Security: Memory Corruption Vulnerability in Chrome due to Illegal Instruction Violation.
Reported by kushal89...@gmail.com, Feb 23 2017
Issue description

VULNERABILITY DETAILS
Memory corruption triggered in Chrome. The PoC has been tested on several of the latest Chrome Linux & Windows "asan" builds, and also on the publicly available Chrome Linux/Windows 64bit browser, as of Feb 22 4:16PM PST. Build links have been shared in Step 1 of the "Reproduction Case" section.

VERSION
The latest "ASAN" builds of Chrome and also the publicly available versions of the Chrome browser.
Operating System: Ubuntu 15.10 64bit, Windows 7 SP1 64bit.

REPRODUCTION CASE
1) Download the Linux Chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-release-452095.zip?generation=1487799543058920&alt=media [Most preferable for the PoC]
OR
1) Download the Windows Chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-450818.zip?generation=1487223208800191&alt=media
2) Unzip the downloaded "asan" builds.
3) Change directory to the chrome.exe/pdfium_test.exe location.
4) Run the chrome/pdfium binary against the PoC.pdf testcase file.
5) The PDF opens up in the browser. Scroll down to page 2.
6) Check the crash details in the terminal/command-prompt window.

NOTE: The Linux build is MOST preferable for testing. Windows can be used, but might be flaky. Haven't tested on MacOS yet.
NOTE2: The crash occurs in the latest PUBLIC versions of Chrome too.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Linux ASAN Chrome binary output:

h4ck3r@h4ck3r-VirtualBox:/var/crash$ /home/h4ck3r/Downloads/asan-linux-release-452095/chrome --no-sandbox --allow-sandbox-debugging --renderer-cmd-prefix='xterm -title renderer -e gdb -ex run --args' /home/h4ck3r/Desktop/fuzz-6.pdf
Received signal 4 ILL_ILLOPN 563951cacfe9
#0 0x56393bb5a1a1 __interceptor_backtrace
#1 0x563942e5c49c base::debug::StackTrace::StackTrace()
#2 0x563942e5b304 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fa7e418ad10 <unknown>
#4 0x563951cacfe9 CFX_BinaryBuf::ExpandBuf()
#5 0x563951e4639e CPDF_SyntaxParser::ReadStream()
#6 0x563951e45019 CPDF_SyntaxParser::GetObject()
#7 0x563951e1eb66 CPDF_Parser::ParseIndirectObjectAt()
#8 0x563951e20531 CPDF_Parser::ParseIndirectObject()
#9 0x563951de7256 CPDF_Document::ParseIndirectObject()
#10 0x563951dfee6c CPDF_IndirectObjectHolder::GetOrParseIndirectObject()
#11 0x563951d3e18a CPDF_Type3Font::LoadChar()
#12 0x563951d3f896 CPDF_Type3Font::GetCharBBox()
#13 0x563951d93588 CPDF_TextObject::CalcPositionData()
#14 0x563951f03ce6 CPDF_StreamContentParser::AddTextObject()
#15 0x563951ee91b6 CPDF_StreamContentParser::Handle_ShowText()
#16 0x563951f04e95 CPDF_StreamContentParser::Parse()
#17 0x563951ed1a7a CPDF_ContentParser::Continue()
#18 0x563951d8a53c CPDF_PageObjectHolder::ContinueParse()
#19 0x563951c43dc2 FPDF_LoadPage
#20 0x563941ef3183 chrome_pdf::PDFiumPage::GetPage()
#21 0x563941eb9220 chrome_pdf::PDFiumEngine::ContinuePaint()
#22 0x563941eb8579 chrome_pdf::PDFiumEngine::Paint()
#23 0x563941f23988 chrome_pdf::OutOfProcessInstance::OnPaint()
#24 0x563941f3e3cc PaintManager::DoPaint()
#25 0x563941f412ad PaintManager::OnFlushComplete()
#26 0x563941f4150a pp::CompletionCallbackFactory<>::CallbackData<>::Thunk()
#27 0x5639470fef2c ppapi::TrackedCallback::Run()
#28 0x56394b5a14ae ppapi::proxy::PluginResource::OnReplyReceived()
#29 0x56394b59f1ac ppapi::proxy::PluginMessageFilter::DispatchResourceReply()
#30 0x5639430ffbdb base::debug::TaskAnnotator::RunTask()
#31 0x563942ee1748 base::MessageLoop::RunTask()
#32 0x563942ee2660 base::MessageLoop::DeferOrRunPendingTask()
#33 0x563942ee3ccf base::MessageLoop::DoWork()
#34 0x563942ef00cf base::MessagePumpDefault::Run()
#35 0x563942ee0524 base::MessageLoop::RunHandler()
#36 0x563942f82a1f base::RunLoop::Run()
#37 0x5639416dec72 content::PpapiPluginMain()
#38 0x563941ea870c content::RunZygote()
#39 0x563941eaccdd content::ContentMainRunnerImpl::Run()
#40 0x563941ea67ee content::ContentMain()
#41 0x56393bbe2876 ChromeMain
#42 0x7fa7e0ee7ac0 __libc_start_main
#43 0x56393bb0ea51 <unknown>
  r8: 000000008fff6fff  r9: 0000000000000000 r10: 0000000000004032 r11: 0000000000000206
 r12: 00007fa6918b3300 r13: 0000604000051c10 r14: 00007fa6918b3300 r15: 000000007fffffff
  di: 00007fa6914f7000  si: 0000000000000000  bp: 00007ffe721f3370  bx: 000000008000007e
  dx: 000010004e436e00  ax: 000056395c2331e8  cx: 000010004e436e00  sp: 00007ffe721f3350
  ip: 0000563951cacfe9 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Linux ASAN pdfium_test binary result:

h4ck3r@h4ck3r-VirtualBox:~/Downloads$ gdb --args /home/h4ck3r/Downloads/asan-linux-release-452095/pdfium_test /home/h4ck3r/Desktop/fuzz-6.pdf
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/h4ck3r/Downloads/asan-linux-release-452095/pdfium_test...done.
(gdb) r
Starting program: /home/h4ck3r/Downloads/asan-linux-release-452095/pdfium_test /home/h4ck3r/Desktop/fuzz-6.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffeaa34a700 (LWP 13175)]
Rendering PDF file /home/h4ck3r/Desktop/fuzz-6.pdf.

Program received signal SIGILL, Illegal instruction.
0x0000000002aec899 in HandleFailure<int> () at ../../third_party/pdfium/third_party/base/numerics/safe_conversions.h:63
63      ../../third_party/pdfium/third_party/base/numerics/safe_conversions.h: No such file or directory.
(gdb) bt
#0  0x0000000002aec899 in HandleFailure<int> () at ../../third_party/pdfium/third_party/base/numerics/safe_conversions.h:63
#1  ValueOrDie<int, pdfium::base::CheckOnFailure> () at ../../third_party/pdfium/third_party/base/numerics/safe_math.h:157
#2  ExpandBuf () at ../../third_party/pdfium/core/fxcrt/fx_basic_buffer.cpp:63
#3  0x0000000002c485be in ReadStream () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:736
#4  0x0000000002c47239 in GetObject () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:482
#5  0x0000000002c26026 in ParseIndirectObjectAt () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1334
#6  0x0000000002c279f1 in ParseIndirectObject () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1112
#7  0x0000000002bf1776 in ParseIndirectObject () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:363
#8  0x0000000002c0752c in GetOrParseIndirectObject () at ../../third_party/pdfium/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp:39
#9  0x0000000002b5709a in LoadChar () at ../../third_party/pdfium/core/fpdfapi/font/cpdf_type3font.cpp:97
#10 0x0000000002b587a6 in CPDF_Type3Font::GetCharBBox(unsigned int) () at ../../third_party/pdfium/core/fpdfapi/font/cpdf_type3font.cpp:150
#11 0x0000000002b9e258 in CalcPositionData () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_textobject.cpp:214
#12 0x0000000002d0c176 in AddTextObject () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1271
#13 0x0000000002cf1646 in Handle_ShowText () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1297
#14 0x0000000002d0d325 in Parse () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1537
#15 0x0000000002cd9f0a in Continue () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_contentparser.cpp:178
#16 0x0000000002b953dc in ContinueParse () at ../../third_party/pdfium/core/fpdfapi/page/cpdf_pageobjectholder.cpp:33
#17 0x0000000002a39602 in FPDF_LoadPage () at ../../third_party/pdfium/fpdfsdk/fpdfview.cpp:636
#18 0x0000000000500f34 in GetPageForIndex () at ../../third_party/pdfium/samples/pdfium_test.cc:617
#19 0x0000000000501b23 in RenderPage () at ../../third_party/pdfium/samples/pdfium_test.cc:637
#20 0x0000000000504c73 in RenderPdf () at ../../third_party/pdfium/samples/pdfium_test.cc:862
#21 0x00000000005066a9 in main () at ../../third_party/pdfium/samples/pdfium_test.cc:1003
(gdb) info registers
rax            0x473f268          74707560
rbx            0x8000007e         2147483774
rcx            0x10007fff7e00     17594333494784
rdx            0x10007fff7e00     17594333494784
rsi            0x0                0
rdi            0x7ffeaacf7000     140731764142080
rbp            0x7fffffffceb0     0x7fffffffceb0
rsp            0x7fffffffce90     0x7fffffffce90
r8             0x8fff6fff         2415882239
r9             0x0                0
r10            0x4032             16434
r11            0x206              518
r12            0x7ffeab0e2b00     140731768253184
r13            0x60400002fd10     105827994369296
r14            0x7ffeab0e2b00     140731768253184
r15            0x7fffffff         2147483647
rip            0x2aec899          0x2aec899 <ExpandBuf()+809>
eflags         0x10202            [ IF RF ]
cs             0x33               51
ss             0x2b               43
ds             0x0                0
es             0x0                0
fs             0x0                0
gs             0x0                0
(gdb) exploitable
__main__:99: UserWarning: GDB v7.10 may not support required Python API
Description: Bad instruction
Short description: BadInstruction (9/22)
Hash: 89ece97ced5676c501fac1c4eea904d3.6b943cc1ab77b503f78c8a8c72980c98
Exploitability Classification: EXPLOITABLE
Explanation: The target tried to execute a malformed or privileged instruction. This may indicate that the control flow is tainted.
(gdb)

Windows ASAN Build Chrome binary output:

C:\>"C:\Users\kshah\Downloads\win32-release%2Fasan-coverage-win32-release-450818\asan-coverage-win32-release-450818\chrome.exe" --no-sandbox C:\Users\kshah\Desktop\fuzz-6.pdf
==12972==ERROR: AddressSanitizer failed to allocate 0x80002000 (-2147475456) bytes of LargeMmapAllocator (error code: 8)
==12972==Dumping process modules:
==12972==AddressSanitizer CHECK failed: E:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x10df3d9 in __asan::AsanCheckFailed e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_rtl.cc:68
    #1 0x10edc73 in __sanitizer::CheckFailed(char const *,int,char const *,unsigned __int64,unsigned __int64) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc:79
    #2 0x10efbda in __sanitizer::ReportMmapFailureAndDie(unsigned long,char const *,char const *,unsigned int,bool) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common.cc:120
    #3 0x10ee904 in __sanitizer::MmapOrDie(unsigned long,char const *,bool) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_win.cc:93
    #4 0x10f56be in __sanitizer::LargeMmapAllocator<struct __asan::AsanMapUnmapCallback>::Allocate(class __sanitizer::AllocatorStats *,unsigned long,unsigned long) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_secondary.h:41
    #5 0x10f55cf in __sanitizer::CombinedAllocator<class __sanitizer::SizeClassAllocator32<0,4294967296,16,class __sanitizer::SizeClassMap<3,4,8,17,64,14>,20,class __sanitizer::FlatByteMap<4096>,struct __asan::AsanMapUnmapCallback>,struct __sanitizer::SizeClassAllocatorLocalCache<class __sanitizer::SizeClassAllocator32<0,4294967296,16,class __sanitizer::SizeClassMap<3,4,8,17,64,14>,20,class __sanitizer::FlatByteMap<4096>,struct __asan::AsanMapUnmapCallback> >,class __sanitizer::LargeMmapAllocator<struct __asan::AsanMapUnmapCallback> >::Allocate(struct __sanitizer::SizeClassAllocatorLocalCache<class __sanitizer::SizeClassAllocator32<0,4294967296,16,class __sanitizer::SizeClassMap<3,4,8,17,64,14>,20,class __sanitizer::FlatByteMap<4096>,struct __asan::AsanMapUnmapCallback> > *,unsigned long,unsigned long,bool,bool) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_combined.h:70
    #6 0x10f5b07 in __asan::Allocator::Allocate(unsigned long,unsigned long,struct __sanitizer::BufferedStackTrace *,enum __asan::AllocType,bool) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:405
    #7 0x10f6112 in __asan::Allocator::Calloc(unsigned long,unsigned long,struct __sanitizer::BufferedStackTrace *) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:604
    #8 0x10f85b5 in __asan::asan_calloc(unsigned long,unsigned long,struct __sanitizer::BufferedStackTrace *) e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:781
    #9 0x10ec0fb in calloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:82
    #10 0x24a5bdc6 in CPDF_SyntaxParser::ReadStream(class std::unique_ptr<class CPDF_Dictionary,struct std::default_delete<class CPDF_Dictionary> >,unsigned int,unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_syntax_parser.cpp:731:11
    #11 0x24a5aa3b in CPDF_SyntaxParser::GetObjectW(class CPDF_IndirectObjectHolder *,unsigned int,unsigned int,bool) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_syntax_parser.cpp:482:12
    #12 0x2499b60d in CPDF_Parser::ParseIndirectObjectAt(class CPDF_IndirectObjectHolder *,int,unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp:1334:18
    #13 0x2499cacb in CPDF_Parser::ParseIndirectObject(class CPDF_IndirectObjectHolder *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp:1112:12
    #14 0x249b5695 in CPDF_Document::ParseIndirectObject(unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_document.cpp:363:33
    #15 0x249ff6f2 in CPDF_IndirectObjectHolder::GetOrParseIndirectObject(unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_indirect_object_holder.cpp:39:42
    #16 0x24a08731 in CPDF_Reference::GetDirect(void)const C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_reference.cpp:82:35
    #17 0x249c8051 in CPDF_Dictionary::GetDirectObjectFor(class CFX_ByteString const &)const C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_dictionary.cpp:86:17
    #18 0x24b7c92c in CPDF_Type3Font::LoadChar(unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\font\cpdf_type3font.cpp:97:45
    #19 0x24b7dd3a in CPDF_Type3Font::GetCharBBox(unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\font\cpdf_type3font.cpp:150:33
    #20 0x24aeff28 in CPDF_TextObject::CalcPositionData(float *,float *,float) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_textobject.cpp:219:32
    #21 0x24b67740 in CPDF_StreamContentParser::AddTextObject(class CFX_ByteString *,float,float *,int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_streamcontentparser.cpp:1284:12
    #22 0x24b5b9c9 in CPDF_StreamContentParser::Handle_ShowText(void) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_streamcontentparser.cpp:1313:3
    #23 0x24b5fcc6 in CPDF_StreamContentParser::OnOperator(class CFX_StringCTemplate<char> const &) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_streamcontentparser.cpp:576:5
    #24 0x24b68518 in CPDF_StreamContentParser::Parse(unsigned char const *,unsigned int,unsigned int) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_streamcontentparser.cpp:1556:9
    #25 0x24ac3f74 in CPDF_ContentParser::Continue(class IFX_Pause *) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_contentparser.cpp:178:24
    #26 0x24ab78e8 in CPDF_PageObjectHolder::ContinueParse(class IFX_Pause *) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_pageobjectholder.cpp:33:14
    #27 0x249d5974 in CPDF_Page::ParseContent(void) C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\page\cpdf_page.cpp:100:3
    #28 0x248a1a88 in FPDF_LoadPage C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:636:10
    #29 0x1b94cb0f in chrome_pdf::PDFiumPage::GetPage(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_page.cc:126:13
    #30 0x1b8ed342 in chrome_pdf::PDFiumEngine::ContinuePaint(int,class pp::ImageData *) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2961:40
    #31 0x1b8ecdbd in chrome_pdf::PDFiumEngine::Paint(class pp::Rect const &,class pp::ImageData *,class std::vector<class pp::Rect,class std::allocator<class pp::Rect> > *,class std::vector<class pp::Rect,class std::allocator<class pp::Rect> > *) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:1108:11
    #32 0x1b930072 in chrome_pdf::OutOfProcessInstance::OnPaint(class std::vector<class pp::Rect,class std::allocator<class pp::Rect> > const &,class std::vector<struct PaintManager::ReadyRect,class std::allocator<struct PaintManager::ReadyRect> > *,class std::vector<class pp::Rect,class std::allocator<class pp::Rect> > *) C:\b\c\b\win_asan_release_coverage\src\pdf\out_of_process_instance.cc:922:16
    #33 0x1b959b4c in PaintManager::DoPaint(void) C:\b\c\b\win_asan_release_coverage\src\pdf\paint_manager.cc:237:12
    #34 0x1b95b2fe in PaintManager::OnFlushComplete(int) C:\b\c\b\win_asan_release_coverage\src\pdf\paint_manager.cc:330:5
    #35 0x1b95bd6b in pp::CompletionCallbackFactory<class PaintManager,class pp::ThreadSafeThreadTraits>::CallbackData<class pp::CompletionCallbackFactory<class PaintManager,class pp::ThreadSafeThreadTraits>::Dispatcher0<void ( PaintManager::*)(int)> >::Thunk(void *,int) C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h:584:15
    #36 0x1e731ead in ppapi::TrackedCallback::Run(int) C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\tracked_callback.cc:135:9
    #37 0x1ee8d101 in ppapi::proxy::Graphics2DResource::OnPluginMsgFlushACK(class ppapi::proxy::ResourceMessageReplyParams const &) C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\graphics_2d_resource.cc:159:28
    #38 0x1ee8d5be in base::internal::Invoker<struct base::internal::BindState<void ( ppapi::proxy::Graphics2DResource::*)(class ppapi::proxy::ResourceMessageReplyParams const &),class scoped_refptr<class ppapi::proxy::Graphics2DResource> >,void (class ppapi::proxy::ResourceMessageReplyParams const &)>::Run(class base::internal::BindStateBase *,class ppapi::proxy::ResourceMessageReplyParams const &) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:340:29
    #39 0x1ee22359 in base::internal::RunMixin<class base::Callback<void (class ppapi::proxy::ResourceMessageReplyParams const &),1,1> >::Run(class ppapi::proxy::ResourceMessageReplyParams const &)const C:\b\c\b\win_asan_release_coverage\src\base\callback.h:85:12
    #40 0x1ee8e5af in ?Run@?$PluginResourceCallback@V?$MessageT@UPpapiPluginMsg_Graphics2D_FlushAck_Meta@@V?$tuple@$$V@std@@X@IPC@@V?$Callback@$$A6AXABVResourceMessageReplyParams@proxy@ppapi@@@Z$00$00@base@@@proxy@ppapi@@UAEXABVResourceMessageReplyParams@23@ABVMessage@IPC@@@Z C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\plugin_resource_callback.h:40:10
    #41 0x1ed38ab1 in ppapi::proxy::PluginResource::OnReplyReceived(class ppapi::proxy::ResourceMessageReplyParams const &,class IPC::Message const &) C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\plugin_resource.cc:54:15
    #42 0x1ed2fed4 in ppapi::proxy::PluginMessageFilter::DispatchResourceReply(class ppapi::proxy::ResourceMessageReplyParams const &,class IPC::Message const &) C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\plugin_message_filter.cc:116:13
    #43 0x1ed30a11 in base::internal::Invoker<struct base::internal::BindState<void (*)(class ppapi::proxy::ResourceMessageReplyParams const &,class IPC::Message const &),class ppapi::proxy::ResourceMessageReplyParams,class IPC::Message>,void (void)>::Run(class base::internal::BindStateBase *) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:340:29
    #44 0x1bcdbcf9 in base::debug::TaskAnnotator::RunTask(char const *,struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc:57:3
    #45 0x1bae9ed5 in base::MessageLoop::RunTask(struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:423:19
    #46 0x1baeb768 in base::MessageLoop::DeferOrRunPendingTask(struct base::PendingTask) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:434:5
    #47 0x1baed566 in base::MessageLoop::DoWork(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:527:13
    #48 0x1bcdeb6d in base::MessagePumpDefault::Run(class base::MessagePump::Delegate *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc:33:31
    #49 0x1bae8bde in base::MessageLoop::RunHandler(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:387:10
    #50 0x1bb991d0 in base::RunLoop::Run(void) C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc:37:10
    #51 0x1b060842 in content::PpapiPluginMain(struct content::MainFunctionParams const &) C:\b\c\b\win_asan_release_coverage\src\content\ppapi_plugin\ppapi_plugin_main.cc:157:19
    #52 0x1b8df244 in content::RunNamedProcessTypeMain(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,struct content::MainFunctionParams const &,class content::ContentMainDelegate *) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:482:14
    #53 0x1b8e1132 in content::ContentMainRunnerImpl::Run(void) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:842:12
    #54 0x1b8dec40 in content::ContentMain(struct content::ContentMainParams const &) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main.cc:20:28
    #55 0x17801244 in ChromeMain C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_main.cc:113:12
    #56 0xe4d663 in MainDllLoader::Launch(struct HINSTANCE__ *,class base::TimeTicks) C:\b\c\b\win_asan_release_coverage\src\chrome\app\main_dll_loader_win.cc:201:12
    #57 0xe41d3e in main C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_exe_main_win.cc:283:20
    #58 0x11030cc in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #59 0x775d3369 (C:\Windows\syswow64\kernel32.dll+0x7dd73369)
    #60 0x77db9901 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
    #61 0x77db98d4 (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)
Feb 23 2017
This intentionally crashes in order to stop the buffer from wrapping around in size. The crashing line is: m_AllocSize = new_size.ValueOrDie(); tsepez@ is there anything we should do here? We're handling the overflow, we just forced the crash as a result of the bad input.
Feb 23 2017
This would require propagating an error code back through lots of calls. You might take a stab at it, but generally, this is OOM.
Feb 23 2017
Later tested on the MacOS public Chrome version; the crash occurs there too. An exploitable SIGILL signal was received, as seen clearly in the Linux 'asan' build's chrome & pdfium binary output. No indication of OOM anywhere in the crashing call stack.
Feb 23 2017
The call stack won't have an OOM. When we detect that the size of the requested buffer will overflow we call ValueOrDie. This triggers a SIGILL locally and terminates the process.
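An added illustration of the mechanism described here (example code written for this page, not pdfium's or Chromium's): the size arithmetic of an ExpandBuf-style buffer growth, first unchecked, then checked with the overflow reported as an error, then checked with the ValueOrDie-style trap. The function names, the int32_t size type and the inputs are assumptions; the inputs are constructed so that the overflowing sum equals 0x8000007e, the value in rbx in the gdb register dump above.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Result of a checked growth computation: either a usable allocation size
// or a flag saying the arithmetic left the representable range.
struct GrowResult {
  bool ok;             // false: an intermediate overflowed int32_t
  int32_t alloc_size;  // valid only when ok is true
};

// Unchecked version of the computation. Once data_size + add_size exceeds
// INT32_MAX the sum wraps (done in uint32_t here so the demo is
// deterministic; with signed int it is undefined behaviour) and the caller
// receives a negative or far-too-small size. An allocation of that size
// followed by a copy of add_size bytes is the heap-overflow pattern that
// checked arithmetic exists to prevent.
static int32_t GrowUnchecked(int32_t data_size, int32_t add_size, int32_t step) {
  const uint32_t s = static_cast<uint32_t>(step);
  uint32_t new_size = static_cast<uint32_t>(data_size) + static_cast<uint32_t>(add_size);
  new_size = (new_size + s - 1) / s * s;  // round up to a multiple of step
  return static_cast<int32_t>(new_size);
}

// Checked version: each intermediate is tested with the compiler's overflow
// builtins (the same idea CheckedNumeric implements) and the function fails
// closed by returning ok == false. This is the "propagate an error code back
// through lots of calls" option mentioned in the thread.
static GrowResult GrowChecked(int32_t data_size, int32_t alloc_size,
                              int32_t add_size, int32_t alloc_step) {
  int32_t new_size = 0;
  if (__builtin_add_overflow(data_size, add_size, &new_size))
    return {false, 0};
  if (new_size <= alloc_size)  // current allocation already suffices
    return {true, alloc_size};
  const int32_t step = std::max<int32_t>(128, alloc_step ? alloc_step : alloc_size / 4);
  int32_t padded = 0;
  if (__builtin_add_overflow(new_size, step - 1, &padded))
    return {false, 0};
  return {true, padded / step * step};  // round up to a multiple of step
}

// ValueOrDie-style variant: the overflow becomes a deliberate, non-resumable
// crash instead of an error return. __builtin_trap compiles to ud2 on x86-64,
// which the kernel reports as SIGILL (ILL_ILLOPN), the signal in the Linux
// output above. No size is ever produced, so nothing downstream can overrun.
static int32_t GrowOrDie(int32_t data_size, int32_t alloc_size,
                         int32_t add_size, int32_t alloc_step) {
  GrowResult r = GrowChecked(data_size, alloc_size, add_size, alloc_step);
  if (!r.ok)
    __builtin_trap();
  return r.alloc_size;
}

int main() {
  // Constructed input: INT32_MAX bytes already in the buffer, 127 more
  // requested, so the true sum is 0x8000007e, the value seen in rbx.
  const int32_t data_size = INT32_MAX, add_size = 127, step = 128;
  std::printf("unchecked: %d (negative, wrapped)\n",
              GrowUnchecked(data_size, add_size, step));
  GrowResult r = GrowChecked(data_size, data_size, add_size, step);
  std::printf("checked:   ok=%d\n", r.ok);
  // Ordinary case for comparison: 200 bytes needed, rounded up to 256.
  r = GrowChecked(100, 128, 100, step);
  std::printf("normal:    ok=%d size=%d\n", r.ok, r.alloc_size);
  // GrowOrDie(data_size, data_size, add_size, step) would end the process
  // here with SIGILL rather than continue with a bogus size.
  return 0;
}
```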
Feb 23 2017
I believe the following flow, new_size.ValueOrDie(); => HandleFailure<Dst>(); => __builtin_trap(); is unsafe and exploitable as __builtin_trap generates a SIGILL signal which can be trapped and execution can be continued.
Feb 27 2017
Adding others who know more about ValueOrDie than I do.
Feb 27 2017
Wouldn't Chromium itself have to trap the SIGILL and continue execution? Implying that if an attacker made Chromium trap and ignore the instruction, they already had code execution inside of the process?
Feb 27 2017
The code is doing exactly what it's supposed to and there's no vulnerability here. Yes, we can trap SIGILL (in fact, our crash handler almost certainly does) but we absolutely don't eat the signal and let execution continue.
Feb 27 2017
Removing security restrictions, as this is an OOM crash.
May 1 2017
Sep 4
Setting PDF bugs assigned to me back to untriaged so they can get re-assigned as needed.
Sep 5
Closing as per comment #9.
Comment 1 by tsepez@chromium.org, Feb 23 2017
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)