Adobe Flash incorrect jit optimization with op_pushscope

GoogleCodeExporter commented 9 years ago

See previous similar bugs for more details.

op_pushscope is marked as not throwing in opcodes.tbl an exception, yet looking 
at the verifier:

opcode.tbl:

//              opCount  throw  stack  internal  name                   hex     

ABC_OP(         0,       0,     -1,    0,        pushscope)             // 0x30 

Verifier.cpp:

            case OP_pushscope:
            {
                checkStack(1,0);
                if (state->scopeDepth + 1 > ms->max_scope())
                    verifyFailed(kScopeStackOverflowError);

                Traits* scopeTraits = state->peek().traits;
                const ScopeTypeChain* scope = info->declaringScope();
                if (scope->fullsize > (scope->size+state->scopeDepth))
                {
                    // extra constraints on type of pushscope allowed
                    Traits* requiredType = scope->getScopeTraitsAt(scope->size+state->scopeDepth);
                    if (!scopeTraits || !scopeTraits->subtypeof(requiredType))
                    {
                        verifyFailed(kIllegalOperandTypeError, core->toErrorString(scopeTraits), core->toErrorString(requiredType));
                    }
                }

                emitCheckNull(sp);  <-- this will emit code which will throw a catchable exception
                coder->writeOp1(state, pc, opcode, ms->scope_base() + state->scopeDepth);
                state->pop();
                state->setType(ms->scope_base() + state->scopeDepth, scopeTraits, true, false);
                state->scopeDepth++;
                break;
            }

Invoking pushscope with a NULL atom argument will throw an exception at runtime 
and invoke a control-flow path not seen by the verifier which can be abused to 
achieve code execution.

Attached PoC for avmshell.

Original issue reported on code.google.com by ianb...@google.com on 23 Sep 2014 at 6:28

Attachments:

jit_pushscope.abc

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Sep 2014 at 6:41

Added labels: ReportedOn-2014-September-23
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 23 Sep 2014 at 7:14

Added labels: ReportedOn-2014-Sep-23
Removed labels: ReportedOn-2014-September-23

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 24 Sep 2014 at 9:15

Added labels: Id-3050
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 8 Nov 2014 at 2:36

Added labels: CVE-2014-0585
Removed labels: ****

GoogleCodeExporter commented 9 years ago

http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Original comment by cev...@google.com on 20 Nov 2014 at 1:23

Changed state: Fixed
Added labels: Fixed-2014-Nov-11
Removed labels: Restrict-View-Commit

codenote / google-security-research

Adobe Flash incorrect jit optimization with op_pushscope #114