Starred by 1 user
Status: Fixed
Closed: Nov 2011
OS: All
Pri: 1
Type: Bug-Security

Nasty looking crash on internal pdf-reader
Reported by attek...@gmail.com, Nov 21 2011

Nasty looking crash with high crash address with some variation between multiple runs. Crash address seems to change more between program re-runs but there is some variation if the page is refreshed multiple times.

chrome: segfault at 7fff787cbcb3 ip 00007fffe8880b58 sp 00007fffffffc7f0 error 4 in libpdf.so
chrome: segfault at 7fff787cacb3 ip 00007fffe8880b58 sp 00007fffffffc7f0 error 4 in libpdf.so

VERSION
Chrome Version: 17.0.942.0 (Official Build 110446) dev
                Reproduces on stable, beta and dev-channel versions.

Operating System: Ubuntu x86_64 11.04

Doesn't reproduce on Windows x64

Reproducing case as attachment. I tried to reduce it as much as possible. Before the reduction there was some odd behavior in stack.

Type of crash: tab-crash
Crash State: Cannot provide much information.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe93e33f8 in ?? () from /opt/google/chrome/libpdf.so
(gdb) i r 
rax            0x7fff7876b773   140735214434163
rbx            0x1      1
rcx            0x0      0
rdx            0x0      0
rsi            0x7fff7876b774   140735214434164
rdi            0x3      3
rbp            0x7ffff8714280   0x7ffff8714280
rsp            0x7fffffffc020   0x7fffffffc020
r8             0x1      1
r9             0x0      0
r10            0x1      1
r11            0x7fffffffbf1c   140737488338716
r12            0x80000000       2147483648
r13            0x7fff7876b773   140735214434163
r14            0x1      1
r15            0x1      1
rip            0x7fffe92e6b58   0x7fffe92e6b58
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

Attachment: segfault-at-7fff787bc153-pdf.pdf (577 bytes)
Comment 1 by attek...@gmail.com, Nov 21 2011
Some additional info.
(gdb) bt 10
#0  0x00007fffe92e6b58 in ?? () from /opt/google/chrome/libpdf.so
#1  0x00007fffe92e7035 in ?? () from /opt/google/chrome/libpdf.so
#2  0x00007fffe92e8d66 in ?? () from /opt/google/chrome/libpdf.so
#3  0x00007fffe9262975 in ?? () from /opt/google/chrome/libpdf.so
#4  0x00007fffe9247d31 in ?? () from /opt/google/chrome/libpdf.so
#5  0x00007fffe92481a5 in ?? () from /opt/google/chrome/libpdf.so
#6  0x00007fffe9229242 in ?? () from /opt/google/chrome/libpdf.so
#7  0x00007fffe922b11d in ?? () from /opt/google/chrome/libpdf.so
#8  0x00007fffe92281a9 in ?? () from /opt/google/chrome/libpdf.so
#9  0x00007ffff65bde47 in ?? ()
(More stack frames follow...)
(gdb) x/i $rip
=> 0x7fffe92e6b58:      movzbl (%rax),%edx
(gdb) 

Comment 2 by cdn@chromium.org, Nov 21 2011
When I run this it looks like a dup of http://crbug.com/104602

I can't tell from your two comments whether the registers listed in comment 1 are for the instruction listed in comment 2. This crashes in a null deref for me though.
Comment 3 by cdn@chromium.org, Nov 21 2011
Cc: cevans@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Feature-PDF Mstone-15 OS-All
cevans do you see anything other than a null deref for this?
Comment 4 by attek...@gmail.com, Nov 21 2011
They should be from the same run, but just to be sure that I didn't refresh in between, I'll look for it again.
Comment 5 by attek...@gmail.com, Nov 21 2011
Program received signal SIGSEGV, Segmentation fault.
0x00007fffe91c3b58 in ?? () from /opt/google/chrome/libpdf.so
(gdb) bt 10
#0  0x00007fffe91c3b58 in ?? () from /opt/google/chrome/libpdf.so
#1  0x00007fffe91c4035 in ?? () from /opt/google/chrome/libpdf.so
#2  0x00007fffe91c5d66 in ?? () from /opt/google/chrome/libpdf.so
#3  0x00007fffe913f975 in ?? () from /opt/google/chrome/libpdf.so
#4  0x00007fffe9124d31 in ?? () from /opt/google/chrome/libpdf.so
#5  0x00007fffe91251a5 in ?? () from /opt/google/chrome/libpdf.so
#6  0x00007fffe9106242 in ?? () from /opt/google/chrome/libpdf.so
#7  0x00007fffe910811d in ?? () from /opt/google/chrome/libpdf.so
#8  0x00007fffe91051a9 in ?? () from /opt/google/chrome/libpdf.so
#9  0x00007ffff65bde47 in ?? ()
(More stack frames follow...)
(gdb) i r
rax            0x7fff787637e3   140735214401507
rbx            0x1      1
rcx            0x0      0
rdx            0x0      0
rsi            0x7fff787637e4   140735214401508
rdi            0x3      3
rbp            0x7ffff86f1500   0x7ffff86f1500
rsp            0x7fffffffbfa0   0x7fffffffbfa0
r8             0x1      1
r9             0x0      0
r10            0x1      1
r11            0x7fffffffbe9c   140737488338588
r12            0x80000000       2147483648
r13            0x7fff787637e3   140735214401507
r14            0x1      1
r15            0x1      1
rip            0x7fffe91c3b58   0x7fffe91c3b58
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x7fffe91c3b58:      movzbl (%rax),%edx
Status: Untriaged
I see a different crash with a pending fix for bug 104602 in my tree.
Comment 7 by cdn@chromium.org, Nov 21 2011
Yeah I think this may have just been an issue with my checkout. cevans has verified this bug and will update it shortly.
Cc: -cevans@chromium.org
Owner: cevans@chromium.org
Status: Started
Could also be a 64-bit thing. I have easy repro on my M16 PDF checkout, 64-bit Linux.
I can also repro it with 32-bit. I hit the same crash with or without my pending fix for bug 104602.
Labels: -Restrict-View-SecurityTeam -Mstone-15 Restrict-View-SecurityNotify Mstone-16 Merge-Approved SecImpacts-Stable SecImpacts-Beta SecSeverity-Medium reward-topanel
Status: FixUnreleased
Fixed at PDF r1172, rolled DEPS on trunk in r1173.

@attekett: another nice bug, keep 'em coming :)

It's basically a wild read -- I don't see the possibility of memory corruption. We rate these as Medium. I can't rule out the ability to recover the OOB content via an evil PDF, so we'll put this bug to the panel.
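The triage above (a read fault on an unmapped page, no write involved, so an out-of-bounds read rather than memory corruption) can be checked mechanically from the kernel segfault lines in the report and the gdb output in comment 1. The script below is an added example, not part of this bug or of Chromium's tooling; the sample input is copied from this report, and the helper names and severity bucket wording are my own.

```python
import re

# Sample input copied from the report: two kernel segfault lines from separate runs,
# plus the relevant registers and faulting instruction from the gdb session in comment 1.
SEGFAULT_LINES = [
    "chrome: segfault at 7fff787cbcb3 ip 00007fffe8880b58 sp 00007fffffffc7f0 error 4 in libpdf.so",
    "chrome: segfault at 7fff787cacb3 ip 00007fffe8880b58 sp 00007fffffffc7f0 error 4 in libpdf.so",
]
GDB_REGS = """rax            0x7fff7876b773   140735214434163
rdx            0x0      0
rsp            0x7fffffffc020   0x7fffffffc020
rip            0x7fffe92e6b58   0x7fffe92e6b58"""
GDB_INSN = "=> 0x7fffe92e6b58:      movzbl (%rax),%edx"

SEGFAULT_RE = re.compile(
    r"segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp ([0-9a-f]+) error (\d+) in (\S+)")

def decode_error_code(code):
    """x86 page-fault error code: bit0 = page present (protection violation),
    bit1 = write access, bit2 = fault taken in user mode. 'error 4' is a
    user-mode read of a not-present page."""
    return {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}

def parse_segfault(line):
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, sp, err, obj = m.groups()
    info = decode_error_code(int(err))
    info.update(addr=int(addr, 16), ip=int(ip, 16), sp=int(sp, 16), object=obj)
    return info

def parse_registers(dump):
    """Turn 'name  0xvalue  decimal' lines from 'info registers' into a dict."""
    regs = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("0x"):
            regs[parts[0]] = int(parts[1], 16)
    return regs

def faulting_register(insn, regs):
    """Name and value of the base register of the memory operand, e.g. (%rax)."""
    m = re.search(r"\(%([a-z0-9]+)\)", insn)
    return (m.group(1), regs.get(m.group(1))) if m else None

def address_spread(lines):
    """How much the fault address moved between runs (0x1000 here: one page)."""
    addrs = [parse_segfault(l)["addr"] for l in lines]
    return max(addrs) - min(addrs)

def classify(info):
    """Severity bucket in the spirit of the triage in this bug."""
    if info["write"]:
        return "write fault: possible memory corruption"
    return "read fault: out-of-bounds read, no write primitive shown"
```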
Comment 11 by attek...@gmail.com, Nov 21 2011
Glad you liked it. Lost some hair while minimizing the repro-file, but I think that I will add more effort/computing power on the PDF-testing. ;) Again I appreciate your fast response to the issue. 
Labels: -Merge-Approved Merge-Merged
Merged to M16 at PDF r1175
I have now found a few more files reproducing this crash, and there seems to be some way to control the crash address via PDF content. Just wanted to add the info.
Labels: -reward-topanel reward-500 reward-unpaid
@attekett: thanks for your interesting PDF fuzzing. For this particular bug, it is a "medium" severity out-of-bounds read, however it seems likely that the OOB content might be recovered by the attacker. Hence a $500 Chromium Security Reward, good work :)

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Comment 15 by attek...@gmail.com, Dec 10 2011
Cool. Thanks. :) 
Labels: -reward-unpaid
Payment in system.
Comment 17 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Cc: emily.zh...@gmail.com
Project Member Comment 19 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 20 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Feature-PDF -Mstone-16 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Medium Cr-Content-Plugins-PDF Security-Impact-Beta Security-Severity-Medium Cr-Internals Security-Impact-Stable Type-Bug-Security M-16
Project Member Comment 21 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 22 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 26 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 27 by bugdroid1@chromium.org, Apr 6 2013
Labels: Cr-Blink
Project Member Comment 28 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-Plugins-PDF Cr-Internals-Plugins-PDF
Project Member Comment 29 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 30 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 31 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic