Security: [FG-VD-16-031] Illegal Instruction Violation exception triggered in Pdfium_test
Reported by kushal89...@gmail.com, May 9 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Steps to reproduce the problem:
1. Open PoC .pdf file using pdfium_test.exe

What is the expected behavior?
Normally expected to render the pdf file and display number of rendered pages and skipped bad pages.

What went wrong?

VULNERABILITY DETAILS
The attached testcase crashes the latest pdfium_test displaying the message FATAL error:

The crash info in windbg is as shown below:

CommandLine: pdfium_test.exe "PoC.pdf"
Symbol search path is: srv*
Executable search path is:
ModLoad: 00000000`01090000 00000000`049ab000 pdfium_test.exe
ModLoad: 00000000`76da0000 00000000`76f4a000 ntdll.dll
ModLoad: 00000000`76f80000 00000000`77100000 ntdll32.dll
ModLoad: 00000000`74710000 00000000`7474f000 C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`746b0000 00000000`7470c000 C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`746a0000 00000000`746a8000 C:\Windows\SYSTEM32\wow64cpu.dll
(10e0.3908): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`76e495a0 cc int 3
0:000> g
ModLoad: 00000000`76c80000 00000000`76d9f000 WOW64_IMAGE_SECTION
ModLoad: 00000000`767e0000 00000000`768f0000 WOW64_IMAGE_SECTION
ModLoad: 00000000`76c80000 00000000`76d9f000 NOT_AN_IMAGE
ModLoad: 00000000`76b80000 00000000`76c7a000 NOT_AN_IMAGE
ModLoad: 00000000`767e0000 00000000`768f0000 C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76200000 00000000`76247000 C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`725b0000 00000000`725e2000 C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`766c0000 00000000`7676c000 C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`769b0000 00000000`76ab0000 C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`768f0000 00000000`76980000 C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`764a0000 00000000`764aa000 C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`76ab0000 00000000`76b4d000 C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`75870000 00000000`75911000 C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`75b90000 00000000`75ba9000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`75930000 00000000`75a20000 C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`748d0000 00000000`74930000 C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`748c0000 00000000`748cc000 C:\Windows\syswow64\CRYPTBASE.dll
(10e0.3908): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77021cf4 cc int 3
0:000:x86> g
ModLoad: 75e90000 75ef0000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 74990000 74a5c000 C:\Windows\syswow64\MSCTF.dll
ModLoad: 5f3d0000 5f3d3000 C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.DLL
ModLoad: 00000000`64cf0000 00000000`64e80000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\GDIPLUS.DLL
ModLoad: 00000000`75710000 00000000`7586c000 C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`66cf0000 00000000`66d70000 C:\Windows\SysWOW64\uxtheme.dll
(10e0.3908): Illegal instruction - code c000001d (first chance)
(10e0.3908): Illegal instruction - code c000001d (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`7471cb49 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
0:000> r
rax=00000000fffdb000 rbx=00000000000eea80 rcx=00000000000ed350
rdx=0000000000000000 rsi=00000000747186cb rdi=0000000000000000
rip=000000007471cb49 rsp=00000000000ed830 rbp=00000000000edcf0
r8=00000000000ed818 r9=00000000000edcf0 r10=0000000000000000
r11=0000000000000246 r12=00000000000ee1f0 r13=00000000000efd00
r14=00000000000eea80 r15=ffffffffffffffff
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204
wow64!Wow64NotifyDebugger+0x1d:
00000000`7471cb49 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
0:000> kb
 # RetAddr : Args to Child : Call Site
00 00000000`7471cc6a : 00000000`000ed880 00000000`0001007f 00000000`00000000 00000000`00000003 : wow64!Wow64NotifyDebugger+0x1d
01 00000000`7471ce4a : 00000000`0001007f 00000000`fffdb000 00000000`003ad974 00000000`00000003 : wow64!HandleRaiseException+0xee
02 00000000`74736c2d : 00000000`003ad918 00000000`fffdb000 00000000`fffdd000 00000000`7472050c : wow64!Wow64NtRaiseException+0x132
03 00000000`7471d18f : 00000000`00000000 00000000`003ae17c 00000000`fffdb000 00000000`fffdd000 : wow64!whNtRaiseException+0x15
04 00000000`746a2776 : 00000000`769d453f 00000000`74710023 00000000`00000246 00000000`003aee60 : wow64!Wow64SystemServiceEx+0xd7
05 00000000`7471d286 : 00000000`00000000 00000000`746a1920 00000000`76eb2440 00000000`76dcdb01 : wow64cpu!ServiceNoTurbo+0x2d
06 00000000`7471c69e : 00000000`00000000 00000000`00000000 00000000`74714b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
07 00000000`76de10d6 : 00000000`00233d00 00000000`00000000 00000000`76ecf670 00000000`76ea2950 : wow64!Wow64LdrpInitialize+0x42a
08 00000000`76e3dc30 : 00000000`00000000 00000000`76de07e1 00000000`000ef760 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
09 00000000`76dcb17e : 00000000`000ef760 00000000`00000000 00000000`fffdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x25730
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
1:019:x86> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Illegal Instruction Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d (Hash=0xe56b743a.0xb3f1bd5a)
An illegal instruction exception indicates that the attacker controls execution flow.
Disassembly View:
wow64!Wow64NotifyDebugger:
00000000`7471cb2c 4883ec28 sub rsp,28h
00000000`7471cb30 65488b042530000000 mov rax,qword ptr gs:[30h]
00000000`7471cb39 48c7809014000004000000 mov qword ptr [rax+1490h],4
00000000`7471cb44 e85fbbffff call wow64!Wow64NotifyDebuggerHelper (00000000`747186a8)
00000000`7471cb49 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
00000000`7471cb52 4983a39014000000 and qword ptr [r11+1490h],0
00000000`7471cb5a b001 mov al,1
00000000`7471cb5c eb13 jmp wow64!Wow64NotifyDebugger+0x45 (00000000`7471cb71)
00000000`7471cb5e 65488b042530000000 mov rax,qword ptr gs:[30h]
00000000`7471cb67 4883a09014000000 and qword ptr [rax+1490h],0
00000000`7471cb6f 32c0 xor al,al
00000000`7471cb71 4883c428 add rsp,28h
00000000`7471cb75 c3 ret

VERSION DETAILS:
Chrome Version: latest asan build of pdfium_test: win32-release-asan-win32-release-392310
Operating System: Windows 7 Pro SP1 x64
Did this work before? N/A
Chrome version: 50.0.2661.94
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 21.0 r0
May 10 2016
I'm not able to reproduce a crash with this pdf, even with windbg. Based on the report I'm not convinced that this would actually be an exploitable issue, but could you please provide more specific information about how you're running pdfium_test.exe to see this crash?
May 10 2016
May 10 2016
I am also unable to repro on Windows using asan-win32-release-392597. Are you using the 64-bit debugger on a 32-bit binary?
May 11 2016
@mbarbella, sorry for the late reply. I downloaded the win32 asan build of chrome from the URL https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=win32-release/. Once downloaded and unzipped, I ran the pdfium_test binary inside against the attached PoC.pdf file. I have attached a video displaying the windbg attached run and confirming the vulnerability via the !exploitable Crash Analyzer extension. @wfh, I am using the 32-bit debugger against the 32-bit (release-392597) binary, but my OS environment is 64-bit.
May 11 2016
Thank you for providing more feedback. Adding requester "mbarbella@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 11 2016
Thanks for the report. I still can't reproduce this, so I don't think there's anything actionable for us here. Note that the build you were using for testing was built with the AddressSanitizer tool. It's instrumented to detect certain memory issues, and we'd usually expect it to output a report and stack trace if an issue was detected. See https://www.chromium.org/developers/testing/addresssanitizer for more information.
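Every frame in the reporter's kb output is in wow64, wow64cpu or the 64-bit ntdll, and the faulting instruction uses r11, so the stop is in the WOW64 layer rather than in pdfium_test, which is the point of the question above about a 64-bit debugger on a 32-bit binary. The following Python triage helper is an added example, not part of this thread or of pdfium; it parses the windbg session format quoted in the report and flags a stack with no frame outside the WOW64 layer. The embedded session is a constructed excerpt of the report's output, and the module set and the `.effmach x86` hint are assumptions of this example.

```python
import re

# Constructed excerpt in the format of the windbg session quoted in the report
# (module load, exception lines, 'kb' stack), shortened to a few frames.
SESSION = """\
ModLoad: 00000000`74710000 00000000`7474f000 C:\\Windows\\SYSTEM32\\wow64.dll
(10e0.3908): Break instruction exception - code 80000003 (first chance)
(10e0.3908): Illegal instruction - code c000001d (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`7471cb49 654c8b1c2530000000 mov r11,qword ptr gs:[30h]
0:000> kb
 # RetAddr : Args to Child : Call Site
00 00000000`7471cc6a : 00000000`000ed880 00000000`0001007f : wow64!Wow64NotifyDebugger+0x1d
01 00000000`7471ce4a : 00000000`0001007f 00000000`fffdb000 : wow64!HandleRaiseException+0xee
05 00000000`7471d286 : 00000000`00000000 00000000`746a1920 : wow64cpu!ServiceNoTurbo+0x2d
08 00000000`76e3dc30 : 00000000`00000000 00000000`76de07e1 : ntdll!LdrpInitializeProcess+0x17e3
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
"""

# 64-bit modules that implement the WOW64 layer inside a 32-bit process (assumption:
# a stack made only of these frames means the debugger stopped in the layer, not in
# the 32-bit target).
WOW64_LAYER = {"wow64", "wow64cpu", "wow64win", "ntdll"}

FRAME_RE = re.compile(r"^[0-9a-f]{2} .*: (\w+)!\S+$", re.MULTILINE)  # 'kb' rows
EXC_RE = re.compile(r"code ([0-9a-f]{8}) \((.*?)\)")                 # exception lines
PROMPT_RE = re.compile(r"^(\d+:\d+(?::x86)?)> ", re.MULTILINE)       # 0:000> / 0:000:x86>


def frame_modules(text):
    """Module of each 'kb' frame, innermost first."""
    return FRAME_RE.findall(text)


def triage(text):
    """Summarise a windbg crash session and say whether the stop is in the WOW64 layer."""
    modules = frame_modules(text)
    codes = EXC_RE.findall(text)
    prompts = PROMPT_RE.findall(text)
    target = [m for m in modules if m.lower() not in WOW64_LAYER]
    result = {"exception_code": codes[-1][0] if codes else None,  # last one reported
              "top_frame": modules[0] if modules else None,
              "native_prompt": any(not p.endswith(":x86") for p in prompts),
              "target_frames": target}
    if modules and not target:
        result["verdict"] = ("wow64-layer stop: no frame outside the 64-bit WOW64/ntdll "
                             "layer; re-run under an x86 debugger (or .effmach x86) first")
    else:
        result["verdict"] = "target frames present: " + ", ".join(target)
    return result
```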
Aug 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, May 10 2016