Source | ProjectZero
Identifier | 8591384
Publication date | 2024-10-03 10:01:18 (viewed: 2024-10-03 17:16:44)
Title | Effective Fuzzing: A Dav1d Case Study
Text |
Guest post by Nick Galloway, Senior Security Engineer, 20% time on Project Zero
Late in 2023, while working on a 20% project with Project Zero, I found an integer overflow in the dav1d AV1 video decoder. That integer overflow leads to an out-of-bounds write to memory. Dav1d 1.4.0 patched this, and it was assigned CVE-2024-1580. After the disclosure, I received some questions about how this issue was discovered, since dav1d is already being fuzzed by at least oss-fuzz. This blog post explains what happened. It’s a useful case study in how to construct fuzzers to exercise as much code as possible. But first, some background...

Background

Dav1d
Dav1d is a highly-optimized AV1 decoder. AV1 is a royalty-free video coding format developed by the Alliance for Open Media, and achieves improved data compression compared to older formats. AV1 is widely supported by web browsers, and a significant parsing vulnerability in AV1 decoders could be used as part of an attack to gain remote code execution. In the right context, where AV1 is parsed in a received message, this could allow a 0-click exploit. Testing some popular messaging clients by sending AV1 videos and AVIF images (which use the AV1 codec) yielded the following results:
- AVIF images are displayed in iMessage
- AVIF images are NOT displayed in Android Messages when sent as an MMS
- AVIF images are displayed in Google Chat
- AV1 videos are not immediately displaye |
Notes | ★★★
Sent | Yes
Tags | Vulnerability, Threat, Studies, Mobile