
Issue metadata

Status: Fixed
Owner:
Closed: Nov 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Stack-buffer-overflow in CPDF_Function::Call

Project Member Reported by ClusterFuzz, Nov 4 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4782372984193024

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fb29ac4d1e4
Crash State:
  CPDF_Function::Call
  CPDF_StitchFunc::v_Call
  CPDF_Function::Call
  

Minimized Testcase (5.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mrgjJYyqrl49OX2oOiWJ-DAB_A_D2_dc-_QfmndPHmJDg4J9hCcagreg9jGrlcaIDGFDjUJLoVVnCFpV8V8cwOUw9-4hDlI9e7rJySk61wmaCUT0RwM7IO-ISiNYe0t6nuzX01m6xyoYDybLIvxlKXXUgYg

Filer: mjurczyk

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by j00ru...@gmail.com, Nov 4 2015

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Whoops. The above note was accidentally sent from my private e-mail.
The issue is tracked in https://code.google.com/p/google-security-research/issues/detail?id=612 on the Project Zero side.
Owner: och...@chromium.org
I'll take this one, thanks for the report!
Comment 5 by ClusterFuzz (Project Member), Nov 4 2015

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4782372984193024

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fb29ac4d1e4
Crash State:
  CPDF_Function::Call
  CPDF_StitchFunc::v_Call
  CPDF_Function::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=350971:350997

Minimized Testcase (5.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mrgjJYyqrl49OX2oOiWJ-DAB_A_D2_dc-_QfmndPHmJDg4J9hCcagreg9jGrlcaIDGFDjUJLoVVnCFpV8V8cwOUw9-4hDlI9e7rJySk61wmaCUT0RwM7IO-ISiNYe0t6nuzX01m6xyoYDybLIvxlKXXUgYg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Status: Started
BTW, over the summer the parser code was in a broken state, so lots of PDFs just didn't parse/render. Once Jun fixed that, we "regressed" and this triggered.
Comment 8 by ClusterFuzz (Project Member), Nov 4 2015

Labels: Pri-1 M-46
Labels: M-47
We can definitely merge to M47, not sure about M46.
Comment 11 by ClusterFuzz (Project Member), Nov 5 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: Merge-Request-47

Comment 14 by tin...@google.com, Nov 5 2015

Labels: -Merge-Request-47 Merge-Review-47 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Labels: -Merge-Review-47 -Hotlist-Merge-Review Merge-Approved-47 Hotlist-Merge-Approved
Approved for M47 (branch 2526)
Comment 16 by bugdroid1@chromium.org (Project Member), Nov 5 2015

Labels: -Merge-Approved-47 merge-merged-2526
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=80302

------------------------------------------------------------------
r80302 | thestig@google.com | 2015-11-05T23:19:08.328192Z

-----------------------------------------------------------------
ochang: Do you think we should go for a M46 merge? The rejected M46 merges say: "M46 Stable and Stable refresh have both launched, the merge bar for M46 is very high as we only consider 0-day level of critical Security/ Stability/ Critical regressions"
Cc: infe...@chromium.org
This seems pretty bad to me, but I'm not sure if it meets the bar for M46.

I'm fairly sure this can be turned into an almost arbitrary relative write onto the stack (because of the input value clamping), although any attempts to overwrite the return address would probably result in clobbering the stack cookie. 

However, this is certainly not critical in the sense that we'll get full code execution out of the sandbox.

Abhishek, I'm not too experienced with what meets the bar. What do you think?

Comment 19 by aarya@google.com, Nov 6 2015

Yes, high severity bugs do get merged to stable release after some bake time (1-2 weeks). Since M47 is still a month away, we should get another M46 patch to merge this in. Get it merged soon.
Cc: tinazh@chromium.org
Has the position of TPMs changed? I thought we merged high severity security bugs into the current stable milestone too, but it seems that merge requests for M46 are rejected now for these, and only "critical" bugs are merged now.

Cc: -tinazh@chromium.org tin...@google.com
Cc: timwillis@chromium.org
No, it hasn't changed. I think Tina is not aware of the security severity guidelines. Tina, please don't reject M46 merges. If you want to talk about process, please talk to Tim and me.
Can we make a decision and possibly merge this in time for next week's stable update? If it's already too late for that, then no rush.
Labels: Merge-Request-46
Requesting a merge (based on email thread with timwillis@ and tinazh@)

Comment 25 by tin...@google.com, Nov 6 2015

Labels: -Merge-Request-46 Merge-Approved-46
We're doing a Flash Player respin of M46 Stable, can pick this up together.
Comment 26 by bugdroid1@chromium.org (Project Member), Nov 6 2015

Labels: -Merge-Approved-46 merge-merged-2490
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=80339

------------------------------------------------------------------
r80339 | thestig@google.com | 2015-11-06T23:06:59.777006Z

-----------------------------------------------------------------
Comment 27 by ClusterFuzz (Project Member), Nov 7 2015

ClusterFuzz has detected this issue as fixed in range 357565:358520.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4782372984193024

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fb29ac4d1e4
Crash State:
  CPDF_Function::Call
  CPDF_StitchFunc::v_Call
  CPDF_Function::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=350971:350997
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=357565:358520

Minimized Testcase (5.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mrgjJYyqrl49OX2oOiWJ-DAB_A_D2_dc-_QfmndPHmJDg4J9hCcagreg9jGrlcaIDGFDjUJLoVVnCFpV8V8cwOUw9-4hDlI9e7rJySk61wmaCUT0RwM7IO-ISiNYe0t6nuzX01m6xyoYDybLIvxlKXXUgYg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -Merge-Triage Release-0-M47
Even though this shipped with a M46 patch, we'll acknowledge it formally in the M47 release notes under internally discovered bugs.
Comment 29 by ClusterFuzz (Project Member), Feb 10 2016

Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly ClusterFuzz
Comment 30 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 31 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic