Security: SIGILL - out of memory cause pdfium crashed
Reported by zhouzhen...@gmail.com, Feb 5 2018
Issue description
VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test with XFA disabled.
VERSION
Operating System: Fedora 27 x86_64
Chrome: asan-linux-stable-63.0.3239.84
REPRODUCTION CASE
~/research/asan-linux-stable-63.0.3239.84/pdfium_test SIGILL-OOM-poc
Rendering PDF file /tmp/SIGILL-OOM-poc.
<--- Last few GCs --->
[20995:0x62a000000200] 26786 ms: Mark-sweep 1276.9 (1328.9) -> 1276.9 (1328.9) MB, 4766.1 / 0.0 ms last resort GC in old space requested
[20995:0x62a000000200] 31439 ms: Mark-sweep 1276.9 (1328.9) -> 1276.9 (1328.9) MB, 4653.5 / 0.0 ms last resort GC in old space requested
<--- JS stacktrace --->
==== JS stack trace =========================================
Security context: 0x7f43c17dc769 <JSObject>
1: gc [0x7f43c1a822e1 <undefined>:~2] [pc=0x7f43c2005470](this=0x7f43c1483bb1 <JSGlobal Object>)
2: /* anonymous */ [0x7f43c1a822e1 <undefined>:11] [bytecode=0x7f43c17ebe01 offset=122](this=0x7f43c1483bb1 <JSGlobal Object>)
==== Details ================================================
[1]: gc [0x7f43c1a822e1 <undefined>:~2] [pc=0x7f43c2005470](this=0x7f43c1483bb1 <JSGlobal Object>) {
/...
#
# Fatal javascript OOM in CALL_AND_RETRY_LAST
#
Received signal 4 ILL_ILLOPN 000002ed5ffc
==== C stack trace ===============================
[0x000000a02fd1]
[0x000002ed848e]
[0x7f43eaccfaf0]
[0x000002ed5ffc]
[0x000000cf864e]
[0x000000cf8511]
[0x000001654525]
[0x0000015afaca]
[0x000001de579a]
[0x7f43c1f0469d]
[end of stack trace]
[1] 20995 illegal hardware instruction ~/research/asan-linux-stable-63.0.3239.84/pdfium_test SIGILL-OOM-poc
Testcase is in the attachment.
Feb 5 2018
dsinclair and tsepez: Can you please verify whether this is intended behavior? Seems like probably, but I leave it to you.
Feb 6 2018
I don't think there is anything we can do here. This file has a field with a JavaScript focus action. That field is focused, unfocused and focused again after 2 seconds.
The focus code for the field does:
    // this is5for MyField 3 <80>ormat
    function gc(){
        arr=[];
        for (var i = 0; i <01005555555555555555555000; i++)
            arr[i] = [];
    }
    this.baseURL+="1";
    if(this.baseURL == "1"){
        this.getField("MyField3").borderStyle = "dashed";
        this.getField("MyField3").setFocus();
        gc();
    }
So, we end up creating a lot of garbage and run out of memory.
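A triage helper for the situation the comment above describes (a form field whose focus action carries JavaScript with an effectively unbounded allocation loop), added here as an example; it is not part of this issue thread, the attached testcase, or pdfium itself. It scans a PDF's objects for field additional-action (/AA) dictionaries with inline /JS literal strings, decodes the script, and flags numeric for-loop bounds above an arbitrary threshold. It assumes direct-object dictionaries and literal-string /JS values (a /JS that references a stream object is skipped), and the sample PDF bytes are constructed for the example, shaped like the loop quoted above.

```python
import re

# Constructed sample: two text fields, one with a focus (/Fo) action whose script
# matches the report's allocation loop, one with a harmless keystroke (/K) action.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /AcroForm << /Fields [3 0 R 4 0 R] >> >>
endobj
3 0 obj
<< /FT /Tx /T (MyField3) /AA << /Fo << /S /JavaScript /JS (function gc(){ arr=[]; for (var i = 0; i < 01005555555555555555555000; i++) arr[i] = []; } gc();) >> >> >>
endobj
4 0 obj
<< /FT /Tx /T (Other) /AA << /K << /S /JavaScript /JS (for (var i = 0; i < 10; i++) app.alert\\(i\\);) >> >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
NAME_RE = re.compile(rb"/T\s*\(")
# Field /AA trigger keys from the PDF spec, followed by an inline JavaScript action.
ACTION_RE = re.compile(rb"/(Fo|Bl|K|F|V|C|E|X|D|U)\s*<<\s*/S\s*/JavaScript\s*/JS\s*\(")
TRIGGERS = {b"Fo": "focus", b"Bl": "blur", b"K": "keystroke", b"F": "format",
            b"V": "validate", b"C": "calculate", b"E": "mouse-enter",
            b"X": "mouse-exit", b"D": "mouse-down", b"U": "mouse-up"}
# Backslash escapes inside PDF literal strings; anything else keeps the escaped byte.
ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}
# A for-loop bound above this many iterations is flagged (arbitrary triage threshold).
LOOP_BOUND_RE = re.compile(r"for\s*\([^;]*;\s*\w+\s*<=?\s*(\d+)")


def read_literal(data, start):
    """Decode the PDF literal string whose opening '(' is at data[start].
    Returns (text, index after the closing ')'). Handles nested balanced
    parentheses and backslash escapes, which is what a script full of calls needs."""
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i]
        if c == 0x5C and i + 1 < len(data):  # backslash escape
            out.append(ESCAPES.get(data[i + 1], data[i + 1]))
            i += 2
            continue
        if c == 0x28:  # '('
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:  # ')'
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
            out.append(c)
        else:
            out.append(c)
        i += 1
    raise ValueError("unterminated literal string")


def find_field_scripts(pdf):
    """Return [(field name, trigger, script)] for every field /AA entry with inline JS."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        nm = NAME_RE.search(body)
        name = read_literal(body, nm.end() - 1)[0] if nm else "<unnamed>"
        for a in ACTION_RE.finditer(body):
            script, _ = read_literal(body, a.end() - 1)
            found.append((name, TRIGGERS[a.group(1)], script))
    return found


def unbounded_loops(script, limit=10_000_000):
    """Numeric for-loop bounds above `limit`. The digits are read as decimal even when
    JavaScript would treat a leading zero as legacy octal; either way the loop is huge."""
    return [int(b) for b in LOOP_BOUND_RE.findall(script) if int(b) > limit]


def triage(pdf):
    """One finding per scripted field action: which field, which trigger, suspicious bounds."""
    return [{"field": name, "trigger": trigger, "suspicious_bounds": unbounded_loops(script)}
            for name, trigger, script in find_field_scripts(pdf)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(finding)
```

Run against a real file with `triage(open(path, "rb").read())`; a focus or blur trigger paired with a flagged bound is the pattern in this report, since focus actions fire without any click from the user. Object streams and compressed form dictionaries would need a real PDF parser in front of this.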
May 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 5 2018