Vulnerability Credit
Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team
1. Vulnerability Description
Affected versions:Chrome Version < 66.0.3359.170
2. Vulnerability analysis
2.1 Vulnerability type
Run poc file, get the ASAN crash dump:
Figure 1
2.2 Vulnerability root cause
1) The code corresponding to the crash point is shown in Figure 2:
Figure 2 crash point code
Since the value of m_nOrigOutputs is outside the scope of the array request space, an out-of-bounds write will occur at line #55 of Figure 2.
2) Array declaration and the size of the allocation:
The source code corresponding to the ASAN crash dump stack:
Figure 3 The source code around ASAN crash dump
With the help of the ASAN crash dump, we can locate the following source code: The size of the array is determined by the return value of the following function.
Figure 4 Calculation of the required space of the array
In Figure 4, set breakpoint at code line #100, after running multiple times, we can see that the value of `total` overflows when parsing the poc file.
3. Vulnerability exploit
Since the variables (m_nOrigOutputs, m_Exponent) can be precisely controlled in the pdf file by controlling the corresponding fields, we can simplify the assignment action . Control m_Exponent = 0, then FXSYS_pow(input [i],m_Exponent) will always be 1.
Figure 5
The contents of m_pEndValues array come from the pdf file and are fully controllable, so it’s very simple to exploit this vulnerability.
Figure 6 The contents of the overflow array are fully controllable
4. Demo
Figure 7 hijacking instruction register
5. Vulnerability Patch
The Chrome team fixed the vulnerability quickly:
Figure 8 Google Fixed the vulnerability
Using FX_SAFE_UINT32 replace previous uint32_t, the representation in memory : the upper four bytes are the value of unsigned int, and the lower four bytes hold the data overflow identifier.
Figure 10
Since the operator is overloaded, the overflow is automatically checked when doing a numerical calculation of this type, ensuring that overflow and underflow do not occur. The specific check method is to use the compiler’s built-in overflow detection function __builtin_add_overflow. After the overflow occurs, the function where the result_array is located returns directly. (See Figure 10)
6. Attack again
Affected versions: Chrome Version < 67.0.3396.99
After the official fix of CVE-2018-6120 was out, we noticed such data type:
CFX_FixedBufGrow<float, 16>, its constructor is shown in Figure 12:
Figure 12. Constructor for CFX_FixedBufGrow
CFX_FixedBufGrow<float, 16> result_array(total_results) meaning :
(1) When the required space is not greater than 16, the stack space of 16 float types is returned;
(2) Otherwise use the parameter (total_results) to request a piece of memory on the heap.
The problem is that the argument passed in here is unsigned int, while the formal parameter is int.
CVE-2018-6120 out of bound write vulnerability can be triggered again 🙂
For the latest stable version, the new vulnerability described in this section is no longer exploitable, so we decided to disclose the details here.
7. Fixed by non-security update
More than three years of functional discussion once again accidentally killed the bug.
A non-security update from Chrome last month unexpectedly fixed this vulnerability in section #6. The reason is:
after a series of performance tests passed, Chrome removed the CFX_FixedBufGrow type and replaced it with std::vector<float>. For more information, please refer to
link .
nice work, Google Chrome Team 🙂
Figure 13
8. Vulnerability Reporting Timeline
