
Issue 756273

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 752796
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

Security: memory corruption in chrome_child!CPDF_Parser::ParseAndAppendCrossRefSubsectionData

Reported by kushal89...@gmail.com, Aug 17 2017

Issue description

VULNERABILITY DETAILS

Memory corruption triggered in Chrome.

The PoC has been tested on the latest Chrome Windows "asan" build, namely build 494880.

The build link has been shared in Step 1 of the "Reproduction Case" section.


VERSION

The latest "ASAN" build of Chrome, namely asan build 494880.

Operating System: Windows 7 SP1.

REPRODUCTION CASE

1) Download Windows chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-494880.zip?generation=1502921970918974&alt=media

2) Unzip the downloaded "asan" build.

3) Change directory to chrome.exe location.

4) Run the chrome binary against the PoC.pdf testcase file using the --no-sandbox flag.

5) Check the crash details in WinDbg. 


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

WinDbg output with disassembly view:

Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome.exe" --no-sandbox C:\Users\kshah\Desktop\fuzz-91.pdf
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00000000`001f0000 00000000`00eeb000   chrome.exe
ModLoad: 00000000`77a00000 00000000`77baa000   ntdll.dll
ModLoad: 00000000`77be0000 00000000`77d60000   ntdll32.dll
ModLoad: 00000000`751d0000 00000000`7520f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`75170000 00000000`751cc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`75160000 00000000`75168000   C:\Windows\SYSTEM32\wow64cpu.dll
(39d4.1d78): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77aa7980 cc              int     3
0:000> .symfix+; .reload /f; g
Reloading current modules
......
ModLoad: 00000000`778e0000 00000000`779ff000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76d00000 00000000`76e10000   WOW64_IMAGE_SECTION
ModLoad: 00000000`778e0000 00000000`779ff000   NOT_AN_IMAGE
ModLoad: 00000000`777e0000 00000000`778da000   NOT_AN_IMAGE
ModLoad: 00000000`76d00000 00000000`76e10000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76cb0000 00000000`76cf7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`55960000 00000000`55b5b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_elf.dll
ModLoad: 00000000`739b0000 00000000`739b9000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 00000000`76c00000 00000000`76cac000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76440000 00000000`764e1000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76f40000 00000000`76f59000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`76350000 00000000`76440000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75480000 00000000`754e0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75470000 00000000`7547c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`76bf0000 00000000`76bf5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 00000000`754e0000 00000000`7612c000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 00000000`77360000 00000000`773b7000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 00000000`76540000 00000000`765d0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`761d0000 00000000`762d0000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76f10000 00000000`76f1a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`76130000 00000000`761cd000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`73070000 00000000`730a2000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`72d50000 00000000`72da8000   C:\Windows\SysWOW64\WINHTTP.dll
ModLoad: 00000000`72d00000 00000000`72d50000   C:\Windows\SysWOW64\webio.dll
(39d4.1d78): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77c80ed4 cc              int     3
0:000:x86> g
ModLoad: 71d80000 71d83000   C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.DLL
ModLoad: 76990000 769f0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 765d0000 7669d000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 732e0000 7332c000   C:\Windows\SysWOW64\apphelp.dll

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 00000000`001f0000 00000000`00eeb000   chrome.exe
ModLoad: 00000000`77a00000 00000000`77baa000   ntdll.dll
ModLoad: 00000000`77be0000 00000000`77d60000   ntdll32.dll
ModLoad: 00000000`751d0000 00000000`7520f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`75170000 00000000`751cc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`75160000 00000000`75168000   C:\Windows\SYSTEM32\wow64cpu.dll
(5328.563c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77aa7980 cc              int     3
---Redacted output to keep comment size short---
3:044> g
ModLoad: 00000000`778e0000 00000000`779ff000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76f20000 00000000`76f32000   C:\Windows\syswow64\DEVOBJ.dll
ModLoad: 00000000`76d00000 00000000`76e10000   WOW64_IMAGE_SECTION
ModLoad: 00000000`778e0000 00000000`779ff000   NOT_AN_IMAGE
ModLoad: 00000000`740e0000 00000000`740ea000   C:\Windows\SysWOW64\slc.dll
ModLoad: 00000000`777e0000 00000000`778da000   NOT_AN_IMAGE
ModLoad: 00000000`71720000 00000000`71737000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 00000000`76d00000 00000000`76e10000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76cb0000 00000000`76cf7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`74090000 00000000`740a8000   C:\Windows\SysWOW64\dxva2.dll
ModLoad: 00000000`55960000 00000000`55b5b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_elf.dll
ModLoad: 00000000`53ab0000 00000000`53e3b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\D3DCompiler_47.dll
ModLoad: 00000000`739b0000 00000000`739b9000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 00000000`76c00000 00000000`76cac000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76440000 00000000`764e1000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76f40000 00000000`76f59000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`76350000 00000000`76440000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75480000 00000000`754e0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75470000 00000000`7547c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`76bf0000 00000000`76bf5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 00000000`754e0000 00000000`7612c000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 00000000`77360000 00000000`773b7000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 00000000`76540000 00000000`765d0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`761d0000 00000000`762d0000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76f10000 00000000`76f1a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`76130000 00000000`761cd000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`52710000 00000000`53aa3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\libglesv2.dll
ModLoad: 00000000`73070000 00000000`730a2000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`74960000 00000000`74b23000   C:\Windows\SysWOW64\d3d9.dll
ModLoad: 00000000`72d50000 00000000`72da8000   C:\Windows\SysWOW64\WINHTTP.dll
ModLoad: 00000000`74950000 00000000`74956000   C:\Windows\SysWOW64\d3d8thk.dll
ModLoad: 00000000`72d00000 00000000`72d50000   C:\Windows\SysWOW64\webio.dll
ModLoad: 00000000`72250000 00000000`72263000   C:\Windows\SysWOW64\dwmapi.dll
(1464.59b4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77c80ed4 cc              int     3
3:044:x86> g
ModLoad: 71d80000 71d83000   C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.DLL
ModLoad: 64e10000 64e3b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\libegl.dll
ModLoad: 76990000 769f0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 765d0000 7669d000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 71ec0000 71f0c000   C:\Windows\SysWOW64\dxgi.dll
ModLoad: 73e20000 73f95000   C:\Windows\SysWOW64\d3d11.dll
ModLoad: 61d50000 61d6c000   C:\Windows\SysWOW64\DXGIDebug.dll
ModLoad: 51eb0000 52705000   C:\Windows\SysWOW64\igd10iumd32.dll
ModLoad: 61400000 6142c000   C:\Windows\SysWOW64\d3d10_1.dll
ModLoad: 5f860000 5f8a1000   C:\Windows\SysWOW64\d3d10_1core.dll
ModLoad: 74270000 742a9000   C:\Windows\SysWOW64\ncrypt.dll
ModLoad: 6cce0000 6d586000   C:\Windows\SysWOW64\igdusc32.dll
ModLoad: 22b30000 22c8d000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 00000000`22f30000 00000000`2308d000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 00000000`690e0000 00000000`69250000   C:\Windows\SysWOW64\explorerframe.dll
ModLoad: 00000000`69770000 00000000`6979f000   C:\Windows\SysWOW64\DUser.dll
ModLoad: 00000000`69020000 00000000`690d2000   C:\Windows\SysWOW64\DUI70.dll
ModLoad: 00000000`56fb0000 00000000`56fdf000   C:\Windows\SysWOW64\shdocvw.dll
ModLoad: 00000000`236e0000 00000000`2432c000   C:\Windows\SysWOW64\shell32.dll
ModLoad: 00000000`750a0000 00000000`750a9000   C:\Windows\SysWOW64\LINKINFO.dll
ModLoad: 00000000`0f460000 00000000`2533c000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_child.dll
ModLoad: 00000000`76a80000 00000000`76bdd000   C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`770a0000 00000000`77131000   C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 00000000`76500000 00000000`76535000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 00000000`76be0000 00000000`76be6000   C:\Windows\syswow64\NSI.dll
ModLoad: 00000000`77340000 00000000`77357000   C:\Windows\syswow64\USERENV.dll
ModLoad: 00000000`76f00000 00000000`76f0b000   C:\Windows\syswow64\profapi.dll
ModLoad: 00000000`77170000 00000000`7719f000   C:\Windows\syswow64\WINTRUST.dll
ModLoad: 00000000`76f70000 00000000`77091000   C:\Windows\syswow64\CRYPT32.dll
ModLoad: 00000000`76970000 00000000`7697c000   C:\Windows\syswow64\MSASN1.dll
ModLoad: 00000000`762d0000 00000000`7634b000   C:\Windows\syswow64\COMDLG32.dll
ModLoad: 00000000`73350000 00000000`734ee000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
ModLoad: 00000000`55c00000 00000000`55d5d000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\dbghelp.dll
ModLoad: 00000000`64f20000 00000000`64f24000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 00000000`5ffd0000 00000000`600e8000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\ucrtbase.DLL
ModLoad: 00000000`64f10000 00000000`64f13000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-timezone-l1-1-0.dll
ModLoad: 00000000`64f00000 00000000`64f03000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l2-1-0.dll
ModLoad: 00000000`64ef0000 00000000`64ef3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-localization-l1-2-0.dll
ModLoad: 00000000`64ee0000 00000000`64ee3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-processthreads-l1-1-1.dll
ModLoad: 00000000`64ed0000 00000000`64ed3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l1-2-0.dll
ModLoad: 00000000`64ec0000 00000000`64ec3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 00000000`64eb0000 00000000`64eb4000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 00000000`64ea0000 00000000`64eb0000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-private-l1-1-0.dll
ModLoad: 00000000`75040000 00000000`75091000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 00000000`73dd0000 00000000`73dec000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 00000000`73dc0000 00000000`73dc7000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 00000000`73340000 00000000`73348000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 00000000`77690000 00000000`777db000   C:\Windows\syswow64\urlmon.dll
ModLoad: 00000000`76f60000 00000000`76f64000   C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 00000000`76980000 00000000`76984000   C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 00000000`77bb0000 00000000`77bb5000   C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 00000000`76e60000 00000000`76e64000   C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 00000000`76960000 00000000`76964000   C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 00000000`766a0000 00000000`766a3000   C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 00000000`764f0000 00000000`764f3000   C:\Windows\syswow64\normaliz.DLL
ModLoad: 00000000`773c0000 00000000`775f5000   C:\Windows\syswow64\iertutil.dll
ModLoad: 00000000`766b0000 00000000`7695b000   C:\Windows\syswow64\WININET.dll
ModLoad: 00000000`5fb20000 00000000`5fc56000   C:\Windows\SysWOW64\DWrite.dll

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 00000000`001f0000 00000000`00eeb000   chrome.exe
ModLoad: 00000000`77a00000 00000000`77baa000   ntdll.dll
ModLoad: 00000000`77be0000 00000000`77d60000   ntdll32.dll
ModLoad: 00000000`751d0000 00000000`7520f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`75170000 00000000`751cc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`75160000 00000000`75168000   C:\Windows\SYSTEM32\wow64cpu.dll
(3e74.3484): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77aa7980 cc              int     3
4:089> g
ModLoad: 00000000`778e0000 00000000`779ff000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76d00000 00000000`76e10000   WOW64_IMAGE_SECTION
ModLoad: 00000000`73160000 00000000`73165000   C:\Windows\SysWOW64\wshtcpip.dll
ModLoad: 00000000`778e0000 00000000`779ff000   NOT_AN_IMAGE
ModLoad: 00000000`731b0000 00000000`731c7000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 00000000`777e0000 00000000`778da000   NOT_AN_IMAGE
ModLoad: 00000000`76d00000 00000000`76e10000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76cb0000 00000000`76cf7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`55960000 00000000`55b5b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_elf.dll
ModLoad: 00000000`739b0000 00000000`739b9000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 00000000`76c00000 00000000`76cac000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76440000 00000000`764e1000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76f40000 00000000`76f59000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`76350000 00000000`76440000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75480000 00000000`754e0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75470000 00000000`7547c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`723e0000 00000000`7241b000   C:\Windows\SysWOW64\rsaenh.dll
ModLoad: 00000000`76bf0000 00000000`76bf5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 00000000`754e0000 00000000`7612c000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 00000000`716e0000 00000000`7171d000   C:\Windows\SysWOW64\bcryptprimitives.dll
ModLoad: 00000000`77360000 00000000`773b7000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 00000000`76540000 00000000`765d0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`761d0000 00000000`762d0000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76f10000 00000000`76f1a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`76130000 00000000`761cd000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`73070000 00000000`730a2000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`72d50000 00000000`72da8000   C:\Windows\SysWOW64\WINHTTP.dll
ModLoad: 00000000`72d00000 00000000`72d50000   C:\Windows\SysWOW64\webio.dll
(3e74.3484): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77c80ed4 cc              int     3
4:089:x86> g
ModLoad: 00000000`71d80000 00000000`71d83000   C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.DLL
ModLoad: 00000000`76990000 00000000`769f0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 00000000`765d0000 00000000`7669d000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 00000000`740b0000 00000000`740cd000   C:\Windows\SysWOW64\cryptnet.dll
ModLoad: 00000000`0f460000 00000000`2533c000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_child.dll
ModLoad: 00000000`76a80000 00000000`76bdd000   C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`770a0000 00000000`77131000   C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 00000000`76500000 00000000`76535000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 00000000`76be0000 00000000`76be6000   C:\Windows\syswow64\NSI.dll
ModLoad: 00000000`77340000 00000000`77357000   C:\Windows\syswow64\USERENV.dll
ModLoad: 00000000`76f00000 00000000`76f0b000   C:\Windows\syswow64\profapi.dll
ModLoad: 00000000`77170000 00000000`7719f000   C:\Windows\syswow64\WINTRUST.dll
ModLoad: 00000000`76f70000 00000000`77091000   C:\Windows\syswow64\CRYPT32.dll
ModLoad: 00000000`76970000 00000000`7697c000   C:\Windows\syswow64\MSASN1.dll
ModLoad: 00000000`762d0000 00000000`7634b000   C:\Windows\syswow64\COMDLG32.dll
ModLoad: 00000000`73350000 00000000`734ee000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
ModLoad: 00000000`55c00000 00000000`55d5d000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\dbghelp.dll
ModLoad: 00000000`64f20000 00000000`64f24000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 00000000`5ffd0000 00000000`600e8000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\ucrtbase.DLL
ModLoad: 00000000`64f10000 00000000`64f13000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-timezone-l1-1-0.dll
ModLoad: 00000000`64f00000 00000000`64f03000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l2-1-0.dll
ModLoad: 00000000`64ef0000 00000000`64ef3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-localization-l1-2-0.dll
ModLoad: 00000000`64ee0000 00000000`64ee3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-processthreads-l1-1-1.dll
ModLoad: 00000000`64ed0000 00000000`64ed3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l1-2-0.dll
ModLoad: 00000000`64ec0000 00000000`64ec3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 00000000`64eb0000 00000000`64eb4000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 00000000`64ea0000 00000000`64eb0000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-private-l1-1-0.dll
ModLoad: 00000000`75040000 00000000`75091000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 00000000`73dd0000 00000000`73dec000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 00000000`73dc0000 00000000`73dc7000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 00000000`73340000 00000000`73348000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 00000000`77690000 00000000`777db000   C:\Windows\syswow64\urlmon.dll
ModLoad: 00000000`76f60000 00000000`76f64000   C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 00000000`76980000 00000000`76984000   C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 00000000`77bb0000 00000000`77bb5000   C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 00000000`76e60000 00000000`76e64000   C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 00000000`76960000 00000000`76964000   C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 00000000`766a0000 00000000`766a3000   C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 00000000`764f0000 00000000`764f3000   C:\Windows\syswow64\normaliz.DLL
ModLoad: 00000000`773c0000 00000000`775f5000   C:\Windows\syswow64\iertutil.dll
ModLoad: 00000000`766b0000 00000000`7695b000   C:\Windows\syswow64\WININET.dll
ModLoad: 00000000`5fb20000 00000000`5fc56000   C:\Windows\SysWOW64\DWrite.dll

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 00000000`001f0000 00000000`00eeb000   chrome.exe
ModLoad: 00000000`77a00000 00000000`77baa000   ntdll.dll
ModLoad: 00000000`77be0000 00000000`77d60000   ntdll32.dll
ModLoad: 00000000`751d0000 00000000`7520f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`75170000 00000000`751cc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`75160000 00000000`75168000   C:\Windows\SYSTEM32\wow64cpu.dll
(4d34.489c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77aa7980 cc              int     3
5:112> g
ModLoad: 00000000`778e0000 00000000`779ff000   WOW64_IMAGE_SECTION
ModLoad: 00000000`76d00000 00000000`76e10000   WOW64_IMAGE_SECTION
ModLoad: 00000000`778e0000 00000000`779ff000   NOT_AN_IMAGE
ModLoad: 00000000`777e0000 00000000`778da000   NOT_AN_IMAGE
ModLoad: 00000000`76d00000 00000000`76e10000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76cb0000 00000000`76cf7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`55960000 00000000`55b5b000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_elf.dll
ModLoad: 00000000`739b0000 00000000`739b9000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 00000000`76c00000 00000000`76cac000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76440000 00000000`764e1000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76f40000 00000000`76f59000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`76350000 00000000`76440000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75480000 00000000`754e0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75470000 00000000`7547c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`76bf0000 00000000`76bf5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 00000000`754e0000 00000000`7612c000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 00000000`77360000 00000000`773b7000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 00000000`76540000 00000000`765d0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`761d0000 00000000`762d0000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76f10000 00000000`76f1a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`76130000 00000000`761cd000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`73070000 00000000`730a2000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 00000000`72d50000 00000000`72da8000   C:\Windows\SysWOW64\WINHTTP.dll
ModLoad: 00000000`72d00000 00000000`72d50000   C:\Windows\SysWOW64\webio.dll
(4d34.489c): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77c80ed4 cc              int     3
5:112:x86> g
ModLoad: 71d80000 71d83000   C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.DLL
ModLoad: 76990000 769f0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 765d0000 7669d000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 0f460000 2533c000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_child.dll
ModLoad: 76a80000 76bdd000   C:\Windows\syswow64\ole32.dll
ModLoad: 770a0000 77131000   C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 76500000 76535000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 76be0000 76be6000   C:\Windows\syswow64\NSI.dll
ModLoad: 77340000 77357000   C:\Windows\syswow64\USERENV.dll
ModLoad: 76f00000 76f0b000   C:\Windows\syswow64\profapi.dll
ModLoad: 77170000 7719f000   C:\Windows\syswow64\WINTRUST.dll
ModLoad: 76f70000 77091000   C:\Windows\syswow64\CRYPT32.dll
ModLoad: 76970000 7697c000   C:\Windows\syswow64\MSASN1.dll
ModLoad: 762d0000 7634b000   C:\Windows\syswow64\COMDLG32.dll
ModLoad: 73350000 734ee000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
ModLoad: 55c00000 55d5d000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\dbghelp.dll
ModLoad: 64f20000 64f24000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 5ffd0000 600e8000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\ucrtbase.DLL
ModLoad: 64f10000 64f13000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-timezone-l1-1-0.dll
ModLoad: 64f00000 64f03000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l2-1-0.dll
ModLoad: 64ef0000 64ef3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-localization-l1-2-0.dll
ModLoad: 64ee0000 64ee3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-processthreads-l1-1-1.dll
ModLoad: 64ed0000 64ed3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-core-file-l1-2-0.dll
ModLoad: 64ec0000 64ec3000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 64eb0000 64eb4000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 64ea0000 64eb0000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\api-ms-win-crt-private-l1-1-0.dll
ModLoad: 75040000 75091000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 73dd0000 73dec000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 73dc0000 73dc7000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 73340000 73348000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 77690000 777db000   C:\Windows\syswow64\urlmon.dll
ModLoad: 76f60000 76f64000   C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 76980000 76984000   C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 77bb0000 77bb5000   C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 76e60000 76e64000   C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 76960000 76964000   C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 766a0000 766a3000   C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 764f0000 764f3000   C:\Windows\syswow64\normaliz.DLL
ModLoad: 773c0000 775f5000   C:\Windows\syswow64\iertutil.dll
ModLoad: 766b0000 7695b000   C:\Windows\syswow64\WININET.dll
ModLoad: 5fb20000 5fc56000   C:\Windows\SysWOW64\DWrite.dll
ModLoad: 00000000`74430000 00000000`745c1000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23807_none_5c02a265a011fb02\GDIPLUS.DLL
ModLoad: 00000000`724f0000 00000000`72570000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 00000000`61ae0000 00000000`61b21000   C:\Program Files (x86)\TeamViewer\tv_w32.dll
ModLoad: 00000000`0a260000 00000000`0a370000   C:\Windows\SysWOW64\kernel32.dll
ModLoad: 00000000`0a090000 00000000`0a131000   C:\Windows\SysWOW64\advapi32.dll
(4d34.489c): C++ EH exception - code e06d7363 (first chance)
(4d34.489c): C++ EH exception - code e06d7363 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
5:112> g
WARNING: Continuing a non-continuable exception
(4d34.489c): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-494880\asan-coverage-win32-release-494880\chrome_child.dll
chrome_child!std::_Xlength_error+0x1f:
1f25e5bb cc              int     3
5:112:x86> g
(4d34.489c): C++ EH exception - code e06d7363 (first chance)
(4d34.489c): C++ EH exception - code e06d7363 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
5:112> g
WARNING: Continuing a non-continuable exception
(4d34.489c): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_child!std::_Xout_of_range+0x1f:
1f25e5db cc              int     3
5:112:x86> g
(4d34.489c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_child!std::out_of_range::`vftable':
21d01608 af              scas    dword ptr es:[edi]   es:002b:00000000=????????
5:112:x86> g
(4d34.489c): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
5:112> r
rax=00000000fffdb000 rbx=000000000013e410 rcx=000000000013cce0
rdx=0000000000000000 rsi=00000000751d86cb rdi=0000000000000000
rip=00000000751dcb49 rsp=000000000013d1c0 rbp=000000000013d680
 r8=000000000013d1a8  r9=000000000013d680 r10=0000000000000000
r11=0000000000000246 r12=000000000013db80 r13=000000000013fd00
r14=000000000013e410 r15=ffffffffffffffff
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000204
wow64!Wow64NotifyDebugger+0x1d:
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
5:112> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00000000`751dcc6a : 00000000`0013d210 00000000`0001007f 00000000`00000000 00000000`00000003 : wow64!Wow64NotifyDebugger+0x1d
01 00000000`751dce4a : 00000000`0001007f 00000000`fffdb000 00000000`0105cd38 00000000`00000003 : wow64!HandleRaiseException+0xee
02 00000000`751f6c2d : 00000000`0105ccdc 00000000`fffdb000 00000000`fffdd000 00000000`736ea332 : wow64!Wow64NtRaiseException+0x132
03 00000000`751dd18f : ffffffff`00000000 00000000`0105c968 00000000`fffdb000 00000000`fffdd000 : wow64!whNtRaiseException+0x15
04 00000000`75162776 : 00000000`76cbc54f 00000000`751d0023 00000000`00000246 00000000`0105d0f4 : wow64!Wow64SystemServiceEx+0xd7
05 00000000`751dd286 : 00000000`00000000 00000000`75161920 00000000`77b103c8 00000000`77a2cce1 : wow64cpu!ServiceNoTurbo+0x2d
06 00000000`751dc69e : 00000000`00000000 00000000`00000000 00000000`751d4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
07 00000000`77a3fb96 : 00000000`01234d00 00000000`00000000 00000000`77b2d670 00000000`77b00910 : wow64!Wow64LdrpInitialize+0x42a
08 00000000`77a9bd09 : 00000000`00000000 00000000`77a3f3b1 00000000`0013f0f0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
09 00000000`77a2a36e : 00000000`0013f0f0 00000000`00000000 00000000`fffdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x22a30
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
5:112> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12030.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
chrome_child!std::out_of_range::`vftable'+0
00000000`21d01608 af              scas    dword ptr [rdi]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000021d01608 (chrome_child!std::out_of_range::`vftable')
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000021d01608
Attempt to execute non-executable address 0000000021d01608

FAULTING_THREAD:  0000489c

PROCESS_NAME:  chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000008

EXCEPTION_PARAMETER2:  0000000021d01608

WRITE_ADDRESS:  0000000021d01608 

FOLLOWUP_IP: 
wow64!Wow64NotifyDebugger+1d
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h]

FAILED_INSTRUCTION_ADDRESS: 
chrome_child!std::out_of_range::`vftable'+0
00000000`21d01608 af              scas    dword ptr [rdi]

WATSON_BKT_PROCSTAMP:  5994c3a2

WATSON_BKT_PROCVER:  62.0.3188.0

PROCESS_VER_PRODUCT:  Chromium

WATSON_BKT_MODULE:  chrome_child.dll

WATSON_BKT_MODSTAMP:  5994c31f

WATSON_BKT_MODOFFSET:  128a1608

WATSON_BKT_MODVER:  62.0.3188.0

MODULE_VER_PRODUCT:  Chromium

BUILD_VERSION_STRING:  6.1.7601.23864 (win7sp1_ldr.170707-0600)

MODLIST_WITH_TSCHKSUM_HASH:  83f89336c39b64bfa3df313a4956376852a0acc2

MODLIST_SHA1_HASH:  c290b815e94ccb7f0f35af1bbc88b878f1b0c30b

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

APP:  chrome.exe

ANALYSIS_SESSION_HOST:  FGT-KSHAH

ANALYSIS_SESSION_TIME:  08-16-2017 16:48:23.0645

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER:  from 00000000751dcc6a to 00000000751dcb49

THREAD_ATTRIBUTES: 
THREAD_SHA1_HASH_MOD_FUNC:  8378d5936eddf9ad8ec4dd49814a5c4ad33f7599

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e49f43dc937d92dc69915f3b25dcef05c3ae4df4

OS_LOCALE:  ENU

PROBLEM_CLASSES: 



SOFTWARE_NX_FAULT
    Tid    [0x489c]
    Frame  [0x00]: wow64!Wow64NotifyDebugger



CODE
    Tid    [0x489c]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing



EXPLOITABLE
    Tid    [0x489c]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing

EXPLOITABLE
    Tid    [0x489c]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing



AFTER_CALL
    Tid    [0x489c]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing


BUGCHECK_STR:  SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE

STACK_TEXT:  
00000000`0013d1c0 00000000`751dcb49 wow64!Wow64NotifyDebugger+0x1d
00000000`0013d1f0 00000000`751dcc6a wow64!HandleRaiseException+0xee
00000000`0013d6d0 00000000`751dce4a wow64!Wow64NtRaiseException+0x132
00000000`0013dbf0 00000000`751f6c2d wow64!whNtRaiseException+0x15
00000000`0013dc20 00000000`751dd18f wow64!Wow64SystemServiceEx+0xd7
00000000`0013e4e0 00000000`75162776 wow64cpu!ServiceNoTurbo+0x2d
00000000`0013e5a0 00000000`751dd286 wow64!RunCpuSimulation+0xa
00000000`0013e5f0 00000000`751dc69e wow64!Wow64LdrpInitialize+0x42a
00000000`0013eb40 00000000`77a3fb96 ntdll!LdrpInitializeProcess+0x17e3
00000000`0013f030 00000000`77a9bd09 ntdll! ?? ::FNODOBFM::`string'+0x22a30
00000000`0013f0a0 00000000`77a2a36e ntdll!LdrInitializeThunk+0xe


STACK_COMMAND:  .ecxr ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dps 13d1c0 ; kb

THREAD_SHA1_HASH_MOD:  9c076e709c4fae2a87d501f3ee08d9f359faca98

FAULT_INSTR_CODE:  1c8b4c65

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  wow64!Wow64NotifyDebugger+1d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wow64

IMAGE_NAME:  wow64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  595fa993

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE_c0000005_wow64.dll!Wow64NotifyDebugger

BUCKET_ID:  X64_SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE_BAD_IP_wow64!Wow64NotifyDebugger+1d

PRIMARY_PROBLEM_CLASS:  X64_SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE_BAD_IP_wow64!Wow64NotifyDebugger+1d

BUCKET_ID_OFFSET:  1d

BUCKET_ID_MODULE_STR:  wow64

BUCKET_ID_MODTIMEDATESTAMP:  595fa993

BUCKET_ID_MODCHECKSUM:  42c3e

BUCKET_ID_MODVER_STR:  6.1.7601.23864

BUCKET_ID_PREFIX_STR:  X64_SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE_BAD_IP_

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_EXPLOITABLE_AFTER_CALL_CODE

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  wow64.dll

FAILURE_FUNCTION_NAME:  Wow64NotifyDebugger

BUCKET_ID_FUNCTION_STR:  Wow64NotifyDebugger

FAILURE_SYMBOL_NAME:  wow64.dll!Wow64NotifyDebugger

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome.exe/62.0.3188.0/5994c3a2/chrome_child.dll/62.0.3188.0/5994c31f/c0000005/128a1608.htm?Retriage=1

TARGET_TIME:  2017-08-16T23:48:24.000Z

OSBUILD:  7601

OSSERVICEPACK:  1

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt (Service Pack 1) SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-07-07 08:13:57

BUILDDATESTAMP_STR:  170707-0600

BUILDLAB_STR:  win7sp1_ldr

BUILDOSVER_STR:  6.1.7601.23864

ANALYSIS_SESSION_ELAPSED_TIME: 3e01

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_exploitable_after_call_code_c0000005_wow64.dll!wow64notifydebugger

FAILURE_ID_HASH:  {cec69cdc-9801-e92f-235f-c85ba136be7d}

Followup:     MachineOwner
---------

5:112> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x21d01608
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0xe56b743a.0x1e246c9f

 Hash Usage : Stack Trace:
Major+Minor : wow64!Wow64NotifyDebugger+0x1d
Major+Minor : wow64!HandleRaiseException+0xee
Major+Minor : wow64!Wow64NtRaiseException+0x132
Major+Minor : wow64!whNtRaiseException+0x15
Major+Minor : wow64!Wow64SystemServiceEx+0xd7
Minor       : wow64cpu!ServiceNoTurbo+0x2d
Minor       : wow64!RunCpuSimulation+0xa
Minor       : wow64!Wow64LdrpInitialize+0x42a
Minor       : ntdll!LdrpInitializeProcess+0x17e3
Minor       : ntdll! ?? ::FNODOBFM::`string'+0x22a30
Minor       : ntdll!LdrInitializeThunk+0xe
Instruction Address: 0x00000000751dcb49

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d (Hash=0xe56b743a.0x1e246c9f)

User mode DEP access violations are exploitable.

Disassembly View:
00000000`751dcb24 cc              int     3
00000000`751dcb25 cc              int     3
00000000`751dcb26 cc              int     3
00000000`751dcb27 cc              int     3
00000000`751dcb28 cc              int     3
00000000`751dcb29 cc              int     3
00000000`751dcb2a cc              int     3
00000000`751dcb2b cc              int     3
wow64!Wow64NotifyDebugger:
00000000`751dcb2c 4883ec28        sub     rsp,28h
00000000`751dcb30 65488b042530000000 mov   rax,qword ptr gs:[30h]
00000000`751dcb39 48c7809014000004000000 mov qword ptr [rax+1490h],4
00000000`751dcb44 e85fbbffff      call    wow64!Wow64NotifyDebuggerHelper (00000000`751d86a8)
00000000`751dcb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
00000000`751dcb52 4983a39014000000 and     qword ptr [r11+1490h],0
00000000`751dcb5a b001            mov     al,1
00000000`751dcb5c eb13            jmp     wow64!Wow64NotifyDebugger+0x45 (00000000`751dcb71)
00000000`751dcb5e 65488b042530000000 mov   rax,qword ptr gs:[30h]
00000000`751dcb67 4883a09014000000 and     qword ptr [rax+1490h],0
00000000`751dcb6f 32c0            xor     al,al
00000000`751dcb71 4883c428        add     rsp,28h
00000000`751dcb75 c3              ret
00000000`751dcb76 cc              int     3
00000000`751dcb77 cc              int     3
00000000`751dcb78 cc              int     3
00000000`751dcb79 cc              int     3
 

Comment 1 by ClusterFuzz, Aug 17 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5220941906051072.

Comment 2 by ClusterFuzz, Aug 17 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5635448260263936.

Comment 3 by wfh@chromium.org, Aug 17 2017

Components: Internals>Plugins>PDF
Labels: Pri-1
Summary: Security: memory corruption in chrome_child!CPDF_Parser::ParseAndAppendCrossRefSubsectionData (was: Security: Google Chrome Memory Corruption Vulnerability)
I can repro on 62.0.3188.0 asan. Here is a stack:

00 006fca8c 74bbdbe8 chrome!__asan_wrap_RtlRaiseException+0x2a [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc @ 97]
01 006fcaf4 1f8c56cc KERNELBASE!RaiseException+0x48
02 006fcb38 1f8be5bb chrome_child!_CxxThrowException+0x65 [f:\dd\vctools\crt\vcruntime\src\eh\throw.cpp @ 131]
03 006fcb54 19b5c305 chrome_child!std::_Xlength_error+0x1f [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 20]
04 (Inline) -------- chrome_child!std::vector+0xf [c:\b\c\win_toolchain\vs_files\f53e4598951162bad6330f7a167486c7ae5db1e5\vc\include\vector @ 707]
05 006fcb74 19b49074 chrome_child!std::vector<CPDF_Parser::CrossRefObjData,std::allocator<CPDF_Parser::CrossRefObjData> >::_Reserve+0x147
06 006fcb94 19b484a4 chrome_child!std::vector<CPDF_Parser::CrossRefObjData,std::allocator<CPDF_Parser::CrossRefObjData> >::resize+0x9c [c:\b\c\win_toolchain\vs_files\f53e4598951162bad6330f7a167486c7ae5db1e5\vc\include\vector @ 1138]
07 006fcc6c 19b49544 chrome_child!CPDF_Parser::ParseAndAppendCrossRefSubsectionData+0xde [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 480]
08 006fcd70 19b46310 chrome_child!CPDF_Parser::ParseCrossRefV4+0x30e [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 564]
09 006fceac 19b3ef1b chrome_child!CPDF_Parser::LoadCrossRefV4+0x330 [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 583]
0a 006fd114 19b3d943 chrome_child!CPDF_Parser::LoadAllCrossRefV4+0xcd5 [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 389]
0b 006fd25c 19b3d539 chrome_child!CPDF_Parser::StartParseInternal+0x3ef [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 206]
0c 006fd270 19a602df chrome_child!CPDF_Parser::StartParse+0x3b [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\core\fpdfapi\parser\cpdf_parser.cpp @ 183]
0d 006fd318 19a60a66 chrome_child!`anonymous namespace'::LoadDocumentImpl+0x148 [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 287]
0e 006fd3a8 19a047a0 chrome_child!FPDF_LoadCustomDocument+0x13d [C:\b\c\b\win_asan_release_coverage\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 627]
0f 006fd3d0 199ea1f7 chrome_child!chrome_pdf::PDFiumEngine::TryLoadingDoc+0x24a [C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc @ 2826]
10 006fd4d8 19a47aa6 chrome_child!chrome_pdf::PDFiumEngine::LoadDocument+0x21f [C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc @ 2798]
11 006fd5f8 19a49052 chrome_child!chrome_pdf::DocumentLoader::DidRead+0x1b0 [C:\b\c\b\win_asan_release_coverage\src\pdf\document_loader.cc @ 443]
12 (Inline) -------- chrome_child!pp::CompletionCallbackFactory+0x41 [C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h @ 205]
13 006fd610 16ec897b chrome_child!pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader,pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader,pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::DocumentLoader::*)(int) __attribute__((thiscall))> >::Thunk+0xa0 [C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h @ 584]
14 (Inline) -------- chrome_child!PP_RunCompletionCallback+0x31 [C:\b\c\b\win_asan_release_coverage\src\ppapi\c\pp_completion_callback.h @ 240]
15 (Inline) -------- chrome_child!ppapi::CallWhileUnlocked+0x36 [C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\proxy_lock.h @ 135]
16 006fd6c8 18a37c5a chrome_child!ppapi::TrackedCallback::Run+0x347 [C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\tracked_callback.cc @ 135]
17 (Inline) -------- chrome_child!ppapi::proxy::URLLoaderResource::RunCallback+0x72 [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\url_loader_resource.cc @ 361]
18 006fd6f0 18a37256 chrome_child!ppapi::proxy::URLLoaderResource::OnPluginMsgFinishedLoading+0x12a [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\url_loader_resource.cc @ 307]
19 (Inline) -------- chrome_child!ppapi::proxy::DispatchResourceReplyImpl+0x2b [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\dispatch_reply_message.h @ 32]
1a (Inline) -------- chrome_child!ppapi::proxy::DispatchResourceReply+0x2b [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\dispatch_reply_message.h @ 45]
1b 006fd8c4 188fa589 chrome_child!ppapi::proxy::URLLoaderResource::OnReplyReceived+0x35a [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\url_loader_resource.cc @ 245]
1c 006fd8e0 188fb17e chrome_child!ppapi::proxy::PluginMessageFilter::DispatchResourceReply+0xb7 [C:\b\c\b\win_asan_release_coverage\src\ppapi\proxy\plugin_message_filter.cc @ 116]
1d (Inline) -------- chrome_child!base::internal::FunctorTraits+0x4 [C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h @ 150]
1e (Inline) -------- chrome_child!base::internal::InvokeHelper+0x19 [C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h @ 264]
1f (Inline) -------- chrome_child!base::internal::Invoker+0x19 [C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h @ 338]
20 006fd8f4 138ab6d5 chrome_child!base::internal::Invoker<base::internal::BindState<void (*)(const ppapi::proxy::ResourceMessageReplyParams &, const IPC::Message &),ppapi::proxy::ResourceMessageReplyParams,IPC::Message>,void ()>::Run+0x30 [C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h @ 318]
21 (Inline) -------- chrome_child!base::Callback+0x44 [C:\b\c\b\win_asan_release_coverage\src\base\callback.h @ 91]
22 006fdb70 1378edc4 chrome_child!base::debug::TaskAnnotator::RunTask+0x525 [C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc @ 57]
23 006fddb4 1378fd79 chrome_child!base::MessageLoop::RunTask+0xaf4 [C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc @ 411]
24 006fddd0 137908e4 chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x119 [C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc @ 421]
25 006fdf5c 1396b8e5 chrome_child!base::MessageLoop::DoWork+0x4e4 [C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc @ 528]
26 006fdf84 1378daf1 chrome_child!base::MessagePumpDefault::Run+0x205 [C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc @ 33]
27 006fdf98 1382705d chrome_child!base::MessageLoop::Run+0x51 [C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc @ 351]
28 006fe058 13139e47 chrome_child!base::RunLoop::Run+0x10d [C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc @ 124]
29 006fe5b4 135fb162 chrome_child!content::PpapiPluginMain+0xb4b [C:\b\c\b\win_asan_release_coverage\src\content\ppapi_plugin\ppapi_plugin_main.cc @ 157]
2a 006fe80c 135fc9bf chrome_child!content::RunNamedProcessTypeMain+0x3be [C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc @ 408]
2b 006fe938 13616810 chrome_child!content::ContentMainRunnerImpl::Run+0x305 [C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc @ 690]
2c 006fed94 135fad1d chrome_child!service_manager::Main+0x84a [C:\b\c\b\win_asan_release_coverage\src\services\service_manager\embedder\main.cc @ 469]
2d 006fee54 0fac12c7 chrome_child!content::ContentMain+0xb9 [C:\b\c\b\win_asan_release_coverage\src\content\app\content_main.cc @ 19]
2e 006fef88 00a5c0fd chrome_child!ChromeMain+0x2c7 [C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_main.cc @ 125]
2f 006ff18c 00a51f5e chrome!MainDllLoader::Launch+0x46d [C:\b\c\b\win_asan_release_coverage\src\chrome\app\main_dll_loader_win.cc @ 199]
30 006ff7bc 00e63f5b chrome!main+0xf5e [C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_exe_main_win.cc @ 276]
31 (Inline) -------- chrome!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 64]
32 006ff804 74c938f4 chrome!__scrt_common_main_seh+0xf9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
33 006ff818 77515de3 KERNEL32!BaseThreadInitThunk+0x24
34 006ff860 77515dae ntdll!__RtlUserThreadStart+0x2f
35 006ff870 00000000 ntdll!_RtlUserThreadStart+0x1b

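The stack in comment 3 ends in std::vector::resize throwing std::length_error from inside the cross-reference subsection parser. As an added illustration written for this page (my own toy code, not pdfium's parser and not the fix referenced under 752796), the C++ below reproduces that failure mode on a classic xref subsection and shows the bound a defender wants on a count read from the file before it sizes a container; CrossRefObjData here is a hypothetical stand-in for the struct named in the stack, and both sample inputs are constructed.

```cpp
// Toy parser for a classic PDF cross-reference subsection: "<start> <count>"
// then <count> fixed-width 20-byte entries, each "oooooooooo ggggg n" plus a
// 2-byte EOL (10-digit offset, 5-digit generation, 'n' in use / 'f' free).
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

struct CrossRefObjData {  // hypothetical stand-in for the struct in the stack
  size_t obj_num = 0;
  uint64_t offset = 0;
  bool in_use = false;
};

enum class ParseStatus { kOk, kBadHeader, kCountTooLarge, kTruncated, kBadEntry };

constexpr size_t kEntrySize = 20;

static void SkipWhitespace(const std::string& data, size_t& pos) {
  pos = data.find_first_not_of(" \r\n", pos);
  if (pos == std::string::npos) pos = data.size();
}

// Reads an unsigned decimal at data[pos], advancing pos; false on no digits or
// on size_t overflow, so an oversized count is rejected rather than wrapped.
static bool ReadUnsigned(const std::string& data, size_t& pos, size_t* value) {
  size_t v = 0;
  const size_t begin = pos;
  for (; pos < data.size() && data[pos] >= '0' && data[pos] <= '9'; ++pos) {
    const size_t digit = static_cast<size_t>(data[pos] - '0');
    if (v > (SIZE_MAX - digit) / 10) return false;
    v = v * 10 + digit;
  }
  *value = v;
  return pos != begin;
}

// Decodes one 20-byte entry at e into d (offset digits and the n/f type byte).
static bool ParseEntry(const char* e, CrossRefObjData* d) {
  d->offset = 0;
  for (int k = 0; k < 10; ++k) {
    if (e[k] < '0' || e[k] > '9') return false;
    d->offset = d->offset * 10 + static_cast<uint64_t>(e[k] - '0');
  }
  if (e[17] != 'n' && e[17] != 'f') return false;
  d->in_use = (e[17] == 'n');
  return true;
}

// With bound_count == false this is the unchecked pattern: the vector is
// sized from a count taken straight from the file. A count above max_size()
// makes resize() throw std::length_error, the resize -> _Reserve ->
// _Xlength_error chain in the stack above; with exceptions disabled, as in
// Chromium, that throw is a fatal abort. With bound_count == true the count
// is first bounded by the entries the remaining input can physically hold.
ParseStatus ParseSubsection(const std::string& data, bool bound_count,
                            std::vector<CrossRefObjData>* out) {
  size_t pos = 0, start = 0, count = 0;
  SkipWhitespace(data, pos);
  if (!ReadUnsigned(data, pos, &start)) return ParseStatus::kBadHeader;
  SkipWhitespace(data, pos);
  if (!ReadUnsigned(data, pos, &count)) return ParseStatus::kBadHeader;
  SkipWhitespace(data, pos);
  if (bound_count && (count > (data.size() - pos) / kEntrySize ||
                      start > SIZE_MAX - count)) {
    return ParseStatus::kCountTooLarge;
  }
  out->resize(count);
  for (size_t i = 0; i < count; ++i, pos += kEntrySize) {
    if (data.size() - pos < kEntrySize) return ParseStatus::kTruncated;
    if (!ParseEntry(data.data() + pos, &(*out)[i])) return ParseStatus::kBadEntry;
    (*out)[i].obj_num = start + i;
  }
  return ParseStatus::kOk;
}

// Demo helper: true if the unchecked parse throws std::length_error on data.
bool UncheckedThrows(const std::string& data) {
  std::vector<CrossRefObjData> objs;
  try {
    ParseSubsection(data, /*bound_count=*/false, &objs);
  } catch (const std::length_error&) {
    return true;
  }
  return false;
}

// Constructed sample inputs (not the PoC from the report).
const std::string kGoodSubsection =
    "0 2\n0000000000 65535 f\r\n0000000017 00000 n\r\n";
const std::string kHostileSubsection =
    "0 18446744073709551615\n0000000017 00000 n\r\n";
```
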
Comment 4 by wfh@chromium.org, Aug 17 2017

Cc: tsepez@chromium.org
Owner: thestig@chromium.org
Status: Available (was: Unconfirmed)
looks like 752796 which is already fixed. will let thestig@ decide....

Comment 5 by wfh@chromium.org, Aug 17 2017

p.s. no need to run with --no-sandbox if you attach the debugger to the child process. p.s. instead of doing a 'g' after the crash do a 'k' to get a stack trace - also the report ended up running !exploitable analysis on the debugbreak...
Mergedinto: 752796
Status: Duplicate (was: Available)
ClusterFuzz found this over a week ago.
Hello @thestig, @wfh, Google Product Security Team,

Good Evening.

I had two questions with respect to this Vulnerability. They are as follows: -

1. In c#3, @wfh states "I can repro on 62.0.3188.0 asan.", BUT in c#4 @wfh states "looks like crbug.com/752796 which is already fixed". How can something which is already fixed, be reproducible still? I failed to understand that.

2. Since this report has been marked as a duplicate to crbug.com/752796 as seen in c#6, could you kindly allow me access to report 752796 for transparency?

Eagerly awaiting your response in earnest.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Security Researcher | Fortinet's FortiGuard Labs.

Comment 8 by wfh@chromium.org, Aug 18 2017

re: #7 The fix landed before 3188 branched but after rev 494880 which is the rev I tested... and was still tagged 3188. Try testing this again on head revision or tomorrow's 3189.
Hello @wfh, Google Product Security Team,

Good Afternoon.

Could you kindly allow me access to crbug.com/752796 for some sort of transparency as requested in c#7 ???

Also I will be checking the Vulnerability on 3189 shortly and revert thereafter.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Security Researcher | Fortinet's FortiGuard Labs.
Hi Kushal,

Though it's not always possible, in this case I'll add you to crbug.com/752796.

Of course we always appreciate security bug reports, but I'm afraid running into duplicates is a distinct danger of fuzzing against top of tree. For our rewards program we'll consider a bug to be found internally if one of our own fuzzers independently finds the issue within 48 hours, even if that's after the external submission. Per g.co/ChromeBugRewards we encourage researchers to look at the Stable, Beta, and Dev channels.

Many thanks!
Hello @awhalley, @wfh, @thestig, Google Product Security Team,

Good Evening.

Firstly, I would like to thank @awhalley for allowing me access to crbug.com/752796, I sincerely appreciate the transparent approach.

Secondly, as @wfh suggested in c#7, I tried the PoC against the latest ASAN build #495646 and the output I received is as follows: -

==8412==ERROR: AddressSanitizer: heap-use-after-free on address 0xb3a14350 at pc 0x8d668a34 bp 0xbffff1a8 sp 0xbffff1a0
READ of size 4 at 0xb3a14350 thread T0 (chrome)
    #0 0x8d668a33  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0xd668a33)
    #1 0x8a03dfce  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0xa03dfce)
    #2 0x81158b49  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158b49)
    #3 0x8115864e  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x115864e)
    #4 0x81158367  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158367)
    #5 0xb6431275  (/lib/i386-linux-gnu/libc.so.6+0x18275)

0xb3a14350 is located 0 bytes inside of 24-byte region [0xb3a14350,0xb3a14368)
freed by thread T0 (chrome) here:
    #0 0x81155fb3  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1155fb3)
    #1 0x81c931a7  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1c931a7)
    #2 0x9489df87  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1489df87)
    #3 0x88b9817c  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8b9817c)
    #4 0x88b985e9  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8b985e9)
    #5 0x9488f2e6  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1488f2e6)
    #6 0x88b94743  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8b94743)
    #7 0x88fd4433  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd4433)
    #8 0x88fd644e  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd644e)
    #9 0x88fd9068  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd9068)
    #10 0x88fd1ff3  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd1ff3)
    #11 0x890043ef  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x90043ef)
    #12 0x88fd3995  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd3995)
    #13 0x81158633  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158633)
    #14 0x81158367  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158367)
    #15 0xb6431275  (/lib/i386-linux-gnu/libc.so.6+0x18275)

previously allocated by thread T0 (chrome) here:
    #0 0x81155373  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1155373)
    #1 0x81c91396  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1c91396)
    #2 0x81c911e3  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1c911e3)
    #3 0x948958d4  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x148958d4)
    #4 0x94894152  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x14894152)
    #5 0x88b95ef3  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8b95ef3)
    #6 0x88b946ed  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8b946ed)
    #7 0x88fd4433  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd4433)
    #8 0x88fd644e  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd644e)
    #9 0x88fd9068  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd9068)
    #10 0x88fd1ff3  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd1ff3)
    #11 0x890043ef  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x90043ef)
    #12 0x88fd3995  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x8fd3995)
    #13 0x81158633  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158633)
    #14 0x81158367  (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0x1158367)
    #15 0xb6431275  (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-use-after-free (/root/Desktop/asan-v8-arm-linux-release-495646/chrome+0xd668a33) 
Shadow bytes around the buggy address:
  0x36742810: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x36742820: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x36742830: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x36742840: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x36742850: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
=>0x36742860: fd fa fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa
  0x36742870: fc fc fc fc fa fa fd fd fd fa fa fa fd fd fd fd
  0x36742880: fa fa fd fd fd fd fa fa 00 00 00 04 fa fa 00 00
  0x36742890: 00 fa fa fa 00 00 00 04 fa fa 00 00 00 fa fa fa
  0x367428a0: 00 00 00 04 fa fa 00 00 00 fa fa fa 00 00 00 04
  0x367428b0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8412==ABORTING

Clearly, the Vulnerability has not been fixed or the fix was incomplete.

Eagerly awaiting your response.

Thanking You,

Yours Sincerely,
Kushal Arvind Shah.
Security Researcher | Fortinet's FortiGuard Labs.
Sorry, forgot to mention, for c#11, the testing was done on the Linux platform.

Thanks,
~Kushal.

Comment 13 by sheriffbot@chromium.org, Nov 24 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot