Bug 698538 - GSView 6.0 MS Windows allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to a "Data from Faulting Address controls Branch Selection starting at mupdfnet64!mIncrementalSaveFile+0x00000".
Summary: GSView 6.0 MS Windows allows attackers to cause a denial of service or possib...
Status: RESOLVED FIXED
Alias: None
Product: Artifex GSview
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: PC Windows 8
: P4 normal
Assignee: Michael Vrhel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-14 22:47 UTC by WangLin
Modified: 2017-09-30 10:29 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description WangLin 2017-09-14 22:47:15 UTC 
Created attachment 14260 [details]
Proof of concept

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x10
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:000007fa`b430dd1e mov rdi,qword ptr [rbx+10h]
BASIC_BLOCK_INSTRUCTION_COUNT:10
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd1e mov rdi,qword ptr [rbx+10h]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rbx
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd22 cmovne rcx,rax
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd26 movsxd rax,dword ptr [rbx+2ch]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rbx
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd2a mov dword ptr [rsp+60h],r15d
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd2f mov qword ptr [rbp+180h],rcx
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd36 lea rcx,[rdi+rax*4]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rax
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rdi
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd3a mov qword ptr [rsp+50h],rdi
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rdi
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd3f mov qword ptr [rbp],rcx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rcx
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd43 cmp rdi,rcx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rcx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:rdi
BASIC_BLOCK_INSTRUCTION:000007fa`b430dd46 je mupdfnet64!mincrementalsavefile+0x40df (000007fa`b430e9af)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
MAJOR_HASH:0x650f2c3a
MINOR_HASH:0x4e7c1c32
STACK_DEPTH:28
STACK_FRAME:mupdfnet64!mIncrementalSaveFile+0x344e
STACK_FRAME:mupdfnet64+0x56a3
STACK_FRAME:mupdfnet64!mRenderPageMT+0x9a
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:mscorlib_ni+0xe761c8
STACK_FRAME:mscorlib_ni+0x51611e
STACK_FRAME:mscorlib_ni+0x4a39a5
STACK_FRAME:mscorlib_ni+0x4a3719
STACK_FRAME:mscorlib_ni+0x5163f5
STACK_FRAME:mscorlib_ni+0x515a95
STACK_FRAME:mscorlib_ni+0x4d136a
STACK_FRAME:clr+0xa7f3
STACK_FRAME:clr+0xa6de
STACK_FRAME:clr+0xae76
STACK_FRAME:clr!GetMetaDataInternalInterface+0x31d01
STACK_FRAME:clr+0xc121
STACK_FRAME:clr+0xc0a8
STACK_FRAME:clr+0xc019
STACK_FRAME:clr+0xc15f
STACK_FRAME:clr!GetMetaDataInternalInterface+0x31c8e
STACK_FRAME:clr!GetMetaDataInternalInterface+0x30b26
STACK_FRAME:clr!GetMetaDataInternalInterface+0x30a1a
STACK_FRAME:clr!CopyPDBs+0x44a2
STACK_FRAME:KERNEL32!BaseThreadInitThunk+0x1a
STACK_FRAME:ntdll!RtlUserThreadStart+0x21
INSTRUCTION_ADDRESS:0x000007fab430dd1e
INVOKING_STACK_FRAME:0
DESCRIPTION:Data from Faulting Address controls Branch Selection
SHORT_DESCRIPTION:TaintedDataControlsBranchSelection
CLASSIFICATION:UNKNOWN
BUG_TITLE:Data from Faulting Address controls Branch Selection starting at mupdfnet64!mIncrementalSaveFile+0x000000000000344e (Hash=0x650f2c3a.0x4e7c1c32)
EXPLANATION:The data from the faulting address is later used to determine whether or not a branch is taken.
Comment 1 Michael Vrhel 2017-09-21 12:08:38 UTC 
Thanks,

This has been fixed and will be in the next release.