Bug 1752702 (CVE-2019-16249)

Summary: CVE-2019-16249 opencv: Out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andrew, databases-maint, hhorak, jkucera, jmlich83, jridky, karlthered, kwizart, pkajaba, rakesh.pandit, sergio, viktor.vix.jancik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: opencv 4.1.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-26 19:04:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1752703, 1777240    
Bug Blocks: 1752704    

Description Pedro Sampaio 2019-09-17 03:13:58 UTC
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.

Upstream issue:


Comment 1 Pedro Sampaio 2019-09-17 03:14:11 UTC
Created opencv tracking bugs for this issue:

Affects: fedora-all [bug 1752703]

Comment 3 Mauro Matteo Cascella 2019-11-26 13:32:52 UTC
Upstream fix:

Comment 4 Mauro Matteo Cascella 2019-11-26 16:33:54 UTC

This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include support for DIS optflow algorithm.
This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 8 as DIS optflow algorithm did not include support for Single Instruction, Multiple Data (SIMD).

Comment 5 Mauro Matteo Cascella 2019-11-26 16:35:06 UTC
For the DIS optflow algorithm to be vulnerable the CV_SIMD128 macro has to be defined, as the vulnerable code in computeSSDMeanNorm function is conditionally compiled based on the value of that macro. Specifically, CV_SIMD128 is defined in the header file intrin_sse.hpp which, in turn, is included by intrin.hpp if SSE support is enabled. Despite the support of SSE, the version of OpenCV shipped with Red Hat Enterprise Linux 8 is not affected by this flaw due to the header file "opencv2/core/hal/intrin.hpp" not being included in the source file dis_flow.cpp.
The commit that removed the include statement from dis_flow.cpp is https://github.com/opencv/opencv_contrib/commit/64b3bbb6201b183db37ec3d6bc47c595c150b0d3. Please note that the commit refers to opencv_contrib repository, as optflow algorithm was an "extra" module under development. The optflow algorithm has been successively moved to the central OpenCV repository in release 4.0.0 (Pull Request https://github.com/opencv/opencv/pull/13084). The missing header has been reintroduced later with a fix in commit https://github.com/opencv/opencv/commit/c96850ba599ada02dad6bd1a4271ce8f4f20e246.

Comment 6 Mauro Matteo Cascella 2019-11-26 16:39:16 UTC
Function DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator() in dis_flow.cpp wrongly computes the index of the uchar array I1_ptr. Consequently, a pointer to the last 12 bytes is passed as second argument to function computeSSDMeanNorm which reads 16 bytes from it through the HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro. This leads to a 4-byte out-of-bound read in v_load function defined in intrin_sse.hpp.

Upstream fix replaces the v_load() call in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro with v_load_expand() which only reads 8 bytes from the pointer passed as argument.

Comment 7 Product Security DevOps Team 2019-11-26 19:04:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):