Security: heap-use-after-free in ProbeForLowSeverityLifetimeIssue
Reported by zhouzhen...@gmail.com, Jan 30 2018
Issue description
VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test with XFA enabled.
VERSION
Operating System: Fedora 27 x86_64
REPRODUCTION CASE
Get the latest Chromium source code and build pdfium_test with the following args.gn (command: ninja -C out/default pdfium_test):
---------------------
enable_nacl=false
is_debug=false
is_asan=true
pdf_use_skia = false
pdf_use_skia_paths = false
pdf_enable_xfa = true
pdf_enable_v8 = true
pdf_enable_xfa_bmp = true
pdf_enable_xfa_gif = true
pdf_enable_xfa_png = true
pdf_enable_xfa_tiff = true
symbol_level=2
----------------------
./pdfium_test /tmp/pdf_crashes/use-after-free-poc
Rendering PDF file /tmp/pdf_crashes/use-after-free-poc.
=================================================================
==23580==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000039260 at pc 0x000003228bf9 bp 0x7fffb2aadb20 sp 0x7fffb2aadb18
READ of size 1 at 0x606000039260 thread T0
#0 0x3228bf8 in ProbeForLowSeverityLifetimeIssue third_party/pdfium/core/fxcrt/unowned_ptr.h:100:7
#1 0x3228bf8 in ~UnownedPtr third_party/pdfium/core/fxcrt/unowned_ptr.h:52
#2 0x3228bf8 in CJX_Object::~CJX_Object() third_party/pdfium/fxjs/xfa/cjx_object.cpp:129
#3 0x367168d in ~CJX_PageSet third_party/pdfium/fxjs/xfa/cjx_pageset.cpp:13:27
#4 0x367168d in CJX_PageSet::~CJX_PageSet() third_party/pdfium/fxjs/xfa/cjx_pageset.cpp:13
#5 0x366bc9e in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
#6 0x366bc9e in reset buildtools/third_party/libc++/trunk/include/memory:2599
#7 0x366bc9e in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
#8 0x366bc9e in CXFA_Object::~CXFA_Object() third_party/pdfium/xfa/fxfa/parser/cxfa_object.cpp:33
#9 0x36715dd in ~CXFA_PageSet third_party/pdfium/xfa/fxfa/parser/cxfa_pageset.cpp:44:32
#10 0x36715dd in CXFA_PageSet::~CXFA_PageSet() third_party/pdfium/xfa/fxfa/parser/cxfa_pageset.cpp:44
#11 0x360b85c in CXFA_Node::~CXFA_Node() third_party/pdfium/xfa/fxfa/parser/cxfa_node.cpp:545:5
#12 0x36929ad in ~CXFA_Subform third_party/pdfium/xfa/fxfa/parser/cxfa_subform.cpp:77:32
#13 0x36929ad in CXFA_Subform::~CXFA_Subform() third_party/pdfium/xfa/fxfa/parser/cxfa_subform.cpp:77
#14 0x360b85c in CXFA_Node::~CXFA_Node() third_party/pdfium/xfa/fxfa/parser/cxfa_node.cpp:545:5
#15 0x3695bfd in ~CXFA_Template third_party/pdfium/xfa/fxfa/parser/cxfa_template.cpp:42:34
#16 0x3695bfd in CXFA_Template::~CXFA_Template() third_party/pdfium/xfa/fxfa/parser/cxfa_template.cpp:42
#17 0x360b85c in CXFA_Node::~CXFA_Node() third_party/pdfium/xfa/fxfa/parser/cxfa_node.cpp:545:5
#18 0x36a174d in ~CXFA_Xfa third_party/pdfium/xfa/fxfa/parser/cxfa_xfa.cpp:34:24
#19 0x36a174d in CXFA_Xfa::~CXFA_Xfa() third_party/pdfium/xfa/fxfa/parser/cxfa_xfa.cpp:34
#20 0x35a1ceb in CXFA_Document::~CXFA_Document() third_party/pdfium/xfa/fxfa/parser/cxfa_document.cpp:102:3
#21 0x35b37bd in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
#22 0x35b37bd in reset buildtools/third_party/libc++/trunk/include/memory:2599
#23 0x35b37bd in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
#24 0x35b37bd in CXFA_DocumentParser::~CXFA_DocumentParser() third_party/pdfium/xfa/fxfa/parser/cxfa_document_parser.cpp:18
#25 0x3225bc7 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
#26 0x3225bc7 in reset buildtools/third_party/libc++/trunk/include/memory:2599
#27 0x3225bc7 in CXFA_FFDoc::CloseDoc() third_party/pdfium/xfa/fxfa/cxfa_ffdoc.cpp:332
#28 0x31d009d in CloseXFADoc third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67:14
#29 0x31d009d in CPDFXFA_Context::LoadXFADoc() third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:116
#30 0x270393d in FPDF_LoadXFA third_party/pdfium/fpdfsdk/fpdfview.cpp:599:63
#31 0xbd7725 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:1435:10
#32 0xbd4ec8 in main third_party/pdfium/samples/pdfium_test.cc:1630:5
#33 0x7fb04acd2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
0x606000039260 is located 0 bytes inside of 56-byte region [0x606000039260,0x606000039298)
freed by thread T0 here:
#0 0xbcf522 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
#1 0x35b7f10 in CXFA_LayoutPageMgr::~CXFA_LayoutPageMgr() third_party/pdfium/xfa/fxfa/parser/cxfa_layoutpagemgr.cpp:283:5
#2 0x35e58ac in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
#3 0x35e58ac in reset buildtools/third_party/libc++/trunk/include/memory:2599
#4 0x35e58ac in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
#5 0x35e58ac in CXFA_LayoutProcessor::~CXFA_LayoutProcessor() third_party/pdfium/xfa/fxfa/parser/cxfa_layoutprocessor.cpp:26
#6 0x35a2508 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
#7 0x35a2508 in reset buildtools/third_party/libc++/trunk/include/memory:2599
#8 0x35a2508 in CXFA_Document::ClearLayoutData() third_party/pdfium/xfa/fxfa/parser/cxfa_document.cpp:120
#9 0x3225ba3 in CXFA_FFDoc::CloseDoc() third_party/pdfium/xfa/fxfa/cxfa_ffdoc.cpp:330:10
#10 0x31d009d in CloseXFADoc third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67:14
#11 0x31d009d in CPDFXFA_Context::LoadXFADoc() third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:116
#12 0x270393d in FPDF_LoadXFA third_party/pdfium/fpdfsdk/fpdfview.cpp:599:63
#13 0xbd7725 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:1435:10
#14 0xbd4ec8 in main third_party/pdfium/samples/pdfium_test.cc:1630:5
#15 0x7fb04acd2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
previously allocated by thread T0 here:
#0 0xbce942 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
#1 0x35b8d0d in CXFA_LayoutPageMgr::InitLayoutPage(CXFA_Node*) third_party/pdfium/xfa/fxfa/parser/cxfa_layoutpagemgr.cpp:305:9
#2 0x35e5b11 in CXFA_LayoutProcessor::StartLayout(bool) third_party/pdfium/xfa/fxfa/parser/cxfa_layoutprocessor.cpp:50:26
#3 0x32c7f4b in CXFA_FFDocView::StartLayout() third_party/pdfium/xfa/fxfa/cxfa_ffdocview.cpp:74:38
#4 0x31cffe3 in CPDFXFA_Context::LoadXFADoc() third_party/pdfium/fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:115:22
#5 0x270393d in FPDF_LoadXFA third_party/pdfium/fpdfsdk/fpdfview.cpp:599:63
#6 0xbd7725 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:1435:10
#7 0xbd4ec8 in main third_party/pdfium/samples/pdfium_test.cc:1630:5
#8 0x7fb04acd2009 in __libc_start_main (/lib64/libc.so.6+0x21009)
SUMMARY: AddressSanitizer: heap-use-after-free third_party/pdfium/core/fxcrt/unowned_ptr.h:100:7 in ProbeForLowSeverityLifetimeIssue
Shadow bytes around the buggy address:
0x0c0c7ffff1f0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7ffff200: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7ffff210: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7ffff220: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 04
0x0c0c7ffff230: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
=>0x0c0c7ffff240: fd fd fd fd fd fd fd fa fa fa fa fa[fd]fd fd fd
0x0c0c7ffff250: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7ffff260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7ffff270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7ffff280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7ffff290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23580==ABORTING
Jan 30 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4592690201886720.
Jan 30 2018
Does the issue only affect head?
Jan 30 2018
This would only get triggered in sanitizer builds as the Probe only happens for the sanitizers.
Jan 30 2018
As per the name, Severity Low.
Feb 14 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f

commit c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Wed Feb 14 21:12:42 2018

Fix lifetime probe issue in CJX_Object

This CL removes the UnownedPtr to the CXFA_LayoutItem from CJX_Object. This is because the CJX_Object will be destroyed by the CXFA_Node which is destroyed in the CXFA_Document destructor (due to the vector of unique_ptr being destroyed). The CXFA_LayoutItem will be freed in the LayoutProcessor which also lives in the CXFA_Document.

Bug: chromium:807215
Change-Id: I86040e154ee2e5d461fc4d3565a10a9181680207
Reviewed-on: https://pdfium-review.googlesource.com/26851
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f/fxjs/xfa/cjx_object.h
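The destruction order described in the comment above and in the commit message (layout data freed in CloseDoc before the document's nodes are destroyed, so a non-owning back pointer is dangling when its destructor runs) is modelled below as an added example; it is not pdfium's code. The names LayoutItem, LayoutProcessor, NodeBeforeFix, NodeAfterFix, Document and CloseDoc are hypothetical stand-ins for the classes in the trace, and the probe consults a constructed live-object registry instead of touching the freed memory, so the program stays well-defined without AddressSanitizer while still showing why the probe fires before the fix and stays quiet after it.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Constructed stand-in for ASan's shadow memory: every Tracked object
// registers itself while alive. pdfium's real probe dereferences the
// pointee so ASan flags a freed region; this version looks the address
// up instead, which keeps the example well-defined in a plain build.
struct Tracked;
static std::set<const Tracked*>& LiveObjects() {
  static std::set<const Tracked*> live;
  return live;
}
static int g_lifetime_probe_failures = 0;

struct Tracked {
  Tracked() { LiveObjects().insert(this); }
  Tracked(const Tracked&) = delete;
  Tracked& operator=(const Tracked&) = delete;
  virtual ~Tracked() { LiveObjects().erase(this); }
};

// Minimal non-owning pointer. Like pdfium's UnownedPtr it probes its
// pointee on destruction; pdfium compiles that probe only into sanitizer
// builds, which is why the issue never surfaces in a release build.
template <typename T>
class UnownedPtr {
 public:
  UnownedPtr() = default;
  ~UnownedPtr() { ProbeForLowSeverityLifetimeIssue(); }
  void Reset(T* p) { ptr_ = p; }
  T* Get() const { return ptr_; }

 private:
  void ProbeForLowSeverityLifetimeIssue() const {
    if (ptr_ && LiveObjects().count(ptr_) == 0) ++g_lifetime_probe_failures;
  }
  T* ptr_ = nullptr;
};

struct LayoutItem : Tracked {};

// Owns the layout items, as the layout processor / page manager do.
struct LayoutProcessor : Tracked {
  std::vector<std::unique_ptr<LayoutItem>> items;
  LayoutItem* NewItem() {
    items.push_back(std::make_unique<LayoutItem>());
    return items.back().get();
  }
};

// Before the fix: the node's script object keeps a non-owning pointer to a
// layout item that a different owner frees first.
struct NodeBeforeFix : Tracked {
  UnownedPtr<LayoutItem> layout_item;
};

// After the fix, as the CL describes it: no back pointer at all.
struct NodeAfterFix : Tracked {};

// Owns both the nodes and the layout processor, like the document object.
template <typename NodeT>
struct Document {
  std::vector<std::unique_ptr<NodeT>> nodes;
  std::unique_ptr<LayoutProcessor> layout = std::make_unique<LayoutProcessor>();
  void ClearLayoutData() { layout.reset(); }
};

// Mirrors the close sequence in the trace: layout data is cleared first,
// then the document and every node it owns are destroyed. Returns how many
// lifetime probes fired during the close.
template <typename NodeT>
int CloseDoc(std::unique_ptr<Document<NodeT>> doc) {
  g_lifetime_probe_failures = 0;
  doc->ClearLayoutData();  // frees the layout items
  doc.reset();             // destroys the nodes; their UnownedPtrs probe now
  return g_lifetime_probe_failures;
}

int ProbeFailuresBeforeFix() {
  auto doc = std::make_unique<Document<NodeBeforeFix>>();
  auto node = std::make_unique<NodeBeforeFix>();
  node->layout_item.Reset(doc->layout->NewItem());
  doc->nodes.push_back(std::move(node));
  return CloseDoc(std::move(doc));  // 1: the pointee was already freed
}

int ProbeFailuresAfterFix() {
  auto doc = std::make_unique<Document<NodeAfterFix>>();
  doc->nodes.push_back(std::make_unique<NodeAfterFix>());
  doc->layout->NewItem();
  return CloseDoc(std::move(doc));  // 0: nothing left to dangle
}

int main() {
  std::printf("probe failures before fix: %d\n", ProbeFailuresBeforeFix());
  std::printf("probe failures after fix:  %d\n", ProbeFailuresAfterFix());
  return 0;
}
```

The registry is only a teaching device: unlike ASan's quarantine it cannot tell a freed address from a reused one, so a real detector should be the sanitizer itself. The point the example makes is the one in the commit message: with two independent owners inside the same document, a non-owning back pointer is only safe if its holder is guaranteed to die first, and removing the pointer is the simplest way to make that guarantee unnecessary.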
Feb 15 2018
ClusterFuzz testcase 5363653640716288 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 12
Hi zhouzhenster@, ProbeForLowSeverityLifetimeIssue alerts that there is a potential object lifecycle issue, but not that it can actually be reached. We'd consider rewarding if it could be demonstrated to be exploitable, but I'm afraid the panel declined to reward.
Comment 1 by elawrence@chromium.org, Jan 30 2018