Starred by 2 users
Status: Fixed
Closed: Feb 2015
Flash: bad cast during garbage collection from KeenTeam
Reported by cevans@google.com, Dec 3 2014
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium vulnerability reward program"

Flash player 15.0.0.239 in Chrome 39 Linux x64.

This looks like a bad cast. For example on Linux x64 in Chrome the crash is deterministic:

=> 0x00007f78dd2a7bd1:	mov    (%rdi),%rax
%rdi == 0x400000000

On other builds, I see a crash dereferencing 0x0000ffff8000.

I also attach apparent variants.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
display_list_mc2.swf (18.7 KB)
display_list_mc9.swf (3.4 KB)
display_list_mc4.swf (6.6 KB)
Comment 1 by cevans@google.com, Dec 4 2014
Cc: lv.sam...@gmail.com woo...@gmail.com
Comment 2 by cevans@google.com, Dec 4 2014
Labels: Id-3167
Summary: Flash: bad cast during garbage collection from KeenTeam (was: Flash: bad cast during garbage collection )
Adobe tracking as PSIRT-3167
Comment 3 by cevans@google.com, Feb 4 2015
Labels: CVE-2015-0322
Comment 4 by cevans@google.com, Feb 6 2015
Labels: Fixed-2015-Feb-5
Status: Fixed
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Comment 5 by cevans@google.com, Feb 12 2015
Labels: -Restrict-View-Commit