Security: heap-use-after-free(ProbeForLowSeverityLifetimeIssue) in PDFium
Reported by yuanvi...@gmail.com, Aug 22 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36
Steps to reproduce the problem:
VULNERABILITY DETAILS
```
==1617:1617==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002350 at pc 0x0000034b40ba bp 0x7ffe82b7fe60 sp 0x7ffe82b7fe58
READ of size 1 at 0x604000002350 thread T0
    #0 0x34b40b9 in ProbeForLowSeverityLifetimeIssue third_party/pdfium/core/fxcrt/cfx_unowned_ptr.h:100:7
    #1 0x34b40b9 in ~CFX_UnownedPtr third_party/pdfium/core/fxcrt/cfx_unowned_ptr.h:50
    #2 0x34b40b9 in CPDF_Document::~CPDF_Document() third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:359
    #3 0x34b45b9 in CPDF_Document::~CPDF_Document() third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:357:33
    #4 0x4ac9d19 in CPDFXFA_Context::~CPDFXFA_Context() third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:50:37
    #5 0x5c391e in operator() third_party/pdfium/public/cpp/fpdf_deleters.h:26:47
    #6 0x5c391e in reset buildtools/third_party/libc++/trunk/include/memory:2585
    #7 0x5c391e in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2539
    #8 0x5c391e in RenderPdf third_party/pdfium/samples/pdfium_test.cc:1475
    #9 0x5c391e in main third_party/pdfium/samples/pdfium_test.cc:1624
    #10 0x7f0027a3682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

0x604000002350 is located 0 bytes inside of 48-byte region [0x604000002350,0x604000002380)
freed by thread T0 here:
    #0 0x5c00f2 in operator delete(void*) (/home/chrome/chromium/src/out/pdf/pdfium_test+0x5c00f2)
    #1 0x34df48c in operator() buildtools/third_party/libc++/trunk/include/memory:2272:5
    #2 0x34df48c in reset buildtools/third_party/libc++/trunk/include/memory:2585
    #3 0x34df48c in operator= buildtools/third_party/libc++/trunk/include/memory:2451
    #4 0x34df48c in CPDF_IndirectObjectHolder::ReplaceIndirectObjectIfHigherGeneration(unsigned int, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >) third_party/pdfium/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp:78
    #5 0x350785b in CPDF_Parser::LoadCrossRefV5(long*, bool) third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:990:23
    #6 0x3515f77 in CPDF_Parser::LoadLinearizedAllCrossRefV5(long) third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1435:8
    #7 0x351726c in CPDF_Parser::LoadLinearizedMainXRefTable() third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1474:8
    #8 0x3493ac0 in CPDF_DataAvail::CheckLinearizedData(CPDF_DataAvail::DownloadHints*) third_party/pdfium/core/fpdfapi/parser/cpdf_data_avail.cpp:1324:35
    #9 0x3499a02 in CPDF_DataAvail::IsFormAvail(CPDF_DataAvail::DownloadHints*) third_party/pdfium/core/fpdfapi/parser/cpdf_data_avail.cpp:1578:33
    #10 0x174cdd4 in FPDFAvail_IsFormAvail third_party/pdfium/fpdfsdk/fpdf_dataavail.cpp:186:60
    #11 0x5c641e in RenderPdf third_party/pdfium/samples/pdfium_test.cc:1396:14
    #12 0x5c641e in main third_party/pdfium/samples/pdfium_test.cc:1624
    #13 0x7f0027a3682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x5bf4d2 in operator new(unsigned long) (/home/chrome/chromium/src/out/pdf/pdfium_test+0x5bf4d2)
    #1 0x176c711 in pdfium::internal::MakeUniqueResult<CPDF_Dictionary>::Scalar pdfium::MakeUnique<CPDF_Dictionary, CFX_WeakPtr<CFX_StringPoolTemplate<CFX_ByteString>, std::__1::default_delete<CFX_StringPoolTemplate<CFX_ByteString> > >&>(CFX_WeakPtr<CFX_StringPoolTemplate<CFX_ByteString>, std::__1::default_delete<CFX_StringPoolTemplate<CFX_ByteString> > >&) third_party/pdfium/third_party/base/ptr_util.h:56:29
    #2 0x355149b in CPDF_SyntaxParser::GetObjectInternal(CPDF_IndirectObjectHolder*, unsigned int, unsigned int, bool) third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:451:9
    #3 0x354f9dc in CPDF_SyntaxParser::GetObject(CPDF_IndirectObjectHolder*, unsigned int, unsigned int, bool) third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:379:17
    #4 0x35109f8 in CPDF_Parser::ParseIndirectObjectAtInternal(CPDF_IndirectObjectHolder*, long, unsigned int, bool, long*) third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1277:24
    #5 0x350d061 in ParseIndirectObjectAt third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1238:10
    #6 0x350d061 in CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjectHolder*, unsigned int) third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1181
    #7 0x34b47ae in CPDF_Document::ParseIndirectObject(unsigned int) third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:363:33
    #8 0x34dc7ec in CPDF_IndirectObjectHolder::GetOrParseIndirectObject(unsigned int) third_party/pdfium/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp:39:42
    #9 0x34b5165 in CPDF_Document::LoadDocumentInfo() third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:381:27
    #10 0x34b57ee in CPDF_Document::LoadLinearizedDoc(CPDF_LinearizedHeader const*) third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:394:3
    #11 0x3514bf6 in CPDF_Parser::StartLinearizedParse(CFX_RetainPtr<IFX_SeekableReadStream> const&, CPDF_Document*) third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:1398:16
    #12 0x174bc01 in FPDFAvail_GetDocument third_party/pdfium/fpdfsdk/fpdf_dataavail.cpp:153:54
    #13 0x5c5598 in RenderPdf third_party/pdfium/samples/pdfium_test.cc:1387:15
    #14 0x5c5598 in main third_party/pdfium/samples/pdfium_test.cc:1624
    #15 0x7f0027a3682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free third_party/pdfium/core/fxcrt/cfx_unowned_ptr.h:100:7 in ProbeForLowSeverityLifetimeIssue
Shadow bytes around the buggy address:
  0x0c087fff8410: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8420: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8430: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff8440: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fd
  0x0c087fff8450: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
=>0x0c087fff8460: fa fa 00 00 00 00 00 00 fa fa[fd]fd fd fd fd fd
  0x0c087fff8470: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fff8480: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8490: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff84a0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff84b0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1617:1617==ABORTING
```
VERSION
commit bde6f35d285b0415cdcaf92e58fbe276bc499255
REPRODUCTION CASE
build pdfium_test with these options
```
is_asan = true
is_debug = false
pdf_use_skia_paths = true
pdf_enable_v8 = true
pdf_enable_xfa = true
pdf_enable_xfa_bmp = true
pdf_enable_xfa_gif = true
pdf_enable_xfa_png = true
pdf_enable_xfa_tiff = true
```
```
./pdfium_test poc.pdf
```
What is the expected behavior?
What went wrong?
Though ProbeForLowSeverityLifetimeIssue causes this heap-use-after-free issue, it may also be a security bug.
Did this work before? N/A
Chrome version: 60.0.3112.101 Channel: stable
OS Version: 10.0
Flash Version:
Aug 24 2017

Attached is the source of my test PDF for this bug. To generate the test PDF, I ran:

```
testing/tools/fixup_pdf_template.py non_linear.in
qpdf --linearize --object-streams=generate non_linear.pdf bug_757705.pdf
```

Then I edited bug_757705.pdf in a text editor and changed object 1 0 to 12 1, and updated the file size.
Aug 28 2017

The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/91f443f4f3b9682959435a5417b48975729b9338

commit 91f443f4f3b9682959435a5417b48975729b9338
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Aug 28 18:03:23 2017

Move replaced indirect objects to the orphans list.

ReplaceIndirectObjectIfHigherGeneration() deletes replaced objects, but those objects may be in use. So move them to the orphans list instead to avoid potential dangling pointers.

BUG= chromium:757705
Change-Id: Ide83a1b85b754166d298fd50e655ca331ba4f942
Reviewed-on: https://pdfium-review.googlesource.com/11670
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[add] https://crrev.com/91f443f4f3b9682959435a5417b48975729b9338/testing/resources/bug_757705.pdf
[modify] https://crrev.com/91f443f4f3b9682959435a5417b48975729b9338/core/fpdfapi/parser/cpdf_parser_embeddertest.cpp
[modify] https://crrev.com/91f443f4f3b9682959435a5417b48975729b9338/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp
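The commit message above states the fix at the level of the indirect-object holder: a replaced object may still be referenced, so it must be parked rather than deleted. The following is an added example and not PDFium's code: a minimal C++ model of such a holder with the pre-fix behaviour (delete the replaced object at once) beside the fixed behaviour (move it to an orphans list owned by the holder). The names Object, UnsafeHolder, SafeHolder and SafeReplace are made up here, and a destruction counter stands in for AddressSanitizer so the dangling-pointer hazard is observable without ever reading freed memory. The scenario mirrors the test PDF described in the Aug 24 comment: object 12 is first loaded at generation 0 and a pointer to it retained, then a later cross-reference section supplies object 12 at generation 1.

```cpp
// Added example, not PDFium's code: a minimal model of an indirect-object holder
// with the pre-fix behaviour (UnsafeHolder) beside the fixed one (SafeHolder).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Destruction counter so the lifetime difference is observable without
// ever touching freed memory.
static int g_destroyed = 0;

struct Object {
  uint32_t objnum;
  uint16_t gennum;
  std::string value;
  Object(uint32_t n, uint16_t g, std::string v) : objnum(n), gennum(g), value(std::move(v)) {}
  ~Object() { ++g_destroyed; }
};

// Before the fix: the replaced object is deleted at once, so a raw pointer
// handed out earlier (like the document's Info dictionary) now dangles.
class UnsafeHolder {
 public:
  Object* Add(uint32_t objnum, uint16_t gennum, std::string value) {
    objects_[objnum] = std::make_unique<Object>(objnum, gennum, std::move(value));
    return objects_[objnum].get();
  }
  bool ReplaceIfHigherGeneration(uint32_t objnum, std::unique_ptr<Object> obj) {
    if (!obj) return false;  // nullptr check, as in the follow-up commit in the roll
    auto it = objects_.find(objnum);
    if (it != objects_.end() && it->second->gennum >= obj->gennum) return false;
    objects_[objnum] = std::move(obj);  // the old unique_ptr frees the old object here
    return true;
  }
 private:
  std::map<uint32_t, std::unique_ptr<Object>> objects_;
};

// After the fix: the replaced object moves to an orphans list owned by the
// holder, so it lives as long as the holder and earlier pointers stay valid.
class SafeHolder {
 public:
  Object* Add(uint32_t objnum, uint16_t gennum, std::string value) {
    objects_[objnum] = std::make_unique<Object>(objnum, gennum, std::move(value));
    return objects_[objnum].get();
  }
  bool ReplaceIfHigherGeneration(uint32_t objnum, std::unique_ptr<Object> obj) {
    if (!obj) return false;
    auto it = objects_.find(objnum);
    if (it != objects_.end()) {
      if (it->second->gennum >= obj->gennum) return false;
      orphans_.push_back(std::move(it->second));  // keep it alive instead of deleting
    }
    objects_[objnum] = std::move(obj);
    return true;
  }
  std::size_t OrphanCount() const { return orphans_.size(); }
 private:
  std::map<uint32_t, std::unique_ptr<Object>> objects_;
  std::vector<std::unique_ptr<Object>> orphans_;
};

// Scenario from the report: object 12 is loaded at generation 0 and a pointer
// to it is kept; a later cross-reference section supplies object 12 at gen 1.
int ObjectsFreedDuringUnsafeReplace() {
  g_destroyed = 0;
  UnsafeHolder holder;
  Object* info = holder.Add(12, 0, "old-info");
  (void)info;  // still held by the caller, now dangling
  holder.ReplaceIfHigherGeneration(12, std::make_unique<Object>(12, 1, "new-info"));
  return g_destroyed;  // 1: freed while the holder (and the pointer) is alive
}

struct SafeResult { int freed; std::string held_value; std::size_t orphans; };

SafeResult SafeReplace() {
  g_destroyed = 0;
  SafeHolder holder;
  Object* info = holder.Add(12, 0, "old-info");
  holder.ReplaceIfHigherGeneration(12, std::make_unique<Object>(12, 1, "new-info"));
  return {g_destroyed, info->value, holder.OrphanCount()};  // {0, "old-info", 1}
}

// An equal or lower generation must never replace the current object.
bool SameGenerationIsRejected() {
  SafeHolder holder;
  holder.Add(12, 1, "info");
  return !holder.ReplaceIfHigherGeneration(12, std::make_unique<Object>(12, 1, "dup"));
}

int main() {
  std::printf("unsafe: freed during replace = %d\n", ObjectsFreedDuringUnsafeReplace());
  SafeResult r = SafeReplace();
  std::printf("safe: freed=%d held=%s orphans=%zu\n", r.freed, r.held_value.c_str(), r.orphans);
  std::printf("same generation rejected: %s\n", SameGenerationIsRejected() ? "yes" : "no");
  return 0;
}
```

The orphans list trades a bounded amount of memory (replaced objects live until the holder is destroyed) for the guarantee that no pointer handed out before the replacement can dangle; in PDFium's case the holder is the document, so the lifetime matches the CFX_UnownedPtr probe that fired in the report.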
Aug 28 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fba89ede793d458424c4ce775dca0521a5cf14f2

commit fba89ede793d458424c4ce775dca0521a5cf14f2
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Mon Aug 28 21:02:47 2017

Roll src/third_party/pdfium/ 8a4494034..827f6ff22 (6 commits)

https://pdfium.googlesource.com/pdfium.git/+log/8a4494034eb7..827f6ff220ed

$ git log 8a4494034..827f6ff22 --date=short --no-merges --format='%ad %ae %s'
2017-08-28 thestig Add a nullptr check in ReplaceIndirectObjectIfHigherGeneration().
2017-08-26 thestig Remove unused / rarely used CFX_PTemplate methods.
2017-08-28 rharrison Convert find markers to Optionals in CPDF_TextPageFind
2017-08-28 thestig Pass more const CFX_Matrix* params in CFFL_FormFiller.
2017-08-24 thestig Add helper methods in CJBig2_GRRDProc.
2017-08-23 thestig Move replaced indirect objects to the orphans list.

Created with:
roll-dep src/third_party/pdfium

BUG= 757705

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I51e55964a86276d1f293b034a3fae787e580a92a
Reviewed-on: https://chromium-review.googlesource.com/639192
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497871}

[modify] https://crrev.com/fba89ede793d458424c4ce775dca0521a5cf14f2/DEPS
Sep 18 2017

Hi yuanvi.cn@ - the VRP panel looked at this, and would be interested in seeing what happens if you try to reproduce after removing the ProbeForLowSeverityLifetimeIssue() check, as it might be masking a higher severity issue.
Dec 5 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Aug 22 2017