sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Adobe Flash bad free condition #350

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following crash has been encountered while performing dumb fuzzing of Adobe 
Flash against malformed SWF files:

--- cut ---
FAULTING_IP: 
kernel32!InterlockedCompareExchange+c
75671398 f00fb111        lock cmpxchg dword ptr [ecx],edx

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000075671398 (kernel32!InterlockedCompareExchange+0x000000000000000c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000000000099d
Attempt to write to address 000000000000099d

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=00000000 ecx=0000099d edx=00000001 esi=09864000 edi=0000099d
eip=75671398 esp=002ce700 ebp=75671454 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
kernel32!InterlockedCompareExchange+0xc:
75671398 f00fb111        lock cmpxchg dword ptr [ecx],edx ds:002b:0000099d=????????

[...]

STACK_TEXT:  
002ce6fc 0191717c 0000099d 00000001 00000000 kernel32!InterlockedCompareExchange+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
002ce720 0142a7a2 1bd99768 1bd99768 1bd9a000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x69cec
002ce734 0142b9b8 1bd99000 0191f8a6 00000000 FlashPlayer!WinMainSandboxed+0x67442
002ce73c 0191f8a6 00000000 09693000 0969345c FlashPlayer!WinMainSandboxed+0x68658
002ce764 0191d07b 00000000 09693000 000003ae FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x72416
002ce778 0191dfe3 00000000 09693000 002ce83c FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x6fbeb
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x70b53
--- cut ---

The crash reproduces reliably using the latest Flash Player Projector for 
Windows, and in Chrome. The offending x86 instruction has been observed to 
always be an XCHG (in our tests), and the location of the crash in Flash code 
appears to be related to the internal flash heap manager (i.e. looks like a bad 
free or similar condition).

The diff between the crashing testcase and original file has been minimized to 
a single byte change, 0x4F => 0x9B, at offset 0xC74. Attached are both the 
mutated and original files.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 27 Apr 2015 at 4:18
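The report says the diff between the crashing testcase and the original SWF was minimised to a single byte (0x4F => 0x9B at offset 0xC74). The block below is an added example of how that kind of minimisation is done, and is not the reporter's or Project Zero's tooling: it computes the byte-level diff between an original and a fuzzed file, then runs delta debugging (ddmin) over the set of differing offsets, re-applying candidate subsets to the original and asking a crash oracle whether the result still faults. Everything in it is constructed for illustration: the SWF-like buffers are synthetic, and `fake_crash_oracle` is a stand-in for what would really be "run the Flash Projector on the candidate file under a debugger and check for an access violation"; the offset and byte values are the ones quoted in the report, used only so the synthetic run lands on the same answer.

```python
"""ddmin-style minimisation of the diff between an original file and a
crashing fuzzed mutant.  Added example, not code from the original report."""

import random
from typing import Callable, Dict, List, Tuple

Diff = Dict[int, int]              # offset -> replacement byte
Oracle = Callable[[bytes], bool]   # True if the candidate file crashes the target


def byte_diff(original: bytes, mutated: bytes) -> Diff:
    """Every offset where the mutant differs from the original (same-length files only,
    which is what a dumb byte-flipping fuzzer produces)."""
    if len(original) != len(mutated):
        raise ValueError("only same-length mutations are handled here")
    return {i: mutated[i] for i in range(len(original)) if original[i] != mutated[i]}


def apply_diff(original: bytes, diff: Diff) -> bytes:
    """Re-apply a subset of the mutation to a clean copy of the original."""
    buf = bytearray(original)
    for off, val in diff.items():
        buf[off] = val
    return bytes(buf)


def minimise(original: bytes, mutated: bytes, crashes: Oracle) -> Diff:
    """Zeller's ddmin over the differing offsets: returns a 1-minimal subset of the
    byte changes that still makes the oracle report a crash."""
    if not crashes(mutated):
        raise ValueError("mutated file does not trigger the crash oracle")
    items: List[Tuple[int, int]] = sorted(byte_diff(original, mutated).items())
    n = 2
    while len(items) >= 2:
        size = -(-len(items) // n)                       # ceil(len / n)
        subsets = [items[i:i + size] for i in range(0, len(items), size)]
        progressed = False
        # 1. does any single chunk reproduce the crash on its own?
        for sub in subsets:
            if crashes(apply_diff(original, dict(sub))):
                items, n, progressed = sub, 2, True
                break
        if progressed:
            continue
        # 2. does dropping any single chunk keep the crash?
        if n > 2:
            for sub in subsets:
                comp = [x for x in items if x not in sub]
                if crashes(apply_diff(original, dict(comp))):
                    items, n, progressed = comp, max(n - 1, 2), True
                    break
        if progressed:
            continue
        # 3. neither helped: split finer, or stop once chunks are single bytes
        if n >= len(items):
            break
        n = min(2 * n, len(items))
    return dict(items)


# --- constructed sample input (not the attachments from the report) -------------
# A 4 KiB SWF-shaped buffer: "FWS" signature followed by a deterministic pattern,
# with the byte at 0xC74 set to 0x4F as the report describes for the original file.
ORIGINAL = bytes(b"FWS" + bytes((i * 7 + 3) & 0xFF for i in range(3, 0x1000)))
_orig = bytearray(ORIGINAL)
_orig[0xC74] = 0x4F
ORIGINAL = bytes(_orig)

# A "dumb fuzzer" output: eight irrelevant byte flips plus the one that matters.
_rng = random.Random(2015)
_noise = _rng.sample([i for i in range(len(ORIGINAL)) if i != 0xC74], 8)
_mut = bytearray(ORIGINAL)
for _off in _noise:
    _mut[_off] ^= 0xFF        # XOR with 0xFF guarantees the byte actually changes
_mut[0xC74] = 0x9B
MUTATED = bytes(_mut)


def fake_crash_oracle(candidate: bytes) -> bool:
    """Stand-in for running the target under a debugger: in this synthetic model the
    crash is triggered exactly when offset 0xC74 holds 0x9B.  Hypothetical."""
    return candidate[0xC74] == 0x9B


if __name__ == "__main__":
    full = byte_diff(ORIGINAL, MUTATED)
    print(f"mutant differs in {len(full)} bytes")
    minimal = minimise(ORIGINAL, MUTATED, fake_crash_oracle)
    for off, val in sorted(minimal.items()):
        print(f"minimal change: offset 0x{off:X}: 0x{ORIGINAL[off]:02X} => 0x{val:02X}")
```

With a real oracle each call costs one launch of the target, so the ddmin loop is written to try whole chunks first and only fall back to complements and finer splits when needed; for a 9-byte diff it needs on the order of a dozen runs rather than hundreds.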

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 27 Apr 2015 at 9:25

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 5 Jul 2015 at 6:36

GoogleCodeExporter commented 9 years ago
Fixed: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

Original comment by cev...@google.com on 9 Jul 2015 at 12:37

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 17 Jul 2015 at 4:17