Security: heap-buffer-overflow in CJS_PublicMethods::AFRange_Validate
Reported by
zhouzhen...@gmail.com,
Aug 15
Issue description
VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test.
VERSION
Chrome Version: asan-linux-stable-68.0.3440.75
Operating System: Fedora 28 x86_64
REPRODUCTION CASE
./pdfium_test tests_09f6943d6a4c43437b41040a0ad1cb5beb18f983
Rendering PDF file tests_09f6943d6a4c43437b41040a0ad1cb5beb18f983.
=================================================================
==24417==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006e20 at pc 0x000002def531 bp 0x7ffdc4aba6b0 sp 0x7ffdc4aba6a8
READ of size 8 at 0x602000006e20 thread T0
#0 0x2def530 in CJS_PublicMethods::AFRange_Validate(CJS_Runtime*, std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > > const&) third_party/pdfium/fxjs/cjs_publicmethods.cpp:1686:40
#1 0x2ddd223 in CJS_PublicMethods::AFRange_Validate_static(v8::FunctionCallbackInfo<v8::Value> const&) third_party/pdfium/fxjs/cjs_publicmethods.cpp:132:23
#2 0xf0ded9 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3
#3 0xf0b670 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36
#4 0xf09348 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:139:5
#5 0x7eafde0dc33c (<unknown module>)
#6 0x7eafde091934 (<unknown module>)
#7 0x7eafde08eed4 (<unknown module>)
#8 0x7eafde086440 (<unknown module>)
#9 0x178d209 in Call v8/src/simulator.h:113:12
#10 0x178d209 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155
#11 0x178c753 in CallInternal v8/src/execution.cc:191:10
#12 0x178c753 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202
#13 0xdc4c1b in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:2180:7
#14 0x2d2b43d in CFXJS_Engine::Execute(fxcrt::WideString const&) third_party/pdfium/fxjs/cfxjs_engine.cpp:540:25
#15 0x2d32191 in CJS_Runtime::ExecuteScript(fxcrt::WideString const&) third_party/pdfium/fxjs/cjs_runtime.cpp:195:10
#16 0x2dcc828 in CJS_EventContext::RunScript(fxcrt::WideString const&) third_party/pdfium/fxjs/cjs_event_context.cpp:53:23
#17 0x26728e7 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, bool&) third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:331:57
#18 0x266a429 in CPDFSDK_Widget::OnFormat(bool&) third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:651:24
#19 0x266708a in CPDFSDK_WidgetHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/cpdfsdk_widgethandler.cpp:235:34
#20 0x265777d in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:519:23
#21 0x2681028 in CPDFSDK_FormFillEnvironment::GetPageView(CPDF_Page*, bool) third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:548:14
#22 0x2653627 in FormHandleToPageView third_party/pdfium/fpdfsdk/fpdf_formfill.cpp:120:39
#23 0x2653627 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/fpdf_formfill.cpp:573
#24 0xb28c12 in (anonymous namespace)::GetPageForIndex(_FPDF_FORMFILLINFO*, fpdf_document_t__*, int) third_party/pdfium/samples/pdfium_test.cc:497:3
#25 0xb2221d in RenderPage third_party/pdfium/samples/pdfium_test.cc:516:20
#26 0xb2221d in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
#27 0xb2221d in main third_party/pdfium/samples/pdfium_test.cc:924
#28 0x7f3e2e65424a in __libc_start_main (/lib64/libc.so.6+0x2324a)
0x602000006e20 is located 0 bytes to the right of 16-byte region [0x602000006e10,0x602000006e20)
allocated by thread T0 here:
#0 0xb1af72 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
#1 0x254a184 in __libcpp_allocate buildtools/third_party/libc++/trunk/include/new:259:10
#2 0x254a184 in allocate buildtools/third_party/libc++/trunk/include/memory:1799
#3 0x254a184 in allocate buildtools/third_party/libc++/trunk/include/memory:1548
#4 0x254a184 in __split_buffer buildtools/third_party/libc++/trunk/include/__split_buffer:311
#5 0x254a184 in void std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > >::__push_back_slow_path<v8::Local<v8::Value> >(v8::Local<v8::Value>&&) buildtools/third_party/libc++/trunk/include/vector:1578
#6 0x2ddd1aa in push_back buildtools/third_party/libc++/trunk/include/vector:1619:9
#7 0x2ddd1aa in JSGlobalFunc<&CJS_PublicMethods::AFRange_Validate> third_party/pdfium/fxjs/cjs_publicmethods.cpp:130
#8 0x2ddd1aa in CJS_PublicMethods::AFRange_Validate_static(v8::FunctionCallbackInfo<v8::Value> const&) third_party/pdfium/fxjs/cjs_publicmethods.cpp:243
#9 0xf0ded9 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3
#10 0xf0b670 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36
#11 0xf09348 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:139:5
#12 0x7eafde0dc33c (<unknown module>)
#13 0x7eafde091934 (<unknown module>)
#14 0x7eafde08eed4 (<unknown module>)
#15 0x7eafde086440 (<unknown module>)
#16 0x178d209 in Call v8/src/simulator.h:113:12
#17 0x178d209 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155
#18 0x178c753 in CallInternal v8/src/execution.cc:191:10
#19 0x178c753 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202
#20 0xdc4c1b in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:2180:7
#21 0x2d2b43d in CFXJS_Engine::Execute(fxcrt::WideString const&) third_party/pdfium/fxjs/cfxjs_engine.cpp:540:25
#22 0x2d32191 in CJS_Runtime::ExecuteScript(fxcrt::WideString const&) third_party/pdfium/fxjs/cjs_runtime.cpp:195:10
#23 0x2dcc828 in CJS_EventContext::RunScript(fxcrt::WideString const&) third_party/pdfium/fxjs/cjs_event_context.cpp:53:23
#24 0x26728e7 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, bool&) third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:331:57
#25 0x266a429 in CPDFSDK_Widget::OnFormat(bool&) third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:651:24
#26 0x266708a in CPDFSDK_WidgetHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/cpdfsdk_widgethandler.cpp:235:34
#27 0x265777d in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:519:23
#28 0x2681028 in CPDFSDK_FormFillEnvironment::GetPageView(CPDF_Page*, bool) third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:548:14
#29 0x2653627 in FormHandleToPageView third_party/pdfium/fpdfsdk/fpdf_formfill.cpp:120:39
#30 0x2653627 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/fpdf_formfill.cpp:573
#31 0xb28c12 in (anonymous namespace)::GetPageForIndex(_FPDF_FORMFILLINFO*, fpdf_document_t__*, int) third_party/pdfium/samples/pdfium_test.cc:497:3
#32 0xb2221d in RenderPage third_party/pdfium/samples/pdfium_test.cc:516:20
#33 0xb2221d in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
#34 0xb2221d in main third_party/pdfium/samples/pdfium_test.cc:924
#35 0x7f3e2e65424a in __libc_start_main (/lib64/libc.so.6+0x2324a)
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/pdfium/fxjs/cjs_publicmethods.cpp:1686:40 in CJS_PublicMethods::AFRange_Validate(CJS_Runtime*, std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > > const&)
==24417==ABORTING
Testcase is in the attachment.
,
Aug 15
Bisects to https://pdfium-review.googlesource.com/c/pdfium/+/34531. That CL introduced a missing "return" at https://pdfium-review.googlesource.com/c/pdfium/+/34531/4/fxjs/cjs_publicmethods.cpp#1677 Marking as "fixed" rather than as "wontfix" to trigger backport evaluation.
Same issue in fxjs/cjs_document.cpp:657 in M68, fixed in same CL.
git grep -n '^\s*CJS_Return('
does not show any more instances of the anti-pattern in ToT.
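Added example (not pdfium code, not from the thread) that models the anti-pattern named in the comments above: an error object constructed as a bare statement instead of being returned, so control falls through to the argument reads that were supposed to be guarded. The names (Result, afRangeValidateBuggy, afRangeValidateFixed, kArgCount) and the argument layout are assumptions; at() is used so the fall-through shows up as an exception instead of the out-of-bounds heap read ASan reported.

```cpp
// Added example, not pdfium's code. Result stands in for CJS_Return;
// the 4-argument layout and index positions are assumed for illustration.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Result {
  bool ok;
  std::string error;
  static Result Success() { return {true, ""}; }
  static Result Error(std::string msg) { return {false, std::move(msg)}; }
};

// Assumed: the callback expects four arguments and reads the bounds at [2], [3].
constexpr std::size_t kArgCount = 4;

// Buggy shape: the error object is built but never returned, so the function
// keeps going and indexes past the end of a too-short argument vector.
// Marking Result [[nodiscard]] would make a compiler flag this line.
Result afRangeValidateBuggy(const std::vector<long>& params) {
  if (params.size() != kArgCount)
    Result::Error("wrong argument count");  // missing "return"
  long lower = params.at(2);  // throws std::out_of_range when size() < 3
  long upper = params.at(3);
  return (lower <= upper) ? Result::Success() : Result::Error("bad range");
}

// Fixed shape: the early exit actually leaves the function.
Result afRangeValidateFixed(const std::vector<long>& params) {
  if (params.size() != kArgCount)
    return Result::Error("wrong argument count");
  long lower = params.at(2);
  long upper = params.at(3);
  return (lower <= upper) ? Result::Success() : Result::Error("bad range");
}

// True when the buggy version reaches an out-of-range read for these params.
bool buggyFallsThrough(const std::vector<long>& params) {
  try {
    afRangeValidateBuggy(params);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}
```

The `git grep -n '^\s*CJS_Return('` check quoted above finds exactly this shape in a code base: a return-type constructor at the start of a statement with nothing consuming it.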
,
Aug 15
+awhalley Let's see if this repros on M69.
,
Aug 15
Does not affect M69. So we just need to decide if we want a M68 merge.
,
Aug 23
Reassigning owner since I didn't fix the bug.
,
Aug 27
(found by multiple, including internal, fuzzers)
,
Aug 28
awhalley@ Thank you for informing me. If my fuzzer was the first one to find the issue, could I request a CVE? Thank you again.
,
Sep 5
Hi zhouzhenster@ - thanks for the query. I'm sorry about comment 12; I incorrectly included it as part of a bulk update with some other bugs where that was true: there were no fuzzers involved here >_< However, it's correct that we didn't make a fix in response to this report, and hence it's not eligible for a reward payment. Please see comment 2 for details of the change that fixed this issue. I'll look into the CVE question and get back to you.
,
Sep 5
Thank you for your reply. Yesterday M69 stable was released, and I still didn't get a reply. That indeed makes a bad impression on me.
,
Sep 14
The NextAction date has arrived: 2018-09-14
,
Sep 18
Hi awhalley@, the NextAction date has arrived. Would you please tell me the final conclusion? Thank you.
,
Sep 18
awhalley's out for a few days. I'll ping him on 2018-09-21 if he has not replied by then.
,
Sep 21
The NextAction date has arrived: 2018-09-21
,
Sep 22
Hi zhouzhenster@ - reward-wise, I'm afraid the answer is still as in comment 16. However, I can confirm I will be issuing a CVE for this report :-) I'm working with MITRE on our next batch of allocations, and I'll get this one done when they come through. Cheers!
,
Sep 22
That's good news, thank you very much.
,
Oct 9
Sorry it took so long! I'll also update the M68 release notes.
,
Oct 10
Thanks a lot.
,
Nov 22
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot