
Summary: ASTERISK-29539: Segmentation fault at ast_writestream() when write handler not defined (happens with OGG/Speex)
Reporter: Ernani José Camargo Azevedo (ernaniaz)
Labels: security
Date Opened: 2021-08-02 10:55:12
Date Closed: 2021-08-05 14:29:40
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Formats/General, Resources/res_convert
Versions: 16.19.1 17.9.4 18.5.1
Frequency of Occurrence: Constant
Related Issues:
Environment: Tested only using Linux, but can be reproduced at any platform.
Attachments:
Description: The Asterisk "file convert" resource can cause a segmentation fault when the output file format does not support seeking. This occurs with the OGG/Speex format.

It's simple to reproduce this bug. You need to have any audio file in the sounds directory (I'm using the "audio.wav" file) and issue *file convert audio.wav audio.spx* at the Asterisk console, or use any other way to execute this console command (through AMI, the shell using "-x", etc.).

Because OGG/Speex does not support seeking, it issues a warning, and after that the daemon crashes.

Using gdb, we got this backtrace:

{noformat}
*CLI> file convert audio.wav audio.spx
[Aug  2 12:33:50] WARNING[6821]: format_ogg_speex.c:266 ogg_speex_seek: Seeking is not supported on OGG/Speex streams!

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00000000004d300f in ast_writestream (fs=fs@entry=0x255f480, f=f@entry=0x246ce40) at file.c:257
#2  0x00007fffb7d4fe93 in handle_cli_file_convert (e=<optimized out>, cmd=<optimized out>, a=0x7fffffffbfb0) at res_convert.c:118
#3  0x00000000004ad2f9 in ast_cli_command_full (uid=uid@entry=-1, gid=gid@entry=-1, fd=fd@entry=1, s=s@entry=0x255eb00 "file convert x/welcome.wav x/welcome.spx") at cli.c:2986
#4  0x000000000043a2d4 in consolehandler (s=0x255eb00 "file convert x/welcome.wav x/welcome.spx") at asterisk.c:2259
#5  asterisk_daemon (isroot=<optimized out>, rungroup=0x0, runuser=0x0) at asterisk.c:4240
#6  main (argc=<optimized out>, argv=<optimized out>) at asterisk.c:3927
(gdb) frame 1
#1  0x00000000004d300f in ast_writestream (fs=fs@entry=0x255f480, f=f@entry=0x246ce40) at file.c:257
257 if ((res = fs->fmt->write(fs, trf))) {
(gdb) frame 2
#2  0x00007fffb7d4fe93 in handle_cli_file_convert (e=<optimized out>, cmd=<optimized out>, a=0x7fffffffbfb0) at res_convert.c:118
118 if (ast_writestream(fs_out, f)) {
{noformat}

The only format I found that can cause this bug is the OGG/Speex (formats spx, spx16 and spx32). Any other file format will convert successfully.

Note that other file formats that do not support seeking issue the warning but do not crash the server. For example, the OGG/Vorbis format:

{noformat}
*CLI> file convert audio.wav audio.ogg
Converted audio.wav to audio.ogg in 7ms
[Aug  2 12:40:20] WARNING[7045]: format_ogg_vorbis.c:384 ogg_vorbis_seek: Seeking is not supported on OGG/Vorbis streams in writing mode!
{noformat}

The above command converted the file and wrote a valid audio.ogg file.
Comments:

By: Asterisk Team (asteriskteam) 2021-08-02 10:55:19.051-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

By: Asterisk Team (asteriskteam) 2021-08-02 10:55:20.406-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.

By: Kevin Harwell (kharwell) 2021-08-02 15:07:23.458-0500

This is happening because the speex format definition implementations ({{speex_f}}, {{speex_f16}}, and {{speex_f32}}) do not have defined "write" handlers, and {{ast_writestream}} does not check the callback for NULL. From _main/file.c_:
{code}
...
	for (cur = trf; cur; cur = AST_LIST_NEXT(cur, frame_list)) {
		if ((res = fs->fmt->write(fs, trf))) {            <------- Crash here if write = NULL or not defined
			ast_log(LOG_WARNING, "Translated frame write failed\n");
			break;
		}
	}
...
{code}

By: Kevin Harwell (kharwell) 2021-08-02 16:15:08.263-0500

This is not limited to _res_convert_, but any code that calls {{ast_writestream}}, and attempts to convert to the "ogg speex" format. For instance I was able to cause it to crash with mixmonitor using the following dialplan:
{noformat}
exten => 960,1,NoOp()
same => n,Answer()
same => n,MixMonitor(/tmp/mixmonitor.spx)
same => n,Playback(demo-congrats)
same => n,Hangup()
{noformat}
And then originating a call to my local linphone:
{noformat}
*CLI> originate Local/960 extension linphone
{noformat}
A similar crash occurred:
{noformat}
#0  0x0000000000000000 in  ()
#1  0x000056345f4a5b83 in ast_writestream (fs=0x7f39c8001650, f=0x7f39c8009a90) at file.c:258
#2  0x00007f3a8a9ee7fa in mixmonitor_thread (obj=0x7f39c00044b0) at app_mixmonitor.c:790
#3  0x000056345f5b1984 in dummy_start (data=0x7f39c0001320) at utils.c:1428
#4  0x00007f3aa33ce609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#5  0x00007f3aa300b293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
{noformat}

By: Kevin Harwell (kharwell) 2021-08-02 16:21:44.160-0500

From what I can tell _format_ogg_speex_ seems to currently be the only format module that does not implement the "write" call, so should be the only one affected. Note too _format_ogg_speex_ is in extended support:
{noformat}
/*! \file
*
* \brief OGG/Speex streams.
* \arg File name extension: spx
* \ingroup formats
*/

/*** MODULEINFO
<depend>speex</depend>
<depend>ogg</depend>
<support_level>extended</support_level>
***/
{noformat}


By: Kevin Harwell (kharwell) 2021-08-03 10:52:58.831-0500

[~ernaniaz] thanks for the report.

After investigating some, due to there being no external attack vector we do not think this particular bug is a security issue. Just in case we missed something do you have, or know of a way this could be exploited externally (unauthenticated)?

By: Ernani José Camargo Azevedo (ernaniaz) 2021-08-03 11:21:24.577-0500

[~kharwell] thanks for your investigation.

I don't know any way to exploit it unauthenticated, and can't figure out a way other than some very specific user implementation (like some SIP extra variable used in the call specifying the audio filename to be monitored).

By: Kevin Harwell (kharwell) 2021-08-03 11:29:59.822-0500

Okay thanks, that being the case I'm going to open this up as a regular bug then (non security).

By: Kevin Harwell (kharwell) 2021-08-03 11:43:38.591-0500

Patch up if you want to give it a try:

16 - https://gerrit.asterisk.org/c/asterisk/+/16229
18 - https://gerrit.asterisk.org/c/asterisk/+/16258

Note, all the patch does now is avoid the crash, and output a "Writing is not supported on OGG/Speex streams!" warning when trying to write to an ogg speex format. It does not actually support writing to ogg speex.
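
The following is an added, self-contained illustration of the two points made in this thread: the unchecked call through {{fs->fmt->write}} in _main/file.c_ quoted above, and the "not supported" write handler the merged change installs for OGG/Speex. It is not Asterisk code; {{format_def}}, {{filestream}}, {{frame}}, {{writestream_unchecked}}, {{writestream_checked}}, {{format_def_is_complete}} and {{convert_frames}} are hypothetical stand-ins for the real {{ast_format_def}} / {{ast_filestream}} / {{ast_frame}} types and the res_convert loop, and the frame contents are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration, not Asterisk code. All names below are hypothetical
 * stand-ins for ast_format_def / ast_filestream / ast_frame in main/file.c. */

struct frame { const char *data; };            /* stands in for ast_frame */
struct filestream;

/* A format module registers a table of callbacks; a module may leave a slot unset. */
struct format_def {
    const char *name;
    int (*write)(struct filestream *fs, struct frame *f);   /* NULL in the buggy speex defs */
};

struct filestream {
    const struct format_def *fmt;
    int frames_written;
};

/* A format that really writes (here it just counts frames). */
static int counting_write(struct filestream *fs, struct frame *f)
{
    (void)f;
    fs->frames_written++;
    return 0;
}

/* What the merged fix does for OGG/Speex: a handler that exists but refuses
 * the write, so the core never calls through a NULL slot. */
static int speex_write_not_supported(struct filestream *fs, struct frame *f)
{
    (void)fs; (void)f;
    fprintf(stderr, "WARNING: Writing is not supported on OGG/Speex streams!\n");
    return -1;
}

static const struct format_def wav_f           = { "wav", counting_write };
static const struct format_def speex_f_buggy   = { "spx", NULL };                      /* before the fix */
static const struct format_def speex_f_patched = { "spx", speex_write_not_supported }; /* after the fix */

/* The pattern from main/file.c: call through the table unconditionally. With
 * speex_f_buggy this is a call to address 0 -> SIGSEGV (frame #0 = 0x0 above). */
static int writestream_unchecked(struct filestream *fs, struct frame *f)
{
    return fs->fmt->write(fs, f);
}

/* Defensive variant: a missing callback is a failed write, not a crash. */
static int writestream_checked(struct filestream *fs, struct frame *f)
{
    if (fs->fmt->write == NULL) {
        fprintf(stderr, "WARNING: format '%s' has no write handler\n", fs->fmt->name);
        return -1;
    }
    return fs->fmt->write(fs, f);
}

/* Registration-time check: refuse a format definition that leaves a callback
 * the core will invoke unset, instead of discovering it at call time. */
static int format_def_is_complete(const struct format_def *def)
{
    return def->write != NULL;
}

/* Push nframes constructed frames into 'out', mirroring the res_convert loop.
 * Returns 0 on success, -1 on failure. */
static int convert_frames(const struct format_def *out, int nframes, int checked)
{
    struct filestream fs = { out, 0 };
    struct frame f = { "pcm" };    /* constructed sample frame */
    for (int i = 0; i < nframes; i++) {
        int res = checked ? writestream_checked(&fs, &f) : writestream_unchecked(&fs, &f);
        if (res) {
            fprintf(stderr, "WARNING: Translated frame write failed\n");
            return -1;
        }
    }
    return fs.frames_written == nframes ? 0 : -1;
}

int main(void)
{
    printf("wav, unchecked:      %d\n", convert_frames(&wav_f, 3, 0));            /* 0 */
    printf("spx patched:         %d\n", convert_frames(&speex_f_patched, 3, 0));  /* -1, no crash */
    printf("spx buggy, checked:  %d\n", convert_frames(&speex_f_buggy, 3, 1));    /* -1, no crash */
    printf("spx buggy complete?  %d\n", format_def_is_complete(&speex_f_buggy));  /* 0 */
    /* convert_frames(&speex_f_buggy, 3, 0) would reproduce the SIGSEGV; deliberately not run. */
    return 0;
}
```

The stub handler alone fixes the crash for this module, but a NULL check at the dispatch site (or a completeness check when the module registers) covers any future format module that forgets a slot.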

By: Ernani José Camargo Azevedo (ernaniaz) 2021-08-03 15:36:39.473-0500

Patch worked fine, now it gives:

{noformat}
*CLI> file convert audio.wav audio.spx
Failed to convert audio.wav to audio.spx!
Command 'file convert audio.wav audio.spx' failed.
[Aug  3 17:31:39] WARNING[17436]: format_ogg_speex.c:279 ogg_speex_seek: Seeking is not supported on OGG/Speex streams!
[Aug  3 17:31:39] WARNING[17436]: format_ogg_speex.c:266 ogg_speex_write: Writing is not supported on OGG/Speex streams!
[Aug  3 17:31:39] WARNING[17436]: file.c:258 ast_writestream: Translated frame write failed
{noformat}

Note that this bug happens on all versions of Asterisk. I've confirmed at 17.9.4.

By: Kevin Harwell (kharwell) 2021-08-03 15:47:51.965-0500

Thanks for testing the patch out!

This patch will not go into Asterisk 17. Asterisk 17 no longer receives bug fixes (currently security fixes only), and will reach "end of life" this Oct. [1].

Seems like you were just testing things out, but wanted to mention it just in case you are actually running that version.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions

By: Friendly Automation (friendly-automation) 2021-08-05 14:29:41.277-0500

Change 16259 merged by Friendly Automation:
format_ogg_speex: Implement a "not supported" write handler

[https://gerrit.asterisk.org/c/asterisk/+/16259|https://gerrit.asterisk.org/c/asterisk/+/16259]

By: Friendly Automation (friendly-automation) 2021-08-06 07:52:04.842-0500

Change 16260 merged by George Joseph:
format_ogg_speex: Implement a "not supported" write handler

[https://gerrit.asterisk.org/c/asterisk/+/16260|https://gerrit.asterisk.org/c/asterisk/+/16260]

By: Friendly Automation (friendly-automation) 2021-08-06 07:52:31.136-0500

Change 16229 merged by George Joseph:
format_ogg_speex: Implement a "not supported" write handler

[https://gerrit.asterisk.org/c/asterisk/+/16229|https://gerrit.asterisk.org/c/asterisk/+/16229]

By: Friendly Automation (friendly-automation) 2021-08-06 07:53:01.671-0500

Change 16258 merged by George Joseph:
format_ogg_speex: Implement a "not supported" write handler

[https://gerrit.asterisk.org/c/asterisk/+/16258|https://gerrit.asterisk.org/c/asterisk/+/16258]