Chrome Memory Corruption Vulnerability due to Out-of-bounds Write
Reported by
kushal89...@gmail.com,
Jan 17 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Download and extract the latest Chrome "asan-build" (currently the latest build is 444043) from the link "https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=win32-release/"
2. Enable WinDbg as the default post-mortem debugger using the command "windbg -I" in an elevated command prompt.
3. Open the PoC.pdf with the extracted asan-build chrome.exe binary using the command "C:\[path]\chrome.exe --no-sandbox C:\[path]\PoC.pdf".
4. The PDF opens in the browser. Scroll down page by page to page 8.
5. Check the crash details in the post-mortem WinDbg window.

What is the expected behavior?
Page 8 should load and be rendered correctly like the rest of the PDF document.

What went wrong?
Memory corruption vulnerability triggered in the Chrome browser. WinDbg debug data is as seen below.

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 01240000 01b78000   C:\Users\kshah\Downloads\win32-release%2Fasan-coverage-win32-release-444043\asan-coverage-win32-release-444043\chrome.exe
ModLoad: 76ea0000 7704a000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 77080000 77200000   ntdll.dll
ModLoad: 00000000`746c0000 00000000`746ff000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`74660000 00000000`746bc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`74650000 00000000`74658000   C:\Windows\SYSTEM32\wow64cpu.dll
ModLoad: 00000000`76900000 00000000`76a10000   KERNEL32.dll
ModLoad: 00000000`761f0000 00000000`76237000   KERNELBASE.dll
ModLoad: 00000000`6e050000 00000000`6e28d000   chrome_elf.dll
ModLoad: 00000000`74200000 00000000`74209000   VERSION.dll
ModLoad: 00000000`74c60000 00000000`74d0c000   msvcrt.dll
ModLoad: 00000000`767c0000 00000000`76861000   ADVAPI32.dll
ModLoad: 00000000`74ba0000 00000000`74bb9000   SECHOST.dll
ModLoad: 00000000`75200000 00000000`752f0000   RPCRT4.dll
ModLoad: 00000000`74970000 00000000`749d0000   SspiCli.dll
ModLoad: 00000000`74960000 00000000`7496c000   CRYPTBASE.dll
ModLoad: 00000000`75fb0000 00000000`75fb5000   PSAPI.DLL
ModLoad: 00000000`752f0000 00000000`75f3c000   SHELL32.dll
ModLoad: 00000000`75f40000 00000000`75f97000   SHLWAPI.dll
ModLoad: 00000000`76280000 00000000`76310000   GDI32.dll
ModLoad: 00000000`74dd0000 00000000`74ed0000   USER32.dll
ModLoad: 00000000`77050000 00000000`7705a000   LPK.dll
ModLoad: 00000000`74bc0000 00000000`74c5d000   USP10.dll
ModLoad: 00000000`72100000 00000000`72132000   WINMM.dll
ModLoad: 00000000`721f0000 00000000`72248000   WINHTTP.dll
ModLoad: 00000000`721a0000 00000000`721f0000   webio.dll
ModLoad: 00000000`6d6f0000 00000000`6d6f3000   api-ms-win-core-synch-l1-2-0.dll
ModLoad: 00000000`74d10000 00000000`74d70000   IMM32.dll
ModLoad: 00000000`74ac0000 00000000`74b8d000   MSCTF.dll
ModLoad: 00000000`16c00000 00000000`2e046000   chrome_child.dll
ModLoad: 00000000`76a20000 00000000`76b7d000   ole32.dll
ModLoad: 00000000`76b80000 00000000`76c11000   OLEAUT32.dll
ModLoad: 00000000`74a70000 00000000`74aa5000   WS2_32.dll
ModLoad: 00000000`76a10000 00000000`76a16000   NSI.dll
ModLoad: 00000000`76880000 00000000`768fb000   COMDLG32.dll
ModLoad: 00000000`72870000 00000000`72a0e000   COMCTL32.dll
ModLoad: 00000000`72620000 00000000`7270b000   dbghelp.dll
ModLoad: 00000000`6d630000 00000000`6d681000   WINSPOOL.DRV
ModLoad: 00000000`74620000 00000000`7463c000   IPHLPAPI.DLL
ModLoad: 00000000`74610000 00000000`74617000   WINNSI.DLL
ModLoad: 00000000`72860000 00000000`72868000   Secur32.dll
ModLoad: 00000000`57710000 00000000`57846000   DWrite.dll
ModLoad: 00000000`6e350000 00000000`6e364000   FONTSUB.dll
ModLoad: 00000000`74a30000 00000000`74a5f000   WINTRUST.dll
ModLoad: 00000000`74ed0000 00000000`74ff1000   CRYPT32.dll
ModLoad: 00000000`74b90000 00000000`74b9c000   MSASN1.dll
ModLoad: 00000000`6d470000 00000000`6d601000   gdiplus.dll
ModLoad: 00000000`71a00000 00000000`71a80000   UxTheme.dll
ModLoad: 00000000`70fc0000 00000000`71001000   tv_w32.dll
(30b0.25a0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dbghelp.dll -
dbghelp!ImagehlpApiVersionEx+0x383:
7262e490 53              push    ebx
0:000:x86> R
eax=00000464 ebx=00000000 ecx=00002500 edx=01240000 esi=1456b430 edi=145507d0
eip=7262e490 esp=00100f80 ebp=001013f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210200
dbghelp!ImagehlpApiVersionEx+0x383:
7262e490 53              push    ebx
0:000:x86> r
eax=00000464 ebx=00000000 ecx=00002500 edx=01240000 esi=1456b430 edi=145507d0
eip=7262e490 esp=00100f80 ebp=001013f4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210200
dbghelp!ImagehlpApiVersionEx+0x383:
7262e490 53              push    ebx
0:000:x86> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
001013f4 726303f4 ffffffff 1456b430 1456b430 dbghelp!ImagehlpApiVersionEx+0x383
00101408 72633955 ffffffff 1456b430 00000000 dbghelp!SymUnloadModule64+0xcba
00101450 7262f95a ffffffff 014f5035 00000000 dbghelp!SymFunctionTableAccess64+0x4a
00101468 72630507 014f5035 00000000 001017bc dbghelp!SymUnloadModule64+0x220
0010149c 726314e5 001015d0 00102600 001022b0 dbghelp!SymUnloadModule64+0xdcd
001014b0 72634158 00102600 00000005 50929a28 dbghelp!SymGetModuleInfoW64+0x9d5
001015ac 7263406f 001015d0 00102250 00102600 dbghelp!StackWalk64+0x1b1
*** WARNING: Unable to verify checksum for chrome_child.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome_child.dll -
00102274 1b30ad11 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8
001027d4 1b309909 00102b9c 41b58ab3 28d43424 chrome_child!GetHandleVerifier+0x216d31
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KERNEL32.dll -
00102994 769503bb 00102a4c 3d6a9cc2 00000000 chrome_child!GetHandleVerifier+0x215929
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
00102a1c 770f5be7 00102a4c 770f5ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf
001ff9cc 770b98d5 015033e4 fffde000 00000000 ntdll_77080000!RtlKnownExceptionFilter+0xb7
001ff9e4 00000000 015033e4 fffde000 00000000 ntdll_77080000!RtlInitializeExceptionChain+0x36
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
***** OS symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for gdiplus.dll -
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
dbghelp!ImagehlpApiVersionEx+383
7262e490 53              push    ebx

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000007262e490 (dbghelp!ImagehlpApiVersionEx+0x0000000000000383)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000100f7c
Attempt to write to address 0000000000100f7c

FAULTING_THREAD:  00000000000025a0

PROCESS_NAME:  chrome.exe

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: dbghelp

FAULTING_MODULE: 0000000076ea0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7b7bc

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000100f7c

WRITE_ADDRESS:  0000000000100f7c

FOLLOWUP_IP:
dbghelp!ImagehlpApiVersionEx+383
7262e490 53              push    ebx

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_STACK_ACCESS_INVALID_POINTER_WRITE_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_STACK_ACCESS

DEFAULT_BUCKET_ID:  INVALID_STACK_ACCESS

LAST_CONTROL_TRANSFER:  from 00000000726303f4 to 000000007262e490

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
001013f4 726303f4 ffffffff 1456b430 1456b430 dbghelp!ImagehlpApiVersionEx+0x383
00101408 72633955 ffffffff 1456b430 00000000 dbghelp!SymUnloadModule64+0xcba
00101450 7262f95a ffffffff 014f5035 00000000 dbghelp!SymFunctionTableAccess64+0x4a
00101468 72630507 014f5035 00000000 001017bc dbghelp!SymUnloadModule64+0x220
0010149c 726314e5 001015d0 00102600 001022b0 dbghelp!SymUnloadModule64+0xdcd
001014b0 72634158 00102600 00000005 50929a28 dbghelp!SymGetModuleInfoW64+0x9d5
001015ac 7263406f 001015d0 00102250 00102600 dbghelp!StackWalk64+0x1b1
00102274 1b30ad11 0000014c ffffffff fffffffe dbghelp!StackWalk64+0xc8
001027d4 1b309909 00102b9c 41b58ab3 28d43424 chrome_child!GetHandleVerifier+0x216d31
00102994 769503bb 00102a4c 3d6a9cc2 00000000 chrome_child!GetHandleVerifier+0x215929
00102a1c 770f5be7 00102a4c 770f5ac4 00000000 KERNEL32!GetProfileStringW+0x12ddf
001ff9cc 770b98d5 015033e4 fffde000 00000000 ntdll_77080000!RtlKnownExceptionFilter+0xb7
001ff9e4 00000000 015033e4 fffde000 00000000 ntdll_77080000!RtlInitializeExceptionChain+0x36

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  dbghelp!ImagehlpApiVersionEx+383

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  dbghelp.dll

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  INVALID_STACK_ACCESS_c0000005_dbghelp.dll!ImagehlpApiVersionEx

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome_exe/57_0_2985_0/587e5393/dbghelp_dll/6_1_7601_17514/4ce7b7bc/c0000005/0000e490.htm?Retriage=1

Followup: MachineOwner
---------

0:000:x86> .load msec.dll
0:000:x86> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x100f7c
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:7262e490 push ebx

Exception Hash (Major/Minor): 0x0ce1a874.0xf2bc6169

Hash Usage : Stack Trace:
Major+Minor : dbghelp!ImagehlpApiVersionEx+0x383
Major+Minor : dbghelp!SymUnloadModule64+0xcba
Major+Minor : dbghelp!SymFunctionTableAccess64+0x4a
Major+Minor : dbghelp!SymUnloadModule64+0x220
Major+Minor : dbghelp!SymUnloadModule64+0xdcd
Minor : dbghelp!SymGetModuleInfoW64+0x9d5
Minor : dbghelp!StackWalk64+0x1b1
Minor : dbghelp!StackWalk64+0xc8
Minor : chrome_child!GetHandleVerifier+0x216d31
Minor : chrome_child!GetHandleVerifier+0x215929
Minor : KERNEL32!GetProfileStringW+0x12ddf
Excluded : ntdll_77080000!RtlKnownExceptionFilter+0xb7
Excluded : ntdll_77080000!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000007262e490

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at dbghelp!ImagehlpApiVersionEx+0x0000000000000383 (Hash=0x0ce1a874.0xf2bc6169)

User mode write access violations that are not near NULL are exploitable.

Did this work before? N/A

Chrome version: 57.0.2972.0  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

This issue was originally reported on Jan 10 in issue 679581 and was set for analysis by ClusterFuzz, BUT was unintelligently, and without any intimation or chance for clarification, closed as WontFix by mbarbella today, without even reading the "Note" in the FIRST LINE of the report. This issue was also tested on an "ASAN" build!
"No PAGE HEAP was enabled on the chrome binary!" The "--no-sandbox" flag was used, as in the similar issue 407488.
,
Jan 20 2017
Issue still exists in the following latest (as of 12:35pm PST Jan 20, 2017) ASAN releases:
1) https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-445058.zip?generation=1484943199194188&alt=media
2) https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-445058.zip?generation=1484940903180884&alt=media
,
Jan 23 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6380451284647936
,
Jan 23 2017
CF can't repro. I'll try again with a different setting.
,
Jan 23 2017
Hello nparker, Firstly, I would like to thank you for responding, I sincerely appreciate it. Also I have shared the reproduction steps in the "Steps to reproduce the problem:" section at the top of the report before the WinDbg output and I can consistently reproduce the issue. Kindly let me know if you still can't reproduce. Eagerly awaiting your reply in earnest. Thanks & Regards, ~ Kushal.
,
Jan 24 2017
tsepez or dsinclair, do either of you have a Windows machine on which you could try to reproduce this? Clusterfuzz doesn't seem to be having any luck.
,
Jan 25 2017
Under Linux ASAN:
ASAN:DEADLYSIGNAL
=================================================================
==30757==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec7341f28 (pc 0x7f7d30c50d5b bp 0x7ffec73421d0 sp 0x7ffec7341f30 T0)
#0 0x7f7d30c50d5a in CPDF_StreamParser::GetNextWord(bool&) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:394:8
#1 0x7f7d30c4b477 in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:310:3
#2 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#3 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#4 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#5 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#6 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#7 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
#8 0x7f7d30c4d70e in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:347:43
#9 0x7f7d30c4e81d in CPDF_StreamParser::ReadNextObject(bool, unsigned int) third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:366:11
....
SUMMARY: AddressSanitizer: stack-overflow third_party/pdfium/core/fpdfapi/page/cpdf_streamparser.cpp:394:8 in CPDF_StreamParser::GetNextWord(bool&)
==30757==ABORTING
,
Jan 25 2017
For clusterfuzz, try with PoC.pdf#page=8 instead of just PoC.pdf. It doesn't seem to be looping, just needing too much stack memory to load the page.
,
Jan 26 2017
,
Jan 26 2017
,
Jan 26 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 26 2017
,
Jan 26 2017
Stack exhaustion, not a security issue per-se.
,
Jan 26 2017
@tsepez, Original report mentions Out-Of-Bounds Write on Windows and not Stack Exhaustion on Linux. Original report mentions OS="Windows" and not OS=All. As per c#8, @dsinclair mentioned Stack-Overflow under Linux ASAN, not Windows as mentioned in original report. Hope that helps clarify things. Thanks & Regards, ~ Kushal.
,
Jan 26 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5133182983995392
,
Jan 27 2017
,
Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2a45c1ddaa0ec0c9410d8ee61bd3aa6862c64c74 commit 2a45c1ddaa0ec0c9410d8ee61bd3aa6862c64c74 Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org> Date: Fri Jan 27 17:32:10 2017 Roll src/third_party/pdfium/ d532036fb..6438c4f36 (1 commit). https://pdfium.googlesource.com/pdfium.git/+log/d532036fbb0e..6438c4f36da1 $ git log d532036fb..6438c4f36 --date=short --no-merges --format='%ad %ae %s' 2017-01-27 npm Limit parsing recursion levels in CPDF_StreamParser BUG= 681920 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls TBR=dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2658583008 Cr-Commit-Position: refs/heads/master@{#446703} [modify] https://crrev.com/2a45c1ddaa0ec0c9410d8ee61bd3aa6862c64c74/DEPS
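The rolled fix, "Limit parsing recursion levels in CPDF_StreamParser", targets the call chain shown in the Linux ASan trace above: ReadNextObject recursing into itself once per nested array or dictionary until GetNextWord faults on the stack guard. The following added example is editor's code, not PDFium's: the token set, the ParseContentStream/NestedArrays names and the 512-level limit used in the comments are assumptions for illustration, not PDFium's constants. It reproduces that shape in a toy recursive-descent reader and shows the hardening: a depth counter threaded through the recursion that turns an attacker-chosen nesting depth into a parse error instead of a crash.

```cpp
// Added example (not PDFium code): a toy recursive-descent reader for the
// bracketed objects in a PDF content stream, with and without a nesting limit.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class Status { kOk, kTooDeep, kMalformed };

struct ParseResult {
  Status status;
  size_t deepest;  // deepest container nesting reached before returning
};

// Split the stream into tokens. "[" "]" "<<" ">>" are delimiters; anything
// else between whitespace is an opaque atom (number, name, operator). String
// and hex-string syntax is deliberately not handled; this is a nesting demo.
static std::vector<std::string> Tokenize(const std::string& s) {
  std::vector<std::string> out;
  std::string cur;
  auto flush = [&] { if (!cur.empty()) { out.push_back(cur); cur.clear(); } };
  for (size_t i = 0; i < s.size();) {
    char c = s[i];
    if (std::isspace(static_cast<unsigned char>(c))) { flush(); ++i; continue; }
    if (c == '[' || c == ']') { flush(); out.push_back(std::string(1, c)); ++i; continue; }
    if ((c == '<' || c == '>') && i + 1 < s.size() && s[i + 1] == c) {
      flush(); out.push_back(std::string(2, c)); i += 2; continue;
    }
    cur.push_back(c); ++i;
  }
  flush();
  return out;
}

// One recursive call per nesting level. This is the shape that exhausted the
// stack: "[ [ [ ..." costs one frame per level, so the attacker's file decides
// how much stack the parser needs. max_depth == 0 disables the limit (the
// pre-fix behaviour); a non-zero limit is the hardening.
static Status ReadObject(const std::vector<std::string>& toks, size_t& pos,
                         size_t depth, size_t max_depth, size_t& deepest) {
  if (pos >= toks.size()) return Status::kMalformed;
  const std::string& t = toks[pos++];
  if (t == "]" || t == ">>") return Status::kMalformed;  // stray closer
  if (t != "[" && t != "<<") return Status::kOk;          // atom
  if (max_depth != 0 && depth >= max_depth) return Status::kTooDeep;
  if (depth + 1 > deepest) deepest = depth + 1;
  const char* closer = (t == "[") ? "]" : ">>";
  while (pos < toks.size() && toks[pos] != closer) {
    Status s = ReadObject(toks, pos, depth + 1, max_depth, deepest);
    if (s != Status::kOk) return s;
  }
  if (pos >= toks.size()) return Status::kMalformed;  // unterminated container
  ++pos;  // consume the closer
  return Status::kOk;
}

ParseResult ParseContentStream(const std::string& content, size_t max_depth) {
  std::vector<std::string> toks = Tokenize(content);
  size_t pos = 0, deepest = 0;
  while (pos < toks.size()) {
    Status s = ReadObject(toks, pos, 0, max_depth, deepest);
    if (s != Status::kOk) return {s, deepest};
  }
  return {Status::kOk, deepest};
}

// Constructed input: `depth` nested arrays around a single number.
std::string NestedArrays(size_t depth) {
  std::string s(depth, '[');
  s += "1";
  s.append(depth, ']');
  return s;
}

int main() {
  // Assumed limit of 512 levels; the real fix picks its own constant.
  ParseResult bounded = ParseContentStream(NestedArrays(100000), 512);
  std::printf("bounded: status=%d deepest=%zu\n", static_cast<int>(bounded.status), bounded.deepest);
  ParseResult benign = ParseContentStream("q [ 1 [ 2 ] ] TJ << /A [ 3 ] >> Q", 512);
  std::printf("benign:  status=%d deepest=%zu\n", static_cast<int>(benign.status), benign.deepest);
  return 0;
}
```

With max_depth = 0, ParseContentStream(NestedArrays(1000000), 0) recurses a million frames deep and dies the same way the Linux ASan run did, a stack-overflow report in the innermost frame; with max_depth = 512 the same input returns kTooDeep after 512 frames and the parser stays alive. The limit needs a malformed-input path too: an unterminated "[" must return kMalformed rather than walking off the end of the token vector.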
,
Jan 27 2017
Original report mentions M55, any reason why this was marked as Impact-Head not Impact-Stable?
,
Jan 27 2017
Probably because the first line says Chrome 55 but the rest of the description is talking about the latest asan build and Chrome version 57. I'm unable to reproduce the crash by building locally on Windows, but there was a crash using chrome_asan 444043, as described in the bug report. Will need to check if there is still a crash on the next asan build which includes my CL.
,
Jan 31 2017
Hello @tsepez, @dsinclair, @nparker, @npm, @awhalley, @palmer, @est..., Google Security Team, good evening. The OOB-Write vulnerability was consistently reproducible till "asan" build #446650. As of "asan" build #446721, the vulnerability seems to have been fixed. I checked the log of build #446721 (https://chromium.googlesource.com/chromium/src/+log/b709759f51db1a4d86c0fef25a3301c7a9f4e44e) and I could find the commit mentioned in c#18. @tsepez & @dsinclair, could you confirm the same? I sincerely appreciate all the aforementioned comment authors for their efforts and support in getting this issue fixed so quickly. Also I would like to kindly request if this will be eligible for a reward/bounty and would also like to request the applicable CVE-ID. Eagerly awaiting your response in earnest. Thanking you, yours sincerely, Kushal Arvind Shah.
,
Jan 31 2017
Thank you for confirming that this has fixed the problem. It is a DEPS roll since PDFium is a separate repository. You can find it by searching for the title of the CL: "Roll src/third_party/pdfium/ d532036fb..6438c4f36 (1 commit)."
,
Jan 31 2017
,
Feb 2 2017
@npm, Yes, I could find the commit as mentioned in c#21. Also I would like to kindly request if this will be eligible for a reward/bounty and would also like to request for the applicable CVE-ID. Thanks & Regards, ~ Kushal Shah.
,
Feb 3 2017
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 3 2017
+awhalley@ for M57 merge review
,
Feb 6 2017
govind@: Looks good to approve.
,
Feb 10 2017
Approving merge to M57 branch 2987 based on comment #28. Please merge latest by 5:00 PM PT Monday (02/13) so we can pick it up for next week beta release. Thank you.
,
Feb 10 2017
Merged into pdfium's chromium/2987 branch https://codereview.chromium.org/2686193003/ DEPS already pointing to that branch
,
Feb 10 2017
Per comment #30, this is already merged to M57.
,
Feb 10 2017
,
Feb 10 2017
Looks like this isn't actually a security issue, as it was a stack overflow.
,
Feb 10 2017
@mbarbella, Google Security Team, @mbarbella, it looks like you didn't read the original report, c#15 and c#20, just like you didn't read the same issue previously reported in issue 679581. Out-of-bounds write is not an issue? Seriously? Can someone else apart from mbarbella please confirm the actions and reasoning behind c#32 & c#33??? The original report and c#15 clearly state that this is not a stack overflow but an out-of-bounds write on Windows! c#20 by "npm@chromium.org" also confirms the issue, as quoted: "but there was a crash using chrome_asan 444043, as described in the bug report." After confirming the issue and fixing it, thereafter disregarding the vulnerability and denying a reward is plainly cheap and unacceptable. I hope someone else can act differently than mbarbella. Eagerly awaiting your reply in earnest. Thanks & Regards, ~ Kushal Shah.
,
Feb 12 2017
Hi Kushal. It does look quite like stack exhaustion is manifesting in this case as a write outside valid stack addresses. Though it's been a long while since I did windows development, could you dump the contents of the thread execution block with !teb and see what the StackBase and StackLimit are?
,
Feb 13 2017
Hi awhalley, firstly I would like to thank you for responding, I sincerely appreciate it. I was not expecting @mbarbella to respond at all, like in issue 679581. Anyway, I tried to dump the contents of the thread execution block with !teb but am unable to do so due to some sort of error. You mentioned that the issue looks like a write outside valid stack addresses. I believe the valid stack addresses pertain to the thread(s) belonging to the chrome processes. Any attempt to write outside of its allocated stack space is a clear case of access violation and can be exploited. As seen in the original report, !analyze clearly states that it is an invalid pointer write and !exploitable confirms the exploitability. Also you might have noticed the "absence of C00000FD" in the WinDbg report, which confirms that the issue was NOT caused by any kind of "stack overflow". Eagerly awaiting your reply in earnest. Thanks & Regards, ~ Kushal Shah.
,
Mar 15 2017
Hi Awhalley, I would like to request for a response on C#36. Thanks, Kushal.
,
Apr 19 2017
Hello awhalley, I would like to kindly request for a response on C#36. Eagerly awaiting your response in earnest. Thanks, Kushal.
,
Apr 20 2017
Hello Kushal. Pardon the delay in replying. I've confirmed with the team that this is indeed a stack exhaustion bug. !exploitable is heuristic based and can have false positives, such as this case. Sorry :-(
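On the exhaustion-versus-OOB-write question argued in the comments above, the numbers already in the report point the same way the team's conclusion does: the faulting instruction is push ebx with esp=00100f80, and the write address 00100f7c is exactly esp-4, the slot the push itself targets; the frames beneath it are dbghelp!StackWalk64 called from ntdll!RtlKnownExceptionFilter, which is what a crash-reporting exception filter looks like when it runs on a thread whose stack is already exhausted. Windows raises STATUS_STACK_OVERFLOW (0xC00000FD) once, when the last guard page is consumed; code that keeps pushing on the same thread afterwards faults with a plain STATUS_ACCESS_VIOLATION (0xC0000005), so the absence of C00000FD in a second-chance dump does not rule exhaustion out. The following added example is editor's code, not from the report or from the !exploitable plugin: it encodes that check as a first-pass triage helper. The TEB StackLimit is the value awhalley asked for via !teb and is not in the report, so it is an optional input here and the limits used in the tests are constructed.

```cpp
// Added example (not from the report): first-pass triage of a WinDbg write AV,
// asking whether it carries the signature of stack exhaustion rather than an
// attacker-controlled pointer write.
#include <cstdint>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>

enum class AvKind { kNearNull, kStackExhaustion, kUnclassified };

// Parse a WinDbg "r" register line such as
//   "eax=00000464 ebx=00000000 ... esp=00100f80 ebp=001013f4 iopl=0 nv up ei pl"
// into name -> value. Flag mnemonics (fields without '=') are skipped.
std::map<std::string, uint32_t> ParseRegisterLine(const std::string& line) {
  std::map<std::string, uint32_t> regs;
  std::istringstream in(line);
  std::string field;
  while (in >> field) {
    size_t eq = field.find('=');
    if (eq == std::string::npos) continue;
    regs[field.substr(0, eq)] =
        static_cast<uint32_t>(std::strtoul(field.c_str() + eq + 1, nullptr, 16));
  }
  return regs;
}

struct WriteFault {
  uint32_t esp;          // from the "r" output
  uint32_t address;      // EXCEPTION_PARAMETER2 / WRITE_ADDRESS
  std::string mnemonic;  // faulting instruction, e.g. "push"
  uint32_t stack_limit;  // TEB StackLimit from !teb; 0 if not collected
};

// A 32-bit push or call writes to esp-4. If that exact slot is the faulting
// address, the stack pointer has walked off the committed stack: the classic
// exhaustion pattern, independent of any data the file controls. When the TEB
// StackLimit (lowest committed stack address) is known, the write must lie
// below it; without it the verdict is "consistent with exhaustion, confirm
// with !teb". Anything else stays unclassified for manual analysis.
AvKind ClassifyWriteAv(const WriteFault& f) {
  if (f.address < 0x10000) return AvKind::kNearNull;  // !exploitable's own cut-off region
  bool implicit_stack_write = (f.mnemonic == "push" || f.mnemonic == "call");
  bool next_slot = (f.address == f.esp - 4);
  if (!implicit_stack_write || !next_slot) return AvKind::kUnclassified;
  if (f.stack_limit != 0 && f.address >= f.stack_limit) return AvKind::kUnclassified;
  return AvKind::kStackExhaustion;
}
```

Fed the report's own values (esp=00100f80, write to 00100f7c, "push ebx") the helper returns kStackExhaustion; a write to the same address by a mov, or to an address not adjacent to esp, stays kUnclassified and deserves the full analysis !exploitable shortcuts. The point is not that a write AV below the stack is harmless in general, but that a write to esp-4 by the push itself is the CPU growing the stack, not a pointer the PDF chose.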