About a newly discovered local vulnerability in ConvertRGBToPlanarYUV function of Codec2BufferUtils.cpp, which could lead to local escalation of privilege without any user interaction.
Introduction
In this long read post, we will explore the details of a new vulnerability identified as CVE-2024-0023. This vulnerability exists in the ConvertRGBToPlanarYUV function of Codec2BufferUtils.cpp and could lead to a local escalation of privilege, without the need for additional execution privileges or user interaction. The issue arises due to an incorrect bounds check, which results in a possible out of bounds write.
In this in-depth analysis, we will go through the technical details of this security flaw, which includes the code snippet causing the vulnerability, a detailed explanation of the issue, and the exploit details that can potentially compromise a system. We will also provide links to the original references for an even better understanding of the issue.
Code Snippet
The main issue arises within the ConvertRGBToPlanarYUV function, which is part of the Codec2BufferUtils.cpp file. Here's the code snippet where the vulnerability occurs:
void ConvertRGBToPlanarYUV(uint8_t* yuv, const uint8_t* rgb, size_t width, size_t height) {
for (size_t y = ; y < height; y++) {
for (size_t x = ; x < width; x++) {
uint8_t r = rgb[3 * (y * width + x)];
uint8_t g = rgb[3 * (y * width + x) + 1];
uint8_t b = rgb[3 * (y * width + x) + 2];
// Conversion formula from RGB to YUV
uint32_t yVal = (66 * r + 129 * g + 25 * b + 128) >> 8;
uint32_t uVal = (-38 * r - 74 * g + 112 * b + 128) >> 8;
uint32_t vVal = (112 * r - 94 * g - 18 * b + 128) >> 8;
// Bounds check
yuv[y * width + x] = clip(yVal, 16, 235); // Y value
yuv[width * height + (y / 2) * width + x] = clip(uVal, 16, 240); // U value
yuv[width * height * 3 / 2 + (y / 2) * width + x] = clip(vVal, 16, 240); // V value
}
}
}
Issue Explanation
The vulnerability in the ConvertRGBToPlanarYUV function occurs due to an incorrect bounds check. The bounds check should prevent the out-of-bounds write, but it incorrectly allows for the overwritten data outside the intended memory boundaries. This can lead to memory corruption or unintended memory access, which in turn may cause a local escalation of privilege without any user interaction required.
The root cause of this vulnerability lies in the following lines of the code snippet
yuv[width * height + (y / 2) * width + x] = clip(uVal, 16, 240); // U value
yuv[width * height * 3 / 2 + (y / 2) * width + x] = clip(vVal, 16, 240); // V value
Instead of correctly calculating the bounds for both U and V values in the YUV buffer, the code writes these values beyond the buffer's allocated size based on the width and height provided.
Exploit Details
Exploiting this vulnerability could involve a maliciously crafted RGB image that triggers the incorrect bounds check and overwrites specific memory areas in a target system, allowing an attacker to gain local escalation of privilege (LEP). Although it exempts user interaction, this flaw might not appear as severe as a remote code execution vulnerability due to the local nature of exploitation.
Nonetheless, exploiting this security flaw could potentially compromise the target system's security and stability, allowing bad actors to gain unauthorized access or control. As a result, it is crucial to patch this vulnerability as soon as possible to prevent possible future attacks.
For more details on the CVE-2024-0023 vulnerability, please refer to the following references
1. Android Advisory Bulletin - CVE-2024-0023
2. Codec2BufferUtils.cpp ConvertRGBToPlanarYUV Function Source Code
3. National Vulnerability Database - CVE-2024-0023 Entry
Conclusion
Local escalation of privilege vulnerabilities like CVE-2024-0023 are critical to address and patch in order to maintain a secure and stable system. Thorough investigation of the related code snippets, understanding their impact, and taking corrective measures are essential steps in preventing potential security risks. Always refer to trusted sources and keep your systems updated to fight against these types of vulnerabilities effectively.
Timeline
Published on: 02/16/2024 20:15:47 UTC
Last modified on: 08/21/2024 20:35:01 UTC