Bug 1752702 (CVE-2019-16249)
| Summary: | CVE-2019-16249 opencv: Out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | andrew, databases-maint, hhorak, jkucera, jmlich83, jridky, karlthered, kwizart, pkajaba, rakesh.pandit, sergio, viktor.vix.jancik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | opencv 4.1.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-26 19:04:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1752703, 1777240 | ||
| Bug Blocks: | 1752704 | ||
|
Description
Pedro Sampaio
2019-09-17 03:13:58 UTC
Created opencv tracking bugs for this issue: Affects: fedora-all [bug 1752703] Statement: This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include support for DIS optflow algorithm. This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 8 as DIS optflow algorithm did not include support for Single Instruction, Multiple Data (SIMD). For the DIS optflow algorithm to be vulnerable the CV_SIMD128 macro has to be defined, as the vulnerable code in computeSSDMeanNorm function is conditionally compiled based on the value of that macro. Specifically, CV_SIMD128 is defined in the header file intrin_sse.hpp which, in turn, is included by intrin.hpp if SSE support is enabled. Despite the support of SSE, the version of OpenCV shipped with Red Hat Enterprise Linux 8 is not affected by this flaw due to the header file "opencv2/core/hal/intrin.hpp" not being included in the source file dis_flow.cpp. The commit that removed the include statement from dis_flow.cpp is https://github.com/opencv/opencv_contrib/commit/64b3bbb6201b183db37ec3d6bc47c595c150b0d3. Please note that the commit refers to opencv_contrib repository, as optflow algorithm was an "extra" module under development. The optflow algorithm has been successively moved to the central OpenCV repository in release 4.0.0 (Pull Request https://github.com/opencv/opencv/pull/13084). The missing header has been reintroduced later with a fix in commit https://github.com/opencv/opencv/commit/c96850ba599ada02dad6bd1a4271ce8f4f20e246. Function DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator() in dis_flow.cpp wrongly computes the index of the uchar array I1_ptr. Consequently, a pointer to the last 12 bytes is passed as second argument to function computeSSDMeanNorm which reads 16 bytes from it through the HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro. This leads to a 4-byte out-of-bound read in v_load function defined in intrin_sse.hpp. Upstream fix replaces the v_load() call in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro with v_load_expand() which only reads 8 bytes from the pointer passed as argument. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16249 |