Security: UAF in CPWL_ComboBox::KillFocus
Reported by
manhluat...@gmail.com,
Sep 29 2017
Issue description

VULNERABILITY DETAILS

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_combo_box.cpp?type=cssq=package:chromium&l=175

void CPWL_ComboBox::KillFocus() {
  SetPopup(false);
  CPWL_Wnd::KillFocus();
}

----------------------------------------------------------------------

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/pwl/cpwl_combo_box.cpp?type=cssq%3Dpackage:chromium&l=380

void CPWL_ComboBox::SetPopup(bool bPopup) {
  ...
  if (!bPopup) {
    m_bPopup = bPopup;
    Move(m_rcOldWindow, true, true);   <------ (1)
    return;
  }

When it's trying to kill focus on a combobox, it will invoke |CPWL_ComboBox::KillFocus| instead of |CPWL_Wnd::KillFocus|. At (1), |Move| ends up calling |Form_Invalidate|, which can run a script and then trigger a UAF by destroying the widget's PDF window in the middle of KillFocus processing.

Please see bug 766957, bug 765921 and bug 760455 for more explanation/details.

Please find attached PoC/asan/...

VERSION
Chrome Version: 61.0.3163.100 (Official Build) (64-bit)
Operating System: OS X / Win / Linux

REPRODUCTION CASE
Open the pdf file, click on the scrollbar which has a textbox printing "a".
Oct 4 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/55469aed5acffcce3259d37418ba9e8b8e60d801

commit 55469aed5acffcce3259d37418ba9e8b8e60d801
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Wed Oct 04 16:02:44 2017

Fix UAF in SetVisible().

SetVisible() may be called during Destroy() which may be called during SetVisible().

This fixes the latest in a family of bugs that happen after an instance is freed by code triggered by JS code while it's executing a method. The CL has a lot of protection for many of these points where JS may be executed and potentially destroy objects. The return types of many methods that may execute JS have been changed to bool, indicating whether the instance is still alive after the call.

Bug: chromium:770148
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-on: https://pdfium-review.googlesource.com/15190
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_combo_box.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_wnd.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_scroll_bar.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_list_box.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit_ctrl.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_caret.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit_ctrl.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_combo_box.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_wnd.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_caret.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_edit.cpp
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_list_box.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_scroll_bar.h
[modify] https://crrev.com/55469aed5acffcce3259d37418ba9e8b8e60d801/fpdfsdk/pwl/cpwl_appstream.cpp
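The reentrancy pattern from the report above (KillFocus calls SetPopup(false), which calls Move, which reaches Form_Invalidate, which may run script that destroys the window) and the bool-return convention the commit message describes, as an added example that is not pdfium's code. It assumes a constructed Window type with a liveness registry standing in for ASan, and the names Window, Move, KillFocusUnchecked, KillFocusChecked, Run and g_live are assumptions; the pre-fix path counts the use of a destroyed window instead of executing it.

```cpp
#include <functional>
#include <set>
#include <utility>

// Constructed liveness registry standing in for ASan: a window is live while registered.
// Alive() only compares the pointer value; it never dereferences it.
static std::set<const void*> g_live;
static bool Alive(const void* w) { return g_live.count(w) != 0; }

// Constructed stand-in for a CPWL window; |script| models the JS that Form_Invalidate may run.
struct Window {
  bool popup = true, focused = true;
  std::function<void()> script;
  Window() { g_live.insert(this); }
  ~Window() { g_live.erase(this); }
};

// Models Move() -> Form_Invalidate() -> script. Returns whether |w| survived the call,
// the bool-return convention the fix introduced for methods that may execute JS.
static bool Move(Window* w) {
  std::function<void()> js = std::move(w->script);  // take the callable out: |w| may vanish below
  if (js) js();
  return Alive(w);
}

// Pre-fix shape of CPWL_ComboBox::KillFocus(): SetPopup(false) calls Move(), then the base
// KillFocus() work runs on a possibly freed |w|; the registry turns that into a counted UAF.
static int KillFocusUnchecked(Window* w) {
  w->popup = false;
  Move(w);                   // liveness result ignored
  if (!Alive(w)) return 1;   // real code would touch freed memory here
  w->focused = false;        // CPWL_Wnd::KillFocus() work
  return 0;
}

// Post-fix shape: stop as soon as a step that may run JS reports that |w| is gone.
static int KillFocusChecked(Window* w) {
  w->popup = false;
  if (!Move(w)) return 0;    // destroyed during invalidate: nothing left to do
  w->focused = false;
  return 0;
}

// Drives one KillFocus variant; with |destroy| the script deletes the window mid-call.
static int Run(int (*kill_focus)(Window*), bool destroy) {
  Window* w = new Window;
  if (destroy) w->script = [w] { delete w; };
  int uafs = kill_focus(w);
  if (Alive(w)) delete w;
  return uafs;
}
```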
Oct 11 2017
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Oct 11 2017
Nice one! The VRP panel awarded $5,000 for this. Cheers!
Oct 27 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Oct 27 2017
+awhalley@ (Security TPM) for M63 merge review
Oct 30 2017
govind@ good for 63 if commit in #6 isn't already there.
Oct 30 2017
#6 is already in M63 branch (M63 was branched on Oct 12th).
Jan 11 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by manhluat...@gmail.com, Sep 29 2017
Attachments: 3.7 KB, 4.5 KB, 14.9 KB, 367 KB