
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Security: Calling arbitrary V8 native functions from JavaScript

Reported by keuchel@chromium.org, Oct 14 2011

Issue description


VULNERABILITY DETAILS
When lazily parsing functions, the allow_natives_syntax flag is always set for those functions. The preparser doesn't report invalid use of natives syntax, so within functions arbitrary natives can be called if preparsing is enabled (source file > 1024 bytes). The native functions expose V8 internal functionality which could be exploited.

VERSION
Chrome Version: since 10.0.605.0 (Official Build 68547) canary build
Operating System: All OS

REPRODUCTION CASE
See the attached JavaScript file.
Attachment: call-natives.js (1.0 KB)
Cc: whesse@chromium.org lrn@chromium.org
Cc: nepper@chromium.org jkummerow@chromium.org kmillikin@chromium.org erik.co...@gmail.com vegorov@chromium.org mstarzinger@chromium.org yangguo@chromium.org fschneider@chromium.org u...@chromium.org rossberg@chromium.org svenpanne@chromium.org
Sorry the version above is not correct: this goes back to Chrome version 9.0.571.0 (r64892) when V8 version 2.5.4 (r5757) was merged into Chrome.
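The report above describes natives syntax (calls of the form %FunctionName(...)) being accepted inside lazily parsed functions of scripts larger than 1024 bytes. As an added example that is not part of this bug report or of V8, the following scanner flags natives-syntax calls in JavaScript source text during code review, while skipping strings, comments and the modulo operator. The sample script, the threshold constant and the name %ExampleNative are constructed for the example; the scanner is a heuristic (regex literals and nested template expressions are not modelled).

```javascript
// Added example (not from the bug report or V8): heuristic scanner for
// V8 natives syntax (%FunctionName(...)) in JavaScript source text.

const PREPARSE_THRESHOLD = 1024; // bytes; the size above which the report says lazy parsing kicks in

// Keywords after which a '%' cannot be the modulo operator, so a following
// %Name( would be a native call rather than an arithmetic expression.
const NON_OPERAND_KEYWORDS = new Set([
  'return', 'typeof', 'void', 'delete', 'throw', 'case', 'in',
  'instanceof', 'new', 'await', 'yield', 'of', 'do', 'else',
]);

// True when the previous significant token ends an operand, i.e. a '%'
// right after it is the modulo operator (identifier, number, ')', ']' or a
// closing quote).
function endsOperand(tok) {
  if (tok === '') return false;
  if (/^[\w$]+$/.test(tok)) return !NON_OPERAND_KEYWORDS.has(tok);
  return /[)\]'"`]/.test(tok);
}

function lineOf(source, offset) {
  let line = 1;
  for (let k = 0; k < offset; k++) if (source[k] === '\n') line++;
  return line;
}

// Returns [{ name, line }] for every %Name( occurrence that is not inside a
// string, template literal or comment and is not a modulo operation.
function findNativeCalls(source) {
  const hits = [];
  const n = source.length;
  let i = 0;
  let prev = ''; // previous significant token: a word, a punctuation char or a closing quote
  while (i < n) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '/' && next === '/') {            // line comment
      while (i < n && source[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && next === '*') {            // block comment
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') {  // string or template literal
      i++;
      while (i < n && source[i] !== c) {
        if (source[i] === '\\') i++;            // skip the escaped character
        i++;
      }
      i++;
      prev = c;
      continue;
    }
    if (/[A-Za-z_$0-9]/.test(c)) {              // identifier, keyword or number
      let j = i;
      while (j < n && /[\w$]/.test(source[j])) j++;
      prev = source.slice(i, j);
      i = j;
      continue;
    }
    if (c === '%' && !endsOperand(prev)) {
      const m = /^%\s*([A-Za-z_$][\w$]*)\s*\(/.exec(source.slice(i));
      if (m) hits.push({ name: m[1], line: lineOf(source, i) });
    }
    if (!/\s/.test(c)) prev = c;
    i++;
  }
  return hits;
}

// Summarises one script: its UTF-8 size, whether it exceeds the lazy-parse
// threshold from the report, and the natives-syntax calls found in it.
function scanScript(source) {
  const byteLength = new TextEncoder().encode(source).length;
  return {
    byteLength,
    lazyParseLikely: byteLength > PREPARSE_THRESHOLD,
    calls: findNativeCalls(source),
  };
}

// Constructed sample input; %ExampleNative is a placeholder name, not a real V8 native.
const SAMPLE = [
  '// constructed sample, not a real script',
  'function pad() { return "%NotACall(x)"; } // inside a string literal',
  '/* %AlsoNotACall(y) in a block comment */',
  'function mod(a, b) { return a % b(1); }   // modulo, not a native',
  'function probe(o) { return %ExampleNative(o); } // natives syntax',
].join('\n');

console.log(JSON.stringify(scanScript(SAMPLE), null, 2));
```

The scanner reports only line 5 of the sample: the string, the comment and the modulo expression are correctly ignored, and a '%' following `return` is treated as a native call because `return` cannot end an operand.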

Comment 4 by jsc...@chromium.org, Oct 14 2011

Labels: -Pri-0 Pri-1 SecSeverity-High Mstone-15 SecImpacts-Stable SecImpacts-Beta
Thanks for catching this. Do you have an ETA on when you'll have a fix ready?

Comment 5 by lrn@chromium.org, Oct 18 2011

Patch committed on v8 bleeding edge as r9643, and ported to all branches since 3.3 (versions 3.7.0.1 (r9653), 3.6.6.4 (r9644), 3.5.10.12 (r9645), 3.4.14.32 (r9646), and 3.3.10.38 (r9651)).

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
@lrn: thanks! Is this by any chance the same issue as http://code.google.com/p/chromium/issues/detail?id=100601 ?

Comment 7 by lrn@chromium.org, Oct 18 2011

As Danno says, it's the same exploit.
I don't think there is anything else to it.
It uses a known approach to make an internal method call a malicious function to get access to the script object. This was patched earlier, so overwriting the "lineFromPosition" shouldn't be possible, but it's not safe against someone with access to %IgnoreAttributesAndSetProperty().

Labels: CVE-2011-3891

Comment 9 by oritm@chromium.org, Oct 20 2011

Which Chrome versions have this fix?

Comment 10 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 11 by bugdroid1@chromium.org (Project Member), Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 12 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -SecSeverity-High -Mstone-15 -SecImpacts-Stable -SecImpacts-Beta Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-15 Type-Bug-Security

Comment 13 by bugdroid1@chromium.org (Project Member), Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 14 by bugdroid1@chromium.org (Project Member), Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 17 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 18 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 19 by bugdroid1@chromium.org (Project Member), Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 20 by bugdroid1@chromium.org (Project Member), Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 21 by sheriffbot@chromium.org (Project Member), Jun 14 2016

Labels: -security_impact-beta

Comment 22 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
