 D CtsTestRunListener: Now executing : android.security.cts.StagefrightTest

09-26 11:54:53.921 22805 22867 I OMXPlayer: Loading content: sharedfd://13:2096212:297050:0

09-26 11:54:53.921 22805 22867 I OMXPlayer: LEVEL: 1 FUNCTION: MediaTypeInspect LINE: 1967

09-26 11:54:53.921 22805 22867 I OMXPlayer: Can't inspect media content type by subfix.

09-26 11:54:53.922 22805 22867 I OMXPlayer: MediaTypeInspectByContent role: parser.mp4

09-26 11:54:53.944 22805 23390 I OMXPlayer: Core parser MPEG4PARSER_06.09.16 build on Jun 29 2015 13:20:04

--------- beginning of crash

09-26 11:54:53.985 22805 23390 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb5000000 in tid 23390 (Binder_1)

09-26 11:54:54.089 169 169 I DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

09-26 11:54:54.089 169 169 I DEBUG : Revision: '0'

09-26 11:54:54.089 169 169 I DEBUG : ABI: 'arm'

09-26 11:54:54.089 169 169 I DEBUG : pid: 22805, tid: 23390, name: Binder_1 >>> /system/bin/mediaserver <<<

09-26 11:54:54.089 169 169 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb5000000

09-26 11:54:54.097 450 1094 W NativeCrashListener: Couldn't find ProcessRecord for pid 22805

09-26 11:54:54.131 169 169 I DEBUG : r0 ffffffff r1 80000000 r2 ffffffff r3 b4c700f0

09-26 11:54:54.131 169 169 E DEBUG : AM write failure (32 / Broken pipe)

09-26 11:54:54.131 169 169 I DEBUG : r4 b44656d0 r5 00000000 r6 0038ff10 r7 0000000e

09-26 11:54:54.131 169 169 I DEBUG : r8 0000000f r9 00000008 sl 0038ff07 fp 00000004

09-26 11:54:54.131 169 169 I DEBUG : ip 00000000 sp b4465660 lr 0038ff06 pc b435d3e4 cpsr 000f0030

09-26 11:54:54.132 169 169 I DEBUG :

09-26 11:54:54.132 169 169 I DEBUG : backtrace:

09-26 11:54:54.132 169 169 I DEBUG : #00 pc 0001f3e4 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (UnsyncRemoveV2_4+151)

09-26 11:54:54.132 169 169 I DEBUG : #01 pc 0001f539 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (ID3V2Parse+164)

09-26 11:54:54.132 169 169 I DEBUG : #02 pc 0001dc99 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so

09-26 11:54:54.132 169 169 I DEBUG : #03 pc 0000b6a7 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4ParseAtomUsingProtoList+534)

09-26 11:54:54.132 169 169 I DEBUG : #04 pc 00009eed /system/lib/lib_mp4_parser_arm11_elinux.3.0.so

09-26 11:54:54.132 169 169 I DEBUG : #05 pc 0000b6a7 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4ParseAtomUsingProtoList+534)

09-26 11:54:54.132 169 169 I DEBUG : #06 pc 0000f815 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so

09-26 11:54:54.132 169 169 I DEBUG : #07 pc 0000fabf /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4OpenMovieFile+48)

09-26 11:54:54.133 169 169 I DEBUG : #08 pc 00012619 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so

09-26 11:54:54.133 169 169 I DEBUG : #09 pc 00012d15 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4CreateParser2+236)

09-26 11:54:54.133 169 169 I DEBUG : #10 pc 00003fcd /system/lib/lib_omx_fsl_parser_v2_arm11_elinux.so (_ZN9FslParser14InitCoreParserEv+104)

09-26 11:54:54.133 169 169 I DEBUG : #11 pc 000063d5 /system/lib/lib_omx_fsl_parser_v2_arm11_elinux.so (_ZN9FslParser12InstanceInitEv+112)

09-26 11:54:54.133 169 169 I DEBUG : #12 pc 0000f693 /system/lib/lib_omx_common_v2_arm11_elinux.so (_ZN9IdleState7ToPauseEv+10)

09-26 11:54:54.133 169 169 I DEBUG : #13 pc 0001130d /system/lib/lib_omx_common_v2_arm11_elinux.so (_ZN5State10ProcessCmdEv+136)

09-26 11:54:54.133 169 169 I DEBUG : #14 pc 0000f001 /system/lib/lib_omx_common_v2_arm11_elinux.so (_Z8DoThreadPv+72)

09-26 11:54:54.133 169 169 I DEBUG : #15 pc 00016eb7 /system/lib/libc.so (_ZL15__pthread_startPv+30)

09-26 11:54:54.133 169 169 I DEBUG : #16 pc 00014df3 /system/lib/libc.so (__start_thread+6)
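Added example, not part of the original post and not AOSP or NXP code: a minimal C sketch of why a `dataSize >= 4` check matters when a parser strips the 4-byte data length indicator from an ID3v2.4 frame, the kind of handling the `UnsyncRemoveV2_4` and `ID3V2Parse` backtrace frames suggest. The function name, buffer layout handling and sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDR 10        /* ID3v2.4 frame header: id[4] size[4] flags[2] */
#define FLAG_DATA_LEN 0x01  /* format flag: 4-byte data length indicator present */

/* Constructed sample frames: flag set with a 2-byte payload, and a valid 6-byte one. */
static uint8_t short_frame[] = {'T','I','T','2', 0,0,0,2, 0,0x01, 'h','i'};
static uint8_t ok_frame[] = {'T','I','T','2', 0,0,0,6, 0,0x01, 0,0,0,2, 'h','i'};
static size_t short_len = sizeof short_frame, ok_len = sizeof ok_frame;

/* Decode a 4-byte syncsafe integer (7 bits per byte). Returns -1 if malformed. */
static int syncsafe_read(const uint8_t *p, size_t *out) {
    size_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i] & 0x80) return -1;
        v = (v << 7) | p[i];
    }
    *out = v;
    return 0;
}

/* Hypothetical helper: drop the data length indicator of the frame at `off`,
 * in place. Returns the new payload size, or -1 if the frame is rejected. */
long strip_data_len(uint8_t *buf, size_t *len, size_t off) {
    size_t data_size;
    if (*len < FRAME_HDR || off > *len - FRAME_HDR) return -1;  /* header in bounds */
    if (syncsafe_read(buf + off + 4, &data_size) != 0) return -1;
    if (data_size > *len - off - FRAME_HDR) return -1;           /* payload in bounds */
    if (!(buf[off + 9] & FLAG_DATA_LEN)) return (long)data_size;
    /* The check the post describes: without it, data_size - 4 wraps to a huge
     * unsigned value, and any later loop or copy bounded by it leaves the buffer. */
    if (data_size < 4) return -1;
    memmove(buf + off + FRAME_HDR, buf + off + FRAME_HDR + 4,
            *len - off - FRAME_HDR - 4);
    *len -= 4;
    data_size -= 4;
    for (int i = 0; i < 4; i++) buf[off + 4 + i] = (data_size >> (7 * (3 - i))) & 0x7f;
    return (long)data_size;
}

int main(void) {
    printf("short frame: %ld\n", strip_data_len(short_frame, &short_len, 0));
    printf("valid frame: %ld\n", strip_data_len(ok_frame, &ok_len, 0));
    return 0;
}
```

The short frame is rejected before any size arithmetic happens, while the valid frame is shortened by exactly four bytes and its header size rewritten.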
