* obs 30.2.0 or later: double-free on exit
@ 2024-07-26 8:28 Đoàn Trần Công Danh
From: Đoàn Trần Công Danh @ 2024-07-26 8:28 UTC (permalink / raw)
To: distributions
Hello distributions@
I'm not sure if this mail should be sent to distros@
If yes, please help me forward it!
Project: obs-studio
URL: https://github.com/obsproject/obs-studio
Version: 30.2.0 or later
Summary: obs-studio will load its builtin plugins twice, then
double-free on unloading the plugins. I've reported the problem and
findings to the obs-studio project but they're hostile to external
analysis. See https://github.com/obsproject/obs-studio/issues/11029
Analysis:
Before going into the details, note that obs-studio has a plugin
system to support extending its functionality. I won't go into detail,
but in those loading steps, obs-studio will allocate some memory for
the plugins, then free them on exit. If the loading of plugins isn't
controlled carefully, a double loading of plugins with a double unloading
later will make obs-studio run into a double-free on exit, which would open
some doors for exploitation there.
Now, before reading on, note this cmake code in cmake/Modules/ObsDefaults_Linux.cmake,
which will be relevant later:
set(OBS_PLUGIN_PATH "${OBS_PLUGIN_DESTINATION}")
In the initialisation of obs-studio, it will try to load its plugins,
see libobs/obs-nix.c:add_default_module_paths(void).
In that function, it will first try to load plugins from a directory
that is relative to its binaries:

    char *module_bin_path =
        os_get_executable_path_ptr("../" OBS_PLUGIN_PATH);
    char *module_data_path = os_get_executable_path_ptr(
        "../" OBS_DATA_PATH "/obs-plugins/%module%");
    if (module_bin_path && module_data_path) {
        char *abs_module_bin_path =
            os_get_abs_path_ptr(module_bin_path);
        if (abs_module_bin_path &&
            strcmp(abs_module_bin_path, OBS_INSTALL_PREFIX
                   "/" OBS_PLUGIN_DESTINATION) != 0) {
            obs_add_module_path(module_bin_path, module_data_path);
        }
        bfree(abs_module_bin_path);
    }
The path expansion at build-time will be:
code: os_get_executable_path_ptr("../" OBS_PLUGIN_PATH)
=> os_get_executable_path_ptr("../${OBS_PLUGIN_DESTINATION}")
And, at runtime, it will be expanded to
(PREFIX and OBS_PLUGIN_DESTINATION don't matter, read on):
${PREFIX}/bin/../${OBS_PLUGIN_DESTINATION}
Then, later in that very same function, it will try to load plugins from the configured
plugins directory:

    for (int i = 0; i < module_patterns_size; i++) {
        obs_add_module_path(module_bin[i], module_data[i]);
    }

with `module_bin` defined earlier as:

    static const char *module_bin[] = {
        "../../obs-plugins/64bit",
        OBS_INSTALL_PREFIX "/" OBS_PLUGIN_DESTINATION,
        FLATPAK_PLUGIN_PATH "/" OBS_PLUGIN_DESTINATION,
    };

where the second path will be expanded to:
code: OBS_INSTALL_PREFIX "/" OBS_PLUGIN_DESTINATION
=> ${PREFIX}/${OBS_PLUGIN_DESTINATION}
Effectively the same as the path in the first step.
Thus, all builtin plugins there will be loaded twice.
Then, on exit, those plugins will be freed twice, thus a double-free.
--
Danh
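As an added illustration of the check that would avoid the situation analysed in the message above (this is a standalone program, not obs-studio code; normalize_path, add_module_path_dedup and module_path_count are hypothetical names, and the sample paths are constructed): candidate module directories are normalised lexically before registration, so the bin-relative spelling and the configured spelling of ${PREFIX}/${OBS_PLUGIN_DESTINATION} collapse to one entry that is loaded once and therefore unloaded once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Collapse ".", ".." and repeated "/" lexically so that two spellings of one
 * directory, e.g. "/usr/bin/../lib/obs-plugins" and "/usr/lib/obs-plugins",
 * compare equal. Assumes an absolute path; the caller frees the result. */
static char *normalize_path(const char *path) {
    char *copy = malloc(strlen(path) + 1);
    char *out = malloc(strlen(path) + 2);
    char *segs[64];
    size_t n = 0;
    strcpy(copy, path);
    for (char *tok = strtok(copy, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n) n--; continue; }
        if (n < 64) segs[n++] = tok;
    }
    strcpy(out, n == 0 ? "/" : "");
    for (size_t i = 0; i < n; i++) { strcat(out, "/"); strcat(out, segs[i]); }
    free(copy);
    return out;
}

#define MAX_PATHS 8
static char *registered[MAX_PATHS]; /* each directory appears here at most once */
static size_t registered_count;

/* Hypothetical dedup'ing stand-in for obs_add_module_path(): returns 1 when the
 * directory is new and gets registered, 0 when it is a duplicate and skipped,
 * -1 when the table is full. A directory registered once is unloaded once. */
int add_module_path_dedup(const char *bin_path) {
    char *norm = normalize_path(bin_path);
    for (size_t i = 0; i < registered_count; i++)
        if (strcmp(registered[i], norm) == 0) { free(norm); return 0; }
    if (registered_count >= MAX_PATHS) { free(norm); return -1; }
    registered[registered_count++] = norm;
    return 1;
}

size_t module_path_count(void) { return registered_count; }

int main(void) {
    /* constructed paths standing in for the two expansions in the report */
    add_module_path_dedup("/usr/bin/../lib/obs-plugins");
    add_module_path_dedup("/usr/lib/obs-plugins");
    printf("registered module paths: %zu\n", module_path_count());
    return 0;
}
```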
* Re: obs 30.2.0 or later: double-free on exit
@ 2024-07-26 17:41 ` Alan Coopersmith
From: Alan Coopersmith @ 2024-07-26 17:41 UTC (permalink / raw)
To: Đoàn Trần Công Danh, distributions
On 7/26/24 01:28, Đoàn Trần Công Danh wrote:
> I'm not sure if this mail should be sent to distros@
> If yes, please help me forward it!
If you mean distros@vs.openwall.com, then no, this mail should not be sent
there. That mailing list is only for non-public, temporarily-embargoed
security information to be shared a short time before it goes public.
Since you've already made this public at
https://github.com/obsproject/obs-studio/issues/11029
https://lore.kernel.org/distributions/ZqNeHWDimc2VH-id@danh.dev/T/#u
it doesn't belong on the non-public distros list.
You could instead share it with the oss-security list that is the public
counterpart to distros (one of the requirements for sending to the distros
list is that the information be sent to the oss-security list after the
embargo ends).
But since I'm not familiar with obs-studio, I don't know if there's any
actual security exposure here to make it on-topic for the oss-security
mailing list. While you've described a bug that can crash the program,
what can an attacker do to exploit it? What will the attacker be able
to do that they couldn't already do?
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
* Re: obs 30.2.0 or later: double-free on exit
@ 2024-07-30 8:32 ` Đoàn Trần Công Danh
From: Đoàn Trần Công Danh @ 2024-07-30 8:32 UTC (permalink / raw)
To: Alan Coopersmith; +Cc: distributions
On 2024-07-26 10:41:21-0700, Alan Coopersmith <alan.coopersmith@oracle.com> wrote:
> On 7/26/24 01:28, Đoàn Trần Công Danh wrote:
> > I'm not sure if this mail should be sent to distros@
> > If yes, please help me forward it!
>
> If you mean distros@vs.openwall.com, then no, this mail should not be sent
> there. That mailing list is only for non-public, temporarily-embargoed
> security information to be shared a short time before it goes public.
Understood!
> But since I'm not familiar with obs-studio, I don't know if there's any
> actual security exposure here to make it on-topic for the oss-security
> mailing list. While you've described a bug that can crash the program,
> what can an attacker do to exploit it? What will the attacker be able
> to do that they couldn't already do?
The double-free also happens with built-in plugins (IOW, the plugins
that must be shipped together with obs-studio). Hence, the
double-free will happen with all installations of obs-studio.
obs-studio is used to process and broadcast audio files, which
could be used as an attack vector, I think.
--
Danh