Security: Use-after-free in ResetPDFWindow();
Reported by manhluat...@gmail.com, Jun 27 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
The PoC will cause crashes on Chrome and Chromium ASAN as well.

What is the expected behavior?

What went wrong?
At |CFFL_FormFiller::GetPDFWindow|, it invokes |ResetPDFWindow| and gets that call's return value as its own return value as well.
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_formfiller.cpp?sq=package:chromium&l=364

For example, |MyField3| is a TextField box, so it is defined here:
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_textfield.cpp?sq=package:chromium&l=235
It's trying to make a new |CPWL_Wnd|: destroy the old one at line 240, then make a new one at line 246, then call |UpdateField| <-- where the problems occur.

|UpdateField| is defined here:
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=324
It is responsible for updating fields on various pages. It calls |GetWidget| at
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=330
which invokes |GetPageView| at
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp?sq=package:chromium&l=110
|GetPageView| -> |GetPage| -> |Form_GetPage| (pdfium_engine) -> ... which later ends up at |OnLoad| |OnFormat| <-- we can run script here.

So what could we do at this place? We run:

    this.getField("MyField3").borderStyle = "dashed";
    this.getField("MyField3").setFocus();
    gc();

To trigger |GetPDFWindow|, we changed its borderStyle, so Age will change, then it calls |ResetPDFWindow| -> |DestroyPDFWindow|... after it's done, |UpdateField| returns back to |ResetPDFWindow| at
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_textfield.cpp?sq=package:chromium&l=248
but... the PDFWindow has been freed earlier. UAF occurs.

I would like to use `gc();` so you can see the crash on Chrome Mac OSX.

Did this work before? N/A

Chrome version: 58.0.3029.110
Channel: n/a
OS Version: OS X 10.12.5
Flash Version:
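As an added illustration (not pdfium's code, and not the change made in the fix CL), a minimal C++ model of the re-entrancy pattern the report describes: a reset routine destroys the old window, creates a new one, then hands control to an update step that can run script and re-enter the reset, after which the outer call returns a pointer that the nested call already freed. The names FormFiller, Window and on_format are hypothetical; the "freed" windows are retired into a list instead of deleted so the dangling pointer can be inspected without undefined behaviour, and the re-entrancy guard is one possible mitigation, not necessarily the one pdfium chose.

```cpp
#include <functional>
#include <memory>
#include <vector>
// "Freed" windows are parked here instead of deleted, so the example can
// inspect a dangling pointer without undefined behaviour (simulated free).
struct Window { bool alive = true; };
static std::vector<std::unique_ptr<Window>> g_freed;
struct FormFiller {
  Window* m_pWnd = nullptr;
  std::function<void(FormFiller&)> on_format;  // stands in for the OnFormat script
  bool in_reset = false;
  void DestroyWindow() {
    if (!m_pWnd) return;
    m_pWnd->alive = false;
    g_freed.emplace_back(m_pWnd);  // retire instead of delete
    m_pWnd = nullptr;
  }
  void UpdateField() { if (on_format) on_format(*this); }  // may run script
  // Vulnerable shape: cache the new window, then hand control to script.
  Window* ResetWindowBuggy() {
    DestroyWindow();
    Window* pWnd = new Window();
    m_pWnd = pWnd;
    UpdateField();   // a nested reset retires pWnd here
    return pWnd;     // dangling if UpdateField() re-entered the reset
  }
  // Hardened shape: refuse nested resets, return the window that survived.
  Window* ResetWindowFixed() {
    if (in_reset) return m_pWnd;   // re-entrancy guard
    in_reset = true;
    DestroyWindow();
    m_pWnd = new Window();
    UpdateField();
    in_reset = false;
    return m_pWnd;
  }
  ~FormFiller() { DestroyWindow(); }
};

// Script callback that re-enters the reset once, as the report's OnFormat path does.
static bool BuggyReturnsFreed() {
  FormFiller f; int depth = 0;
  f.on_format = [&](FormFiller& ff) { if (depth++ == 0) ff.ResetWindowBuggy(); };
  return !f.ResetWindowBuggy()->alive;
}
static bool FixedReturnsLive() {
  FormFiller f; int depth = 0;
  f.on_format = [&](FormFiller& ff) { if (depth++ == 0) ff.ResetWindowFixed(); };
  return f.ResetWindowFixed()->alive;
}
```

Under ASAN the real code would report the stale pointer at the point of use; here the alive flag plays that role.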
Jun 27 2017
This bug and the previous ones were found by code review though.
Jun 27 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6198274011955200.
Jun 28 2017
No UAFs for me on Linux with pdfium_test. Does this require the Chrome PDF Viewer?
Jun 28 2017
But regular Linux builds crash, so let me test with Chromium + ASAN.
Jun 28 2017
I'll add it to my queue. Can someone add the appropriate security flags?
Jul 12 2017
thestig: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2017
Hi folks, any updates? It's been nearly a month. Thanks.
Jul 19 2017
Ah, the assignee has been out for a few weeks. Let me see if I can take a stab at it in the meantime.
Jul 19 2017
CL at https://pdfium-review.googlesource.com/c/8350
Jul 19 2017
This is a nice bit of deductive work, by the way. The CL just hits it with a big hammer for the time being.
Jul 31 2017
Congratulations manhluat93.php@! The VRP Panel decided to award $5,000 for this report! A member of our finance team will be in touch to arrange for payment. *** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Aug 1 2017
Thank you for the bounty! Please credit to "Luật Nguyễn (@l4wio) of KeenLab, Tencent"; Regards.
Aug 5 2017
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 6 2017
+ awhalley@ (Security TPM) for M61 merge review.
Aug 7 2017
govind@ - good for 61
Aug 7 2017
Approving merge to M61 Chrome OS.
Aug 8 2017
77417ec9e already in chromium/3163 branch.
Aug 8 2017
Removing "Merge-Approved-61" label per comment #33.
Oct 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot