MachOImageReader chokes on Java .class files
Issue description
Version: 51.0.2664.0
OS: Mac

Split out of bug 582002.

What steps will reproduce the problem?
The DMG analyzer is failing to process the file "KNIME 3.1.1.app/Contents/Eclipse/plugins/org.apache.commons.compress_1.5.0/org/apache/commons/compress/archivers/dump/DumpArchiveSummary.class" from the DMG linked in that bug (copied here: https://drive.google.com/open?id=0B4kReKV-OI17Z2VNWVdqNnJ5OGM).

Java .class files and Mach-O fat files share the same magic (0xCAFEBABE). The file provided is crafted in such a way that MachOImageReader gets stuck in an infinite Initialize recursion. MachOImageReader should handle this situation better.

The other thing is that the next u32 after the magic, nfat_arch, is pathologically large (0x39), which shouldn't ever be possible.

Example stack:
* frame #0: 0x00007fff930ca5f9 libsystem_malloc.dylib`szone_malloc_should_clear + 8
  frame #1: 0x00000001037c750f Chromium Framework`base::(anonymous namespace)::oom_killer_malloc(zone=0x000000010189f000, size=8) + 47 at memory_mac.mm:134
  frame #2: 0x00007fff930ca5b1 libsystem_malloc.dylib`malloc_zone_malloc + 71
  frame #3: 0x00007fff930c90dc libsystem_malloc.dylib`malloc + 42
  frame #4: 0x0000000113d28d4a Chromium Framework`operator new(unsigned long) + 42
  frame #5: 0x0000000101ccdfb7 Chromium Framework`std::__1::__split_buffer<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<safe_browsing::MachOImageReader*>&) [inlined] std::__1::__allocate(__size=8) + 375 at new:168
  frame #6: 0x0000000101ccdfae Chromium Framework`std::__1::__split_buffer<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<safe_browsing::MachOImageReader*>&) [inlined] std::__1::allocator<safe_browsing::MachOImageReader*>::allocate(this=0x00007f81c3b40b40, __n=1, (null)=0x0000000000000000) + 12 at memory:1729
  frame #7: 0x0000000101ccdfa2 Chromium Framework`std::__1::__split_buffer<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<safe_browsing::MachOImageReader*>&) [inlined] std::__1::allocator_traits<std::__1::allocator<safe_browsing::MachOImageReader*> >::allocate(__a=0x00007f81c3b40b40, __n=1) + 24 at memory:1488
  frame #8: 0x0000000101ccdf8a Chromium Framework`std::__1::__split_buffer<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*>&>::__split_buffer(this=0x00007fff5db65378, __cap=1, __start=0, __a=0x00007f81c3b40b40) + 330 at __split_buffer:311
  frame #9: 0x0000000101ccd98b Chromium Framework`std::__1::__split_buffer<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*>&>::__split_buffer(this=0x00007fff5db65378, __cap=1, __start=0, __a=0x00007f81c3b40b40) + 59 at __split_buffer:310
  frame #10: 0x0000000101ccd816 Chromium Framework`void std::__1::vector<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*> >::__push_back_slow_path<safe_browsing::MachOImageReader* const&>(this=0x00007f81c3b40b30 size=0, __x=0x00007fff5db65498) + 598 at vector:1572
  frame #11: 0x0000000101cc94bb Chromium Framework`ScopedVector<safe_browsing::MachOImageReader>::push_back(safe_browsing::MachOImageReader*) [inlined] std::__1::vector<safe_browsing::MachOImageReader*, std::__1::allocator<safe_browsing::MachOImageReader*> >::push_back(this=0x00007f81c3b40b30 size=0, __x=0x00007fff5db65498) + 395 at vector:1593
  frame #12: 0x0000000101cc9374 Chromium Framework`ScopedVector<safe_browsing::MachOImageReader>::push_back(this=0x00007f81c3b40b30, elem=0x00007f81c3b40b90) + 68 at scoped_vector.h:71
  frame #13: 0x0000000101cc89f2 Chromium Framework`safe_browsing::MachOImageReader::Initialize(this=0x00007f81c3b40b20, image="????", image_size=1000) + 722 at mach_o_image_reader_mac.cc:129
  (…snip…)
  frame #26170: 0x0000000101cc8a3e Chromium Framework`safe_browsing::MachOImageReader::Initialize(this=0x00007f81baf1bd90, image="????", image_size=1000) + 798 at mach_o_image_reader_mac.cc:130
  frame #26171: 0x0000000101cc8a3e Chromium Framework`safe_browsing::MachOImageReader::Initialize(this=0x00007f81baf1c8c0, image="????", image_size=1000) + 798 at mach_o_image_reader_mac.cc:130
  frame #26172: 0x0000000101cc8a3e Chromium Framework`safe_browsing::MachOImageReader::Initialize(this=0x00007fff5e361528, image="????", image_size=4169) + 798 at mach_o_image_reader_mac.cc:130
  frame #26173: 0x0000000101cc623b Chromium Framework`safe_browsing::BinaryFeatureExtractor::ExtractImageFeaturesFromData(this=0x00007f81bd302690, data="????", data_size=4169, options=0, image_headers=0x00007f81baf1bfe0, signed_data=0x00007f81baf1b9d0) + 107 at binary_feature_extractor_mac.cc:21
  frame #26174: 0x00000001035444ae Chromium Framework`safe_browsing::dmg::(anonymous namespace)::MachOFeatureExtractor::ExtractFeatures(this=0x00007fff5e361710, stream=0x00007f81baf18a20, result=0x00007f81baf18ab0) + 254 at dmg_analyzer.cc:78
  frame #26175: 0x000000010354411c Chromium Framework`safe_browsing::dmg::AnalyzeDMGFile(dmg_file=File @ 0x00007fff5e3617e0, results=0x00007fff5e361810) + 428 at dmg_analyzer.cc:139
  frame #26176: 0x00000001034c5f97 Chromium Framework`ChromeContentUtilityClient::OnAnalyzeDmgFileForDownloadProtection(this=0x000000011892caa0, dmg_file=0x00007fff5e361a30) + 71 at chrome_content_utility_client.cc:385
  frame #26177: 0x00000001034cfa0f Chromium Framework`void base::DispatchToMethodImpl<ChromeContentUtilityClient*, void (ChromeContentUtilityClient::*)(base::FileDescriptor const&), base::FileDescriptor, 0ul>(obj=0x00007fff5e361980, method=0x00000001034c5f50, arg=0x00007fff5e361a30, (null)=IndexSequence<0> @ 0x00007fff5e3618a0)(base::FileDescriptor const&), std::__1::tuple<base::FileDescriptor> const&, base::IndexSequence<0ul>) + 175 at tuple.h:203
  frame #26178: 0x00000001034cf933 Chromium Framework`void base::DispatchToMethod<ChromeContentUtilityClient*, void (ChromeContentUtilityClient::*)(base::FileDescriptor const&), base::FileDescriptor>(obj=0x00007fff5e361980, method=0x00000001034c5f50, arg=0x00007fff5e361a30)(base::FileDescriptor const&), std::__1::tuple<base::FileDescriptor> const&) + 83 at tuple.h:210
  frame #26179: 0x00000001034cf8bd Chromium Framework`void IPC::DispatchToMethod<ChromeContentUtilityClient, void (ChromeContentUtilityClient::*)(base::FileDescriptor const&), void, std::__1::tuple<base::FileDescriptor> >(obj=0x000000011892caa0, method=0x00000001034c5f50, (null)=0x0000000000000000, tuple=0x00007fff5e361a30)(base::FileDescriptor const&), void*, std::__1::tuple<base::FileDescriptor> const&) + 93 at ipc_message_templates.h:24
  frame #26180: 0x00000001034c5efe Chromium Framework`bool IPC::MessageT<ChromeUtilityMsg_AnalyzeDmgFileForDownloadProtection_Meta, std::__1::tuple<base::FileDescriptor>, void>::Dispatch<ChromeContentUtilityClient, ChromeContentUtilityClient, void, void (msg=0x00007f81bd700478, obj=0x000000011892caa0, sender=0x000000011892caa0, parameter=0x0000000000000000, func=0x00000001034c5f50)(base::FileDescriptor const&)>(IPC::Message const*, ChromeContentUtilityClient*, ChromeContentUtilityClient*, void*, void (ChromeContentUtilityClient::*)(base::FileDescriptor const&)) + 206 at ipc_message_templates.h:118
  frame #26181: 0x00000001034c4c1c Chromium Framework`ChromeContentUtilityClient::OnMessageReceived(this=0x000000011892caa0, message=0x00007f81bd700478) + 1484 at chrome_content_utility_client.cc:179

(lldb) frame var
(safe_browsing::MachOImageReader *) this = 0x00007fff5e361528
(const uint8_t *) image = 0x000000013ba2b000 "????"
(size_t) image_size = 4169
(const uint32_t *) magic = 0x000000013ba2b000
(bool) do_swap = true
(size_t) load_command_size = 140734773989520
(size_t) offset = 792751006472377840
(uint32_t) num_commands = 32767
(const fat_header *) header = 0x000000013ba2b000
(bool) do_swap = true
(uint32_t) nfat_arch = 49
(size_t) offset = 8
(uint32_t) i = 0
(const fat_arch *) arch = 0x000000013ba2b008
(uint32_t) arch_offset = 0
(uint32_t) arch_size = 1000
(safe_browsing::ByteSlice) slice = (data_ = "????", size_ = 1000)

What is the expected output? What do you see instead?
MachOImageReader shouldn't Initialize itself on .class files. Better validation of fat headers should occur.
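The two checks the report asks for, shown as an added example rather than Chromium's own code: reject a 0xCAFEBABE blob whose nfat_arch is implausibly large (a Java class file puts its major_version there, 49 in the frame dump above) and refuse a fat slice that points back into the header or itself starts with the fat magic, which is what sent Initialize into recursion. The FatResult/FatSlice names, the MakeFat sample builder and the 30-slice bound are assumptions of this example, not values from MachOImageReader.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
enum class FatResult { kNotFat, kJavaClass, kBadHeader, kNestedFat, kOk };
struct FatSlice { size_t offset, size; };
constexpr uint32_t kFatMagic = 0xCAFEBABE;
constexpr size_t kFatHeaderSize = 8;  // magic + nfat_arch
constexpr size_t kFatArchSize = 20;   // cputype, cpusubtype, offset, size, align
// Assumed bound (not Chromium's): a Java class file stores major_version (45+) here.
constexpr uint32_t kMaxFatArch = 30;
// Fat headers are always big-endian; read them that way instead of swapping.
static uint32_t ReadBE32(const std::vector<uint8_t>& d, size_t off) {
  return uint32_t(d[off]) << 24 | uint32_t(d[off + 1]) << 16 |
         uint32_t(d[off + 2]) << 8 | uint32_t(d[off + 3]);
}
// Validates a 0xCAFEBABE image before any slice reaches a Mach-O parser;
// accepted slices are appended to *slices only when kOk is returned.
FatResult ParseFatHeader(const std::vector<uint8_t>& image,
                         std::vector<FatSlice>* slices) {
  if (image.size() < kFatHeaderSize || ReadBE32(image, 0) != kFatMagic)
    return FatResult::kNotFat;
  const uint32_t nfat_arch = ReadBE32(image, 4);
  if (nfat_arch > kMaxFatArch) return FatResult::kJavaClass;  // e.g. 49 = Java 5
  // Overflow-safe check that the whole arch table fits inside the image.
  if (nfat_arch == 0 || nfat_arch > (image.size() - kFatHeaderSize) / kFatArchSize)
    return FatResult::kBadHeader;
  const size_t table_end = kFatHeaderSize + size_t(nfat_arch) * kFatArchSize;
  for (uint32_t i = 0; i < nfat_arch; ++i) {
    const size_t arch = kFatHeaderSize + size_t(i) * kFatArchSize;
    const size_t off = ReadBE32(image, arch + 8), len = ReadBE32(image, arch + 12);
    // A slice must start after the arch table (offset 0 points back at this
    // very header) and must lie entirely inside the image.
    if (off < table_end || len < 4 || off > image.size() || len > image.size() - off)
      return FatResult::kBadHeader;
    // A slice that is itself a fat header would re-enter the fat parser.
    if (ReadBE32(image, off) == kFatMagic) return FatResult::kNestedFat;
    slices->push_back({off, len});
  }
  return FatResult::kOk;
}
// Constructed single-slice sample image (not a real file): arch entry 0 points
// at (off, len) and the bytes at `off` begin with slice_magic.
std::vector<uint8_t> MakeFat(uint32_t nfat_arch, uint32_t off, uint32_t len,
                             uint32_t slice_magic, size_t total) {
  std::vector<uint8_t> v(total, 0);
  auto put = [&](size_t at, uint32_t x) {
    for (int s = 0; s < 4; ++s) v[at + s] = uint8_t(x >> (24 - 8 * s));
  };
  put(0, kFatMagic); put(4, nfat_arch); put(16, off); put(20, len);
  if (off + 4 <= total) put(off, slice_magic);
  return v;
}
```

With a real reader the kJavaClass and kNestedFat outcomes simply mean "not a Mach-O image, skip it" rather than an error path that retries the same bytes.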
Mar 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a9a251104615db1e032a4173f6e9c6a53c317bce

commit a9a251104615db1e032a4173f6e9c6a53c317bce
Author: rsesek <rsesek@chromium.org>
Date: Thu Mar 03 00:35:08 2016

Protect against recursive processing of the fat header in MachOImageReader.

BUG=591194
Review URL: https://codereview.chromium.org/1763443002
Cr-Commit-Position: refs/heads/master@{#378894}

[modify] https://crrev.com/a9a251104615db1e032a4173f6e9c6a53c317bce/chrome/common/safe_browsing/mach_o_image_reader_mac.cc
[modify] https://crrev.com/a9a251104615db1e032a4173f6e9c6a53c317bce/chrome/common/safe_browsing/mach_o_image_reader_mac_unittest.cc
Comment 1 by rsesek@chromium.org, Mar 2 2016
Status: Started (was: Assigned)