Starred by 3 users
Status: Fixed
Closed: Jul 2015
Flash: not great ASLR for the Flash heap on Win7 64-bit
Reported by cevans@google.com, Mar 4 2015
I noticed that the ASLR for the Flash heap is not great on Win7 64-bit.

Appended below are some virtual mappings towards the high end of a Win7 64-bit Chrome Flash process:

*      7ff`bd6a0000      7ff`be6a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`be6a0000      7ff`bf6a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`bf6a0000      7ff`c06a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c06a0000      7ff`c16a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c16a0000      7ff`c26a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c26a0000      7ff`c36a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c36a0000      7ff`c46a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c46a0000      7ff`c56a0000        0`01000000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`c56a0000      7ff`c5ca0000        0`00600000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-     7ff`c5ca0000      7ff`c66a0000        0`00a00000 MEM_PRIVATE MEM_RESERVE                                    <unclassified> 
*      7ff`c66a0000      7ff`feea0000        0`38800000             MEM_FREE    PAGE_NOACCESS                      Free 
*      7ff`feea0000      7ff`fefa0000        0`00100000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
*      7ff`fefa0000      7ff`fefa8000        0`00008000             MEM_FREE    PAGE_NOACCESS                      Free 
*      7ff`fefa8000      7ff`fefaa000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.bd8; ~9]
*      7ff`fefaa000      7ff`fefac000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b50; ~8]
*      7ff`fefac000      7ff`fefae000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b4c; ~7]
*      7ff`fefae000      7ff`fefb0000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b48; ~6]
*      7ff`fefb0000      7ff`ff41a000        0`0046a000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-     7ff`ff41a000      7ff`ff42a000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unclassified> 
|-     7ff`ff42a000      7ff`ff4a0000        0`00076000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-     7ff`ff4a0000      7ff`ff4b0000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unclassified> 
|-     7ff`ff4b0000      7ff`ff4b9000        0`00009000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-     7ff`ff4b9000      7ff`ff4c9000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unclassified> 
|-     7ff`ff4c9000      7ff`ff6b0000        0`001e7000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified> 
|-     7ff`ff6b0000      7ff`fffb0000        0`00900000 MEM_PRIVATE MEM_RESERVE                                    <unclassified> 
*      7ff`fffb0000      7ff`fffd3000        0`00023000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "PageFile"
*      7ff`fffd3000      7ff`fffd5000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b44; ~5]
*      7ff`fffd5000      7ff`fffd7000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b40; ~4]
*      7ff`fffd7000      7ff`fffd9000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b38; ~3]
*      7ff`fffd9000      7ff`fffda000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB [b24]
*      7ff`fffda000      7ff`fffdc000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b34; ~2]
*      7ff`fffdc000      7ff`fffde000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b30; ~1]
*      7ff`fffde000      7ff`fffe0000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [b24.b28; ~0]
*      7ff`fffe0000      7ff`ffff0000        0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS                      <unclassified>


In short, the Flash heap allocations are piled into a very small and predictable range -- they represent most of the <unclassified> lines above, including the PAGE_EXECUTE_READ mappings which are presumably the Flash JIT. It's bad news to have executable mappings at a predictable address, especially JIT pages.

I've marked this as lower severity because Win7 64-bit ASLR is (contrary to my expectations) not great. Fixing this will be a useful security defense in depth, but then other Win7 mappings being at predictable addresses (such as the PEB / TEBs) may remain a problem.

The root cause appears to be the use of the MEM_TOP_DOWN flag to VirtualAlloc. I confirmed this in WinDbg. And I could have saved myself a lot of time by simply looking at the open source Flash heap: https://github.com/adobe-flash/avmplus/tree/master/AVMPI (see MMgcPortWin.cpp).

Unfortunately, Win7 _without_ MEM_TOP_DOWN on VirtualAlloc doesn't appear to be much better -- the allocations then end up in the first 4GB as far as I can see. To get good behaviour will require manual randomization, such as is done in PartitionAlloc, see: https://chromium.googlesource.com/chromium/blink.git/+/master/Source/wtf/AddressSpaceRandomization.cpp

FWIW, Win8.1 64-bit appears noticeably better all around, including for MEM_TOP_DOWN allocations.

+     7ff7`b41b0000     7ff7`b461a000        0`0046a000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  
      7ff7`b461a000     7ff7`b462a000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unknown>  
      7ff7`b462a000     7ff7`b46a0000        0`00076000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  
      7ff7`b46a0000     7ff7`b46b0000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unknown>  
      7ff7`b46b0000     7ff7`b46be000        0`0000e000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  
      7ff7`b46be000     7ff7`b46ce000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READ                  <unknown>  
      7ff7`b46ce000     7ff7`b48b0000        0`001e2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  
      7ff7`b48b0000     7ff7`b51b0000        0`00900000 MEM_PRIVATE MEM_RESERVE                                    <unknown>  
+     7ff7`b51b0000     7ff7`b51b5000        0`00005000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Read Only Shared Memory]
      7ff7`b51b5000     7ff7`b52b0000        0`000fb000 MEM_MAPPED  MEM_RESERVE                                    MappedFile "PageFile"
+     7ff7`b52b0000     7ff7`b52d3000        0`00023000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [NLS Tables]
+     7ff7`b52d3000     7ff7`b52d5000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~5; aa0.9bc]
+     7ff7`b52d5000     7ff7`b52d7000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~4; aa0.be0]
+     7ff7`b52d7000     7ff7`b52d9000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~3; aa0.608]
+     7ff7`b52d9000     7ff7`b52db000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~2; aa0.aa4]
+     7ff7`b52db000     7ff7`b52dd000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~1; aa0.a9c]
+     7ff7`b52dd000     7ff7`b52df000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~0; aa0.a8c]
+     7ff7`b52df000     7ff7`b52e0000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [aa0]


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
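As an added example (not code from this report, avmplus or PartitionAlloc), here is a C sketch of the manual randomization the report points to: a random, 64 KiB aligned base-address hint inside an assumed window of Win7 x64's 8 TiB user space, plus a small check that counts how many address bits actually vary across observed heap bases. The window constants, the xorshift stand-in for a CSPRNG and all function names are assumptions; the VirtualAlloc part only compiles on Windows.

```c
#include <stdint.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed hint window on Win7 x64 (8 TiB user space): bases land in
 * [1 TiB, 5 TiB), aligned to VirtualAlloc's 64 KiB allocation granularity. */
#define ASLR_MASK    0x3ffffffffffULL  /* 42 bits of address space */
#define ASLR_OFFSET  0x10000000000ULL  /* window starts at 1 TiB */
#define GRANULARITY  0x10000ULL        /* 64 KiB */
#define MAX_TRIES    8

/* xorshift64: constructed stand-in for a real CSPRNG (e.g. BCryptGenRandom). */
uint64_t rng_next(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Turn 64 random bits into a granularity-aligned hint inside the window. */
uint64_t random_hint(uint64_t rnd) {
    uint64_t a = (rnd & ASLR_MASK) & ~(GRANULARITY - 1);
    return a + ASLR_OFFSET;
}

/* Count bit positions that differ across observed base addresses: a quick
 * lower bound on how much entropy a heap base really has between runs. */
int varying_bits(const uint64_t *addrs, size_t n) {
    uint64_t diff = 0;
    for (size_t i = 1; i < n; i++) diff |= addrs[i] ^ addrs[0];
    int bits = 0;
    for (; diff; diff &= diff - 1) bits++;
    return bits;
}

#ifdef _WIN32
/* Reserve `size` bytes at a random hint instead of letting MEM_TOP_DOWN pack
 * the region just below the top of user space; if every hint collides with
 * an existing mapping, fall back to letting the kernel pick the address. */
void *reserve_randomized(size_t size, uint64_t *seed) {
    for (int i = 0; i < MAX_TRIES; i++) {
        void *p = VirtualAlloc((LPVOID)random_hint(rng_next(seed)), size,
                               MEM_RESERVE, PAGE_NOACCESS);
        if (p) return p;
    }
    return VirtualAlloc(NULL, size, MEM_RESERVE, PAGE_NOACCESS);
}
#endif
```

Applied to the bases in the report, the two adjacent Win7 heap chunks (7ff`bd6a0000 and 7ff`be6a0000) differ in 2 bits, while the pre-fix Win7 base versus the post-fix 1a6`bdf60000 differs in 10 bits.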

 
Comment 1 by cevans@google.com, Mar 6 2015
Labels: Id-3347
Comment 2 by cevans@google.com, May 29 2015
Labels: Deadline-Grace Deadline-Exceeded
Due to be fixed in a Jun 9 update.
Comment 3 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-3097
Comment 5 by cevans@google.com, Jun 11 2015
Labels: -Restrict-View-Commit -Deadline-Grace
Status: New
Turns out this was declared fixed in the release notes, but not actually fixed.
The deadline has expired.
Comment 6 Deleted
Comment 7 by cevans@google.com, Jul 9 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Was only able to check the heap location is properly randomized on Linux x64 due to my current travels, but it is randomized nicely.
Comment 8 by cevans@google.com, Jul 14 2015
Sample heap location on Win7 x64:

1a6`bdf60000

No longer at 7ff`???????? so good :)