
Stagefright vulnerability (CVE-2015-6603, CVE-2015-3871) failures in lib_mp4_parser_arm11_elinux.3.0.so

Question asked by steven sherk on May 2, 2017
Latest reply on May 11, 2017 by steven sherk

The latest CTS release for Lollipop (5.1_r18) has added additional security tests for stagefright:

class: android.security.cts.StagefrightTest

method: testStagefright_cve_2015_6603

method: testStagefright_cve_2015_3871

 

The updated lib_mp4_parser_arm11_elinux.3.0.so library built on Oct 12 2016 fails these tests for reasons stated below.

 

There was an additional CTS test method (doStagefrightTestMediaMetadataRetriever) added for bug 33137046:

Diff - ee968d99c389fffab974684604b99139980c2e5a^! - platform/cts - Git at Google 

 

Our platform is based off the SabreSD imx6q reference platform with Lollipop L5.1.1_2.0.0 GA (LMY47V) running on it.

 

The CTS failure is happening due to a failure when creating the parser.

 

Below I have provided the device logcat output showing the crash leading to the failed CTS test. It is using the L5.1.1_2.0.0 mp4 parser library, dated Oct 12 2016.

 

05-02 12:59:49.773 11753 11769 I StagefrightTest: MediaMetadataRetriever: fdFileDescriptor[24], fd-start-offset 6994884 fd-length 297036
05-02 12:59:49.777   165 10264 I OMXPlayer: Loading content: sharedfd://25:6994884:297036:0
05-02 12:59:49.778   165 10264 I OMXPlayer: LEVEL: 1 FUNCTION: MediaTypeInspect LINE: 1967
05-02 12:59:49.778   165 10264 I OMXPlayer: Can't inspect media content type by subfix.
05-02 12:59:49.778   165 10264 I OMXPlayer: MediaTypeInspectByContent role: parser.mp4
05-02 12:59:49.799   165 11773 I OMXPlayer: Core parser MPEG4PARSER_06.09.38  build on Oct 12 2016 14:43:08  
05-02 12:59:49.970   165 11773 I OMXPlayer: LEVEL: 1 FUNCTION: InitCoreParser LINE: 1055
05-02 12:59:49.970   165 11773 I OMXPlayer: fail to create the parser: -11
05-02 12:59:49.970   165 11772 I OMXPlayer: LEVEL: 1 FUNCTION: SysEventHandler LINE: 1806
05-02 12:59:49.970   165 11772 I OMXPlayer: OMX.Freescale.std.parser.fsl.sw-based report Error 8000100b.
05-02 12:59:49.970   165 11772 I OMXPlayer: LEVEL: 1 FUNCTION: SysEventHandler LINE: 1806
05-02 12:59:49.970   165 11772 I OMXPlayer: OMX.Freescale.std.parser.fsl.sw-based report Error 8000100b.
05-02 12:59:49.982   165 10264 I OMXPlayer: LEVEL: 1 FUNCTION: loadMetadataExtractor LINE: 5199
05-02 12:59:49.982   165 10264 I OMXPlayer: Can't load content sharedfd://25:6994884:297036:0
05-02 12:59:49.982   165 10264 I OMXPlayer: LEVEL: 1 FUNCTION: ExtractorLoad LINE: 130
05-02 12:59:49.982   165 10264 I OMXPlayer: load contentURI sharedfd://25:6994884:297036:0 failed.
05-02 12:59:49.995  1275  1679 I Icing   : Indexing D2B60B2D7E7CF9DB7D8799582E78B60507C7BFDE from com.google.android.gms
05-02 12:59:50.006  1275  1679 I Icing   : Indexing done D2B60B2D7E7CF9DB7D8799582E78B60507C7BFDE
05-02 12:59:50.029 11753 11769 I art     : Explicit concurrent mark sweep GC freed 12029(624KB) AllocSpace objects, 1(16KB) LOS objects, 39% free, 3MB/6MB, paused 912us total 43.133ms
05-02 12:59:50.067 11753 11769 I art     : Explicit concurrent mark sweep GC freed 1309(62KB) AllocSpace objects, 0(0B) LOS objects, 40% free, 3MB/6MB, paused 948us total 26.299ms
05-02 12:59:50.070 11753 11769 I TestRunner: failed: testStagefright_cve_2015_3871(android.security.cts.StagefrightTest)
05-02 12:59:50.070 11753 11769 I TestRunner: ----- begin exception -----
05-02 12:59:50.072 11753 11769 I TestRunner: java.lang.RuntimeException: setDataSource failed: status = 0xFFFFFFEA
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.media.MediaMetadataRetriever.setDataSource(Native Method)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.security.cts.StagefrightTest.doStagefrightTestMediaMetadataRetriever(StagefrightTest.java:508)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.security.cts.StagefrightTest.doStagefrightTest(StagefrightTest.java:185)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.security.cts.StagefrightTest.testStagefright_cve_2015_3871(StagefrightTest.java:171)
05-02 12:59:50.072 11753 11769 I TestRunner:     at java.lang.reflect.Method.invoke(Native Method)
05-02 12:59:50.072 11753 11769 I TestRunner:     at java.lang.reflect.Method.invoke(Method.java:372)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.test.InstrumentationTestCase.runMethod(InstrumentationTestCase.java:214)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.test.InstrumentationTestCase.runTest(InstrumentationTestCase.java:199)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestCase.runBare(TestCase.java:134)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestResult$1.protect(TestResult.java:115)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestResult.runProtected(TestResult.java:133)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.DelegatingTestResult.runProtected(DelegatingTestResult.java:90)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestResult.run(TestResult.java:118)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.AndroidTestResult.run(AndroidTestResult.java:52)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestCase.run(TestCase.java:124)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.NonLeakyTestSuite$NonLeakyTest.run(NonLeakyTestSuite.java:63)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestSuite.runTest(TestSuite.java:243)
05-02 12:59:50.072 11753 11769 I TestRunner:     at junit.framework.TestSuite.run(TestSuite.java:238)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.DelegatingTestSuite.run(DelegatingTestSuite.java:103)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.AndroidTestSuite.run(AndroidTestSuite.java:52)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.internal.runner.junit3.JUnit38ClassRunner.run(JUnit38ClassRunner.java:90)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.Suite.runChild(Suite.java:128)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.Suite.runChild(Suite.java:24)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:60)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:229)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner.access$000(ParentRunner.java:50)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:222)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runners.ParentRunner.run(ParentRunner.java:300)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runner.JUnitCore.run(JUnitCore.java:157)
05-02 12:59:50.072 11753 11769 I TestRunner:     at org.junit.runner.JUnitCore.run(JUnitCore.java:136)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.support.test.runner.AndroidJUnitRunner.onStart(AndroidJUnitRunner.java:245)
05-02 12:59:50.072 11753 11769 I TestRunner:     at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1853)
05-02 12:59:50.072 11753 11769 I TestRunner: ----- end exception -----
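
A triage sketch for the logcat above, added here as an example and not part of the original post or of any NXP or CTS tooling: it finds each failed test, decodes the `setDataSource` status word as a signed 32-bit value, and collects the OMXPlayer error lines logged in the preceding second. The function names, the one-second window and the error keywords are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the logcat in the post above (threadtime format).
SAMPLE = """\
05-02 12:59:49.777   165 10264 I OMXPlayer: Loading content: sharedfd://25:6994884:297036:0
05-02 12:59:49.799   165 11773 I OMXPlayer: Core parser MPEG4PARSER_06.09.38  build on Oct 12 2016 14:43:08
05-02 12:59:49.970   165 11773 I OMXPlayer: fail to create the parser: -11
05-02 12:59:49.970   165 11772 I OMXPlayer: OMX.Freescale.std.parser.fsl.sw-based report Error 8000100b.
05-02 12:59:49.982   165 10264 I OMXPlayer: Can't load content sharedfd://25:6994884:297036:0
05-02 12:59:50.070 11753 11769 I TestRunner: failed: testStagefright_cve_2015_3871(android.security.cts.StagefrightTest)
05-02 12:59:50.072 11753 11769 I TestRunner: java.lang.RuntimeException: setDataSource failed: status = 0xFFFFFFEA
"""

LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+(\w)\s+(\S+?)\s*: (.*)$")
STATUS = re.compile(r"setDataSource failed: status = (0x[0-9A-Fa-f]+)")

def to_int32(hex_status):
    """Interpret a 32-bit status word as the signed value native code returned."""
    value = int(hex_status, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def parse(text):
    """Yield (timestamp, pid, tag, message) for every threadtime-format line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            # logcat omits the year; a fixed leap year keeps 02-29 parseable.
            ts = datetime.strptime("2000-" + m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, int(m.group(2)), m.group(5), m.group(6).strip()

def triage(text, window=timedelta(seconds=1)):
    """Pair each failed test with its status code and nearby parser errors."""
    events = list(parse(text))
    reports = []
    for ts, pid, tag, msg in events:
        failed = re.match(r"failed: (\w+)\(", msg) if tag == "TestRunner" else None
        if not failed:
            continue
        report = {"test": failed.group(1), "status": None, "parser_errors": []}
        for ts2, pid2, tag2, msg2 in events:
            st = STATUS.search(msg2)
            if st and pid2 == pid and ts <= ts2 <= ts + window:
                report["status"] = to_int32(st.group(1))  # 0xFFFFFFEA -> -22 (-EINVAL, BAD_VALUE)
            if tag2 == "OMXPlayer" and ts - window <= ts2 <= ts and re.search(r"fail|Error|Can't", msg2):
                report["parser_errors"].append(msg2)
        reports.append(report)
    return reports

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["test"], r["status"], r["parser_errors"])
```
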
