From: "Đoàn Trần Công Danh" <congdanhqx@gmail.com>
To: distributions@lists.linux.dev
Subject: obs 30.2.0 or later: double-free on exit
Date: Fri, 26 Jul 2024 15:28:13 +0700
Message-ID: <ZqNeHWDimc2VH-id@danh.dev>
Hello distributions@
I'm not sure if this mail should be sent to distros@
If yes, please help me forward it!
Project: obs-studio
URL: https://github.com/obsproject/obs-studio
Version: 30.2.0 or later
Summary: obs-studio will load its builtin plugins twice, then
double-free on unloading the plugins. I've reported the problem and
findings to the obs-studio project, but they're hostile to external
analysis. See https://github.com/obsproject/obs-studio/issues/11029
Analysis:
Before going into the details, we will see that obs-studio has a plugin
system to support extending its functionality. I won't go into detail,
but in those loading steps, obs-studio will allocate some memory for
the plugins, then free them on exit. If the loading of plugins isn't
controlled carefully, a double loading of plugins with a double unloading
later will make obs-studio run into a double-free on exit, which would open
some doors for exploits there.
Now, before reading on, we have this cmake code in cmake/Modules/ObsDefaults_Linux.cmake;
it will be relevant later:
set(OBS_PLUGIN_PATH "${OBS_PLUGIN_DESTINATION}")
In the initialisation of obs-studio, it will try to load its plugins,
see libobs/obs-nix.c:add_default_module_paths(void).
In that function, it will try to first load plugins from a directory
that is relative to its binaries:
    char *module_bin_path =
        os_get_executable_path_ptr("../" OBS_PLUGIN_PATH);
    char *module_data_path = os_get_executable_path_ptr(
        "../" OBS_DATA_PATH "/obs-plugins/%module%");
    if (module_bin_path && module_data_path) {
        char *abs_module_bin_path =
            os_get_abs_path_ptr(module_bin_path);
        if (abs_module_bin_path &&
            strcmp(abs_module_bin_path, OBS_INSTALL_PREFIX
                   "/" OBS_PLUGIN_DESTINATION) != 0) {
            obs_add_module_path(module_bin_path, module_data_path);
        }
        bfree(abs_module_bin_path);
    }
The path expansion at build-time will be:
code: os_get_executable_path_ptr("../" OBS_PLUGIN_PATH)
=> os_get_executable_path_ptr("../${OBS_PLUGIN_DESTINATION}")
And, at runtime, it will be expanded to:
(PREFIX and OBS_PLUGIN_DESTINATION don't matter, read on):
${PREFIX}/bin/../${OBS_PLUGIN_DESTINATION}
Then, later in that very same function, it will try to load plugins from the configured
plugins directory:
    for (int i = 0; i < module_patterns_size; i++) {
        obs_add_module_path(module_bin[i], module_data[i]);
    }
with `module_bin` defined earlier as:
    static const char *module_bin[] = {
        "../../obs-plugins/64bit",
        OBS_INSTALL_PREFIX "/" OBS_PLUGIN_DESTINATION,
        FLATPAK_PLUGIN_PATH "/" OBS_PLUGIN_DESTINATION,
    };
where the second path will be expanded to:
code: OBS_INSTALL_PREFIX "/" OBS_PLUGIN_DESTINATION
=> ${PREFIX}/${OBS_PLUGIN_DESTINATION}
Effectively the same as the path in the first step.
Thus, all builtin plugins there will be loaded twice.
Then, on exit, those plugins will be freed twice, thus a double-free.
--
Danh
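The report above turns on two spellings of one directory, "${PREFIX}/bin/../${OBS_PLUGIN_DESTINATION}" and "${PREFIX}/${OBS_PLUGIN_DESTINATION}", being registered as if they were different plugin directories, so every plugin under it is loaded once per registration and freed once per registration. The following added example (not obs-studio code; the registry, the function names `normalize_path`, `add_module_path`, `registered_paths` and `free_module_paths`, and the prefix and destination values are all constructed for illustration) shows the shape of the dedup check a defender would want in such a path registry: candidate paths are canonicalised before comparison, a second registration of an already-known directory is rejected, and each registered entry is owned, and therefore freed, exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not obs-studio code: a hypothetical plugin-path registry that
 * refuses to register the same directory twice. Candidate paths are normalised
 * lexically ("." and ".." segments, repeated slashes) before comparison, so
 * "${PREFIX}/bin/../${DEST}" and "${PREFIX}/${DEST}" are recognised as one
 * directory. The prefix and destination used in main() are constructed values. */

#define MAX_PATHS 16

static char *registered[MAX_PATHS]; /* canonical paths, each owned exactly once */
static size_t registered_count;

/* Lexically normalise an absolute path; returns a malloc'd string or NULL. */
char *normalize_path(const char *path)
{
    size_t len = strlen(path);
    char *scratch = malloc(len + 1); /* strtok() modifies its input */
    if (!scratch)
        return NULL;
    memcpy(scratch, path, len + 1);

    const char *segs[128];
    size_t n = 0;
    for (char *tok = strtok(scratch, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;              /* "." changes nothing */
        if (strcmp(tok, "..") == 0) {
            if (n > 0)
                n--;               /* ".." drops the previous segment */
            continue;
        }
        if (n < sizeof(segs) / sizeof(segs[0]))
            segs[n++] = tok;
    }

    /* The output is never longer than the input plus a leading slash. */
    char *out = malloc(len + 2);
    if (!out) {
        free(scratch);
        return NULL;
    }
    char *p = out;
    *p++ = '/';
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(segs[i]);
        if (i > 0)
            *p++ = '/';
        memcpy(p, segs[i], l);
        p += l;
    }
    *p = '\0';
    free(scratch);
    return out;
}

/* Convenience check: does `path` canonicalise to `expected`? */
int normalizes_to(const char *path, const char *expected)
{
    char *canon = normalize_path(path);
    int eq = canon && strcmp(canon, expected) == 0;
    free(canon);
    return eq;
}

/* Returns 1 if the directory was newly registered, 0 if its canonical form is
 * already present (the case that would otherwise load the same plugins twice),
 * -1 on allocation failure or a full table. */
int add_module_path(const char *bin_path)
{
    char *canon = normalize_path(bin_path);
    if (!canon)
        return -1;
    for (size_t i = 0; i < registered_count; i++) {
        if (strcmp(registered[i], canon) == 0) {
            free(canon);       /* duplicate: drop our copy, keep the original */
            return 0;
        }
    }
    if (registered_count >= MAX_PATHS) {
        free(canon);
        return -1;
    }
    registered[registered_count++] = canon;
    return 1;
}

size_t registered_paths(void)
{
    return registered_count;
}

/* Exit-time teardown: every entry is freed once, and the table is emptied so a
 * second call is harmless rather than a double-free. */
void free_module_paths(void)
{
    for (size_t i = 0; i < registered_count; i++) {
        free(registered[i]);
        registered[i] = NULL;
    }
    registered_count = 0;
}

int main(void)
{
    /* Constructed stand-ins for OBS_INSTALL_PREFIX and OBS_PLUGIN_DESTINATION. */
    const char *prefix = "/opt/obs";
    const char *dest = "lib/obs-plugins";
    char relative[256], installed[256];
    snprintf(relative, sizeof relative, "%s/bin/../%s", prefix, dest);
    snprintf(installed, sizeof installed, "%s/%s", prefix, dest);

    printf("register %s -> %d\n", relative, add_module_path(relative));
    printf("register %s -> %d\n", installed, add_module_path(installed));
    printf("%zu path(s) registered\n", registered_paths());
    free_module_paths();
    return 0;
}
```

The lexical normalisation here is deliberately simple; a registry that must also treat symlinked directories as one would canonicalise with realpath(3) and compare the results, and should still apply the "already registered" check to every registration, not only to the first one.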
Thread overview:
2024-07-26 8:28 Đoàn Trần Công Danh [this message]
2024-07-26 17:41 ` obs 30.2.0 or later: double-free on exit Alan Coopersmith
2024-07-30 8:32 ` Đoàn Trần Công Danh