Flash: out-of-bounds write in ShaderParameter resolution
Reported by cevans@google.com, Apr 8 2015
When running the attached test case, you'll often see a crash on a bad write, perhaps looking a little like this (Linux x64):

    Program received signal SIGSEGV, Segmentation fault.
    0x00007fad007f731b in ?? ()
    => 0x00007fad007f731b: mov %eax,0x10(%rdx,%rcx,4)
    rax            0x41414141          1094795585
    rdx            0x7facfe38a048      140380976226376
    rcx            0x2faf085           50000005

The attacker actually controls the value being written (eax) and the bad out-of-bounds index (rcx).

The cause is that ShaderParameter resolution has a bug. Each ShaderParameter patches the shader bytecode in order to set an input parameter value. Unfortunately, if a ShaderParameter from a longer program is associated with a ShaderData for a shorter program, the patch-up location goes out-of-bounds relative to the short program.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
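The bug class the report describes, as an added illustration that is not part of the report and not Flash's own code: a hypothetical "program" layout of a 16-byte header followed by 32-bit operand slots (mirroring the `0x10(%rdx,%rcx,4)` addressing in the crash), a ShaderParameter that records which slot it patches and which program it was resolved against, the unchecked patch write beside a checked one that re-validates the index against the program actually being patched, and a check showing that a parameter resolved for a longer program lands outside a shorter one. All names, sizes and the slot values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern in the report, not Flash's data layout. */
#define HEADER_BYTES 16                 /* the 0x10 displacement in the crashing mov */

typedef struct {
    size_t   slot_count;                /* number of 32-bit slots after the header */
    uint8_t *bytes;                     /* HEADER_BYTES + 4 * slot_count bytes */
} shader_data;

typedef struct {
    size_t slot_index;                  /* slot this parameter overwrites with its value */
    size_t resolved_slot_count;         /* slot count of the program it was resolved for */
} shader_parameter;

shader_data *shader_data_new(size_t slot_count) {
    shader_data *d = malloc(sizeof *d);
    if (!d) return NULL;
    d->slot_count = slot_count;
    d->bytes = calloc(HEADER_BYTES + 4 * slot_count, 1);
    if (!d->bytes) { free(d); return NULL; }
    return d;
}

void shader_data_free(shader_data *d) {
    if (d) { free(d->bytes); free(d); }
}

/* Byte offset the patch writes to: base + 0x10 + index * 4, as in the crash. */
size_t patch_offset(const shader_parameter *p) {
    return HEADER_BYTES + 4 * p->slot_index;
}

/* Vulnerable pattern: the index was only ever validated against the program the
 * parameter was resolved for, so patching a different, shorter program writes
 * past its end. Only safe to call when slot_index < d->slot_count. */
void patch_unchecked(shader_data *d, const shader_parameter *p, uint32_t value) {
    uint32_t *slots = (uint32_t *)(d->bytes + HEADER_BYTES);
    slots[p->slot_index] = value;       /* out of bounds once slot_index >= d->slot_count */
}

/* Hardened pattern: refuse a parameter resolved for another program, and re-check
 * the index and the final byte range against the target's real size.
 * Returns 0 on success, -1 when the patch is rejected. */
int patch_checked(shader_data *d, const shader_parameter *p, uint32_t value) {
    if (p->resolved_slot_count != d->slot_count) return -1;   /* program mismatch */
    if (p->slot_index >= d->slot_count) return -1;            /* index check */
    if (patch_offset(p) + 4 > HEADER_BYTES + 4 * d->slot_count) return -1;
    memcpy(d->bytes + patch_offset(p), &value, sizeof value); /* alignment-safe write */
    return 0;
}

/* Reads a slot back; returns 0 for an out-of-range index. */
uint32_t slot_value(const shader_data *d, size_t idx) {
    uint32_t v;
    if (idx >= d->slot_count) return 0;
    memcpy(&v, d->bytes + HEADER_BYTES + 4 * idx, sizeof v);
    return v;
}

/* The report's scenario with constructed sizes: a parameter resolved for a
 * 64-slot program, patching slot 50, applied to an 8-slot program. Returns 1 when
 * the unchecked offset lies past the short buffer and the checked path rejects it. */
int mismatch_would_overflow(void) {
    shader_parameter p = { 50, 64 };
    shader_data *short_prog = shader_data_new(8);
    if (!short_prog) return -1;
    size_t buf_len = HEADER_BYTES + 4 * short_prog->slot_count;   /* 48 bytes */
    int past_end = patch_offset(&p) + 4 > buf_len;                 /* 220 > 48 */
    int rejected = patch_checked(short_prog, &p, 0x41414141u) == -1;
    shader_data_free(short_prog);
    return past_end && rejected;
}

int main(void) {
    printf("mismatched parameter lands past the short program and is rejected: %d\n",
           mismatch_would_overflow());
    return 0;
}
```

The checked path compares the parameter's recorded program size with the target's before touching memory, so a parameter that was resolved against the wrong ShaderData is rejected outright rather than relying on the index check alone; the explicit byte-range check is kept as defence in depth against a later change to the header size or slot width.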
Comment 1 by cevans@google.com, Apr 14 2015, Jun 4 2015, Jun 6 2015
Attaching libpepflashplayer.cros.41.0.2272.102.so.gz, which is the Pepper Flash Linux plug-in from Chrome OS v41.0.2272.102, and Flash version 17.0.0.134. This version will be used as a basis for some exploitation examples.
Jun 6 2015, Jun 6 2015
(Actually attached a .bz2 compressed version in order to not hit the 10MB attachment limit)
Jun 9 2015, Jun 11 2015
libpepflashplayer.cros.41.0.2272.102.so depends on libstdc++.so.6.0.20, attaching that here too.
Jun 26 2015
Added traditional, unreliable exploit that uses Vector.<uint>
Jul 10 2015
Attaching 100% reliable infoleak which is achieved using intra-chunk heap corruption from this bug.