kevinmel2000 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Flash: wild pointer crash in drawing and bitmap handling #396

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
A nasty looking crash is manifesting in various different ways under fuzzing, 
apparently related to drawing and bitmap handling.

A trigger is attached, 
signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf

The base file from which this fuzz case was generated is attached, 
0688bbd450e7c095265d00be2fca50ab.swf

The crash on 64-bit Linux looks like this:

=> 0x00007f69314b8f7d:  cmpl   $0xc,0x174(%rax)

rax            0x83071500ff0300 36881008741516032

If we trace through the usages of %rax, we can get to some bad writes pretty 
easily:

=> 0x00007f69314b8f7d:  cmpl   $0xc,0x174(%rax)
   0x00007f69314b8f84:  je     0x7f69314b8fa0
...
   0x00007f69314b8fa0:  mov    (%rax),%rdi      <-- rdi compromised
   0x00007f69314b8fa3:  callq  0x7f69314b8810
...
   0x00007f69314b8810:  mov    (%rsi),%edx
   0x00007f69314b8812:  cmp    $0x7ffffff,%edx
   0x00007f69314b8818:  je     0x7f69314b8862
   0x00007f69314b881a:  mov    0x10(%rdi),%eax
   0x00007f69314b881d:  cmp    $0x7ffffff,%eax
   0x00007f69314b8822:  je     0x7f69314b8868
   0x00007f69314b8824:  sub    $0x1,%edx
   0x00007f69314b8827:  cmp    %eax,%edx
   0x00007f69314b8829:  cmovg  %eax,%edx
   0x00007f69314b882c:  mov    0x14(%rdi),%eax
   0x00007f69314b882f:  mov    %edx,0x10(%rdi)  <---- rdi written to

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 20 May 2015 at 9:57
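As an added example, not part of the original report or of any Project Zero tooling, the "trace through the usages of %rax" step above done mechanically: a small forward taint pass over the quoted AT&T disassembly that seeds %rax as wild and reports every load and store whose address depends on a tainted register. The trace string is a constructed excerpt of the listing above with the taken branches removed.

```python
import re

# Constructed excerpt of the disassembly quoted in the report (AT&T syntax); taken
# branches and calls are dropped so the trace is straight-line.
CRASH_TRACE = """\
=> 0x00007f69314b8f7d:  cmpl   $0xc,0x174(%rax)
   0x00007f69314b8fa0:  mov    (%rax),%rdi      <-- rdi compromised
   0x00007f69314b8810:  mov    (%rsi),%edx
   0x00007f69314b881a:  mov    0x10(%rdi),%eax
   0x00007f69314b881d:  cmp    $0x7ffffff,%eax
   0x00007f69314b8824:  sub    $0x1,%edx
   0x00007f69314b8827:  cmp    %eax,%edx
   0x00007f69314b8829:  cmovg  %eax,%edx
   0x00007f69314b882c:  mov    0x14(%rdi),%eax
   0x00007f69314b882f:  mov    %edx,0x10(%rdi)  <---- rdi written to
"""

LINE_RE = re.compile(r"^(?:=>)?\s*(0x[0-9a-f]+):\s+(\w+)\s*([^<]*)")

def canon(reg):
    # Fold 32-bit names (eax, edi, ...) onto their 64-bit register (rax, rdi, ...).
    return "r" + reg[1:] if len(reg) == 3 and reg[0] == "e" else reg

def regs_in(operand):
    return {canon(r) for r in re.findall(r"%(\w+)", operand)}

def trace_taint(disasm, seed):
    """Propagate taint from `seed` registers forward through a straight-line trace;
    return tainted registers plus addresses of loads/stores via tainted pointers."""
    tainted, reads, writes = set(seed), [], []
    for m in filter(None, map(LINE_RE.match, disasm.splitlines())):
        addr, mnem = m.group(1), m.group(2)
        ops = re.split(r",(?![^()]*\))", m.group(3).strip())  # keep (base,index) intact
        if len(ops) != 2:                      # branches and calls: no data flow here
            continue
        src, dst = ops
        src_taint = bool(regs_in(src) & tainted)
        if "(" in src and src_taint:
            reads.append(addr)                 # load through a tainted pointer
        if "(" in dst:
            if regs_in(dst) & tainted:         # a mov stores, a cmp only reads
                (writes if mnem.startswith("mov") else reads).append(addr)
            continue                           # memory contents are not tracked
        if mnem.startswith("cmp"):
            continue                           # only flags change
        dst_reg = canon(dst.lstrip("%"))
        if mnem.startswith("mov"):             # a plain move overwrites dst
            (tainted.add if src_taint else tainted.discard)(dst_reg)
        elif src_taint:                        # cmov/sub/add: dst may inherit taint
            tainted.add(dst_reg)
    return {"tainted": tainted, "reads": reads, "writes": writes}
```

Run against CRASH_TRACE with the seed {"rax"}, the pass flags the four dereferences of the wild pointer and the single store at 0x...882f, matching the manual trace in the report.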

GoogleCodeExporter commented 8 years ago
PSIRT-3730

Original comment by cev...@google.com on 26 May 2015 at 10:16

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 11 Aug 2015 at 3:38

GoogleCodeExporter commented 8 years ago
Fixed in https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

Original comment by natashe...@google.com on 18 Aug 2015 at 7:25