
Issue 676773


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: Adobe Flash MovieClip.createTextField Use After Free

Reported by xiong12...@gmail.com, Dec 23 2016

Issue description


VULNERABILITY DETAILS
Adobe Flash MovieClip.createTextField Use After Free

VERSION
Chrome Version: 56.0.2924.28 beta (64-bit)
Operating System: Windows 7 en 64-bit

REPRODUCTION CASE

Open "MovieClip_createTextField.html" with chrome and observe the crash.

This is a use-after-free bug in MovieClip.createEmptyMovieClip.
When creating a new TextField in the MovieClip at some depth, it will first try to remove the MovieClip at that depth.
This triggers an "onKillFocus" event callback; if we remove the parent MovieClip in the callback, a use-after-free occurs.




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 


(490.d84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0000042c`e046b860 3900            cmp     dword ptr [rax],eax ds:000004bb`44dd3e78=d56de338
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\yuki\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.186\pepflashplayer.dll - 
8:096> k
Child-SP          RetAddr           Call Site
00000000`0019c118 000007fe`d4add00e 0x42c`e046b860
00000000`0019c120 000007fe`d4adcd3e pepflashplayer!PPP_ShutdownBroker+0x98887e
00000000`0019c160 000007fe`d4adc999 pepflashplayer!PPP_ShutdownBroker+0x9885ae
00000000`0019c190 000007fe`d4adaeb5 pepflashplayer!PPP_ShutdownBroker+0x988209
00000000`0019c240 000007fe`d4ae4f84 pepflashplayer!PPP_ShutdownBroker+0x986725
00000000`0019c280 000007fe`d4345d46 pepflashplayer!PPP_ShutdownBroker+0x9907f4
00000000`0019c2c0 000007fe`d434241f pepflashplayer!PPP_ShutdownBroker+0x1f15b6
00000000`0019c300 000007fe`d433b7b9 pepflashplayer!PPP_ShutdownBroker+0x1edc8f
00000000`0019c400 000007fe`d4673046 pepflashplayer!PPP_ShutdownBroker+0x1e7029
00000000`0019c440 000007fe`d4364a53 pepflashplayer!PPP_ShutdownBroker+0x51e8b6
00000000`0019c560 000007fe`d4541c5a pepflashplayer!PPP_ShutdownBroker+0x2102c3
00000000`0019c770 000007fe`d4379a2e pepflashplayer!PPP_ShutdownBroker+0x3ed4ca
00000000`0019cf20 000007fe`d43acb13 pepflashplayer!PPP_ShutdownBroker+0x22529e
00000000`0019d010 000007fe`d4391c01 pepflashplayer!PPP_ShutdownBroker+0x258383
00000000`0019d050 000007fe`d4391dc4 pepflashplayer!PPP_ShutdownBroker+0x23d471
00000000`0019d080 000007fe`d43196c4 pepflashplayer!PPP_ShutdownBroker+0x23d634
00000000`0019d0b0 000007fe`d431e099 pepflashplayer!PPP_ShutdownBroker+0x1c4f34
00000000`0019d110 000007fe`d4679e93 pepflashplayer!PPP_ShutdownBroker+0x1c9909
00000000`0019d160 000007fe`d467a42b pepflashplayer!PPP_ShutdownBroker+0x525703
00000000`0019d480 000007fe`d4364a53 pepflashplayer!PPP_ShutdownBroker+0x525c9b



Credit:

Please credit "Yuki Chen of Qihoo 360 Vulcan Team" for this bug. 
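As an added illustration (not code from the report, and not Flash Player's own implementation), the C model below reproduces the ordering the report describes: replacing the object at a depth fires a script callback, and that callback removes the parent clip the caller is still using. `create_text_field_vuln` keeps that ordering; `create_text_field_fixed` holds a reference to the parent across the callback and re-validates it afterwards. Every name here (Clip, remove_at_depth, run_scenario, the refcount fields) is constructed for the demo and is not Flash's actual API.

```c
#include <stdlib.h>
#define MAX_DEPTH 4
typedef struct Clip Clip;
typedef void (*KillFocusFn)(Clip *self, void *ctx);
struct Clip {
    int refs, alive;                     /* refcount; alive becomes 0 when it hits zero */
    Clip *parent, *children[MAX_DEPTH];  /* display list: one slot per depth */
    KillFocusFn on_kill_focus; void *ctx;/* script callback fired while the clip is removed */
};
static Clip *clip_new(void) { Clip *c = calloc(1, sizeof *c); c->refs = c->alive = 1; return c; }
static void clip_retain(Clip *c) { c->refs++; }
static void clip_release(Clip *c) {
    if (--c->refs) return;
    c->alive = 0;  /* a real engine would free(c); the demo only marks it dead so a dangling write stays observable */
    for (int i = 0; i < MAX_DEPTH; i++)
        if (c->children[i]) { clip_release(c->children[i]); c->children[i] = NULL; }
}
/* Detach the child at `depth`, firing its onKillFocus callback: the re-entrancy point. */
static void remove_at_depth(Clip *parent, int depth) {
    Clip *old = parent->children[depth]; if (!old) return;
    parent->children[depth] = NULL; old->parent = NULL;
    if (old->on_kill_focus) old->on_kill_focus(old, old->ctx);
    clip_release(old);
}
/* Vulnerable ordering: parent is used after a callback that may have destroyed it. */
static void create_text_field_vuln(Clip *parent, int depth) {
    remove_at_depth(parent, depth);
    Clip *tf = clip_new(); tf->parent = parent;
    parent->children[depth] = tf;   /* dangling write if the callback released parent */
}
/* Hardened: hold a reference across the callback and re-validate before continuing. */
static int create_text_field_fixed(Clip *parent, int depth) {
    clip_retain(parent);
    remove_at_depth(parent, depth);
    int attached = parent->parent != NULL;  /* still in the display list after the callback? */
    if (attached) { Clip *tf = clip_new(); tf->parent = parent; parent->children[depth] = tf; }
    clip_release(parent);                   /* may destroy it now, after our last use of it */
    return attached;
}
/* Scenario from the report: the removed child's onKillFocus removes the parent clip. */
static void kill_parent_cb(Clip *self, void *ctx) { (void)self; remove_at_depth(ctx, 0); }
/* Returns 1 if a TextField was written into a clip that had already been destroyed. */
static int run_scenario(int fixed) {
    Clip *scene = clip_new(), *parent = clip_new(), *child = clip_new();
    scene->children[0] = parent; parent->parent = scene;
    parent->children[1] = child; child->parent = parent;
    child->on_kill_focus = kill_parent_cb; child->ctx = scene;
    if (fixed) create_text_field_fixed(parent, 1); else create_text_field_vuln(parent, 1);
    return !parent->alive && parent->children[1] != NULL;
}
```

The same pattern applies to any host API that runs script during a remove or replace: the object being operated on must be kept alive (or re-checked) across the callback.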
 

Comment 1 by aarya@google.com, Dec 24 2016

Components: Internals>Plugins>Flash
Owner: natashenka@google.com
Status: ExternalDependency (was: Unconfirmed)
Natalie, can you please file these bugs with Adobe. Thanks!

Comment 2 by aarya@google.com, Dec 24 2016

Labels: Security_Severity-High Security_Impact-Stable

Comment 3 by sheriffbot@chromium.org, Dec 24 2016

Labels: M-55

Comment 4 by sheriffbot@chromium.org, Dec 24 2016

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Jan 26 2017

Labels: -M-55 M-56
Labels: reward-topanel
Just reported this.
This is PSIRT-6394.
Yuki, I can't see the PoC anymore, did you delete it? Can you attach it again?

Comment 10 by sheriffbot@chromium.org, Mar 10 2017

Labels: -M-56 M-57
This will be resolved in the upcoming March update as CVE-2017-3001. 

Comment 12 by sheriffbot@chromium.org, Apr 20 2017

Labels: -M-57 M-58

Comment 13 by sheriffbot@chromium.org, Jun 6 2017

Labels: -M-58 M-59

Comment 14 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60

Comment 15 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Comment 16 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Hello,

Since this vulnerability was fixed in March 2017 as CVE-2017-3001, is it possible for this case to go to the reward panel now?
Status: Fixed (was: ExternalDependency)

Comment 19 by sheriffbot@chromium.org, Nov 9 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 20 by sheriffbot@chromium.org, Nov 11 2017

Labels: Merge-Request-63

Comment 21 by sheriffbot@chromium.org, Nov 11 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org lafo...@chromium.org
Please apply the appropriate OS labels.

+awhalley@ for M63 merge review.
Labels: -Hotlist-Merge-Review -M-62 M-63
No merge needed for Flash bugs.
Labels: -Merge-Review-63
Removing "Merge-Review-63" label per comment #23.
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-unpaid reward-inprocess

Comment 27 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
