v4ng3l1s / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Flash: bad cast during garbage collection from KeenTeam #210

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Credit is to "Jihui Lu of KeenTeam (@K33nTeam), working with the Chromium 
vulnerability reward program"

Flash player 15.0.0.239 in Chrome 39 Linux x64.

This looks like a bad cast. For example on Linux x64 in Chrome the crash is 
deterministic:

=> 0x00007f78dd2a7bd1:  mov    (%rdi),%rax
%rdi == 0x400000000

On other builds, I see a crash dereferencing 0x0000ffff8000.

I also attach apparent variants.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 3 Dec 2014 at 9:24

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 4 Dec 2014 at 3:42

GoogleCodeExporter commented 9 years ago
Adobe tracking as PSIRT-3167

Original comment by cev...@google.com on 4 Dec 2014 at 3:45

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 4 Feb 2015 at 7:10

GoogleCodeExporter commented 9 years ago
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html

Original comment by cev...@google.com on 6 Feb 2015 at 3:14

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 12 Feb 2015 at 8:12