Security: Memory Corruption in Chrome
Reported by kushal89...@gmail.com, Aug 25 2017
Issue description

VULNERABILITY DETAILS
Memory Corruption triggered in Chrome. PoC has been tested on the latest Chrome Windows "asan" build, namely build 497481. Build links have been shared in Step 1 of the "Reproduction Case" section.

VERSION
The latest "ASAN" builds of Chrome, namely asan build 497481.
Operating System: Windows 7 SP1.

REPRODUCTION CASE
1) Download the Windows chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-497481.zip?generation=1503695013993159&alt=media
2) Unzip the downloaded "asan" build.
3) Change directory to the chrome.exe location.
4) Run the chrome binary against the PoC.pdf testcase file using the --no-sandbox and --allow-file-access-from-files flags.
5) Check the crash details in WinDbg.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

WinDbg output with Disassembly View:
-
Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00000000`00220000 00000000`00f1c000   C:\Users\kshah\Desktop\win32-release%2Fasan-coverage-win32-release-497481\asan-coverage-win32-release-497481\chrome.exe
ModLoad: 00000000`76ec0000 00000000`7706a000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00000000`770a0000 00000000`77220000   ntdll.dll
ModLoad: 00000000`74690000 00000000`746cf000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`74630000 00000000`7468c000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`74620000 00000000`74628000   C:\Windows\SYSTEM32\wow64cpu.dll
ModLoad: 00000000`76b50000 00000000`76c60000   KERNEL32.dll
ModLoad: 00000000`766f0000 00000000`76737000   KERNELBASE.dll
ModLoad: 00000000`5b9e0000 00000000`5bbdb000   chrome_elf.dll
ModLoad: 00000000`741d0000 00000000`741d9000   VERSION.dll
ModLoad: 00000000`74c80000 00000000`74d2c000   msvcrt.dll
ModLoad: 00000000`75530000 00000000`755d1000   ADVAPI32.dll
ModLoad: 00000000`76b00000 00000000`76b19000   SECHOST.dll
ModLoad: 00000000`74d30000 00000000`74e20000   RPCRT4.dll
ModLoad: 00000000`74940000 00000000`749a0000   SspiCli.dll
ModLoad: 00000000`74930000 00000000`7493c000   CRYPTBASE.dll
ModLoad: 00000000`77070000 00000000`77075000   PSAPI.DLL
ModLoad: 00000000`75aa0000 00000000`766ec000   SHELL32.dll
ModLoad: 00000000`74b00000 00000000`74b57000   SHLWAPI.dll
ModLoad: 00000000`751e0000 00000000`75270000   GDI32.dll
ModLoad: 00000000`749f0000 00000000`74af0000   USER32.dll
ModLoad: 00000000`755e0000 00000000`755ea000   LPK.dll
ModLoad: 00000000`75270000 00000000`7530d000   USP10.dll
ModLoad: 00000000`737f0000 00000000`73822000   WINMM.dll
ModLoad: 00000000`73350000 00000000`733a8000   WINHTTP.dll
ModLoad: 00000000`73300000 00000000`73350000   webio.dll
ModLoad: 00000000`72eb0000 00000000`72eb3000   api-ms-win-core-synch-l1-2-0.dll
ModLoad: 00000000`76a90000 00000000`76af0000   IMM32.dll
ModLoad: 00000000`75740000 00000000`7580d000   MSCTF.dll
ModLoad: 00000000`0f1b0000 00000000`25278000   chrome_child.dll
ModLoad: 00000000`74e20000 00000000`74f7d000   ole32.dll
ModLoad: 00000000`769f0000 00000000`76a81000   OLEAUT32.dll
ModLoad: 00000000`76c60000 00000000`76c95000   WS2_32.dll
ModLoad: 00000000`74b60000 00000000`74b66000   NSI.dll
ModLoad: 00000000`755f0000 00000000`75607000   USERENV.dll
ModLoad: 00000000`754f0000 00000000`754fb000   profapi.dll
ModLoad: 00000000`76b20000 00000000`76b4f000   WINTRUST.dll
ModLoad: 00000000`75610000 00000000`75731000   CRYPT32.dll
ModLoad: 00000000`75a80000 00000000`75a8c000   MSASN1.dll
ModLoad: 00000000`75470000 00000000`754eb000   COMDLG32.dll
ModLoad: 00000000`73b70000 00000000`73d0e000   COMCTL32.dll
ModLoad: 00000000`60120000 00000000`6027d000   dbghelp.dll
ModLoad: 00000000`60110000 00000000`60114000   api-ms-win-crt-string-l1-1-0.dll
ModLoad: 00000000`5fff0000 00000000`60108000   ucrtbase.dll
ModLoad: 00000000`5ffe0000 00000000`5ffe3000   api-ms-win-core-timezone-l1-1-0.dll
ModLoad: 00000000`5ffd0000 00000000`5ffd3000   api-ms-win-core-file-l2-1-0.dll
ModLoad: 00000000`5ffc0000 00000000`5ffc3000   api-ms-win-core-localization-l1-2-0.dll
ModLoad: 00000000`5ffb0000 00000000`5ffb3000   api-ms-win-core-processthreads-l1-1-1.dll
ModLoad: 00000000`5ffa0000 00000000`5ffa3000   api-ms-win-core-file-l1-2-0.dll
ModLoad: 00000000`5ff90000 00000000`5ff93000   api-ms-win-crt-time-l1-1-0.dll
ModLoad: 00000000`5ff80000 00000000`5ff84000   api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 00000000`5ff70000 00000000`5ff80000   api-ms-win-crt-private-l1-1-0.dll
ModLoad: 00000000`72b60000 00000000`72bb1000   WINSPOOL.DRV
ModLoad: 00000000`745f0000 00000000`7460c000   IPHLPAPI.DLL
ModLoad: 00000000`745e0000 00000000`745e7000   WINNSI.DLL
ModLoad: 00000000`73b60000 00000000`73b68000   Secur32.dll
ModLoad: 00000000`75310000 00000000`7545b000   urlmon.dll
ModLoad: 00000000`74af0000 00000000`74af4000   api-ms-win-downlevel-ole32-l1-1-0.dll
ModLoad: 00000000`76af0000 00000000`76af4000   api-ms-win-downlevel-shlwapi-l1-1-0.dll
ModLoad: 00000000`74c70000 00000000`74c75000   api-ms-win-downlevel-advapi32-l1-1-0.dll
ModLoad: 00000000`75a70000 00000000`75a74000   api-ms-win-downlevel-user32-l1-1-0.dll
ModLoad: 00000000`74c60000 00000000`74c64000   api-ms-win-downlevel-version-l1-1-0.dll
ModLoad: 00000000`75a90000 00000000`75a93000   api-ms-win-downlevel-normaliz-l1-1-0.dll
ModLoad: 00000000`75460000 00000000`75463000   Normaliz.dll
ModLoad: 00000000`75830000 00000000`75a65000   iertutil.dll
ModLoad: 00000000`76740000 00000000`769eb000   WININET.dll
ModLoad: 00000000`61560000 00000000`61696000   DWrite.dll
ModLoad: 00000000`6c520000 00000000`6c6b1000   gdiplus.dll
ModLoad: 00000000`73510000 00000000`73590000   UxTheme.dll
ModLoad: 00000000`626b0000 00000000`626f1000   tv_w32.dll
(1ce0.14fc): Illegal instruction - code c000001d (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`7469cb49 654c8b1c2530000000 mov     r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????

0:000> r
rax=00000000fffdb000 rbx=000000000011e980 rcx=000000000011d250
rdx=0000000000000000 rsi=00000000746986cb rdi=0000000000000000
rip=000000007469cb49 rsp=000000000011d730 rbp=000000000011dbf0
 r8=000000000011d718  r9=000000000011dbf0 r10=0000000000000000
r11=0000000000000246 r12=000000000011e0f0 r13=000000000011fd00
r14=000000000011e980 r15=ffffffffffffffff
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000204
wow64!Wow64NotifyDebugger+0x1d:
00000000`7469cb49 654c8b1c2530000000 mov     r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????

0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00000000`7469cc6a : 00000000`0011d780 00000000`0001007f ffffffff`ffffffff 00000000`00000003 : wow64!Wow64NotifyDebugger+0x1d
01 00000000`7469ce4a : 00000000`0001007f 00000000`fffdb000 00000000`0111948c 00000000`00000003 : wow64!HandleRaiseException+0xee
02 00000000`746b6c2d : 00000000`01119430 00000000`fffdb000 00000000`fffdd000 00000000`746a050c : wow64!Wow64NtRaiseException+0x132
03 00000000`7469d18f : 00000000`01118380 00000000`011198d8 00000000`fffdb000 00000000`fffdd000 : wow64!whNtRaiseException+0x15
04 00000000`74622776 : 00000000`74a15602 00000000`74690023 00000000`00000246 00000000`0112ca00 : wow64!Wow64SystemServiceEx+0xd7
05 00000000`7469d286 : 00000000`00000000 00000000`74621920 00000000`76fd03c8 00000000`76eecce1 : wow64cpu!ServiceNoTurbo+0x2d
06 00000000`7469c69e : 00000000`00000000 00000000`00000000 00000000`74694b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
07 00000000`76effb96 : 00000000`01254be0 00000000`00000000 00000000`76fed670 00000000`76fc0910 : wow64!Wow64LdrpInitialize+0x42a
08 00000000`76f5bd09 : 00000000`00000000 00000000`76eff3b1 00000000`0011f660 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
09 00000000`76eea36e : 00000000`0011f660 00000000`00000000 00000000`fffdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x22a30
0a 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12030.

DUMP_CLASS: 2
DUMP_QUALIFIER: 0

FAULTING_IP: 
chrome!__sanitizer::CheckFailed+20 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc @ 75]
00000000`00613fe0 0f0b            ud2

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000613fe0 (chrome!__sanitizer::Trap)
   ExceptionCode: c000001d (Illegal instruction)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  000014fc
PROCESS_NAME:  chrome.exe
ERROR_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.
EXCEPTION_CODE_STR:  c000001d
WATSON_BKT_PROCSTAMP:  59a08ea6
WATSON_BKT_PROCVER:  62.0.3197.0
PROCESS_VER_PRODUCT:  Chromium
WATSON_BKT_MODULE:  chrome.exe
WATSON_BKT_MODSTAMP:  59a08ea6
WATSON_BKT_MODOFFSET:  3f3fe0
WATSON_BKT_MODVER:  62.0.3197.0
MODULE_VER_PRODUCT:  Chromium
BUILD_VERSION_STRING:  6.1.7601.23864 (win7sp1_ldr.170707-0600)
MODLIST_WITH_TSCHKSUM_HASH:  a869759f9cf17c86b0623f1a9b39aa94da1d6919
MODLIST_SHA1_HASH:  f36324d48687921444abd016a1f0533bed247e7a
NTGLOBALFLAG:  400
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  272
APP:  chrome.exe
ANALYSIS_SESSION_HOST:  FGT-KSHAH
ANALYSIS_SESSION_TIME:  08-25-2017 15:28:55.0261
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
LAST_CONTROL_TRANSFER:  from 000000007469cc6a to 000000007469cb49
THREAD_ATTRIBUTES: 
THREAD_SHA1_HASH_MOD_FUNC:  351f47ac448cb4b3e45bc49a85bd5be607388e36
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  5a5abf5ef1ed7cfe1eb5d59d511b9009e043f591
OS_LOCALE:  ENU

PROBLEM_CLASSES: 
    Tid    [0x0]
    Frame  [0x00]
    String [STATUS_ILLEGAL_INSTRUCTION]
    Data Bucketing

    EXPLOITABLE
    Tid    [0x14fc]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing

    EXPLOITABLE
    Tid    [0x14fc]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing

    AFTER_CALL
    Tid    [0x14fc]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing

BUGCHECK_STR:  STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL
DEFAULT_BUCKET_ID:  STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL

STACK_TEXT:  
00000000`0011d730 00000000`7469cb49 wow64!Wow64NotifyDebugger+0x1d
00000000`0011d760 00000000`7469cc6a wow64!HandleRaiseException+0xee
00000000`0011dc40 00000000`7469ce4a wow64!Wow64NtRaiseException+0x132
00000000`0011e160 00000000`746b6c2d wow64!whNtRaiseException+0x15
00000000`0011e190 00000000`7469d18f wow64!Wow64SystemServiceEx+0xd7
00000000`0011ea50 00000000`74622776 wow64cpu!ServiceNoTurbo+0x2d
00000000`0011eb10 00000000`7469d286 wow64!RunCpuSimulation+0xa
00000000`0011eb60 00000000`7469c69e wow64!Wow64LdrpInitialize+0x42a
00000000`0011f0b0 00000000`76effb96 ntdll!LdrpInitializeProcess+0x17e3
00000000`0011f5a0 00000000`76f5bd09 ntdll! ?? ::FNODOBFM::`string'+0x22a30
00000000`0011f610 00000000`76eea36e ntdll!LdrInitializeThunk+0xe

STACK_COMMAND:  .ecxr ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dps 11d730 ; kb

FAILED_INSTRUCTION_ADDRESS: 
chrome!__sanitizer::CheckFailed+20 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc @ 75]
00000000`00613fe0 0f0b            ud2

THREAD_SHA1_HASH_MOD:  9c076e709c4fae2a87d501f3ee08d9f359faca98

FOLLOWUP_IP: 
wow64!Wow64NotifyDebugger+1d
00000000`7469cb49 654c8b1c2530000000 mov     r11,qword ptr gs:[30h]

FAULT_INSTR_CODE:  1c8b4c65
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  wow64!Wow64NotifyDebugger+1d
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: wow64
IMAGE_NAME:  wow64.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  595fa993
FAILURE_BUCKET_ID:  STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL_c000001d_wow64.dll!Wow64NotifyDebugger
BUCKET_ID:  X64_STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d
PRIMARY_PROBLEM_CLASS:  X64_STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d
BUCKET_ID_OFFSET:  1d
BUCKET_ID_MODULE_STR:  wow64
BUCKET_ID_MODTIMEDATESTAMP:  595fa993
BUCKET_ID_MODCHECKSUM:  42c3e
BUCKET_ID_MODVER_STR:  6.1.7601.23864
BUCKET_ID_PREFIX_STR:  X64_STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL_BAD_IP_
FAILURE_PROBLEM_CLASS:  STATUS_ILLEGAL_INSTRUCTION_EXPLOITABLE_AFTER_CALL
FAILURE_EXCEPTION_CODE:  c000001d
FAILURE_IMAGE_NAME:  wow64.dll
FAILURE_FUNCTION_NAME:  Wow64NotifyDebugger
BUCKET_ID_FUNCTION_STR:  Wow64NotifyDebugger
FAILURE_SYMBOL_NAME:  wow64.dll!Wow64NotifyDebugger
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome.exe/62.0.3197.0/59a08ea6/chrome.exe/62.0.3197.0/59a08ea6/c000001d/003f3fe0.htm?Retriage=1
TARGET_TIME:  2017-08-25T22:28:57.000Z
OSBUILD:  7601
OSSERVICEPACK:  1
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 7
OSEDITION:  Windows 7 WinNt (Service Pack 1) SingleUserTS
USER_LCID:  0
OSBUILD_TIMESTAMP:  2017-07-07 08:13:57
BUILDDATESTAMP_STR:  170707-0600
BUILDLAB_STR:  win7sp1_ldr
BUILDOSVER_STR:  6.1.7601.23864
ANALYSIS_SESSION_ELAPSED_TIME: 3356
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:status_illegal_instruction_exploitable_after_call_c000001d_wow64.dll!wow64notifydebugger
FAILURE_ID_HASH:  {b72c1303-8347-5b70-5396-964351deefce}

Followup:     MachineOwner
---------

0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x613fe0
Second Chance Exception Type: STATUS_ILLEGAL_INSTRUCTION (0xC000001D)
Exception Hash (Major/Minor): 0xe56b743a.0x1e246c9f

Hash Usage : Stack Trace:
Major+Minor : wow64!Wow64NotifyDebugger+0x1d
Major+Minor : wow64!HandleRaiseException+0xee
Major+Minor : wow64!Wow64NtRaiseException+0x132
Major+Minor : wow64!whNtRaiseException+0x15
Major+Minor : wow64!Wow64SystemServiceEx+0xd7
Minor : wow64cpu!ServiceNoTurbo+0x2d
Minor : wow64!RunCpuSimulation+0xa
Minor : wow64!Wow64LdrpInitialize+0x42a
Minor : ntdll!LdrpInitializeProcess+0x17e3
Minor : ntdll! ?? ::FNODOBFM::`string'+0x22a30
Minor : ntdll!LdrInitializeThunk+0xe
Instruction Address: 0x000000007469cb49

Description: Illegal Instruction Violation
Short Description: IllegalInstruction
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Illegal Instruction Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d (Hash=0xe56b743a.0x1e246c9f)

An illegal instruction exception indicates that the attacker controls execution flow.

Disassembly View:
00000000`7469cb24 cc              int     3
00000000`7469cb25 cc              int     3
00000000`7469cb26 cc              int     3
00000000`7469cb27 cc              int     3
00000000`7469cb28 cc              int     3
00000000`7469cb29 cc              int     3
00000000`7469cb2a cc              int     3
00000000`7469cb2b cc              int     3
wow64!Wow64NotifyDebugger:
00000000`7469cb2c 4883ec28        sub     rsp,28h
00000000`7469cb30 65488b042530000000 mov   rax,qword ptr gs:[30h]
00000000`7469cb39 48c7809014000004000000 mov qword ptr [rax+1490h],4
00000000`7469cb44 e85fbbffff      call    wow64!Wow64NotifyDebuggerHelper (00000000`746986a8)
00000000`7469cb49 654c8b1c2530000000 mov   r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????   ---> crash occurs here.
00000000`7469cb52 4983a39014000000 and    qword ptr [r11+1490h],0
00000000`7469cb5a b001            mov     al,1
00000000`7469cb5c eb13            jmp     wow64!Wow64NotifyDebugger+0x45 (00000000`7469cb71)
00000000`7469cb5e 65488b042530000000 mov   rax,qword ptr gs:[30h]
00000000`7469cb67 4883a09014000000 and    qword ptr [rax+1490h],0
00000000`7469cb6f 32c0            xor     al,al
00000000`7469cb71 4883c428        add     rsp,28h
00000000`7469cb75 c3              ret
00000000`7469cb76 cc              int     3
00000000`7469cb77 cc              int     3
00000000`7469cb78 cc              int     3
00000000`7469cb79 cc              int     3
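The dump above is what a WOW64 crash looks like under a 64-bit WinDbg when the real event is a sanitizer trap: FAULTING_IP is chrome!__sanitizer::CheckFailed+20 executing ud2 (compiler-rt's Trap()), while !exploitable hashes the wow64 exception-dispatch thunk rather than any chrome.exe frame and labels every illegal-instruction exception EXPLOITABLE. Two checks belong in triage before accepting that verdict: confirm that the faulting symbol is not a deliberate abort, and, for a 32-bit target in a 64-bit debugger, switch to the x86 context with !wow64exts.sw (or attach the 32-bit WinDbg) so the stack and hash cover the chrome.exe frames. The following is an added example, not a Chromium or Microsoft tool, that applies the first check to the !analyze/!exploitable text. The first sample is condensed from the output above; the second is a constructed access-violation record with a hypothetical symbol name, included only to show the other branch. The abort-symbol list is illustrative and is my own selection.

```python
"""Triage filter for WinDbg !analyze -v / !exploitable output (added example).

Flags crashes whose faulting symbol is a deliberate abort (sanitizer CHECK
trap, ASan report, out-of-memory handler) so that an "EXPLOITABLE" verdict
derived from STATUS_ILLEGAL_INSTRUCTION is not taken at face value.
"""
import re
from typing import Dict, Optional

# Symbols whose presence at the fault means the runtime trapped on purpose.
# Illustrative list (my selection); extend it for your own runtime.
DELIBERATE_ABORT_SYMBOLS = (
    "__sanitizer::Trap",
    "__sanitizer::CheckFailed",
    "__sanitizer::Die",
    "__asan::",
    "base::debug::BreakDebugger",
    "OnNoMemory",
)

# NTSTATUS codes raised by a trap instruction (ud2 / int 3) on Windows.
STATUS_ILLEGAL_INSTRUCTION = "c000001d"
STATUS_BREAKPOINT = "80000003"

_EXC_CODE = re.compile(r"ExceptionCode:\s*([0-9a-fA-F]{8})")
_EXC_ADDR = re.compile(r"ExceptionAddress:\s*[0-9a-fA-F`]+\s*\(([^)]+)\)")
_FAULT_IP = re.compile(r"FAULTING_IP:\s*(\S+)")
_VERDICT = re.compile(r"Exploitability Classification:\s*(\w+)")
# A WinDbg disassembly line: "00000000`00613fe0 0f0b            ud2"
_DISASM = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)", re.M)


def _first(pattern: "re.Pattern[str]", text: str) -> Optional[str]:
    m = pattern.search(text)
    return m.group(1) if m else None


def triage(windbg_output: str) -> Dict[str, object]:
    """Pull out the fields that matter and decide whether the crash is a deliberate abort."""
    code = _first(_EXC_CODE, windbg_output)
    code = code.lower() if code else None
    exc_symbol = _first(_EXC_ADDR, windbg_output)      # symbol in the EXCEPTION_RECORD
    fault_symbol = _first(_FAULT_IP, windbg_output)    # symbol under FAULTING_IP
    verdict = _first(_VERDICT, windbg_output)          # !exploitable's classification
    mnemonic = _first(_DISASM, windbg_output)          # instruction at the fault

    symbols = [s for s in (exc_symbol, fault_symbol) if s]
    abort_symbol = next(
        (needle for needle in DELIBERATE_ABORT_SYMBOLS for sym in symbols if needle in sym),
        None)
    trap_like = code in (STATUS_ILLEGAL_INSTRUCTION, STATUS_BREAKPOINT) or mnemonic in ("ud2", "int")
    deliberate = abort_symbol is not None and trap_like

    if deliberate:
        assessment = ("deliberate abort via %s: the trap was raised by the runtime, not by "
                      "corrupted control flow; treat the '%s' verdict as a false positive and "
                      "read the CHECK/sanitizer message and the frames above the trap"
                      % (abort_symbol, verdict))
    else:
        assessment = ("no known abort symbol at the fault; keep the '%s' verdict as a lead and "
                      "confirm it by root-causing the faulting access" % verdict)
    return {
        "exception_code": code,
        "exception_symbol": exc_symbol,
        "faulting_symbol": fault_symbol,
        "mnemonic": mnemonic,
        "tool_verdict": verdict,
        "matched_abort_symbol": abort_symbol,
        "deliberate_abort": deliberate,
        "assessment": assessment,
    }


# Condensed from the WinDbg output posted above.
SAMPLE_SANITIZER_TRAP = r"""
FAULTING_IP: 
chrome!__sanitizer::CheckFailed+20 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc @ 75]
00000000`00613fe0 0f0b            ud2

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000613fe0 (chrome!__sanitizer::Trap)
   ExceptionCode: c000001d (Illegal instruction)
  ExceptionFlags: 00000000
NumberParameters: 0

Exploitability Classification: EXPLOITABLE
"""

# Constructed negative case: a write access violation in a hypothetical function.
SAMPLE_WRITE_AV = r"""
FAULTING_IP: 
chrome_child!ExampleHypotheticalFunction+1c
00000000`0f4c1a2c 894108          mov     dword ptr [rcx+8],eax

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 000000000f4c1a2c (chrome_child!ExampleHypotheticalFunction+0x1c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2

Exploitability Classification: EXPLOITABLE
"""

if __name__ == "__main__":
    for name, sample in (("sanitizer trap", SAMPLE_SANITIZER_TRAP), ("write AV", SAMPLE_WRITE_AV)):
        result = triage(sample)
        print("%-15s deliberate_abort=%s  %s" % (name, result["deliberate_abort"], result["assessment"]))
```

The filter only downgrades a verdict when both the symbol and the exception agree that a trap instruction was executed on purpose; a sanitizer symbol with an access-violation code, or an illegal instruction in ordinary code, still comes back as a lead to investigate.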
Aug 28 2017
chrome!__sanitizer::CheckFailed
Aug 28 2017
chrome!__sanitizer::CheckFailed+20 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc @ 75]

kcc@, I wonder if you can route this to the right person. The crash seems to come from the sanitizer. Thank you.
Aug 28 2017
This might just be a case of stack exhaustion due to circular references in the PDF.
Aug 28 2017
I have no one to help on Windows (+rnk@ just in case). The PDF seems to crash un-instrumented chrome on Linux as well, so the problem is unlikely related to the sanitizers (and may indeed be a stack overflow).
Aug 29 2017
This is what a crash (ID: 509812933dfe4c1c) looks like on Linux, BTW:

(chrome -memory_linux.cc:35 ) base::(anonymous namespace)::OnNoMemory()
(chrome + 0x02f55633 ) operator new(unsigned long)
(chrome -new:226 ) std::__1::deque<DependencyNode*, std::__1::allocator<DependencyNode*> >::__add_back_capacity()
(chrome -deque:1824 ) CPDF_StreamContentParser::AddPathObject(int, bool)
(chrome -cpdf_streamcontentparser.cpp:1520 ) CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int)
(chrome -cpdf_contentparser.cpp:182 ) CPDF_ContentParser::Continue(IFX_Pause*)
(chrome -cpdf_pageobjectholder.cpp:37 ) CPDF_PageObjectHolder::ContinueParse(IFX_Pause*)
(chrome -cpdf_streamcontentparser.cpp:774 ) CPDF_StreamContentParser::AddForm(CPDF_Stream*)
(chrome -cpdf_streamcontentparser.cpp:759 ) CPDF_StreamContentParser::Handle_ExecuteXObject()
(chrome -cpdf_streamcontentparser.cpp:1520 ) CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int)
(chrome -cpdf_contentparser.cpp:182 ) CPDF_ContentParser::Continue(IFX_Pause*)
(chrome -cpdf_pageobjectholder.cpp:37 ) CPDF_PageObjectHolder::ContinueParse(IFX_Pause*)
(chrome -cpdf_streamcontentparser.cpp:774 ) CPDF_StreamContentParser::AddForm(CPDF_Stream*)
... 83 more
(chrome -cpdf_contentparser.cpp:182 ) CPDF_ContentParser::Continue(IFX_Pause*)
(chrome -cpdf_pageobjectholder.cpp:37 ) CPDF_PageObjectHolder::ContinueParse(IFX_Pause*)
(chrome -cpdf_streamcontentparser.cpp:774 ) CPDF_StreamContentParser::AddForm(CPDF_Stream*)
(chrome -cpdf_streamcontentparser.cpp:759 ) CPDF_StreamContentParser::Handle_ExecuteXObject()
(chrome -cpdf_streamcontentparser.cpp:1520 ) CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int)
(chrome -cpdf_contentparser.cpp:182 ) CPDF_ContentParser::Continue(IFX_Pause*)
(chrome -cpdf_pageobjectholder.cpp:37 ) CPDF_PageObjectHolder::ContinueParse(IFX_Pause*)
(chrome -cpdf_streamcontentparser.cpp:774 ) CPDF_StreamContentParser::AddForm(CPDF_Stream*)
(chrome -cpdf_streamcontentparser.cpp:759 ) CPDF_StreamContentParser::Handle_ExecuteXObject()
(chrome -cpdf_streamcontentparser.cpp:1520 ) CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int)
(chrome -cpdf_contentparser.cpp:182 ) CPDF_ContentParser::Continue(IFX_Pause*)
(chrome -cpdf_pageobjectholder.cpp:37 ) CPDF_PageObjectHolder::ContinueParse(IFX_Pause*)
(chrome -fpdfview.cpp:698 ) FPDF_LoadPage
Aug 29 2017
rharrison@ can you take a look and see if this is a recursion problem in the parser? Sounds like it repros on linux.
Aug 29 2017

Aug 29 2017

Aug 29 2017
With the recursion limit of 32 levels, the parsing code ends up continuously banging against the limit. I think it makes progress, but with that many levels of recursion, it would work through it very, very slowly. I tried checking that only unique streams get passed into AddForm() in any particular level, but tcpdf/example_062.pdf is a legit example that does that. My other idea to break the recursion is to check in AddForm() that previous levels of recursion did not already parse a given stream.
Aug 30 2017

Aug 30 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 30 2017

Aug 31 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c

commit bc0ca1ec9b157ab8773c9043725c7422f7c1a57c
Author: Ryan Harrison <rharrison@chromium.org>
Date: Thu Aug 31 17:06:29 2017

Prevent duplicate parses of same data, in the same recursive descent

When parsing if there is a loop in the data being parsed, the recursions
will just keep cycling until it exhausts memory and crashes. This CL
introduces a parsed set, which a reference to is passed down the
descent. If the data being parsed at a specific stage of the descent is
already in the parsed set, then the parse returns at that point.

BUG=chromium:759224
Change-Id: I1dca73d81020099dec03fd49aaa44cdcdf38e17e
Reviewed-on: https://pdfium-review.googlesource.com/12470
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_form.cpp
[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_streamcontentparser.cpp
[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_contentparser.h
[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_streamcontentparser.h
[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_contentparser.cpp
[modify] https://crrev.com/bc0ca1ec9b157ab8773c9043725c7422f7c1a57c/core/fpdfapi/page/cpdf_form.h
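As an added illustration (not PDFium code) of the behaviour discussed in the comments above and of the fix in this commit: a toy model of the form-XObject descent. The page's content stream invokes form XObjects with Do; each form is parsed by the same recursive path (Parse -> Handle_ExecuteXObject -> AddForm -> ContinueParse -> Parse), and every path operator encountered on the way appends to the page object list, which is where the Linux stack above shows memory running out. With only the 32-level depth limit mentioned earlier, a cycle of forms that each invoke their child twice costs 2^33 parses; a parsed set carried down the descent cuts the cycle at its first repeat. Assumptions of mine: streams are keyed by name rather than by data pointer, the set entry is dropped on the way back out so that a form legitimately drawn twice by sibling Do operators (the tcpdf/example_062.pdf case from the earlier comment) still parses, and the model counts operators instead of building real page objects. PDFium's own implementation details are not reproduced.

```python
"""Toy model of a recursive form-XObject descent: depth limit alone versus a
parsed set carried down the descent. Added example; not PDFium code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Stream:
    """Constructed stand-in for a PDF content stream.

    ops is the operator sequence: ("path",) stands for any path-construction
    operator that ends in AddPathObject(), ("Do", name) for the Do operator
    that makes Handle_ExecuteXObject() descend into the named form XObject.
    xobjects is the stream's /XObject resource dictionary.
    """
    name: str
    ops: List[Tuple[str, ...]]
    xobjects: Dict[str, "Stream"] = field(default_factory=dict)


def _descend(stream: Stream, depth: int, depth_limit: int,
             on_descent: Optional[Set[str]], stats: Dict[str, int]) -> None:
    if depth > depth_limit:
        stats["limit_hits"] += 1          # the old guard: only the depth cap stops us
        return
    if on_descent is not None:
        # The fix: a stream already being parsed higher up this same descent is
        # not parsed again. The entry is removed on the way out (my choice), so
        # a form used twice by sibling Do operators still parses normally.
        if stream.name in on_descent:
            stats["cycle_hits"] += 1
            return
        on_descent.add(stream.name)
    stats["forms_parsed"] += 1
    for op in stream.ops:
        if op[0] == "path":
            stats["paths_added"] += 1     # memory grows here (the deque in AddPathObject)
        elif op[0] == "Do":
            _descend(stream.xobjects[op[1]], depth + 1, depth_limit, on_descent, stats)
    if on_descent is not None:
        on_descent.discard(stream.name)


def parse(root: Stream, depth_limit: int = 32, use_parsed_set: bool = False) -> Dict[str, int]:
    """Parse a page; returns counters describing how much work was done."""
    stats = {"forms_parsed": 0, "paths_added": 0, "limit_hits": 0, "cycle_hits": 0}
    _descend(root, 0, depth_limit, set() if use_parsed_set else None, stats)
    return stats


def cyclic_document() -> Stream:
    """Constructed input: page -> Fx1 -> Fx2 -> Fx1 ..., each invoking its child twice."""
    page = Stream("page", [("path",), ("Do", "Fx1"), ("Do", "Fx1")])
    fx1 = Stream("Fx1", [("path",), ("Do", "Fx2"), ("Do", "Fx2")])
    fx2 = Stream("Fx2", [("path",), ("Do", "Fx1"), ("Do", "Fx1")])
    page.xobjects["Fx1"] = fx1
    fx1.xobjects["Fx2"] = fx2
    fx2.xobjects["Fx1"] = fx1
    return page


def reuse_document() -> Stream:
    """Constructed input with no cycle: one form drawn twice on the page."""
    logo = Stream("Logo", [("path",)])
    return Stream("page", [("Do", "Logo"), ("Do", "Logo")], {"Logo": logo})


if __name__ == "__main__":
    # Depth limit alone: work doubles with every extra level the limit allows.
    for limit in (8, 10, 12):
        print("depth limit %2d:" % limit, parse(cyclic_document(), limit))
    # Parsed set carried down the descent: the cycle is cut at its first repeat.
    print("parsed set, cycle:", parse(cyclic_document(), 32, use_parsed_set=True))
    print("parsed set, reuse:", parse(reuse_document(), 32, use_parsed_set=True))
```

Two things the numbers show. First, the depth cap bounds stack usage but not work: the cyclic document costs 2^(limit+1) - 1 form parses, so raising or lowering the cap only moves the exponent, which is what the "continuously banging against the limit" comment describes. Second, the parsed set makes the cost proportional to the number of distinct streams on any one descent, but a cycle-free document that fans out through many shared forms can still do work proportional to the number of distinct descent paths, which is one reason a later comment notes there remain many ways to make the parser loop or exhaust resources.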
Aug 31 2017
From what I can tell this isn't a regression, but a long standing issue with how this code operated. I have landed the fix on PDFium's HEAD. Does this need to be merged into any other branches?
Aug 31 2017
There are tons of ways to cause PDFium to infinite loop or have a stack overflow. I wouldn't bother merging.
Aug 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f6e1ef671553e43a24c88669379af61c59b7081d

commit f6e1ef671553e43a24c88669379af61c59b7081d
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Thu Aug 31 21:59:36 2017

Roll src/third_party/pdfium/ af59cf16b..47a90b894 (12 commits)

https://pdfium.googlesource.com/pdfium.git/+log/af59cf16b40b..47a90b894ecc

$ git log af59cf16b..47a90b894 --date=short --no-merges --format='%ad %ae %s'
2017-08-31 dsinclair More BIDI code shuffling
2017-08-31 dsinclair Move bidi code to fx_bidi
2017-08-31 rharrison Properly handle \n, \r, \r\n when inserting text
2017-08-31 thestig Prevent FPDFAvail_IsDocAvail() from infinite looping.
2017-08-31 rharrison Clean up of typing in lexer code
2017-08-31 dsinclair Add component to owners
2017-08-31 dsinclair Remove fx_basic.h
2017-08-31 rharrison Prevent duplicate parses of same data, in the same recursive descent
2017-08-31 thestig Change APIs to use FPDF_BYTESTRING for keys.
2017-08-31 thestig Implement FORM_OnFocus() API.
2017-08-31 hnakashima Fixing CBC_OnedEAN13Writer checksum.
2017-08-30 npm Use vector instead of pointer in CJBig2_Segment

Created with:
  roll-dep src/third_party/pdfium

BUG=759224,754594

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I6efc74f2c62576a1fdc234c62b5bf8c644c0df65
Reviewed-on: https://chromium-review.googlesource.com/646726
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499028}

[modify] https://crrev.com/f6e1ef671553e43a24c88669379af61c59b7081d/DEPS
Sep 1 2017

Sep 6 2017

Sep 11 2017
I'm afraid the VRP Panel declined to reward for this issue, which does appear to be an unexploitable stack overflow.
Sep 11 2017
Hello @awhalley, @elawre.., @thestig, @dominickn, @dsinclair, Google Product Security Team, Good Afternoon. The original report clearly shows WinDbg stating it to be "Exploitable", and this time it is the default WinDbg plugins stating so, and not the "apparently heuristic"(as stated in previous reports) !exploitable plugin. Still, somehow as always it turns out to "stack overflow", God only knows how!!! And as always the issue is diligently fixed BUT no bounty is provided for the issue. This has been happening far too often and isn't in the slightest bit amusing anymore. With that being said, this will most probably be my last PDF related Chrome report via responsible disclosure for quite a while. Good Luck and Godspeed!!! Not Thanking You, Yours Sincerely, Kushal Arvind Shah.
Oct 5 2017
Dear Kushal, I realise this can be frustrating, but I'm afraid that none of the tools are infallible. If you believe we've got it wrong in this case (or any other) we're happy to reconsider if you can provide details on how this could be used in a practical exploit.
Oct 5 2017

Oct 6 2017
Hello Andrew, Good Afternoon. Firstly, thank you for responding, I sincerely appreciate it. I understand Andrew, none of the tools are infallible, but I am not sure how every time the researcher's tools are fallible and not the other way around. Anyways, I will most probably let this one go for now and might revisit it again in 2018. Also I have a question w.r.t the pdf XFA support. I came across several XFA reports overlapping(time wise) wherein some were rewarded and some were not (But all of them were fixed diligently), and the primary reason supplied was XFA support. Could someone confirm once and for all, if pdf with xfa is supported by Chrome or not. Accordingly, I can "responsibly" send in a flurry of security-bug reports for the same. If not, I can let them be. Eagerly awaiting your response. Thanking You, Yours Sincerely, Kushal Arvind Shah. Security Researcher | Fortinet's FortiGuard Labs. PS: It's always a pleasure talking with nice guys like you Andrew, a rarity these days among Chrome Security Team (ref. crbug.com/763213 c#12).
Dec 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot