CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png

Posted by Sergei Glazunov, Project Zero (2021-02-04)

Disclosure or Patch Date: 19 October 2020

Product: Google Chrome

Advisory: https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

Affected Versions: 86.0.4240.80 and previous

First Patched Version: 86.0.4240.111

Issue/Bug Report:

Patch CL:

Bug-Introducing CL: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=01705395b08167b654a24f26673ee6e75a84f2be

Proof-of-Concept: A font file which will reproduce the crash in an ASAN build is attached here.

Exploit Sample: N/A

Access to the exploit sample? Yes

Reporter(s): Sergei Glazunov of Google Project Zero

Bug Class: Heap buffer overflow

Vulnerability Details: FreeType is a popular software development library used to render text onto bitmaps, and it also provides support for other font-related operations. The vulnerability is in the function Load_SBit_Png, which processes PNG images embedded in fonts. When calculating the bitmap size, Load_SBit_Png truncates the image height and width to 16-bit integers, and that truncated size is used to allocate the buffer. Later, however, the code passes the original 32-bit height and width, along with the allocated buffer, to libpng for further processing. Therefore, if the original width and/or height is greater than 65535, the allocated buffer is too small to hold the bitmap.
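The size mismatch described above, as an added C model that is not FreeType's code: a 32-bit PNG dimension is narrowed to 16 bits before the buffer size is computed, so the buffer is sized for the truncated value while libpng writes the original; the hardened variant bounds the 32-bit values before narrowing them. The struct, the function names and the 0x7FFF limit are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the pattern described above, not FreeType's code:
 * the PNG header carries 32-bit dimensions, the bitmap metrics hold them
 * as 16-bit values, and libpng is handed the 32-bit originals. */
typedef struct { uint16_t width, rows; } bitmap_metrics;

/* Bytes libpng writes for a 4-byte-per-pixel (BGRA) image of the
 * original 32-bit size. */
size_t bytes_libpng_writes(uint32_t img_width, uint32_t img_height)
{
    return (size_t)img_width * 4u * img_height;
}

/* Vulnerable pattern: dimensions are narrowed to 16 bits before the
 * allocation size is computed, so 0x10001 silently becomes 1. */
size_t vulnerable_alloc_size(uint32_t img_width, uint32_t img_height,
                             bitmap_metrics *m)
{
    m->width = (uint16_t)img_width;
    m->rows  = (uint16_t)img_height;
    return (size_t)m->width * 4u * m->rows;
}

/* Hardened pattern: bound-check the 32-bit values *before* narrowing.
 * The 0x7FFF limit is this example's assumption, chosen so that the
 * 16-bit copies are lossless; a rejected image is never allocated. */
bool hardened_alloc_size(uint32_t img_width, uint32_t img_height,
                         bitmap_metrics *m, size_t *out_size)
{
    if (img_width > 0x7FFFu || img_height > 0x7FFFu)
        return false;
    m->width  = (uint16_t)img_width;
    m->rows   = (uint16_t)img_height;
    *out_size = (size_t)m->width * 4u * m->rows;
    return true;
}

/* Overflow condition: the buffer sized by the vulnerable path is
 * smaller than what libpng will write into it. */
bool overflows(uint32_t img_width, uint32_t img_height)
{
    bitmap_metrics m;
    return vulnerable_alloc_size(img_width, img_height, &m)
           < bytes_libpng_writes(img_width, img_height);
}
```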

Is the exploit method novel? Yes
Exploit method: Still under analysis.

How do you think you would have found this bug?

The issue is relatively straightforward to find during a manual code review. It's also quite possible that it was discovered as a result of variant analysis of https://bugs.chromium.org/p/project-zero/issues/detail?id=168.

(Historical/present/future) context of bug:

The vulnerability was used by the actor in two exploit chains:

 - together with an OS kernel issue (CVE-2020-17087) on Windows,

 - together with a Chrome-specific UAF (CVE-2020-15999) in the browser process on Android.

Areas/approach for variant analysis: Fuzzing for interoperability issues between FreeType and its dependencies (e.g., libpng).

Found variants: N/A

Structural improvements:

The issue is a textbook buffer overflow, so while generic solutions like memory tagging apply, it's unlikely there's a potential structural improvement that's specific to the bug/area.

Potential detection methods for similar 0-days: N/A

Other references:
