Security: Chrome PDF Memory Corruption Vulnerability [ubsan build]
Reported by kushal89...@gmail.com, Sep 9 2017
Issue description

VULNERABILITY DETAILS
Memory Corruption Vulnerability triggered in Chrome. PoC has been tested on the latest Chrome Linux "ubsan" build, namely build 500649 as of Sept 08 5:05PM PST. Build links have been shared in Step 1 of the "Reproduction Case" section.

VERSION
The latest "UBSAN" builds of Chrome, namely ubsan build 500649.
Operating System: Ubuntu.

REPRODUCTION CASE
1) Download Linux chrome "ubsan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-ubsan/o/linux-release-vptr%2Fubsan-vptr-linux-release-500649.zip?generation=1504909312425784&alt=media
2) Unzip the downloaded "ubsan" builds.
3) Change directory to chrome binary location.
4) Run the chrome binary against the PoC.pdf testcase file using the --no-sandbox and --allow-file-access-from-files flags.
5) Check the crash details in the terminal window.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

pdfium_test SegFault Crash: -
root@kush:~/Desktop# /root/Desktop/ubsan-vptr-linux-release-500649/pdfium_test /root/Desktop/ubsan_pdf_crash.pdf
Rendering PDF file /root/Desktop/ubsan_pdf_crash.pdf.
Received signal 6
==== C stack trace ===============================
[0x000001ce273e]
[0x7f35ccc370c0]
[0x7f35cb829fcf]
[0x7f35cb82b3fa]
[0x00000144b4b9]
[0x00000145400d]
[0x00000166a1ac]
[0x00000166922a]
[0x00000166a893]
[0x0000016542da]
[0x000001628771]
[0x00000163a05c]
[0x0000016252fb]
[0x00000174c958]
[0x0000013d500e]
[0x0000013e1652]
[0x0000013e18ce]
[0x00000043dbed]
[0x7f35cb8172b1]
[0x000000421552]
[end of stack trace]
Aborted

Chrome Binary Output: -
root@kush:~/Desktop# /root/Desktop/ubsan-vptr-linux-release-500649/chrome --no-sandbox --allow-file-access-from-files /root/Desktop/ubsan_pdf_crash.pdf
Received signal 6
#0 0x555d815a6b7d base::debug::StackTrace::StackTrace()
#1 0x555d815a6573 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f86d1b680c0 <unknown>
#3 0x7f86cab82fcf gsignal
#4 0x7f86cab843fa abort
#5 0x555d8a44a23d CFX_BinaryBuf::ExpandBuf()
#6 0x555d8a556e8c CPDF_SyntaxParser::ReadStream()
#7 0x555d8a555f0a CPDF_SyntaxParser::GetObjectInternal()
#8 0x555d8a557573 CPDF_SyntaxParser::GetIndirectObject()
#9 0x555d8a53e96a CPDF_Parser::ParseIndirectObject()
#10 0x555d8a510a11 CPDF_Document::ParseIndirectObject()
#11 0x555d8a5257ec CPDF_IndirectObjectHolder::GetOrParseIndirectObject()
#12 0x555d8a50cfbb CPDF_Dictionary::GetStreamFor()
#13 0x555d8a637fa8 CPDF_Metadata::CPDF_Metadata()
#14 0x555d8a3e031e CheckUnSupportError()
#15 0x555d8a403a32 (anonymous namespace)::LoadDocumentImpl()
#16 0x555d8a403fee FPDF_LoadCustomDocument
#17 0x555d8a3979c2 chrome_pdf::PDFiumEngine::TryLoadingDoc()
#18 0x555d8a379393 chrome_pdf::PDFiumEngine::LoadDocument()
#19 0x555d8a3aedbb pp::CompletionCallbackFactory<>::CallbackData<>::Thunk()
#20 0x555d84520bfe ppapi::TrackedCallback::Run()
#21 0x555d8988dc70 ppapi::proxy::URLLoaderResource::OnReplyReceived()
#22 0x555d897c1cb8 ppapi::proxy::PluginMessageFilter::DispatchResourceReply()
#23 0x555d815a7ef2 base::debug::TaskAnnotator::RunTask()
#24 0x555d815e6e85 base::MessageLoop::RunTask()
#25 0x555d815e78bc base::MessageLoop::DeferOrRunPendingTask()
#26 0x555d815e8318 base::MessageLoop::DoWork()
#27 0x555d815ebce6 base::MessagePumpDefault::Run()
#28 0x555d8164ede6 base::RunLoop::Run()
#29 0x555d80a49e3c content::PpapiPluginMain()
#30 0x555d80c900f3 content::RunZygote()
#31 0x555d80c93864 content::ContentMainRunnerImpl::Run()
#32 0x555d80caa24d service_manager::Main()
#33 0x555d80c8fb6d content::ContentMain()
#34 0x555d7cfe0844 ChromeMain
#35 0x7f86cab702b1 __libc_start_main
#36 0x555d7cfc705b <unknown>
  r8: 0000000000000000  r9: 00007ffc356b0400 r10: 0000000000000008 r11: 0000000000000246
 r12: 0000555d9660b630 r13: 000014e0f8b00580 r14: 00007ffc356b06b0 r15: 0000000000000000
  di: 0000000000000002  si: 00007ffc356b0400  bp: 00007ffc356b0640  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007f86cab82fcf  sp: 00007ffc356b0478
  ip: 00007f86cab82fcf efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Sep 9 2017
Hello @elawre.., Google Product Security Team, Good Morning.

I would like to confirm that the crash is consistently reproducible in the latest Chrome Canary build (Version 63.0.3211.0 (Official Build) canary (64-bit)) available at https://www.google.com/chrome/browser/canary.html

Thanks,
~Kushal.
Sep 11 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5988060658663424.
Sep 11 2017
CFX_BinaryBuf::EstimateSize() is receiving a negative size. Before https://pdfium-review.googlesource.com/11830, EstimateSize() runs: if (m_AllocSize < size) and does nothing when the comparison is: 0 < -15. When |size| gets interpreted as unsigned, |size| becomes a very large number, and ExpandBuf() then tries to allocate a lot of memory, and OOM occurs.
Sep 12 2017
BTW, this looks similar to bug 695265 , which presumably happened without a signed/unsigned integer conversion.
Sep 12 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/5b2092a1ec59077b430bd2cab91554cad2eb5128

commit 5b2092a1ec59077b430bd2cab91554cad2eb5128
Author: Ryan Harrison <rharrison@chromium.org>
Date: Tue Sep 12 20:17:27 2017

Don't attempt to decrypt AES streams that are too short

When reading a stream, if it is encrypted using an AES cipher it must be at least 16 bytes long aka 128 bits, otherwise it is malformed.

BUG= chromium:763585
Change-Id: Ied7c36978f1eb24aeda93a184527b6d6a191e5c3
Reviewed-on: https://pdfium-review.googlesource.com/13751
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/5b2092a1ec59077b430bd2cab91554cad2eb5128/core/fpdfapi/parser/cpdf_crypto_handler.h
[modify] https://crrev.com/5b2092a1ec59077b430bd2cab91554cad2eb5128/core/fpdfapi/parser/cpdf_crypto_handler.cpp
[modify] https://crrev.com/5b2092a1ec59077b430bd2cab91554cad2eb5128/core/fpdfapi/parser/cpdf_syntax_parser.cpp
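The two technical points in this thread, the analysis that a negative size slips past a signed comparison and is then treated as unsigned by the growth routine, and the fix above that refuses AES streams shorter than one 16-byte block, are easier to see side by side in code. The following C++ program is a constructed illustration added here; it is not PDFium's code, and the ToyBinaryBuf class, the PayloadLengthUnchecked/PayloadLengthChecked and DecodeUnchecked/DecodeChecked functions, the 64 MiB toy allocation ceiling and the sample streams are all assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed illustration, not PDFium's code. It models the chain described in
// this thread: an AES-encrypted stream shorter than one block yields a negative
// payload length, a signed size check lets it through, and the unsigned growth
// routine is then asked for a buffer near SIZE_MAX, which is the OOM abort.

constexpr std::size_t kAesBlockSize = 16;  // AES block (and CBC IV) size in bytes
// Assumed ceiling for the toy allocator; stands in for "the process ran out of memory".
constexpr std::size_t kToyAllocLimit = static_cast<std::size_t>(64) << 20;

enum class Outcome { kOk, kMalformed, kOutOfMemory };

// Minimal growable buffer with the signed/unsigned seam that makes the bug possible.
struct ToyBinaryBuf {
  std::size_t alloc_size = 0;    // bytes currently reserved
  std::size_t last_request = 0;  // last byte count handed to ExpandBuf (for inspection)

  // Growth routine: takes an unsigned byte count like a real allocator would.
  // Returns false when the request cannot be satisfied.
  bool ExpandBuf(std::size_t add) {
    last_request = add;
    if (add > kToyAllocLimit - alloc_size) return false;
    alloc_size += add;
    return true;
  }

  // Pre-fix style estimate: a signed comparison, so a negative |size| counts as
  // "already fits" (0 < -15 is false) and nothing is grown here...
  void EstimateSize(int size) {
    if (static_cast<int>(alloc_size) < size) ExpandBuf(static_cast<std::size_t>(size));
  }

  // ...but the append step converts the same negative |size| to size_t, which
  // wraps to a value near SIZE_MAX, and that is what ExpandBuf is asked for.
  bool AppendBlock(int size) {
    EstimateSize(size);
    return ExpandBuf(static_cast<std::size_t>(size));
  }
};

// Pre-fix: ciphertext length derived with signed arithmetic and no minimum-length
// check. For a 1-byte stream this is 1 - 16 = -15.
int PayloadLengthUnchecked(const std::vector<std::uint8_t>& stream) {
  return static_cast<int>(stream.size()) - static_cast<int>(kAesBlockSize);
}

// Post-fix: a stream that cannot even hold the IV is rejected before any
// arithmetic, and the subtraction is done in size_t where it can no longer wrap.
bool PayloadLengthChecked(const std::vector<std::uint8_t>& stream, std::size_t* out) {
  if (stream.size() < kAesBlockSize) return false;  // malformed: shorter than one block
  *out = stream.size() - kAesBlockSize;
  return true;
}

// Vulnerable path, end to end: the negative length reaches the buffer.
Outcome DecodeUnchecked(const std::vector<std::uint8_t>& stream, ToyBinaryBuf& buf) {
  int len = PayloadLengthUnchecked(stream);
  return buf.AppendBlock(len) ? Outcome::kOk : Outcome::kOutOfMemory;
}

// Hardened path: malformed streams never reach the allocator at all.
Outcome DecodeChecked(const std::vector<std::uint8_t>& stream, ToyBinaryBuf& buf) {
  std::size_t len = 0;
  if (!PayloadLengthChecked(stream, &len)) return Outcome::kMalformed;
  return buf.ExpandBuf(len) ? Outcome::kOk : Outcome::kOutOfMemory;
}

int main() {
  // Constructed inputs: a 1-byte "encrypted" stream (the malformed case) and a
  // well-formed 48-byte one (16-byte IV plus two ciphertext blocks).
  std::vector<std::uint8_t> tiny(1, 0x41);
  std::vector<std::uint8_t> good(48, 0x00);

  ToyBinaryBuf before;
  std::printf("unchecked length for 1-byte stream: %d\n", PayloadLengthUnchecked(tiny));
  std::printf("unchecked decode: %s, allocator asked for %zu bytes\n",
              DecodeUnchecked(tiny, before) == Outcome::kOutOfMemory ? "OOM" : "ok",
              before.last_request);

  ToyBinaryBuf after;
  std::printf("checked decode of 1-byte stream: %s, allocator asked for %zu bytes\n",
              DecodeChecked(tiny, after) == Outcome::kMalformed ? "rejected" : "accepted",
              after.last_request);
  std::printf("checked decode of 48-byte stream: %s, reserved %zu bytes\n",
              DecodeChecked(good, after) == Outcome::kOk ? "ok" : "failed", after.alloc_size);
  return 0;
}
```

The point the toy makes is that the minimum-length check has to come before any length arithmetic and the arithmetic has to be done in the unsigned type the allocator actually consumes; a comparison in the signed type cannot catch a value that only becomes enormous at the later conversion. For a parser that handles untrusted input, a reproducible abort in the allocator is the symptom to look for, and the fix is the early rejection, not a larger allocation limit.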
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6550b0a9b59558fd2a2190cf7950e3ab897905d8

commit 6550b0a9b59558fd2a2190cf7950e3ab897905d8
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Sep 12 22:46:07 2017

Roll src/third_party/pdfium/ 8ac74971a..5b2092a1e (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/8ac74971a335..5b2092a1ec59

$ git log 8ac74971a..5b2092a1e --date=short --no-merges --format='%ad %ae %s'
2017-09-12 rharrison Don't attempt to decrypt AES streams that are too short

Created with:
  roll-dep src/third_party/pdfium

BUG= 763585

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: Idbe0456179d244337dba103a3b55254b920a1b33
Reviewed-on: https://chromium-review.googlesource.com/663943
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501432}

[modify] https://crrev.com/6550b0a9b59558fd2a2190cf7950e3ab897905d8/DEPS
Sep 13 2017
ClusterFuzz testcase 5272205037666304 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 30 2017
Any CVE-ID and/or bounty for this one?? Thanks, ~ Kushal.
Nov 9 2017
Hello Andrew, Good Evening. It's been a short while since this one went up to the panel, could you share an update if any? Thanks, ~Kushal.
Nov 9 2017
Humm - this never got a severity label assigned so didn't go up for consideration. Adding manually and will change our queries to find any others that might have been missed. Sorry about that!
Nov 16 2017
Hello Andrew, Good Morning. It's been a short while since this one re-visited the reward panel, could you share an update if any? Thanks, ~ Kushal.
Nov 16 2017
Hi Kushal! I'm terribly sorry to say that the VRP panel looked at this and concluded that it's an unexploitable out-of-memory bug, so not eligible for a reward :-( Cheers, Andrew
Nov 17 2017
Hello Andrew, Good Evening. This report is similar to crbug.com/446032 which was initially considered OOM but was eventually rewarded. Could you bring this point to the Reward Panel? Thanks, ~ Kushal.
Dec 1 2017
Hi Kushal. We took another look at this and agree that this issue isn't exploitable. Sorry!
Jan 4 2018
Hello Andrew, No worries, and thanks for the effort, I seriously appreciate it. Thanks, ~ Kushal.
Comment 1 by elawrence@chromium.org, Sep 9 2017