Microsoft Office 2007 shape drawing object use-after-free

[GoogleCodeExporter]

The following illegal instruction exception was observed in Microsoft
Office 2007 (Word RTF):

(b1c.b2c): Illegal instruction - code c000001d (first chance)
(b1c.b2c): Illegal instruction - code c000001d (!!! second chance !!!)
eax=33504aa0 ebx=00000000 ecx=0011b648 edx=0011b6a0 esi=0336fdc0 edi=03fd80c0
eip=32a44fc0 esp=0011b628 ebp=0011b65c iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010203
mso!Ordinal2940+0x8c204:
32a44fc0 ffff             ???

0011b65c 327af4e9 mso!Ordinal4498+0x7aa
0011b6b4 327af4b0 mso!Ordinal390+0x1ff
0011b6e4 3275d928 mso!Ordinal390+0x1c6
0011b85c 32776c31 mso!Ordinal7144+0x1b3
0011b870 320a75c6 mso!Ordinal1537+0x25f
0011b8f8 320b2c4a wwlib!DllGetClassObject+0xc252
0011e1ac 320ab97e wwlib!DllGetClassObject+0x178d6
001204e8 320a70f9 wwlib!DllGetClassObject+0x1060a
00120838 31f1f293 wwlib!DllGetClassObject+0xbd85
00120a88 31c89a3f wwlib!DllCanUnloadNow+0x36a9d2
00120ccc 31bd980c wwlib!DllCanUnloadNow+0xd517e
00122398 31271c2a wwlib!DllCanUnloadNow+0x24f4b
00122a68 3129f4e6 wwlib!FMain+0x2d67b
00123b68 3129e556 wwlib!FMain+0x5af37
00123bac 31480424 wwlib!FMain+0x59fa7
00126d28 31480ace wwlib!DllGetLCID+0xf8ce
0012b14c 3148073b wwlib!DllGetLCID+0xff78
0012b19c 31481614 wwlib!DllGetLCID+0xfbe5
0012e2f8 31481659 wwlib!DllGetLCID+0x10abe
0012e31c 31315ef4 wwlib!DllGetLCID+0x10b03

Notes:

- Reproduces on Windows Server 2003 and Windows 8.

- The stack frame appears to be incorrect/invalid at time of crash,
but tracing through execution until the illegal exception occurs shows
that the crash occurs in mso.dll at Ordinal4498 on an indirect call
(at 327AEEA9 in mso.dll version 12.0.6683.5000).

- The crashing function's stack trace is included above. On the
crashing instruction, eax should typically be 327b3d5c, which is set
up in sub_327B3D3D at instruction 327B3D47.

- Between the setup at instruction 327B3D47 and the crash at
instruction 327AEEA9, the initialized value is modified. Normally no
writes occur on this value, so this is suggestive of a use-after-free.

- Specifically it appears that the crashing function is called for a
second time after being used once correctly after initialization. On
the second call, the relevant object appears to have been freed and
reallocated for use in a different ordinal.

- This was confirmed by placing a conditional breakpoint on the return
of MsoPvAllocCore using the relevant pointer value. The chunk is
allocated again in Ordinal4680, but then later used by the crashing
function (Ordinal4498).

- The structural mutation occurs with a 17-bit change to the original
document. The mutation appears to affect a series of shape drawing
object control worlds.

- Attached files: d90993d0_crash.rtf (crashing file),
d90993d0_orig.rtf (original file), d90993d0_crash_min.rtf
(structurally minimized file). The minimized file only crashes when
debugged, and has a different exception address due to heap layout
changes.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by haw...@google.com on 21 Oct 2014 at 1:33

Attachments:

• d90993d0_crash.rtf
• d90993d0_crash_min.rtf
• d90993d0_orig.rtf

[GoogleCodeExporter]

Original comment by haw...@google.com on 21 Oct 2014 at 6:03

• Added labels: MSRC-20783

[GoogleCodeExporter]

This issue was fixed in MS14-081: 
https://technet.microsoft.com/en-us/library/security/ms14-081.aspx

Original comment by haw...@google.com on 29 Dec 2014 at 8:13

• Changed state: Fixed
• Added labels: CVE-2014-6357, Fixed-2014-Dec-9
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Original comment by scvi...@google.com on 13 Jan 2015 at 12:28

• Added labels: Reported-2014-Oct-20
• Removed labels: Reported-2014-October-20