author | Nikhil R <nikhilar2410@gmail.com> | 2023-05-25 12:11:54 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-06-13 04:00:10 -1000 |
commit | f51b7f407d9dcb55f641003d6bdfa746b00100b8 (patch) | |
tree | f22f120954b33d6569d5b6befd66ca7ab042588f | |
parent | cd4656d9b25e45e232b381028eb925b5a8d06d11 (diff) | |
ffmpeg: Fix CVE-2022-48434
Add a patch to fix CVE-2022-48434, which allows attackers to trigger a
use-after-free and execute arbitrary code in some circumstances.
Link: https://ubuntu.com/security/CVE-2022-48434
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-48434
(From OE-Core rev: 51c8ffc49d03b231ce76fa00f923e5f3f833f6fc)
Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
Signed-off-by: Nikhil R <nikhilar2410@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch | 136 | ||||
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 |
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch new file mode 100644 index 0000000000..707073709a --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch | |||
@@ -0,0 +1,136 @@ | |||
1 | From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001 | ||
2 | From: Anton Khirnov <anton@khirnov.net> | ||
3 | Date: Fri, 2 Sep 2022 22:21:27 +0200 | ||
4 | Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in | ||
5 | worker threads | ||
6 | |||
7 | This state is not refcounted, so make sure it always has a well-defined | ||
8 | owner. | ||
9 | |||
10 | Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as | ||
11 | this commit also solves that issue in a more general way. | ||
12 | |||
13 | (cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11) | ||
14 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
15 | (cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda) | ||
16 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
17 | (cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba) | ||
18 | Signed-off-by: Anton Khirnov <anton@khirnov.net> | ||
19 | |||
20 | CVE: CVE-2022-48434 | ||
21 | Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db] | ||
22 | Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com | ||
23 | Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings | ||
24 | --- | ||
25 | libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++--------- | ||
26 | 1 file changed, 35 insertions(+), 11 deletions(-) | ||
27 | |||
28 | diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c | ||
29 | index 36ac0ac..bbc5ba6 100644 | ||
30 | --- a/libavcodec/pthread_frame.c | ||
31 | +++ b/libavcodec/pthread_frame.c | ||
32 | @@ -135,6 +135,12 @@ typedef struct FrameThreadContext { | ||
33 | * Set for the first N packets, where N is the number of threads. | ||
34 | * While it is set, ff_thread_en/decode_frame won't return any results. | ||
35 | */ | ||
36 | + | ||
37 | + /* hwaccel state is temporarily stored here in order to transfer its ownership | ||
38 | + * to the next decoding thread without the need for extra synchronization */ | ||
39 | + const AVHWAccel *stash_hwaccel; | ||
40 | + void *stash_hwaccel_context; | ||
41 | + void *stash_hwaccel_priv; | ||
42 | } FrameThreadContext; | ||
43 | |||
44 | #define THREAD_SAFE_CALLBACKS(avctx) \ | ||
45 | @@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg) | ||
46 | ff_thread_finish_setup(avctx); | ||
47 | |||
48 | if (p->hwaccel_serializing) { | ||
49 | + /* wipe hwaccel state to avoid stale pointers lying around; | ||
50 | + * the state was transferred to FrameThreadContext in | ||
51 | + * ff_thread_finish_setup(), so nothing is leaked */ | ||
52 | + avctx->hwaccel = NULL; | ||
53 | + avctx->hwaccel_context = NULL; | ||
54 | + avctx->internal->hwaccel_priv_data = NULL; | ||
55 | + | ||
56 | p->hwaccel_serializing = 0; | ||
57 | pthread_mutex_unlock(&p->parent->hwaccel_mutex); | ||
58 | } | ||
59 | + av_assert0(!avctx->hwaccel); | ||
60 | |||
61 | if (p->async_serializing) { | ||
62 | p->async_serializing = 0; | ||
63 | @@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, | ||
64 | dst->color_range = src->color_range; | ||
65 | dst->chroma_sample_location = src->chroma_sample_location; | ||
66 | |||
67 | - dst->hwaccel = src->hwaccel; | ||
68 | - dst->hwaccel_context = src->hwaccel_context; | ||
69 | - | ||
70 | dst->channels = src->channels; | ||
71 | dst->sample_rate = src->sample_rate; | ||
72 | dst->sample_fmt = src->sample_fmt; | ||
73 | dst->channel_layout = src->channel_layout; | ||
74 | - dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; | ||
75 | |||
76 | if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || | ||
77 | (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { | ||
78 | @@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, | ||
79 | pthread_mutex_unlock(&p->mutex); | ||
80 | return err; | ||
81 | } | ||
82 | + | ||
83 | + /* transfer hwaccel state stashed from previous thread, if any */ | ||
84 | + av_assert0(!p->avctx->hwaccel); | ||
85 | + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); | ||
86 | + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); | ||
87 | + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); | ||
88 | } | ||
89 | |||
90 | av_packet_unref(&p->avpkt); | ||
91 | @@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { | ||
92 | async_lock(p->parent); | ||
93 | } | ||
94 | |||
95 | + /* save hwaccel state for passing to the next thread; | ||
96 | + * this is done here so that this worker thread can wipe its own hwaccel | ||
97 | + * state after decoding, without requiring synchronization */ | ||
98 | + av_assert0(!p->parent->stash_hwaccel); | ||
99 | + p->parent->stash_hwaccel = avctx->hwaccel; | ||
100 | + p->parent->stash_hwaccel_context = avctx->hwaccel_context; | ||
101 | + p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; | ||
102 | + | ||
103 | pthread_mutex_lock(&p->progress_mutex); | ||
104 | if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ | ||
105 | av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); | ||
106 | @@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) | ||
107 | |||
108 | park_frame_worker_threads(fctx, thread_count); | ||
109 | |||
110 | - if (fctx->prev_thread && fctx->prev_thread != fctx->threads) | ||
111 | - if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) { | ||
112 | - av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n"); | ||
113 | - fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy; | ||
114 | - fctx->threads->avctx->internal->is_copy = 1; | ||
115 | - } | ||
116 | - | ||
117 | for (i = 0; i < thread_count; i++) { | ||
118 | PerThreadContext *p = &fctx->threads[i]; | ||
119 | |||
120 | @@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) | ||
121 | pthread_mutex_destroy(&fctx->async_mutex); | ||
122 | pthread_cond_destroy(&fctx->async_cond); | ||
123 | |||
124 | + /* if we have stashed hwaccel state, move it to the user-facing context, | ||
125 | + * so it will be freed in avcodec_close() */ | ||
126 | + av_assert0(!avctx->hwaccel); | ||
127 | + FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); | ||
128 | + FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); | ||
129 | + FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); | ||
130 | + | ||
131 | av_freep(&avctx->internal->thread_ctx); | ||
132 | |||
133 | if (avctx->priv_data && avctx->codec && avctx->codec->priv_class) | ||
134 | -- | ||
135 | 2.25.1 | ||
136 | |||
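Review bot: The stash-to-thread handoff added in submit_packet (inner hunk `@@ -415,6 +425,12 @@`) appears to sit inside the `if (prev_thread)` block, since it follows the `return err;` of the update_context_from_thread() failure branch and is closed by the `}` on the next line, so any path that clears `prev_thread` between packets (a flush after a seek, as far as I recall `ff_thread_flush()` resets it) would leave `fctx->stash_hwaccel` populated and the next `av_assert0(!p->parent->stash_hwaccel)` in ff_thread_finish_setup would abort the decoder, which turns a closed use-after-free into a reachable crash. Moving the `av_assert0(!p->avctx->hwaccel);` line and the three `FFSWAP(...)` lines out of the `if (prev_thread)` block so they run for every submitted packet would make the ownership transfer unconditional; upstream later reworked this code in that direction, but I cannot cite the exact follow-up from here, so verify against current libavcodec/pthread_frame.c before relying on this backport alone. The enclosing functions begin and end outside every quoted inner hunk, so the exact placement has to be confirmed in the full file. A note in the patch header such as `Comment: stash transfer only runs when prev_thread is set; verify the flush path` would flag this for whoever refreshes the backport next.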
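--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -32,6 +32,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
 file://CVE-2022-1475.patch \
 file://CVE-2022-3109.patch \
 file://CVE-2022-3341.patch \
+file://CVE-2022-48434.patch \
 "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"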