[Security] Pulseaudio crash with module-role-cork loaded and matching stream played
Summary
With module-role-cork loaded in a certain way, it can cause a stack overflow when media with a matching role is played.
Environment
This issue is reproducible on Ubuntu 18.04 (PulseAudio 11.1), 20.04 (13.99.1), 22.04 (15.99.1), 22.10 (16.1), Fedora 37 (16.1), and Arch Linux as of 6 Jan 2023 (16.1).
The attached pa-info.txt was collected from Arch Linux (one example of an environment where this reproduces).
Steps to reproduce
- Make the following config and name it test.pa:

    load-module module-native-protocol-unix
    load-module module-null-source
    load-module module-null-sink
    # This comes straight from Ubuntu Touch's config.
    load-module module-role-cork trigger_roles=phone,alarm cork_roles=alarm,multimedia global=true

  The most important thing is the last line. Note that as pacmd isn't really protected, an attacker could load this module dynamically as well.
- Stop any running Pulseaudio, then run Pulseaudio as:

    pulseaudio -nF test.pa

- Just to produce some wav file, run the following for a second:

    parec --file-format=wav test.wav

- Run:

    paplay --property='media.role=alarm' test.wav
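The reproducer above has the role alarm in both trigger_roles and cork_roles, and the repeating cork/uncork frames in the backtrace suggest that this overlap is what drives the recursion. As an added example (not code from this report or from PulseAudio), here is a small static checker that scans a .pa config for module-role-cork lines whose two role lists share a role, so an administrator can spot such a configuration before the daemon is started. It assumes plain key=value module arguments, treats an omitted key as an empty list (it does not model the module's built-in defaults), and the two sample configs are constructed; a file-based check does not see modules loaded at runtime through pacmd, as the report notes.

```python
import shlex

# Constructed sample: the reproducer config posted in the report.
SAMPLE_PA = """\
load-module module-native-protocol-unix
load-module module-null-source
load-module module-null-sink
# This comes straight from Ubuntu Touch's config.
load-module module-role-cork trigger_roles=phone,alarm cork_roles=alarm,multimedia global=true
"""

# Constructed sample with disjoint role sets, to show what the check accepts.
SAFE_PA = """\
load-module module-native-protocol-unix
load-module module-null-sink
load-module module-role-cork trigger_roles=phone cork_roles=music,video
"""


def parse_role_cork_lines(config_text):
    """Return one dict of module arguments per 'load-module module-role-cork' line.

    Blank lines and comments (everything after '#') are skipped; this is a
    simplification of the .pa syntax. Arguments are key=value tokens split with
    shlex so quoted values survive. The 1-based line number is kept under '_line'.
    """
    entries = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "load-module" or tokens[1] != "module-role-cork":
            continue
        args = {"_line": lineno}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep:
                args[key] = value
        entries.append(args)
    return entries


def split_roles(value):
    """Turn a comma-separated role list into a set, ignoring empty items."""
    return {r.strip() for r in value.split(",") if r.strip()}


def find_overlapping_roles(config_text):
    """List (line number, sorted overlapping roles) for each module-role-cork line
    where some role appears in both trigger_roles and cork_roles.

    Assumption: an absent key counts as an empty list. PulseAudio applies its own
    defaults for omitted keys, which this check does not reproduce.
    """
    findings = []
    for args in parse_role_cork_lines(config_text):
        triggers = split_roles(args.get("trigger_roles", ""))
        corked = split_roles(args.get("cork_roles", ""))
        overlap = triggers & corked
        if overlap:
            findings.append((args["_line"], sorted(overlap)))
    return findings


def report(config_text):
    """Human-readable summary of the findings for one config text."""
    findings = find_overlapping_roles(config_text)
    if not findings:
        return "OK: no role is both a trigger role and a cork role"
    return "\n".join(
        f"line {lineno}: role(s) {', '.join(roles)} appear in both trigger_roles and cork_roles"
        for lineno, roles in findings
    )


if __name__ == "__main__":
    print(report(SAMPLE_PA))
    print(report(SAFE_PA))
```

To check a real file, read it and pass its text to report(); the line numbers in the output refer to that file.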
What is the current bug behavior?
Pulseaudio crashes with Segmentation fault. The backtrace contains the following, with frames 3 to 12 repeating:
#0 0x00007ffff7eaf44e in pa_log_levelv_meta (level=PA_LOG_DEBUG, file=0x7ffff21022b0 "../pulseaudio/src/modules/stream-interaction.c",
line=179, func=0x7ffff2102920 <__func__.5> "uncork_or_unduck",
format=0x7ffff2102388 "Found a '%s' stream that should be uncorked/unmuted.", ap=ap@entry=0x7fffff803240)
at ../pulseaudio/src/pulsecore/log.c:377
#1 0x00007ffff7eb001a in pa_log_level_meta (level=level@entry=PA_LOG_DEBUG,
file=file@entry=0x7ffff21022b0 "../pulseaudio/src/modules/stream-interaction.c", line=line@entry=179,
func=func@entry=0x7ffff2102920 <__func__.5> "uncork_or_unduck",
format=format@entry=0x7ffff2102388 "Found a '%s' stream that should be uncorked/unmuted.") at ../pulseaudio/src/pulsecore/log.c:585
#2 0x00007ffff20fe6db in uncork_or_unduck (i=0x5555555c8120, interaction_role=<optimized out>, corked=<optimized out>, g=<optimized out>,
u=<optimized out>) at ../pulseaudio/src/modules/stream-interaction.c:179
#3 0x00007ffff20feae6 in uncork_or_unduck (g=0x5555555afdb0, corked=false, interaction_role=0x5555555c70d0 "alarm", i=0x5555555c8120,
u=0x5555555afcf0) at ../pulseaudio/src/modules/stream-interaction.c:233
#4 apply_interaction_to_sink (u=u@entry=0x5555555afcf0, s=<optimized out>, new_trigger=new_trigger@entry=0x0,
ignore_stream=ignore_stream@entry=0x0, new_stream=new_stream@entry=false, g=g@entry=0x5555555afdb0)
at ../pulseaudio/src/modules/stream-interaction.c:233
#5 0x00007ffff20fede4 in apply_interaction_global (g=<optimized out>, new_stream=<optimized out>, ignore_stream=<optimized out>,
trigger_role=<optimized out>, u=<optimized out>) at ../pulseaudio/src/modules/stream-interaction.c:245
#6 process (u=0x5555555afcf0, stream=0x5555555c8120, create=true, new_stream=false) at ../pulseaudio/src/modules/stream-interaction.c:293
#7 0x00007ffff7f3835b in pa_hook_fire (hook=0x55555559ac40, data=0x5555555c8120) at ../pulseaudio/src/pulsecore/hook-list.c:104
#8 0x00007ffff20feb38 in cork_or_duck (g=<optimized out>, interaction_applied=<optimized out>, trigger_role=<optimized out>,
interaction_role=<optimized out>, i=<optimized out>, u=<optimized out>) at ../pulseaudio/src/modules/stream-interaction.c:167
#9 apply_interaction_to_sink (u=u@entry=0x5555555afcf0, s=<optimized out>, new_trigger=new_trigger@entry=0x5555555afe50 "alarm",
ignore_stream=ignore_stream@entry=0x0, new_stream=new_stream@entry=false, g=g@entry=0x5555555afdb0)
at ../pulseaudio/src/modules/stream-interaction.c:228
#10 0x00007ffff20fede4 in apply_interaction_global (g=<optimized out>, new_stream=<optimized out>, ignore_stream=<optimized out>,
trigger_role=<optimized out>, u=<optimized out>) at ../pulseaudio/src/modules/stream-interaction.c:245
#11 process (u=0x5555555afcf0, stream=0x5555555c8120, create=true, new_stream=false) at ../pulseaudio/src/modules/stream-interaction.c:293
#12 0x00007ffff7f3835b in pa_hook_fire (hook=0x55555559ac40, data=0x5555555c8120) at ../pulseaudio/src/pulsecore/hook-list.c:104
What is the expected correct behavior?
Pulseaudio should not crash.