Issue 831464

Issue metadata

Status: Duplicate
Merged: issue 835636
Owner:
Closed: May 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: ----
Type: Bug-Security

Blocking:
issue 62400




Security: PDFium heap-use-after-free in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue

Reported by zhouat2...@gmail.com, Apr 11 2018

Issue description

VULNERABILITY DETAILS

ASAN log; I'll post the details later.


pdfium_test ./testcase-000385_uaf


Rendering PDF file ./testcase-000385_uaf.
Rendered 1 pages.
=================================================================
==839==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000d140 at pc 0x0000020a0d82 bp 0x7ffde2a2bb20 sp 0x7ffde2a2bb18
READ of size 1 at 0x60700000d140 thread T0
    #0 0x20a0d81 in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue() core/fxcrt/unowned_ptr.h:101:7
    #1 0x20a0c9f in fxcrt::UnownedPtr<CFX_XMLNode>::operator=(CFX_XMLNode*) core/fxcrt/unowned_ptr.h:56:5
    #2 0x298baf8 in fxcrt::MaybeOwned<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> >::Reset(CFX_XMLNode*) core/fxcrt/maybe_owned.h:41:12
    #3 0x2aba96d in fxcrt::MaybeOwned<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> >::ResetIfUnowned() core/fxcrt/maybe_owned.h:47:7
    #4 0x2a6301b in CXFA_Node::ReleaseXMLNodeIfUnowned() xfa/fxfa/parser/cxfa_node.cpp:545:13
    #5 0x2bd4617 in CXFA_NodeOwner::ReleaseXMLNodesIfNeeded() xfa/fxfa/parser/cxfa_nodeowner.cpp:28:9
    #6 0x29b5fb1 in CXFA_DocumentParser::~CXFA_DocumentParser() xfa/fxfa/parser/cxfa_document_parser.cpp:18:16
    #7 0x22d4af9 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #8 0x22d4af9 in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #9 0x22d4af9 in CXFA_FFDoc::CloseDoc() xfa/fxfa/cxfa_ffdoc.cpp:330
    #10 0x21c9008 in CPDFXFA_Context::CloseXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67:14
    #11 0x21c87b3 in CPDFXFA_Context::~CPDFXFA_Context() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49:3
    #12 0x21c9158 in CPDFXFA_Context::~CPDFXFA_Context() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45:37
    #13 0xbe933d in FPDF_CloseDocument fpdfsdk/fpdf_view.cpp:727:3
    #14 0x903fd8 in FPDFDocumentDeleter::operator()(void*) public/cpp/fpdf_deleters.h:31:47
    #15 0x8f3403 in reset buildtools/third_party/libc++/trunk/include/memory:2599:7
    #16 0x8f3403 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #17 0x8f3403 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:753
    #18 0x8e6508 in main samples/pdfium_test.cc:902:5
    #19 0x7f5456cbd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

0x60700000d140 is located 0 bytes inside of 80-byte region [0x60700000d140,0x60700000d190)
freed by thread T0 here:
    #0 0x8e0bc2 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0x20805a1 in CFX_XMLElement::~CFX_XMLElement() core/fxcrt/xml/cfx_xmlelement.cpp:21:35
    #2 0x207e65a in CFX_XMLNode::DeleteChildren() core/fxcrt/xml/cfx_xmlnode.cpp:34:5
    #3 0x2059386 in CJX_Object::SetAttributeValue(fxcrt::WideString const&, fxcrt::WideString const&, bool, bool) fxjs/xfa/cjx_object.cpp:558:17
    #4 0x296eb7c in (anonymous namespace)::CreateDataBinding(CXFA_Node*, CXFA_Node*, bool) xfa/fxfa/parser/cxfa_document.cpp:648:26
    #5 0x29690aa in (anonymous namespace)::CopyContainer_Field(CXFA_Document*, CXFA_Node*, CXFA_Node*, CXFA_Node*, bool, bool) xfa/fxfa/parser/cxfa_document.cpp:818:7
    #6 0x2962b47 in CXFA_Document::DataMerge_CopyContainer(CXFA_Node*, CXFA_Node*, CXFA_Node*, bool, bool, bool) xfa/fxfa/parser/cxfa_document.cpp:1591:14
    #7 0x29682b4 in (anonymous namespace)::CopyContainer_SubformSet(CXFA_Document*, CXFA_Node*, CXFA_Node*, CXFA_Node*, bool, bool) xfa/fxfa/parser/cxfa_document.cpp:1033:24
    #8 0x2962b0a in CXFA_Document::DataMerge_CopyContainer(CXFA_Node*, CXFA_Node*, CXFA_Node*, bool, bool, bool) xfa/fxfa/parser/cxfa_document.cpp:1585:14
    #9 0x296c7b6 in CXFA_Document::DoDataMerge() xfa/fxfa/parser/cxfa_document.cpp:1742:7
    #10 0x2320f45 in CXFA_FFDocView::StartLayout() xfa/fxfa/cxfa_ffdocview.cpp:71:24
    #11 0x21ca428 in CPDFXFA_Context::LoadXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:115:22
    #12 0xbe45c9 in FPDF_LoadXFA fpdfsdk/fpdf_view.cpp:251:63
    #13 0x8f296f in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:707:10
    #14 0x8e6508 in main samples/pdfium_test.cc:902:5
    #15 0x7f5456cbd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x8dffe2 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x2c221f4 in CFX_XMLParser::DoParser() core/fxcrt/xml/cfx_xmlparser.cpp:98:20
    #2 0x2c1fd58 in CFX_XMLDoc::DoLoad() core/fxcrt/xml/cfx_xmldoc.cpp:41:31
    #3 0x2c0eb16 in CXFA_SimpleParser::DoParse() xfa/fxfa/parser/cxfa_simple_parser.cpp:369:29
    #4 0x29b6af2 in CXFA_DocumentParser::DoParse() xfa/fxfa/parser/cxfa_document_parser.cpp:36:37
    #5 0x22d70af in CXFA_FFDoc::DoLoad() xfa/fxfa/cxfa_ffdoc.cpp:233:40
    #6 0x21ca121 in CPDFXFA_Context::LoadXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:100:28
    #7 0xbe45c9 in FPDF_LoadXFA fpdfsdk/fpdf_view.cpp:251:63
    #8 0x8f296f in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:707:10
    #9 0x8e6508 in main samples/pdfium_test.cc:902:5
    #10 0x7f5456cbd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free core/fxcrt/unowned_ptr.h:101:7 in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue()
==839==ABORTING



To reproduce:

1. config
./pdfium_test --show-config
V8,V8_EXTERNAL,XFA,ASAN

2. testcase-000385_uaf
See the attachment.

3. The latest PDFium

l5@l5:~/repo/pdfium$ git log
commit 6058efdbdc186e120e7e2121c290ac4d820ffbf8
Author: Tom Sepez <tsepez@chromium.org>
Date:   Fri Apr 6 23:48:24 2018 +0000

    Add span.h from chromium base.
    
    Allows indexing with better bounds-checking to occur. Some small
    modifications are required to deal with PDFium being intentionally
    held at C++11 compliance, not C++14.
    
    Use in one place as check on correctness.
    
    Change-Id: Id2875cf0a93980112bc536a93c4f9ec5306c0dac
    Reviewed-on: https://pdfium-review.googlesource.com/29671
    Commit-Queue: Tom Sepez <tsepez@chromium.org>
    Reviewed-by: Chris Palmer <palmer@chromium.org>
    Reviewed-by: dsinclair <dsinclair@chromium.org>

Comment 1 by tsepez@chromium.org, Apr 11 2018

Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by tsepez@chromium.org, Apr 11 2018

Labels: Security_Severity-Low Security_Impact-None OS-Linux OS-Mac OS-Windows
Note: XFA
Blocking: 62400
Mergedinto: 835636
Status: Duplicate (was: Assigned)

Comment 5 by sheriffbot@chromium.org, Aug 9

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
