- This report addresses a crash that occurs when two large text files (`first.txt` and `second.txt`) are opened as input to SumatraPDF 32-bit.
- Run the following command, or open both files manually in SumatraPDF 32-bit (3.4.6):

```
SumatraPDF.exe first.txt second.txt
```
The following crash was encountered (WinDbg output on the resulting minidump):

```
Microsoft (R) Windows Debugger Version 10.0.22000.194 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\out\dbg32\crashinfo\sumatrapdfcrash.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 19044 MP (12 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Tue Sep 27 14:18:04.000 2022 (UTC + 5:30)
System Uptime: not available
Process Uptime: 0 days 0:04:07.000
..............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(22a4.a40): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=c0000034 ebx=020fe29c ecx=00000000 edx=00000000 esi=00000000 edi=0000029c
eip=772629fc esp=020fe0f0 ebp=020fe160 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
ntdll!NtWaitForSingleObject+0xc:
772629fc c20c00 ret 0Ch
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for SumatraPDF.exe
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: NullPtr
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 2827
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3238
Key : Analysis.Init.CPU.mSec
Value: 640
Key : Analysis.Init.Elapsed.mSec
Value: 12340
Key : Analysis.Memory.CommitPeak.Mb
Value: 118
Key : Timeline.Process.Start.DeltaSec
Value: 247
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
Key : WER.Process.Version
Value: 3.4.6.0
CONTEXT: (.ecxr)
eax=00000000 ebx=01e76000 ecx=00000000 edx=00000000 esi=007914b5 edi=007914b5
eip=77257a6e esp=020ffbc8 ebp=020ffbd0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ntdll!_RtlUserThreadStart+0x1b:
77257a6e cc int 3
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0089b083 (SumatraPDF!CrashMe+0x00000013)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000
PROCESS_NAME: SumatraPDF.exe
WRITE_ADDRESS: 00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
FAULTING_THREAD: ffffffff
STACK_TEXT:
0089b083 0089b083 SumatraPDF!CrashMe+0x13
FAULTING_SOURCE_LINE: C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h
FAULTING_SOURCE_FILE: C:\Users\Administrator\Downloads\sumatrapdf-3.4.6rel\sumatrapdf-3.4.6rel\src\utils\BaseUtil.h
FAULTING_SOURCE_LINE_NUMBER: 200
FAULTING_SOURCE_CODE:
196: // but it seemed to confuse callstack walking
197: inline void CrashMe() {
198: char* p = nullptr;
199: // cppcheck-suppress nullPointer
> 200: *p = 0; // NOLINT
201: }
202: #if COMPILER_MSVC
203: #pragma warning(pop)
204: #endif
205:
SYMBOL_NAME: SumatraPDF!CrashMe+13
MODULE_NAME: SumatraPDF
IMAGE_NAME: SumatraPDF.exe
STACK_COMMAND: .ecxr ; kb ; ** Pseudo Context ** Pseudo ** Value: d ** ; kb
FAILURE_BUCKET_ID: NULL_POINTER_WRITE_CONTEXT_MISMATCH_c0000005_SumatraPDF.exe!CrashMe
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
IMAGE_VERSION: 3.4.6.0
FAILURE_ID_HASH: {1595dcef-2e27-85d9-39da-85ddbd1355a2}
Followup: MachineOwner
---------
0:000> !msec.exploitable
!exploitable 1.6.0.0
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at ntdll!_RtlUserThreadStart+0x000000000000001b (Hash=0xcc3d4e45.0x55921273)
User mode write access violations that are near NULL are unknown.
```
- The issue reproduces with and without PageHeap enabled on a Windows 11 (22563.1000, 64-bit) machine running SumatraPDF 3.4.6 32-bit.
- Below is the fragment of the function (`EnsureCap`) where the crash originates. Note that `CrashMe` is reached only through `CrashAlwaysIf`, i.e. only after an allocation has already failed:

```cpp
// Grow the string's backing storage to allocSize bytes.
if (s->buf == s->els) {
    // Still using the inline buffer: allocate a heap block and copy the
    // current contents (including the terminating NUL) into it.
    newEls = (char*)Allocator::Alloc(s->allocator, allocSize);
    if (newEls) {
        memcpy(newEls, s->buf, s->len + 1);
    }
} else {
    // Already on the heap: grow the existing block in place.
    newEls = (char*)Allocator::Realloc(s->allocator, s->els, allocSize);
}
if (!newEls) {
    // Allocation failed. Unless allocation failures are explicitly allowed,
    // crash the process deliberately rather than continue with a bad state.
    CrashAlwaysIf(gAllowAllocFailure.load() == 0);
    return nullptr;
}
```
- The `CrashAlwaysIf` macro is invoked in the `EnsureCap` function as the way to handle a failed memory allocation. When `Alloc` or `Realloc` returns a null pointer, indicating that the allocation failed, and `gAllowAllocFailure` is 0, `CrashAlwaysIf` deliberately terminates the program: it calls the `CrashMe` function, which writes through a null pointer (`*p = 0`). That write raises an access violation (the `c0000005` exception in the dump above) and the process crashes.
- Impact: Denial of Service.

The vulnerability has been confirmed on the following versions:
- SumatraPDF 3.4.6 32-bit
- Windows 11 - 22563.1000 64-bit
- Windows 10 - 10.0.19042.1586 64-bit
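The `EnsureCap` fragment quoted above turns every refused allocation into a deliberate process crash, which is what makes two oversized inputs a denial of service on a 32-bit build. The example below is an added illustration, not SumatraPDF's own code: a hypothetical growable buffer (`GrowBuf`) with the same inline-buffer-then-heap layout, but whose `EnsureCap` enforces an upper size bound and reports allocation failure to the caller instead of crashing. The `Allocator` hook is a hypothetical stand-in for the real allocator so the test can simulate `Alloc`/`Realloc` returning null without exhausting memory.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <functional>

// Hypothetical allocator hook (not SumatraPDF's Allocator API). A test can
// replace realloc_fn to simulate an allocation that returns nullptr.
struct Allocator {
    std::function<void*(void*, size_t)> realloc_fn =
        [](void* p, size_t n) -> void* { return std::realloc(p, n); };
};

// Hypothetical growable string buffer modelled on the EnsureCap logic in the
// report: contents live in a small inline buffer (buf_) until they outgrow it,
// then move to a heap block (els_).
class GrowBuf {
public:
    explicit GrowBuf(Allocator* a) : allocator_(a), els_(buf_) { buf_[0] = '\0'; }
    ~GrowBuf() { if (els_ != buf_) std::free(els_); }

    // Hard upper bound for one buffer. An input needing more than this is
    // refused up front instead of being allowed to exhaust the address space.
    static constexpr size_t kMaxCap = 256u * 1024u * 1024u;

    // Returns false (leaving the existing contents valid) instead of crashing
    // when the request is over the limit or the allocator refuses it.
    bool EnsureCap(size_t needed) {
        if (needed <= cap_) return true;
        if (needed > kMaxCap) return false;            // policy limit, checked first
        size_t newCap = cap_ * 2 > needed ? cap_ * 2 : needed;
        if (newCap > kMaxCap) newCap = kMaxCap;
        size_t allocSize = newCap + 1;                 // room for terminating NUL
        char* newEls;
        if (els_ == buf_) {
            // Still inline: allocate a heap block and copy contents plus NUL.
            newEls = (char*)allocator_->realloc_fn(nullptr, allocSize);
            if (newEls) std::memcpy(newEls, buf_, len_ + 1);
        } else {
            // Already on the heap: grow the existing block.
            newEls = (char*)allocator_->realloc_fn(els_, allocSize);
        }
        if (!newEls) return false;                     // caller decides what to do
        els_ = newEls;
        cap_ = newCap;
        return true;
    }

    bool Append(const char* s, size_t n) {
        if (n > kMaxCap - len_) return false;          // guards len_ + n overflow
        if (!EnsureCap(len_ + n)) return false;
        std::memcpy(els_ + len_, s, n);
        len_ += n;
        els_[len_] = '\0';
        return true;
    }

    const char* Data() const { return els_; }
    size_t Len() const { return len_; }
    size_t Cap() const { return cap_; }
    bool IsInline() const { return els_ == buf_; }

private:
    static constexpr size_t kInlineCap = 15;
    Allocator* allocator_;
    char buf_[kInlineCap + 1];
    char* els_;
    size_t len_ = 0;
    size_t cap_ = kInlineCap;
};

// With a working allocator the buffer moves from inline to heap storage and
// keeps its contents intact.
bool DemoGrowsAndKeepsContent() {
    Allocator a;
    GrowBuf b(&a);
    if (!b.Append("0123456789", 10) || !b.IsInline()) return false;
    if (!b.Append("abcdefghij", 10)) return false;
    return !b.IsInline() && b.Len() == 20 &&
           std::strcmp(b.Data(), "0123456789abcdefghij") == 0;
}

// With an allocator that always fails, Append reports the failure and the
// buffer is left exactly as it was, rather than the process being crashed.
bool DemoAllocFailureIsReported() {
    Allocator failing;
    failing.realloc_fn = [](void*, size_t) -> void* { return nullptr; };
    GrowBuf b(&failing);
    if (!b.Append("0123456789", 10)) return false;    // fits inline, no allocation
    bool ok = b.Append("abcdefghij", 10);             // needs heap, allocator refuses
    return !ok && b.Len() == 10 && std::strcmp(b.Data(), "0123456789") == 0;
}

// A request above the policy limit is refused before any allocation is tried.
bool DemoSizeLimitIsEnforced() {
    Allocator a;
    GrowBuf b(&a);
    return !b.EnsureCap(GrowBuf::kMaxCap + 1) && b.Cap() == 15;
}
```

The point of the two failure paths is that the caller, not the buffer, decides how an oversized or unallocatable input is handled (for instance by refusing to open that document), so one large file cannot take down the whole process.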