Security: PDFium UAF in CFX_XMLNode::~CFX_XMLNode
Reported by stackexp...@gmail.com, Apr 18 2018
Issue description
VULNERABILITY DETAILS
ASAN Log:
=================================================================
==13060==ERROR: AddressSanitizer: heap-use-after-free on address 0x075028d0 at pc 0x03330b7d bp 0x001fe778 sp 0x001fe76c
READ of size 1 at 0x075028d0 thread T0
==13060==*** WARNING: Failed to initialize DbgHelp! ***
==13060==*** Most likely this means that the app is already ***
==13060==*** using DbgHelp, possibly with incompatible flags. ***
==13060==*** Due to technical reasons, symbolization might crash ***
==13060==*** or produce wrong results. ***
#0 0x3330b7c in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:20
#1 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#2 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#3 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#4 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#5 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#6 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#7 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#8 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#9 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#10 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#11 0x3330c60 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:31
#12 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#13 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#14 0x3330c60 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:31
#15 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#16 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#17 0x31b0241 in CXFA_FFDoc::CloseDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:155
#18 0x317a0d1 in CPDFXFA_Context::CloseXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:67
#19 0x3179bb8 in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:49
#20 0x317b7fa in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:45
#21 0x2768d2b in FPDF_CloseDocument C:\pdfium\fpdfsdk\fpdf_view.cpp:735
#22 0xba521c in main C:\pdfium\samples\pdfium_test.cc:902
#23 0x37c15ea in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#24 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#25 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#26 0x77e99804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)
0x075028d0 is located 0 bytes inside of 36-byte region [0x075028d0,0x075028f4)
freed by thread T0 here:
#0 0x37ae1e8 in free c:\b\rr\tmpkmvu8v\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
#1 0x33223e6 in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#2 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#3 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#4 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#5 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#6 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#7 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#8 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#9 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#10 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#11 0x3330d21 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:33
#12 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#13 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#14 0x3330c60 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:31
#15 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#16 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#17 0x3330c60 in CFX_XMLNode::DeleteChildren C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:31
#18 0x3330948 in CFX_XMLNode::~CFX_XMLNode C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:21
#19 0x33223da in CFX_XMLElement::~CFX_XMLElement C:\pdfium\core\fxcrt\xml\cfx_xmlelement.cpp:23
#20 0x31b0241 in CXFA_FFDoc::CloseDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:155
#21 0x317a0d1 in CPDFXFA_Context::CloseXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:67
#22 0x3179bb8 in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:49
#23 0x317b7fa in CPDFXFA_Context::~CPDFXFA_Context C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:45
#24 0x2768d2b in FPDF_CloseDocument C:\pdfium\fpdfsdk\fpdf_view.cpp:735
#25 0xba521c in main C:\pdfium\samples\pdfium_test.cc:902
#26 0x37c15ea in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#27 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#28 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
previously allocated by thread T0 here:
#0 0x37ae2cc in malloc c:\b\rr\tmpkmvu8v\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
#1 0x37c0a86 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:34
#2 0x331693a in CFX_XMLParser::Parse C:\pdfium\core\fxcrt\xml\cfx_xmlparser.cpp:157
#3 0x326d1f7 in CXFA_DocumentParser::LoadXML C:\pdfium\xfa\fxfa\parser\cxfa_document_parser.cpp:355
#4 0x326ccc0 in CXFA_DocumentParser::Parse C:\pdfium\xfa\fxfa\parser\cxfa_document_parser.cpp:332
#5 0x31b0b4f in CXFA_FFDoc::ParseDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:63
#6 0x31b14a6 in CXFA_FFDoc::OpenDoc C:\pdfium\xfa\fxfa\cxfa_ffdoc.cpp:107
#7 0x317a35f in CPDFXFA_Context::LoadXFADoc C:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:94
#8 0x2764e05 in FPDF_LoadXFA C:\pdfium\fpdfsdk\fpdf_view.cpp:251
#9 0xba4138 in main C:\pdfium\samples\pdfium_test.cc:902
#10 0x37c15ea in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#11 0x7627343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#12 0x77e99831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#13 0x77e99804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)
SUMMARY: AddressSanitizer: heap-use-after-free C:\pdfium\core\fxcrt\xml\cfx_xmlnode.cpp:20 in CFX_XMLNode::~CFX_XMLNode
Shadow bytes around the buggy address:
0x30ea04c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30ea04d0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30ea04e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30ea04f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x30ea0500: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x30ea0510: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
0x30ea0520: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 04 fa
0x30ea0530: fa fa 00 00 00 00 04 fa fa fa fd fd fd fd fd fa
0x30ea0540: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
0x30ea0550: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
0x30ea0560: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13060==ABORTING
VERSION
Chrome Version: PDFium with XFA enabled
Operating System: All
REPRODUCTION CASE
A minimized proof-of-concept file has been attached.
Apr 18 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5391293828825088.
Apr 18 2018
With uncompressed streams.
Apr 18 2018
Looks like this is due to the UnownedPtrs low severity probe.
#0 0x109db56dc in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue() unowned_ptr.h:110
#1 0x109edce84 in fxcrt::UnownedPtr<CFX_XMLNode>::~UnownedPtr() unowned_ptr.h:60
#2 0x109edce64 in fxcrt::UnownedPtr<CFX_XMLNode>::~UnownedPtr() unowned_ptr.h:60
#3 0x107e23842 in CFX_XMLNode::~CFX_XMLNode() cfx_xmlnode.cpp:22
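The mechanism named in the comment above, as an added example (this is not PDFium code; the tree shape, the deletion order and the unlink-first variant are assumptions made for illustration): a model of UnownedPtr whose destructor probes its pointee, a node whose destructor deletes a doubly-linked child list in order, and a count of how many of those probes would land on a freed node. The real ProbeForLowSeverityLifetimeIssue reads a byte through the pointer so that ASan reports the access; the model consults a registry of live nodes instead, so it runs without a sanitizer and never touches freed memory. The unlink-before-delete branch is one possible way to make the probes quiet, not a description of the change linked later in this thread.

```cpp
#include <cstdio>
#include <set>

// Stand-in for ASan's view of the heap: addresses of nodes not yet freed.
static std::set<const void*> g_live_nodes;
// Destructor probes that dereferenced a node that was already freed.
static int g_dangling_probes = 0;
// Teardown policy used by Node::DeleteChildren (assumption, for the demo).
static bool g_unlink_before_delete = false;

// Model of fxcrt::UnownedPtr. The real ~UnownedPtr reads one byte through the
// pointer so that ASan flags a dangling pointee; this model consults
// g_live_nodes instead, so the program never touches freed memory.
template <class T>
class UnownedPtr {
 public:
  UnownedPtr() = default;
  ~UnownedPtr() { ProbeForLowSeverityLifetimeIssue(); }
  UnownedPtr& operator=(T* p) { ptr_ = p; return *this; }
  T* Get() const { return ptr_; }
  void Reset() { ptr_ = nullptr; }

 private:
  void ProbeForLowSeverityLifetimeIssue() const {
    if (ptr_ && !g_live_nodes.count(ptr_))
      ++g_dangling_probes;
  }
  T* ptr_ = nullptr;
};

// Toy XML node: owns its children, links parent and siblings unowned.
struct Node {
  Node() { g_live_nodes.insert(this); }
  ~Node();
  void AppendChild(Node* child);
  void DeleteChildren();

  UnownedPtr<Node> parent;
  UnownedPtr<Node> prev;
  UnownedPtr<Node> next;
  Node* first_child = nullptr;  // owning
};

Node::~Node() {
  DeleteChildren();
  g_live_nodes.erase(this);
  // parent, prev and next are destroyed after this body, and each one probes.
}

void Node::AppendChild(Node* child) {
  child->parent = this;
  if (!first_child) {
    first_child = child;
    return;
  }
  Node* last = first_child;
  while (last->next.Get())
    last = last->next.Get();
  last->next = child;
  child->prev = last;
}

void Node::DeleteChildren() {
  Node* child = first_child;
  first_child = nullptr;
  while (child) {
    Node* next = child->next.Get();
    if (g_unlink_before_delete && next) {
      // Hardened order: drop the survivor's back link before freeing `child`,
      // so next's own ~UnownedPtr later has nothing stale to probe.
      next->prev.Reset();
    }
    // Original order: next->prev still points at `child` after this delete,
    // and the probe in next's destructor reads freed memory.
    delete child;
    child = next;
  }
}

// Builds root -> {a, b -> {b1, b2}, c}, tears it down, and returns how many
// probes hit a freed node: one per child that has a deleted previous sibling.
int CountDanglingProbes(bool unlink_before_delete) {
  g_live_nodes.clear();
  g_dangling_probes = 0;
  g_unlink_before_delete = unlink_before_delete;

  Node* root = new Node;
  Node* a = new Node;
  Node* b = new Node;
  Node* c = new Node;
  Node* b1 = new Node;
  Node* b2 = new Node;
  root->AppendChild(a);
  root->AppendChild(b);
  root->AppendChild(c);
  b->AppendChild(b1);
  b->AppendChild(b2);

  delete root;
  return g_dangling_probes;
}

int main() {
  std::printf("original teardown order: %d dangling probes\n",
              CountDanglingProbes(false));
  std::printf("unlink-first teardown:   %d dangling probes\n",
              CountDanglingProbes(true));
  return 0;
}
```

With the original order, b, c and b2 each probe a previous sibling that was freed moments earlier, which is exactly the pattern in the free stack above (a node freed inside DeleteChildren, then read from a sibling's ~CFX_XMLNode). Because the read happens inside a destructor probe that exists only to catch lifetime bugs, there is no attacker-controlled dereference in a non-ASan build, which matches the "impact none" assessment later in the thread.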
May 2 2018
XFA => impact none.
May 2 2018
I believe this should be fixed by: https://pdfium-review.googlesource.com/c/pdfium/+/31313
Aug 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot