
Issue 757139 link


Issue metadata

Status: Duplicate
Merged: issue 756418
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security




Security: Memory Corruption OOB Write in Google Chrome

Reported by kushal89...@gmail.com, Aug 19 2017

Issue description

VULNERABILITY DETAILS

Memory Corruption Vulnerability [OOB Write] triggered in Chrome.

PoC has been tested on latest Chrome Linux "asan" build namely build 495712 as of Aug 18 7:11PM PST. 

Build links have been shared in the Step 1 of the "Reproduction Case" section.


VERSION

The latest "ASAN" builds of Chrome, namely asan build 495712. 

Operating System: Ubuntu.

REPRODUCTION CASE

1) Download Windows chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release-v8-arm%2Fasan-v8-arm-linux-release-495712.zip?generation=1503103479029453&alt=media

2) Unzip the downloaded "asan" builds.

3) Change directory to chrome binary location.

4) Run the chrome binary against the PoC.pdf testcase file using the --no-sandbox and --allow-file-access-from-files flags.

5) Scroll down page by page till pdfium crashes

6) Check the crash details in the terminal window. 

NOTE: The crash using chrome binary might not display enough relevant root-cause data, BUT the "Segmentation Fault" crash using the same PoC under pdfium_test provides much more information. 
NOTE: I would recommend using valgrind on pdfium_test to see the crash information similar to what I received.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

pdfium_test SegFault Crash: -
/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test /root/Desktop/fuzz-86.pdf
Rendering PDF file /root/Desktop/fuzz-86.pdf.
Received signal 11 SEGV_MAPERR 000000000048

==== C stack trace ===============================

 [0x0000080b49ec]
 [0x00000b7f8f98]
 [0x0000b76dcd10]
 [0x00000af27a81]
 [0x00000af41295]
 [0x00000af4f7e8]
 [0x00000af0b8e3]
 [0x00000ad96918]
 [0x00000ad946da]
 [0x00000aa8ce44]
 [0x000008152f05]
 [0x00000814504d]
 [0x00000814066b]
 [0x0000b6f2b276]
 [0x0000080671d5]
[end of stack trace]
Segmentation fault

Valgrind on pdfium_test : -

==9280== Command: /root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test /root/Desktop/fuzz-86.pdf
==9280== 
--9280-- Valgrind options:
--9280--    --verbose
--9280--    --keep-stacktraces=alloc-and-free
--9280--    --show-leak-kinds=all
--9280--    --leak-check=full
###Redacted_Extra_Valgrind_Data### Can be found in attached txt file.
=================================================================
==9280==ERROR: AddressSanitizer: unknown-crash on address 0x04e57b94 at pc 0x0ae6d973 bp 0xbe974748 sp 0xbe974740
WRITE of size 4 at 0x04e57b94 thread T0
    #0 0xae6d972  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae6d972)
    #1 0xae6a998  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae6a998)
    #2 0xae4cd3e  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae4cd3e)
    #3 0xae7794d  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae7794d)
    #4 0xaf665c4  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaf665c4)
    #5 0xae8e686  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae8e686)
    #6 0xaf892e8  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaf892e8)
    #7 0xaf696b6  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaf696b6)
    #8 0xaf7498c  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaf7498c)
    #9 0xaea1ae4  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaea1ae4)
    #10 0xae96476  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae96476)
    #11 0xaa7f623  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xaa7f623)
    #12 0x8147edf  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0x8147edf)
    #13 0x814066a  (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0x814066a)
    #14 0x4660275  (/lib/i386-linux-gnu/libc.so.6+0x18275)

Address 0x04e57b94 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/root/Desktop/asan-v8-arm-linux-release-495712/pdfium_test+0xae6d972) 
Shadow bytes around the buggy address:
  0x209caf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x209caf70: 00 00[04]00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209caf90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209cafa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209cafb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x209cafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9280==ABORTING

Chrome Binary Output: -

/root/Desktop/asan-v8-arm-linux-release-495712/chrome --no-sandbox --allow-file-access-from-files /root/Desktop/fuzz-86.pdf
Received signal 11 SEGV_MAPERR 000000000048
#0 0x00008110621c (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x10d121b)
#1 0x00008a1d08d3 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa19b8d2)
#2 0x00008a1cb748 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa196747)
#3 0x00008a1cf274 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa19a273)
#4 0x0000b76edd10 ([vdso]+0xd0f)
#5 0x000097f8bf81 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17f56f80)
#6 0x000097fa5795 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17f70794)
#7 0x000097fb3ce8 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17f7ece7)
#8 0x000097f6fde3 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17f3ade2)
#9 0x000097df97c8 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17dc47c7)
#10 0x000097df734a (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17dc2349)
#11 0x000097cc9954 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c94953)
#12 0x000097c37b0c (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c02b0b)
#13 0x000097bf32c4 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17bbe2c3)
#14 0x000097bf21d1 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17bbd1d0)
#15 0x000097c660d2 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c310d1)
#16 0x000097c68880 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c3387f)
#17 0x000097c84711 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c4f710)
#18 0x000097c882b3 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c532b2)
#19 0x000097c88474 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x17c53473)
#20 0x00008f98a9d3 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xf9559d2)
#21 0x000096bf4fa0 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x16bbff9f)
#22 0x000096bf5449 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x16bc0448)
#23 0x000096bf6d07 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x16bc1d06)
#24 0x00009695782a (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x16922829)
#25 0x0000969550a8 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x169200a7)
#26 0x000096955f49 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x16920f48)
#27 0x00008a1d2f10 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa19df0f)
#28 0x00008a264e0d (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa22fe0c)
#29 0x00008a267b1b (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa232b1a)
#30 0x00008a26f1be (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa23a1bd)
#31 0x00008a26382c (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa22e82b)
#32 0x00008a323a40 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0xa2eea3f)
#33 0x000088bdcb41 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8ba7b40)
#34 0x00008901c854 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8fe7853)
#35 0x00008901e86f (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8fe986e)
#36 0x000089021489 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8fec488)
#37 0x00008901a414 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8fe5413)
#38 0x00008904c810 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x901780f)
#39 0x00008901bdb6 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x8fe6db5)
#40 0x00008118dde7 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x1158de6)
#41 0x00008118db28 (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x1158b27)
#42 0x0000b5b45276 (/lib/i386-linux-gnu/libc-2.24.so+0x18275)
#43 0x0000810b89ab (/root/Desktop/asan-v8-arm-linux-release-495712/chrome+0x10839aa)
  gs: 00000033  fs: 00000000  es: 0000007b  ds: 0000007b
 edi: 00000000 esi: bf7fc6a0 ebp: bf7fc768 esp: bf7fc6a0
 ebx: a5152994 edx: afeef000 ecx: 00000000 eax: 00000048
 trp: 0000000e err: 00000004  ip: 97f8bf81  cs: 00000073
 efl: 00210246 usp: bf7fc6a0  ss: 0000007b
[end of stack trace]
Calling _exit(1). Core file will not be generated.

 
Attaching another PoC producing similar output with pdfium_test under valgrind, BUT for Chrome binary, producing a signal 6 exit, instead of a signal 11 as seen in previous PoC.
Components: Internals>Plugins>PDF
Cc: rbpotter@chromium.org
Labels: M-62 OS-Chrome OS-Linux OS-Mac OS-Windows Pri-2
Owner: thestig@chromium.org
Status: Started (was: Unconfirmed)
This is from https://pdfium-review.googlesource.com/11115 - seeing "SEGV_MAPERR 000000000048" usually means it's a nullptr dereference, and that's indeed what it is.

Fix here: https://pdfium-review.googlesource.com/11533
Mergedinto: 756418
Status: Duplicate (was: Started)
Beaten by CF again.
The crash state in crbug.com/756418 is not exactly the same as my PoC.

Please compare the crash location stack trace in crbug.com/756418 and the stack trace for my PoC.

crbug.com/756418 shows the following: -
Crash State:
  CPDF_StreamContentParser::Parse
  CPDF_ContentParser::Continue
  CPDF_PageObjectHolder::ContinueParse
  
Whereas the crash location in the stack trace for my PoC is at a later stage than CPDF_StreamContentParser.

It's really the same crash as this, with the same fix.

I'm not sure why ClusterFuzz only listed part of the stacktrace. When I look at the testcase-detail CF page, it shows CPDF_StreamContentParser::Handle_BeginImage() above Parse().
@thestig, not sure if it's the same or not, since I do not have access to the testcase-detail CF page.

BUT, if you look closely at the crash type in crbug.com/756418, it says "Crash Type: Null-dereference READ"

Whereas, in my report, it is a "WRITE" crash.

I fail to understand how an OOB Read and an OOB Write crash could be the same... could you please help?

In the meanwhile, I checked the PoC against the latest "asan" build #496038 and the crash still occurs, so it's not fixed by https://pdfium-review.googlesource.com/11533

I'm sure your PoC2.pdf triggers the same bug as bug 756418. But it looks like you don't believe me, so let me show you my analysis that led to this conclusion.

a) Locally, with just an ASAN build, the crash shows:

Received signal 11 SEGV_MAPERR 000000000068

which points to a nullptr dereference. If I run the ASAN build inside GDB, I can catch the crash as it happens and get the same stack trace as Valgrind below.


b) Locally, when I run with a non-ASAN build inside Valgrind, I get:

Invalid read of size 8
   at 0x1003AF5: CFX_RetainPtr<CPDF_Image>::Get() const
   by 0x1003AB3: CFX_RetainPtr<CPDF_Image>::CFX_RetainPtr(CFX_RetainPtr<CPDF_Image> const&)
   by 0x100341F: CPDF_ImageObject::GetImage() const
   by 0x11F2D6B: CPDF_StreamContentParser::Handle_BeginImage()

Received signal 11 SEGV_MAPERR 000000000068

which also points to a nullptr dereference.

c) When I apply the fix locally to avoid the nullptr crash, the ASAN build no longer crashes. Neither does the non-ASAN build inside Valgrind.

d) I have no idea why you are running Valgrind on an ASAN-enabled executable, but as far as I know, the two tools are not meant to be combined. When you do combine them, it leads to odd behavior, like the write crash you are seeing. To use a not perfect analogy, drug A can effectively treat a disease, so can drug B, but taking drug A and B at the same time leads to bad side-effects.
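The analysis above rests on one triage rule: a fault address such as 0x48 or 0x68 is too small to be a real mapping, so it is almost certainly a null pointer plus the offset of the member being accessed. The following C program is an added illustration written for this page; it is not PDFium code and not the fix from either CL. It uses a constructed `image_object` struct whose `width` member is deliberately placed 0x48 bytes in, shows how the fault address maps back to that member offset, and contrasts an unchecked accessor (the bug shape) with a null-checked one (the general shape of the fix). Names like `image_object`, `fault_looks_like_null_deref` and `image_width_or_default` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an image object. The padding is constructed so
 * that `width` sits exactly 0x48 bytes into the struct; reading it through a
 * NULL pointer then faults at address 0x48, the "SEGV_MAPERR 000000000048"
 * shape quoted in this bug. This layout is for illustration only. */
typedef struct {
    unsigned char header[0x48];  /* constructed padding standing in for earlier members */
    int32_t width;               /* offsetof(image_object, width) == 0x48 */
    int32_t height;
} image_object;

/* Triage heuristic for a SIGSEGV: a fault address inside the first page
 * (< 4096 bytes) cannot be a mapped object on a normal process layout, so
 * it is read as NULL plus a member offset rather than a wild heap pointer. */
bool fault_looks_like_null_deref(uintptr_t fault_addr) {
    return fault_addr < 4096;
}

/* For such a fault, the member offset is simply the fault address itself. */
size_t null_deref_member_offset(uintptr_t fault_addr) {
    return (size_t)fault_addr;
}

/* Unchecked accessor: the bug class. Called with img == NULL it reads
 * *(int32_t *)0x48 and crashes with SEGV_MAPERR 0x48. */
int32_t image_width_unchecked(const image_object *img) {
    return img->width;
}

/* Hardened accessor: an absent object yields a caller-supplied default and
 * the struct is never touched. This is the general null-check pattern, not
 * the actual PDFium patch. */
int32_t image_width_or_default(const image_object *img, int32_t dflt) {
    if (img == NULL) {
        return dflt;
    }
    return img->width;
}

int main(void) {
    image_object img = { .width = 640, .height = 480 };

    printf("offsetof(width) = 0x%zx\n", offsetof(image_object, width));
    printf("fault at 0x48 looks like a null deref: %s\n",
           fault_looks_like_null_deref(0x48) ? "yes" : "no");
    printf("member offset implied by fault 0x48: 0x%zx\n",
           null_deref_member_offset(0x48));
    printf("width (checked, real object) = %d\n",
           image_width_or_default(&img, -1));
    printf("width (checked, NULL object) = %d\n",
           image_width_or_default(NULL, -1));
    /* image_width_unchecked(NULL) would reproduce the SIGSEGV; it is not called. */
    return 0;
}
```

The same reasoning applies to the 0x68 fault address in the non-ASAN run: the number changes because a different member (or a different build's layout) is being read through NULL, but both are the same class of crash, which is why a single null check removes both.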
@thestig, 

a) Clearly the stack trace looks different in crbug.com/756418. That is what led to the confusion; no one's doubting you or your analysis.

b) Secondly, I haven't built the non-asan version of chrome so I "will take your word on it". Again, no one is doubting you. 

c) As far as Valgrind is concerned, I didn't find any 'Warning Label' to not use it with 'ASAN'. Being a clean person, I wouldn't much understand the side-effects of combining two drugs, but nevertheless I thank you for the information.

d) Getting back to the issue at hand, as per c#4, if the issue was a duplicate of crbug.com/756418 then https://pdfium-review.googlesource.com/11533 should have fixed it, BUT the crash still occurs in build #496038, released after apparent fix 11533, which again brings me to question the duplicate label.
For completeness, the stack trace in comment 9 part b goes on top of the part shown in comment 6. Since this is a PDFium bug that can be reproduced with pdfium_test, you can check out and build PDFium locally if you want to verify. Unlike Chromium, PDFium is relatively small and one only needs a fraction of the computing resources to build it.

As for my analogy, just to be clear, it's about drugs that treat disease, AKA medicine, and not illegal drugs. It is also just hypothetical and the point I was trying to make is that multiple tools (for treating disease) may not be good when combined, just like multiple tools used for memory error detection may not work well together.

Back to the bug, https://pdfium-review.googlesource.com/11533 got abandoned because https://pdfium-review.googlesource.com/11532 will fix it instead. Since neither CL has been committed, then of course if you try a build at r496038, it's going to contain the same problem. Please wait until bug 756418 has been fixed, and for the fix to be rolled into Chromium, before testing further with your Chromium ASAN build.
@thestig, I have already tested the PoC against several asan builds and the stack trace seen in crbug.com/756418 is preliminary to the actual crashing instance in my PoC and therefore not the same, BUT since you are consistently saying it is the same, there isn't much an external researcher can do in that case, so I will refrain from utilizing more of my energy on this PoC.

Also for the analogy, I understand your viewpoint now. The point I was making is that the explanation was crystal clear without a need for an analogy (the analogy was unnecessary and slightly rude IMO).

Back to the bug, please let me know once the CL has been committed, by which time the bug would have surely been fixed, considering the 'n' number of commits which change the entire flow of pdfium. Nevertheless, please do let me know once it's been fixed so that I can test it and ensure it's once again a safe world/environment for one and all.

Thanks,
~Kushal.
Bug 756418 is public, so you can star the bug and follow along. I'll try to remember to ping you on this bug anyway when it's fixed.

If you did not like the analogy, then I apologize and I will just try to explain issues without them and hope the explanations are clear.
Bug 756418 has been fixed in Chromium with r496707.
Project Member

Comment 15 by sheriffbot@chromium.org, Nov 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
