Status: Fixed
Closed: Apr 2015
Adobe Flash: buffer overflow in Sound.extract()
Reported by cevans@google.com, Mar 25 2015
Please find the attached PoC and source file, which should show the issue cleanly.

On Linux x64, it crashes this:

#0  0x00007f7babfb3bac in __memmove_ssse3_back () from /lib64/libc.so.6
#1  0x00007f7b9af328cb in ?? ()
   from /opt/google/chrome/PepperFlash/libpepflashplayer.so
#2  0x00007f7b9adcc329 in ?? ()

(gdb) x/i $rip
=> 0x7f7babfb3bac <__memmove_ssse3_back+7084>:	movdqa %xmm1,-0x10(%rdi)
(gdb) p/x $rdi
$1 = 0x7f7b996d9000
(gdb) p/x $rsi
$2 = 0x7f7b946c2f00
(gdb) p $rcx
$4 = 524224

It's faulting on a read but I'm pretty sure both the read and write are way out of bounds.

I reproduced this with APIFuzz (not yet released), this hits it for me reliably:
http://localhost/APIFuzz.html?log=1&fuzzclass=flash.media::Sound&iters=100000&yieldcount=100000&seed=9

It doesn't crash in the actual extract() call, but some number of iterations later. This is more evidence that this is a memory corruption and not just an out-of-bounds read.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments: Extract.as (894 bytes), Extract.swf (796 bytes)
Comment 1 by cevans@google.com, Mar 25 2015
Mateusz pointed out that I'm an idiot and that it is crashing on a write because it's AT&T syntax assembly.

Sure enough, here are the mappings at the time:

7f7b996b3000-7f7b996c9000 rw-p 00000000 00:00 0 
7f7b996c9000-7f7b996d9000 r-xp 00000000 00:00 0 
7f7b996d9000-7f7b997e2000 rw-p 00000000 00:00 0 

Looks like the write pointer has walked back into a JIT page. JIT pages are read-only in Flash.
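The check behind comment 1, worked through in C as an added example (not the reporter's code and not part of the attached PoC): it parses the three maps lines quoted above, takes the destination of `movdqa %xmm1,-0x10(%rdi)` from the rdi value in the gdb output (AT&T syntax, so the memory operand is the store target), and reports which region the store lands in and whether that region is writable. The parser, the `classify_*` helpers and their return codes are this example's own conventions, not anything from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One region in /proc/<pid>/maps format: [start, end) and its "rwxp" flags. */
typedef struct {
    uint64_t start;
    uint64_t end;
    char perms[5];
} region_t;

/* Parse "start-end perms ..." lines (one per line) into out[]; returns the count.
   Only the address range and flags are read; offset/device/inode are ignored. */
static int parse_maps(const char *text, region_t *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max) {
        unsigned long long s = 0, e = 0;
        char perms[5] = {0};
        if (sscanf(p, "%llx-%llx %4s", &s, &e, perms) == 3) {
            out[n].start = (uint64_t)s;
            out[n].end = (uint64_t)e;
            memcpy(out[n].perms, perms, sizeof perms);
            n++;
        }
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* Index of the region containing addr, or -1 if the address is unmapped. */
static int find_region(const region_t *r, int n, uint64_t addr)
{
    for (int i = 0; i < n; i++)
        if (addr >= r[i].start && addr < r[i].end)
            return i;
    return -1;
}

/* In AT&T syntax the destination is the last operand, so
   "movdqa %xmm1,-0x10(%rdi)" stores 16 bytes starting at rdi - 0x10. */
static uint64_t store_target(uint64_t rdi)
{
    return rdi - 0x10;
}

/* Classify a store to addr (codes are this example's own convention):
   0 = target is in a writable region, 1 = mapped but not writable, -1 = unmapped. */
static int classify_store(const region_t *r, int n, uint64_t addr)
{
    int i = find_region(r, n, addr);
    if (i < 0)
        return -1;
    return r[i].perms[1] == 'w' ? 0 : 1;
}

/* Parse the maps text and classify the store made by the faulting instruction,
   given the rdi value from the crash. */
static int classify_fault(const char *maps, uint64_t rdi)
{
    region_t regs[64];
    int n = parse_maps(maps, regs, 64);
    return classify_store(regs, n, store_target(rdi));
}

/* The three mappings quoted in comment 1, copied from the report. */
static const char *REPORT_MAPS =
    "7f7b996b3000-7f7b996c9000 rw-p 00000000 00:00 0\n"
    "7f7b996c9000-7f7b996d9000 r-xp 00000000 00:00 0\n"
    "7f7b996d9000-7f7b997e2000 rw-p 00000000 00:00 0\n";

int main(void)
{
    region_t regs[64];
    int n = parse_maps(REPORT_MAPS, regs, 64);
    uint64_t rdi = 0x7f7b996d9000ULL;   /* $rdi from the gdb session above */
    uint64_t dst = store_target(rdi);
    int i = find_region(regs, n, dst);

    printf("store target %#llx: ", (unsigned long long)dst);
    if (i < 0) {
        printf("unmapped\n");
    } else {
        printf("inside %llx-%llx %s (%s)\n",
               (unsigned long long)regs[i].start,
               (unsigned long long)regs[i].end,
               regs[i].perms,
               regs[i].perms[1] == 'w' ? "writable" : "not writable, so the store faults");
    }
    return 0;
}
```

Run as-is, it reports that the 16-byte store lands at 0x7f7b996d8ff0, the last paragraph of the r-xp region, while rdi itself is the first byte of the writable region above it: the backward memmove has stepped from the rw-p buffer straight into the JIT page, which is what comment 1 concludes. The unwalked remainder (524224 bytes in rcx) says the copy would have kept going downward had the page been writable.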
Comment 2 by cevans@google.com, Mar 25 2015
Labels: Id-3523
Comment 3 by cevans@google.com, Apr 10 2015
Labels: CVE-2015-0348
Comment 5 by cevans@google.com, Apr 30 2015
Labels: -Restrict-View-Commit