Security: PDFium UAF in CXFA_NodeOwner::ReleaseXMLNodesIfNeeded
Reported by stackexp...@gmail.com, Apr 13 2018
Issue description
VULNERABILITY DETAILS
A UAF issue was found in CXFA_NodeOwner::ReleaseXMLNodesIfNeeded in xfa\fxfa\cxfa_ffdoc.cpp.
ASAN Log:
=================================================================
==15608==ERROR: AddressSanitizer: heap-use-after-free on address 0x07a09e50 at pc 0x035b4522 bp 0x0032e904 sp 0x0032e8f8
READ of size 1 at 0x07a09e50 thread T0
==15608==*** WARNING: Failed to initialize DbgHelp! ***
==15608==*** Most likely this means that the app is already ***
==15608==*** using DbgHelp, possibly with incompatible flags. ***
==15608==*** Due to technical reasons, symbolization might crash ***
==15608==*** or produce wrong results. ***
#0 0x35b4521 in fxcrt::MaybeOwned<CFX_XMLNode,std::default_delete<CFX_XMLNode> >::ResetIfUnowned C:\pdfium\core\fxcrt\maybe_owned.h:48
#1 0x3611b97 in CXFA_NodeOwner::ReleaseXMLNodesIfNeeded C:\pdfium\xfa\fxfa\parser\cxfa_nodeowner.cpp:28
#2 0x3558e56 in CXFA_FFDoc::CloseDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:329
#3 0x3522ae1 in CPDFXFA_Context::CloseXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:67
#4 0x35225c8 in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:49
#5 0x352453a in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:45
#6 0x2b08bcb in FPDF_CloseDocument C:\pdfium\fpdfsdk\fpdf_view.cpp:727
#7 0xf4521c in main C:\pdfium\samples\pdfium_test.cc:902
#8 0x3b6877a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#9 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#10 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#11 0x77e99804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)
0x07a09e50 is located 0 bytes inside of 36-byte region [0x07a09e50,0x07a09e74)
freed by thread T0 here:
#0 0x3b55388 in free c:\b\rr\tmpkmvu8v\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
#1 0x36c2636 in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:21
#2 0x36ce5d3 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:34
#3 0x35ded44 in CXFA_Node::SetToXML C:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:4682
#4 0x39491f2 in CJX_Object::SetAttributeValue C:\pdfium\fxjs\xfa\cjx_object.cpp:511
#5 0x35faafb in `anonymous namespace'::CreateDataBinding C:\pdfium\xfa\fxfa\parser\cxfa_document.cpp:647
#6 0x35f830b in `anonymous namespace'::CopyContainer_Field C:\pdfium\xfa\fxfa\parser\cxfa_document.cpp:817
#7 0x35f49e3 in CXFA_Document::DataMerge_CopyContainer C:\pdfium\xfa\fxfa\parser\cxfa_document.cpp:1590
#8 0x35f69ef in CXFA_Document::DataMerge_CopyContainer C:\pdfium\xfa\fxfa\parser\cxfa_document.cpp:1584
#9 0x35f9d0c in CXFA_Document::DoDataMerge C:\pdfium\xfa\fxfa\parser\cxfa_document.cpp:1741
#10 0x354c14f in CXFA_FFDocView::StartLayout C:\pdfium\xfa\fxfa\cxfa_ffdocview.cpp:71
#11 0x3522e7c in CPDFXFA_Context::LoadXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:107
#12 0x2b04e05 in FPDF_LoadXFA C:\pdfium\fpdfsdk\fpdf_view.cpp:251
#13 0xf44138 in main C:\pdfium\samples\pdfium_test.cc:902
#14 0x3b6877a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#15 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#16 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#17 0x77e99804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)
previously allocated by thread T0 here:
#0 0x3b5546c in malloc c:\b\rr\tmpkmvu8v\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
#1 0x3b67c16 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:34
#2 0x36d7360 in CFX_XMLParser::Parse C:\pdfium\core\fxcrt\xml\cfx_xmlparser.cpp:182
#3 0x3615dcb in CXFA_DocumentParser::LoadXML C:\pdfium\xfa\fxfa\parser\cxfa_document_parser.cpp:363
#4 0x36157d6 in CXFA_DocumentParser::Parse C:\pdfium\xfa\fxfa\parser\cxfa_document_parser.cpp:340
#5 0x355981f in CXFA_FFDoc::ParseDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:184
#6 0x355a176 in CXFA_FFDoc::OpenDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:286
#7 0x3522d6f in CPDFXFA_Context::LoadXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:94
#8 0x2b04e05 in FPDF_LoadXFA C:\pdfium\fpdfsdk\fpdf_view.cpp:251
#9 0xf44138 in main C:\pdfium\samples\pdfium_test.cc:902
#10 0x3b6877a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#11 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#12 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#13 0x77e99804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)
SUMMARY: AddressSanitizer: heap-use-after-free C:\pdfium\core\fxcrt\maybe_owned.h:48 in fxcrt::MaybeOwned<CFX_XMLNode,std::default_delete<CFX_XMLNode> >::ResetIfUnowned
Shadow bytes around the buggy address:
0x30f41370: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30f41380: fa fa 00 00 00 00 00 06 fa fa fd fd fd fd fd fa
0x30f41390: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
0x30f413a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30f413b0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 fa
=>0x30f413c0: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
0x30f413d0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30f413e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30f413f0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 fa
0x30f41400: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 04 fa
0x30f41410: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15608==ABORTING
VERSION
Chrome Version: pdfium with XFA enabled
Operating System: All
REPRODUCTION CASE
A proof-of-concept file which can trigger the crash was attached.
Apr 20 2018
Culprit CL: https://pdfium-review.googlesource.com/26811 or https://pdfium.googlesource.com/pdfium.git/+/e40678ed8a22ecd57421877af39cf7f281f618c4 Trying to find the PDFium roll to identify the milestone.
Apr 23 2018
This is quite probably the UnownedPtr low-severity warning triggering, which is only enabled on *SAN builds.
Apr 24 2018
#c10 Seems you are right; it cannot be triggered when ASAN is disabled.
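The two comments above attribute the report to the UnownedPtr lifetime probe that PDFium enables only in sanitizer builds, which matches the "READ of size 1" inside ResetIfUnowned in the log: the probe touches one byte of the pointee, so a pointer that dangles but is never dereferenced in production still surfaces under ASan. As an added illustration (not PDFium's code), the following simplified model stands the sanitizer in with a constructed LiveSet registry so the probe can be exercised without reading freed memory, and contrasts the dangling sequence from the two stacks (DeleteChildren during data merge, ResetIfUnowned at document close) with a holder that drops its reference first; every name here (LiveSet, XmlNode, MaybeOwnedNode, ReproduceDangling) is constructed for the example.

```cpp
#include <memory>
#include <set>
#include <vector>
// Stand-in for the sanitizer's view of the heap: which XmlNode addresses are
// live, so the probe can report a dangling pointer safely. (Constructed.)
struct LiveSet {
  std::set<const void*> live;
  bool contains(const void* p) const { return live.count(p) != 0; }
};
static LiveSet g_live;
// Constructed stand-in for an XML tree node that owns its children.
struct XmlNode {
  std::vector<std::unique_ptr<XmlNode>> children;
  XmlNode() { g_live.live.insert(this); }
  ~XmlNode() { g_live.live.erase(this); }
  void DeleteChildren() { children.clear(); }  // frees every child node
};
// Holds a node either owned (unique_ptr) or merely referenced (raw pointer),
// in the spirit of a MaybeOwned<T>. Resetting an unowned pointer probes the
// pointee; in an ASan build that probe is the 1-byte read seen in the log.
class MaybeOwnedNode {
  std::unique_ptr<XmlNode> owned_;
  XmlNode* unowned_ = nullptr;
 public:
  void Reset(XmlNode* p) { owned_.reset(); unowned_ = p; }
  void Clear() { owned_.reset(); unowned_ = nullptr; }
  // Returns true when the probe would have touched a freed node.
  bool ResetIfUnowned() {
    bool dangling = false;
    if (!owned_ && unowned_) {
      dangling = !g_live.contains(unowned_);  // ASan: *(volatile uint8_t*)unowned_
      unowned_ = nullptr;
    }
    return dangling;
  }
};
// Sequence matching the two stacks: a subtree is rebuilt (DeleteChildren) while
// another holder still references one child unowned, and the holder's
// ResetIfUnowned runs later at close. With apply_fix the holder drops its
// reference before the rebuild (one mitigation pattern, not the actual CL).
bool ReproduceDangling(bool apply_fix) {
  XmlNode root;
  root.children.push_back(std::make_unique<XmlNode>());
  MaybeOwnedNode holder;
  holder.Reset(root.children.back().get());  // unowned reference to the child
  if (apply_fix) holder.Clear();
  root.DeleteChildren();                     // child freed; holder dangles unless fixed
  return holder.ResetIfUnowned();            // true = dangling probe, false = clean
}
```

In a production build the same sequence would be a silent dangling pointer, which is why the triager classes it as low severity; the sanitizer probe turns it into a deterministic report before any real dereference appears.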
Aug 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by stackexp...@gmail.com, Apr 13 2018