Issue 613607

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Global-buffer-overflow in XFA_GetMethodByName

Project Member Reported by ClusterFuzz, May 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5998214892748800

Fuzzer: ifratric_acrojs
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Global-buffer-overflow READ 4
Crash Address: 0x0000042d0920
Crash State:
  XFA_GetMethodByName
  CXFA_ScriptContext::NormalPropTypeGetter
  FXJSE_V8_GenericNamedPropertySetterCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893

Minimized Testcase (2582.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974sF8VpioeVxJCUAES0UNJHSZ_-vFKkBNjjj_D2SXCLLyIaWnRmBrw9l1y4bekGs0YduBzV8opd6PyyFlupY3qr0pk95LpAhxMxp2oRw94ZWIknXDO27U1yT4ykg2NNbd2NvmnvNEGYxjbKmR3e3CVDj93Zkz1aqRUbywsHYhDKov_gQ8

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by och...@chromium.org, May 20 2016

Issue 612920 has been merged into this issue.

Comment 2 by och...@chromium.org, May 20 2016

Cc: tsepez@chromium.org dsinclair@chromium.org thestig@chromium.org
Components: Internals>Plugins>PDF
The CF testcase is marked as "Unreproducible", but running that testcase locally gives me a null deref with a similar stack.

Comment 3 by sheriffbot@chromium.org, May 21 2016

Labels: Pri-1
Owner: penny...@chromium.org
Status: Assigned (was: Available)

Comment 5 by och...@chromium.org, May 25 2016

pennymac, friendly ping - was any progress made here? bug 612922 (which is owned by tsepez@) might be related.

Comment 6 by tsepez@chromium.org, May 25 2016

Owner: tsepez@chromium.org
I'll take this, similar to the related bug. Repros with a segv in pdfium_test on linux.

Comment 7 by tsepez@chromium.org, May 25 2016

Owner: jochen@chromium.org
At https://code.google.com/p/chromium/codesearch#chromium/src/third_party/pdfium/xfa/fxjse/util_inline.h&rcl=1464117624&l=22, we use the presence of an internal field to tell if this is a FXJSE object, but that isn't sufficient. I'm guessing this is being applied to the wrong object type.

Jochen, I recall you took a look at this at one point? Thoughts?

Comment 8 by tsepez@chromium.org, May 26 2016

Note that the lpClass argument to FXJSE_RetrieveObjectBinding() is always null, which means that the secondary check at line 40 never happens.

Comment 9 by tsepez@chromium.org, May 27 2016

Issue 615381 has been merged into this issue.

Would be rad if clusterfuzz included the JS in plain text for pdf fuzzers...

This might be because the interceptor uses the "This()" value, while the actual object that has the interceptor on it is the Holder() value. The XFA code is ridiculously bad :-/

Status: Fixed (was: Assigned)
https://pdfium.googlesource.com/pdfium/+/3a005f22703b9303a306bf34cbd17c3729f763aa may take care of this.

Owner: tsepez@chromium.org
Cc: och...@chromium.org
Issue 615792 has been merged into this issue.
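The two points raised in the comments above (an internal field's presence is not enough to identify an FXJSE object, and an interceptor must resolve its binding from Holder(), not This()) modelled as an added JavaScript example that is not part of this issue, pdfium, V8 or the fix commit. A Proxy `get` trap plays the named-property interceptor: its `target` stands for Holder(), its `receiver` for This(), a symbol-keyed own property stands for the V8 internal field, and `lookupMethod` stands for XFA_GetMethodByName. The object kinds, method tables and helper names are all constructed for the example.

```javascript
// Added example, not code from pdfium, V8 or the fix commit. It models the
// receiver/holder confusion discussed in the thread with a JavaScript Proxy:
// the `get` trap receives `target` (the object the trap is installed on, the
// analogue of V8's Holder()) and `receiver` (the object the property was looked
// up on, the analogue of This()). A symbol-keyed own property stands in for a
// V8 internal field, and `lookupMethod` stands in for XFA_GetMethodByName.

const INTERNAL_FIELD = Symbol("internal field"); // stand-in for a V8 internal field

// Create a "native-backed" object: the hidden field carries a kind tag plus
// kind-specific state. Only the (constructed) "xfa" kind has a method table.
function makeNative(kind, fields) {
  const obj = {};
  Object.defineProperty(obj, INTERNAL_FIELD, { value: { kind, ...fields } });
  return obj;
}

function hasOwnInternal(obj) {
  return Object.prototype.hasOwnProperty.call(obj, INTERNAL_FIELD);
}

// Buggy resolver, analogous to reading the binding off This(): it trusts the
// mere presence of an internal field and never checks the kind, so a derived
// object yields no binding and a differently typed object yields the wrong one.
function resolveViaThis(holder, receiver, _expectedKind) {
  return hasOwnInternal(receiver) ? receiver[INTERNAL_FIELD] : undefined;
}

// Hardened resolver: read the binding off the holder (the object the
// interceptor actually belongs to) and refuse anything whose kind tag does
// not match. Returns null to signal "not ours".
function resolveViaHolder(holder, _receiver, expectedKind) {
  const b = hasOwnInternal(holder) ? holder[INTERNAL_FIELD] : undefined;
  return b !== undefined && b.kind === expectedKind ? b : null;
}

// Analogue of XFA_GetMethodByName: index into the binding's method table.
// Called with no binding or a binding of another kind, this is the unsafe
// access; in JavaScript it surfaces as a TypeError rather than a bad read.
function lookupMethod(binding, name) {
  return binding.methods.includes(name);
}

// Install a named-property interceptor on `target` that answers "is this name
// an XFA method of the bound object?" for every string property.
function installInterceptor(target, resolve) {
  return new Proxy(target, {
    get(t, prop, receiver) {
      if (typeof prop !== "string") return Reflect.get(t, prop, receiver);
      const binding = resolve(t, receiver, "xfa");
      if (binding === null) return undefined; // hardened resolver refused
      return lookupMethod(binding, prop);
    },
  });
}

// Exercise one resolver against four access patterns (all constructed here).
function runScenario(resolve) {
  const xfa = installInterceptor(
    makeNative("xfa", { methods: ["resolveNode", "getAttribute"] }), resolve);
  // A plain script object that merely inherits from the intercepted object.
  const plainDerived = Object.create(xfa);
  // A native object of a different kind that also inherits from it.
  const otherDerived = Object.create(xfa);
  Object.defineProperty(otherDerived, INTERNAL_FIELD,
    { value: { kind: "pdf-annot", refs: [1, 2] } });
  // An interceptor mistakenly installed on a non-XFA native object.
  const misapplied = installInterceptor(makeNative("pdf-annot", { refs: [] }), resolve);

  const probe = (obj) => {
    try { return obj.resolveNode; } catch (e) { return `crash: ${e.constructor.name}`; }
  };
  return {
    direct: probe(xfa),
    plain: probe(plainDerived),
    other: probe(otherDerived),
    misapplied: probe(misapplied),
  };
}

console.log("This():  ", runScenario(resolveViaThis));
console.log("Holder():", runScenario(resolveViaHolder));
```

With `resolveViaThis` only the direct access works; the three other patterns reach `lookupMethod` with a missing or wrong-kind binding, which is the JavaScript-level shape of the crash in the report. With `resolveViaHolder` the derived objects resolve correctly through the holder, and the misapplied interceptor is refused instead of misread.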

Comment 15 by ClusterFuzz, May 31 2016

Labels: Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 16 by sheriffbot@chromium.org, Jun 1 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: M52
Labels: -M52 M-52
Labels: Merge-Request-52 Security_Impact-Beta
ochang: Didn't we turn off XFA for M-52?

Comment 22 by tin...@google.com, Jun 20 2016

Labels: -Merge-Request-52 Merge-Review-52 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Labels: -M-52 -Security_Impact-Beta -Merge-Review-52 Security_Impact-None
Yep. It should be turned off -- removing request labels.
Labels: -Merge-Triage -Hotlist-Merge-review

Comment 25 by sheriffbot@chromium.org, Sep 7 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic