Security: UAF in CPWL_Caret::SetCaret
Reported by manhluat...@gmail.com, Sep 16 2017
Issue description

This bug affects stable Chrome with XFA disabled. https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_caret.cpp?sq=package:chromium&l=86

```cpp
void CPWL_Caret::SetCaret(bool bVisible,
                          const CFX_PointF& ptHead,
                          const CFX_PointF& ptFoot) {
  if (bVisible) {
    if (IsVisible()) {
      // Already visible: only move the caret if its position changed.
      if (m_ptHead != ptHead || m_ptFoot != ptFoot) {
        m_ptHead = ptHead;
        m_ptFoot = ptFoot;
        m_bFlash = true;
        Move(m_rcInvalid, false, true);
      }
    } else {
      m_ptHead = ptHead;
      m_ptFoot = ptFoot;
      EndTimer();
      BeginTimer(PWL_CARET_FLASHINTERVAL);
      CPWL_Wnd::SetVisible(true);  // <---------- (1)
      m_bFlash = true;             // |this| may already have been destroyed by (1)
      Move(m_rcInvalid, false, true);
    }
  } else {
    m_ptHead = CFX_PointF();
    m_ptFoot = CFX_PointF();
    m_bFlash = false;
    if (IsVisible()) {
      EndTimer();
      CPWL_Wnd::SetVisible(false);
    }
  }
}
```

At (1), |SetEditCaret| calls |SetCaret| -> ... which ends up at |Invalidate|, which invokes |Form_Invalidate|, which may call |GetPage| -> |LoadFXAnnots|. Then we can destroy the PDF window |this| (CPWL_Edit) in the middle of this function -> UAF occurs. It's kinda complex to trigger, but I managed to do that.
Sep 16 2017
Heyy, good news: I've managed to make a PoC without user interaction. I probably can take control of registers, but let me get my Linux build back on Monday. Cheers.
Sep 17 2017
Sep 18 2017
You can see that |rdx| is overwritten by an arbitrary value, so it's definitely possible to take over RIP as well, since it is executing |call QWORD PTR [rdx+0x28]|.
Sep 18 2017
Sep 19 2017
Sep 19 2017
Sep 19 2017
Sep 19 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/6f960347f8474a202d8dd99063bf8ce584896baf

commit 6f960347f8474a202d8dd99063bf8ce584896baf
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Tue Sep 19 17:57:30 2017

Setting focus on a widget may destroy the widget

When a widget has focus set, this can trigger an Invalidation call which can trigger a page and annotation reload. This reload can destroy the current widget we're handling. This CL adds ObservedPtrs as needed so we can make sure the widgets are still alive after we've done the Invalidation.

Bug: chromium:765921
Change-Id: I51cd24aa1ebd96abe9478efef5130a4e568dac1a
Reviewed-on: https://pdfium-review.googlesource.com/14290
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_caret.cpp
[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_wnd.cpp
[modify] https://crrev.com/6f960347f8474a202d8dd99063bf8ce584896baf/fpdfsdk/pwl/cpwl_edit.cpp
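The report's call chain (SetVisible -> Invalidate -> page/annotation reload destroying |this|) and the fix's ObservedPtr approach, shown as an added stand-alone example; this is not pdfium's code. It assumes a simplified Observable/ObservedPtr pair and a hypothetical Widget whose owning slot may be reset during invalidation, standing in for LoadFXAnnots.

```cpp
#include <memory>
#include <set>
// Added example, not pdfium code: a minimal Observable/ObservedPtr pair in the
// spirit of the fix, so a method can tell whether |this| survived a callback.
class Observable {
 public:
  struct Observer { virtual ~Observer() = default; virtual void OnObservableDestroyed() = 0; };
  virtual ~Observable() { for (Observer* o : observers_) o->OnObservableDestroyed(); }
  void AddObserver(Observer* o) { observers_.insert(o); }
  void RemoveObserver(Observer* o) { observers_.erase(o); }
 private:
  std::set<Observer*> observers_;
};
template <class T>
class ObservedPtr final : public Observable::Observer {
 public:
  explicit ObservedPtr(T* p) : p_(p) { if (p_) p_->AddObserver(this); }
  ~ObservedPtr() override { if (p_) p_->RemoveObserver(this); }
  void OnObservableDestroyed() override { p_ = nullptr; }  // owner is gone
  explicit operator bool() const { return p_ != nullptr; }
 private:
  T* p_;
};
// Hypothetical widget: |owner| is the slot owning it; an invalidation may
// reset that slot, as the page/annotation reload does in the report.
class Widget : public Observable {
 public:
  Widget(std::unique_ptr<Widget>* owner, bool reload) : owner_(owner), reload_(reload) {}
  bool flash = false;
  void Invalidate() { if (reload_) owner_->reset(); }  // may delete |this|
  // Hardened form of the SetVisible(true) step in SetCaret: invalidate, then
  // re-check liveness before touching any member.
  bool SetVisibleAndFlash() {
    ObservedPtr<Widget> self(this);
    Invalidate();
    if (!self) return false;  // destroyed mid-call: stop, no use-after-free
    flash = true;
    return true;
  }
 private:
  std::unique_ptr<Widget>* owner_; bool reload_;
};
// Scenario from the report: invalidation destroys the widget mid-call.
bool ScenarioDestroyedDuringInvalidate() {
  std::unique_ptr<Widget> slot = std::make_unique<Widget>(&slot, /*reload=*/true);
  return !slot->SetVisibleAndFlash() && !slot;
}
bool ScenarioSurvives() {
  std::unique_ptr<Widget> slot = std::make_unique<Widget>(&slot, /*reload=*/false);
  return slot->SetVisibleAndFlash() && slot->flash;
}
```

Run it under AddressSanitizer: without the `if (!self)` check, the first scenario writes `flash` into freed memory, which is exactly the pattern the report describes.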
Sep 19 2017
Sep 20 2017
Sep 27 2017
Oct 6 2017
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Oct 6 2017
Congrats! The VRP panel decided to award $5,000 for this report. Thank you!
Oct 6 2017
Dec 4 2017
Dec 4 2017
Dec 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Jul 28
Oct 5
Comment 1 by elawrence@chromium.org, Sep 16 2017