Security: UAF in PDFium's TimerProc()
Issue description

See attached PoC. Repro'd under pdfium_test at version 766901f5ec79b3c3ccd1e872f699642d771a89c5

==3016==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600005df38 at pc 0x00000211f441 bp 0x7ffc535b4380 sp 0x7ffc535b4378
WRITE of size 1 at 0x60600005df38 thread T0
    #0 0x211f440 in ~CFX_AutoRestorer ./out/Asan/../../core/fxcrt/include/fx_basic.h:732
    #1 0x211f440 in TimerProc ./out/Asan/../../fpdfsdk/javascript/JS_Object.cpp:126
    #2 0x211f440 in ?? ??:0
    #3 0x512e9e in AdvanceTime ./out/Asan/../../testing/embedder_test_timer_handling_delegate.h:70
    #4 0x512e9e in ?? ??:0
    #5 0x51a2e7 in TestBody ./out/Asan/../../fpdfsdk/fpdfformfill_embeddertest.cpp:129
    #6 0x51a2e7 in ?? ??:0
    #7 0x1bec62d in HandleExceptionsInMethodIfSupported<testing::Test, void> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #8 0x1bec62d in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2434 (discriminator 3)
    #9 0x1bec62d in ?? ??:0
    #10 0x1bed6f7 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2610
    #11 0x1bed6f7 in ?? ??:0
    #12 0x1bee8a2 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2728 (discriminator 1)
    #13 0x1bee8a2 in ?? ??:0
    #14 0x1c003d5 in RunAllTests ./out/Asan/../../testing/gtest/src/gtest.cc:4591 (discriminator 1)
    #15 0x1c003d5 in ?? ??:0
    #16 0x1bffa79 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #17 0x1bffa79 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:4209 (discriminator 3)
    #18 0x1bffa79 in ?? ??:0
    #19 0x574853 in RUN_ALL_TESTS ./out/Asan/../../testing/gtest/include/gtest/gtest.h:2326 (discriminator 1)
    #20 0x574853 in main ./out/Asan/../../testing/embedder_test.cpp:342 (discriminator 1)
    #21 0x574853 in ?? ??:0
    #22 0x7f3c35955f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #23 0x7f3c35955f44 in ?? ??:0

0x60600005df38 is located 24 bytes inside of 64-byte region [0x60600005df20,0x60600005df60)
freed by thread T0 here:
    #0 0x4ead9b in operator delete(void*) ??:?
    #1 0x4ead9b in ?? ??:0
    #2 0x2128c18 in operator() ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:2529 (discriminator 1)
    #3 0x2128c18 in reset ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:2735 (discriminator 1)
    #4 0x2128c18 in ~unique_ptr ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:2703 (discriminator 1)
    #5 0x2128c18 in destroy ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:1795 (discriminator 1)
    #6 0x2128c18 in __destroy<std::__1::unique_ptr<CJS_Timer, std::__1::default_delete<CJS_Timer> > > ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:1668 (discriminator 1)
    #7 0x2128c18 in destroy<std::__1::unique_ptr<CJS_Timer, std::__1::default_delete<CJS_Timer> > > ./out/Asan/../../buildtools/third_party/libc++/trunk/include/memory:1536 (discriminator 1)
    #8 0x2128c18 in __destruct_at_end ./out/Asan/../../buildtools/third_party/libc++/trunk/include/vector:424 (discriminator 1)
    #9 0x2128c18 in __destruct_at_end ./out/Asan/../../buildtools/third_party/libc++/trunk/include/vector:812 (discriminator 1)
    #10 0x2128c18 in erase ./out/Asan/../../buildtools/third_party/libc++/trunk/include/vector:1677 (discriminator 1)
    #11 0x2128c18 in ClearTimerCommon ./out/Asan/../../fpdfsdk/javascript/app.cpp:487 (discriminator 1)
    #12 0x2128c18 in ?? ??:0
    #13 0x2130582 in clearInterval ./out/Asan/../../fpdfsdk/javascript/app.cpp:456 (discriminator 1)
    #14 0x2130582 in JSMethod<app, &app::clearInterval> ./out/Asan/../../fpdfsdk/javascript/JS_Define.h:158 (discriminator 1)
    #15 0x2130582 in ?? ??:0
    #16 0x58c6a9 in Call ./out/Asan/../../v8/src/api-arguments.cc:19
    #17 0x58c6a9 in ?? ??:0
    #18 0x6a9624 in HandleApiCallHelper<false> ./out/Asan/../../v8/src/builtins.cc:5801 (discriminator 1)
    #19 0x6a9624 in ?? ??:0
    #20 0x729a0e in Builtin_Impl_HandleApiCall ./out/Asan/../../v8/src/builtins.cc:5831 (discriminator 14)
    #21 0x729a0e in ?? ??:0
    #6 0x7f3c0da063a6 (<unknown module>)
    #7 0x7f3c0da6c4a9 (<unknown module>)
    #8 0x7f3c0da6c327 (<unknown module>)
    #9 0x7f3c0da44002 (<unknown module>)
    #10 0x7f3c0da24c8e (<unknown module>)
    #22 0xe99714 in Invoke ./out/Asan/../../v8/src/execution.cc:98
    #23 0xe99714 in ?? ??:0
    #24 0xe990ef in Call ./out/Asan/../../v8/src/execution.cc:155 (discriminator 2)
    #25 0xe990ef in ?? ??:0
    #26 0x59fc5b in Run ./out/Asan/../../v8/src/api.cc:1891 (discriminator 3)
    #27 0x59fc5b in ?? ??:0
    #28 0x1c25633 in FXJS_Execute ./out/Asan/../../fxjs/fxjs_v8.cpp:467 (discriminator 2)
    #29 0x1c25633 in ?? ??:0
    #30 0x2086a2c in CJS_Runtime::Execute(CFX_WideString const&, CFX_WideString*) ./out/Asan/../../fpdfsdk/javascript/cjs_runtime.cpp:224 (discriminator 1)
    #31 0x2086a2c in ?? ??:0
    #32 0x208413b in RunScript ./out/Asan/../../fpdfsdk/javascript/cjs_context.cpp:52 (discriminator 2)
    #33 0x208413b in ?? ??:0
    #34 0x2128f9c in RunJsScript ./out/Asan/../../fpdfsdk/javascript/app.cpp:522
    #35 0x2128f9c in TimerProc ./out/Asan/../../fpdfsdk/javascript/app.cpp:505
    #36 0x2128f9c in ?? ??:0
    #37 0x211f3c9 in TimerProc ./out/Asan/../../fpdfsdk/javascript/JS_Object.cpp:125
    #38 0x211f3c9 in ?? ??:0
    #39 0x512e9e in AdvanceTime ./out/Asan/../../testing/embedder_test_timer_handling_delegate.h:70
    #40 0x512e9e in ?? ??:0
    #41 0x51a2e7 in TestBody ./out/Asan/../../fpdfsdk/fpdfformfill_embeddertest.cpp:129
    #42 0x51a2e7 in ?? ??:0
    #43 0x1bec62d in HandleExceptionsInMethodIfSupported<testing::Test, void> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #44 0x1bec62d in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2434 (discriminator 3)
    #45 0x1bec62d in ?? ??:0
    #46 0x1bed6f7 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2610
    #47 0x1bed6f7 in ?? ??:0
    #48 0x1bee8a2 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2728 (discriminator 1)
    #49 0x1bee8a2 in ?? ??:0
    #50 0x1c003d5 in RunAllTests ./out/Asan/../../testing/gtest/src/gtest.cc:4591 (discriminator 1)
    #51 0x1c003d5 in ?? ??:0
    #52 0x1bffa79 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #53 0x1bffa79 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:4209 (discriminator 3)
    #54 0x1bffa79 in ?? ??:0
    #55 0x574853 in RUN_ALL_TESTS ./out/Asan/../../testing/gtest/include/gtest/gtest.h:2326 (discriminator 1)
    #56 0x574853 in main ./out/Asan/../../testing/embedder_test.cpp:342 (discriminator 1)
    #57 0x574853 in ?? ??:0
    #58 0x7f3c35955f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #59 0x7f3c35955f44 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4ea79b in operator new(unsigned long) ??:?
    #1 0x4ea79b in ?? ??:0
    #2 0x2127ea1 in setInterval ./out/Asan/../../fpdfsdk/javascript/app.cpp:384
    #3 0x2127ea1 in ?? ??:0
    #4 0x2136b95 in JSMethod<app, &app::setInterval> ./out/Asan/../../fpdfsdk/javascript/JS_Define.h:158 (discriminator 3)
    #5 0x2136b95 in ?? ??:0
    #6 0x58c6a9 in Call ./out/Asan/../../v8/src/api-arguments.cc:19
    #7 0x58c6a9 in ?? ??:0
    #8 0x6a9624 in HandleApiCallHelper<false> ./out/Asan/../../v8/src/builtins.cc:5801 (discriminator 1)
    #9 0x6a9624 in ?? ??:0
    #10 0x729a0e in Builtin_Impl_HandleApiCall ./out/Asan/../../v8/src/builtins.cc:5831 (discriminator 14)
    #11 0x729a0e in ?? ??:0
    #6 0x7f3c0da063a6 (<unknown module>)
    #7 0x7f3c0da6bfb3 (<unknown module>)
    #8 0x7f3c0da44002 (<unknown module>)
    #9 0x7f3c0da24c8e (<unknown module>)
    #12 0xe99714 in Invoke ./out/Asan/../../v8/src/execution.cc:98
    #13 0xe99714 in ?? ??:0
    #14 0xe990ef in Call ./out/Asan/../../v8/src/execution.cc:155 (discriminator 2)
    #15 0xe990ef in ?? ??:0
    #16 0x59fc5b in Run ./out/Asan/../../v8/src/api.cc:1891 (discriminator 3)
    #17 0x59fc5b in ?? ??:0
    #18 0x1c25633 in FXJS_Execute ./out/Asan/../../fxjs/fxjs_v8.cpp:467 (discriminator 2)
    #19 0x1c25633 in ?? ??:0
    #20 0x2086a2c in CJS_Runtime::Execute(CFX_WideString const&, CFX_WideString*) ./out/Asan/../../fpdfsdk/javascript/cjs_runtime.cpp:224 (discriminator 1)
    #21 0x2086a2c in ?? ??:0
    #22 0x208413b in RunScript ./out/Asan/../../fpdfsdk/javascript/cjs_context.cpp:52 (discriminator 2)
    #23 0x208413b in ?? ??:0
    #24 0x1b80e20 in RunDocumentOpenJavaScript ./out/Asan/../../fpdfsdk/fsdk_actionhandler.cpp:551 (discriminator 1)
    #25 0x1b80e20 in DoAction_JavaScript ./out/Asan/../../fpdfsdk/fsdk_actionhandler.cpp:38 (discriminator 1)
    #26 0x1b80e20 in ?? ??:0
    #27 0x1bafe8a in ProcJavascriptFun ./out/Asan/../../fpdfsdk/fsdk_mgr.cpp:309 (discriminator 1)
    #28 0x1bafe8a in ?? ??:0
    #29 0x573b48 in EmbedderTest::DoOpenActions() ./out/Asan/../../testing/embedder_test.cpp:226
    #30 0x573b48 in ?? ??:0
    #31 0x51a2da in TestBody ./out/Asan/../../fpdfsdk/fpdfformfill_embeddertest.cpp:128
    #32 0x51a2da in ?? ??:0
    #33 0x1bec62d in HandleExceptionsInMethodIfSupported<testing::Test, void> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #34 0x1bec62d in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2434 (discriminator 3)
    #35 0x1bec62d in ?? ??:0
    #36 0x1bed6f7 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2610
    #37 0x1bed6f7 in ?? ??:0
    #38 0x1bee8a2 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:2728 (discriminator 1)
    #39 0x1bee8a2 in ?? ??:0
    #40 0x1c003d5 in RunAllTests ./out/Asan/../../testing/gtest/src/gtest.cc:4591 (discriminator 1)
    #41 0x1c003d5 in ?? ??:0
    #42 0x1bffa79 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./out/Asan/../../testing/gtest/src/gtest.cc:2418 (discriminator 3)
    #43 0x1bffa79 in Run ./out/Asan/../../testing/gtest/src/gtest.cc:4209 (discriminator 3)
    #44 0x1bffa79 in ?? ??:0
    #45 0x574853 in RUN_ALL_TESTS ./out/Asan/../../testing/gtest/include/gtest/gtest.h:2326 (discriminator 1)
    #46 0x574853 in main ./out/Asan/../../testing/embedder_test.cpp:342 (discriminator 1)
    #47 0x574853 in ?? ??:0
    #48 0x7f3c35955f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #49 0x7f3c35955f44 in ?? ??:0
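In the trace above, clearInterval is reached from the interval's own script while TimerProc is still on the stack; ClearTimerCommon erases the CJS_Timer's unique_ptr and the CFX_AutoRestorer destructor then writes into the freed object. Below is an added C++ example, not PDFium's code or its actual fix, of one defensive pattern for that reentrancy: deferring the erase until dispatch finishes and never touching the timer after its callback returns. TimerTable, Tick, ClearTimer and RunSelfClearingScenario are hypothetical names.

```cpp
// Added example (not PDFium's code or fix); names are hypothetical.
// A timer table whose callbacks may clear timers, even themselves, mid-dispatch.
#include <functional>
#include <map>
#include <memory>
struct Timer {
  std::function<void(int)> callback;
  bool cleared;  // marked, not freed, while Tick() is running
};
class TimerTable {
 public:
  int SetInterval(std::function<void(int)> cb) {
    int id = next_id_++;
    timers_[id].reset(new Timer{std::move(cb), false});
    return id;
  }
  // Safe from inside a callback: during dispatch only mark, never free.
  void ClearTimer(int id) {
    auto it = timers_.find(id);
    if (it == timers_.end()) return;
    if (dispatching_) it->second->cleared = true; else timers_.erase(it);
  }
  // Fires each live timer once; erasing waits until every callback returned.
  void Tick() {
    dispatching_ = true;
    for (auto& kv : timers_) {  // map iterators survive inserts
      if (kv.second->cleared) continue;
      auto cb = kv.second->callback;  // copy: cb may clear this timer
      cb(kv.first);                   // nothing after this touches kv
    }
    dispatching_ = false;
    for (auto it = timers_.begin(); it != timers_.end();)
      if (it->second->cleared) it = timers_.erase(it); else ++it;
  }
  size_t Count() const { return timers_.size(); }
 private:
  std::map<int, std::unique_ptr<Timer>> timers_;
  int next_id_ = 1;
  bool dispatching_ = false;
};
// The report's scenario: the interval's own script clears it. Returns
// fires*100 + timers left; 100 means it fired once and is now gone.
int RunSelfClearingScenario() {
  TimerTable table;
  int fired = 0;
  table.SetInterval([&](int self) { ++fired; table.ClearTimer(self); });
  table.Tick();  // clears itself; the erase waits until Tick() returns
  table.Tick();  // nothing left to fire
  return fired * 100 + static_cast<int>(table.Count());
}
```

Under ASan the same scenario against a table that erased inside ClearTimer and then used the timer after the callback would report a heap-use-after-free like the one above.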
Aug 4 2016
CF no good, needs to run under the pdfium_embeddertest of the same name. This is a modified version of the file used by the embeddertest of the same name.
Aug 4 2016
Aug 4 2016
Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8c5429e3337f1635fee44eb51d4c9330d05e54db

commit 8c5429e3337f1635fee44eb51d4c9330d05e54db
Author: thestig <thestig@chromium.org>
Date: Thu Aug 04 23:07:09 2016

Roll PDFium a72ab5e..32e693f

https://pdfium.googlesource.com/pdfium.git/+log/a72ab5e..32e693f

BUG=634394,624514
TBR=tsepez@chromium.org

Review-Url: https://codereview.chromium.org/2210063004
Cr-Commit-Position: refs/heads/master@{#409927}

[modify] https://crrev.com/8c5429e3337f1635fee44eb51d4c9330d05e54db/DEPS
Aug 5 2016
Aug 5 2016
Issue 634716 has been merged into this issue.
Aug 10 2016
Aug 11 2016
Aug 11 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Aug 11 2016
+ awhalley@, seems to be baked in canary. Can we take this in for M53?
Aug 11 2016
Yep, good for M53.
Aug 11 2016
Approving merge to M53 branch 2785. Please merge latest by tomorrow, Friday 5:00 PM PT so we can take this change in for next week's Beta release. Thank you.
Aug 15 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 15 2016
Please merge your change by today 5:00 PM PT so we can take it in for this week's Beta release. Thank you.
Aug 15 2016
ochang: Do you want to help with the merge? I don't have time today.
Aug 15 2016
Sure, will do.
Aug 15 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/5981d02c94a8352af961c45a2a02bcf814d8299b

commit 5981d02c94a8352af961c45a2a02bcf814d8299b
Author: Oliver Chang <ochang@google.com>
Date: Mon Aug 15 21:32:29 2016
Aug 15 2016
Aug 31 2016
Sep 14 2016
Nov 11 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Comment 1 by tsepez@chromium.org, Aug 4 2016