|Summary:||CVE-2019-16249 opencv: Out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp|
|Product:||[Other] Security Response||Reporter:||Pedro Sampaio <psampaio>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Version:||unspecified||CC:||andrew, databases-maint, hhorak, jkucera, jmlich83, jridky, karlthered, kwizart, pkajaba, rakesh.pandit, sergio, viktor.vix.jancik|
|Fixed In Version:||opencv 4.1.2||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2019-11-26 19:04:56 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1752703, 1777240|
Description Pedro Sampaio 2019-09-17 03:13:58 UTC
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp. Upstream issue: https://github.com/opencv/opencv/issues/15481
Comment 1 Pedro Sampaio 2019-09-17 03:14:11 UTC
Created opencv tracking bugs for this issue: Affects: fedora-all [bug 1752703]
Comment 3 Mauro Matteo Cascella 2019-11-26 13:32:52 UTC
Comment 4 Mauro Matteo Cascella 2019-11-26 16:33:54 UTC
Statement: This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include support for DIS optflow algorithm. This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 8 as DIS optflow algorithm did not include support for Single Instruction, Multiple Data (SIMD).
Comment 5 Mauro Matteo Cascella 2019-11-26 16:35:06 UTC
For the DIS optflow algorithm to be vulnerable the CV_SIMD128 macro has to be defined, as the vulnerable code in computeSSDMeanNorm function is conditionally compiled based on the value of that macro. Specifically, CV_SIMD128 is defined in the header file intrin_sse.hpp which, in turn, is included by intrin.hpp if SSE support is enabled. Despite the support of SSE, the version of OpenCV shipped with Red Hat Enterprise Linux 8 is not affected by this flaw due to the header file "opencv2/core/hal/intrin.hpp" not being included in the source file dis_flow.cpp. The commit that removed the include statement from dis_flow.cpp is https://github.com/opencv/opencv_contrib/commit/64b3bbb6201b183db37ec3d6bc47c595c150b0d3. Please note that the commit refers to opencv_contrib repository, as optflow algorithm was an "extra" module under development. The optflow algorithm has been successively moved to the central OpenCV repository in release 4.0.0 (Pull Request https://github.com/opencv/opencv/pull/13084). The missing header has been reintroduced later with a fix in commit https://github.com/opencv/opencv/commit/c96850ba599ada02dad6bd1a4271ce8f4f20e246.
Comment 6 Mauro Matteo Cascella 2019-11-26 16:39:16 UTC
Function DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator() in dis_flow.cpp wrongly computes the index of the uchar array I1_ptr. Consequently, a pointer to the last 12 bytes is passed as second argument to function computeSSDMeanNorm which reads 16 bytes from it through the HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro. This leads to a 4-byte out-of-bound read in v_load function defined in intrin_sse.hpp. Upstream fix replaces the v_load() call in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro with v_load_expand() which only reads 8 bytes from the pointer passed as argument.
Comment 7 Product Security DevOps Team 2019-11-26 19:04:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16249