
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 100322: Security: Calling arbitrary V8 native functions from JavaScript

Reported by keuchel@chromium.org, Oct 14 2011 Project Member

Issue description

This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
When lazily parsing functions, the allow_natives_syntax flag is always set for those functions. The preparser doesn't report invalid use of natives syntax, so within functions arbitrary natives can be called if preparsing is enabled (source file > 1024 bytes). The native functions expose V8 internal functionality which could be exploited.

VERSION
Chrome Version: since 10.0.605.0 (Official Build 68547) canary build
Operating System: All OS

REPRODUCTION CASE
See the attached JavaScript file.
Attachment: call-natives.js (1.0 KB)
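A defender-side audit check for the pattern described in the report, added here as an example (it is not the reporter's attachment and not V8 code): it scans JavaScript source for natives-syntax calls (`%Name(...)`), ignores the modulo operator and anything inside strings or comments, and flags calls nested in function bodies when the source exceeds the 1024-byte preparse threshold. The sample input and the `%SomeNative` name are constructed, and brace depth as a proxy for "inside a lazily parsed function" is an assumption.

```python
import re

NATIVE_CALL = re.compile(r'%([A-Za-z_$][\w$]*)\s*\(')  # '%' + identifier + call
# Words after which a '%' starts an expression rather than being the modulo operator.
KEYWORDS = {'return', 'typeof', 'throw', 'case', 'in', 'of', 'void', 'delete', 'new', 'else', 'do'}

def _blank_strings_and_comments(src):
    """Overwrite string literals and comments with spaces (newlines kept); regex literals are not handled (assumption)."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src.startswith('//', i):
            j = src.find('\n', i); j = n if j < 0 else j
        elif src.startswith('/*', i):
            j = src.find('*/', i + 2); j = n if j < 0 else j + 2
        elif src[i] in '"\'':
            j = i + 1
            while j < n and src[j] != src[i]:
                j += 2 if src[j] == '\\' else 1  # skip escaped characters
            j = min(j + 1, n)
        else:
            out.append(src[i]); i += 1
            continue
        out.append(re.sub(r'[^\n]', ' ', src[i:j])); i = j
    return ''.join(out)

def find_native_calls(src):
    """Each natives-syntax call with its line; 'nested' (brace depth > 0) approximates 'inside a function body'."""
    clean = _blank_strings_and_comments(src)
    hits = []
    for m in NATIVE_CALL.finditer(clean):
        prev = re.search(r'(\w+|\S)\s*$', clean[:m.start()])
        tok = prev.group(1) if prev else ''
        # A '%' right after an operand (x %f(), a) %f()) is the modulo operator, not natives syntax.
        if tok not in KEYWORDS and tok and (tok[-1].isalnum() or tok[-1] in '_$)]'):
            continue
        depth = clean.count('{', 0, m.start()) - clean.count('}', 0, m.start())
        hits.append({'name': m.group(1), 'line': clean.count('\n', 0, m.start()) + 1, 'nested': depth > 0})
    return hits

def audit(src, preparse_threshold=1024):
    """Flag hits matching the bug's preconditions: nested in a function, in a source large enough to be preparsed."""
    hits = find_native_calls(src)
    preparsed = len(src.encode('utf-8')) > preparse_threshold
    return {'hits': hits, 'preparsed': preparsed, 'risky': [h for h in hits if h['nested'] and preparsed]}

# Constructed sample input; %SomeNative is a placeholder name, not a real V8 native.
SAMPLE = '''var a = 10 %bar(3);      // modulo operator: must not be reported
var s = "%NotACall(1)";  /* inside a string literal: ignored */
function outer() {
  return %SomeNative(a); // natives syntax inside a function body
}
'''
```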

Comment 1 by keuchel@chromium.org, Oct 14 2011

Cc: whesse@chromium.org lrn@chromium.org

Comment 2 by keuchel@chromium.org, Oct 14 2011

Cc: nepper@chromium.org jkummerow@chromium.org kmillikin@chromium.org erik.co...@gmail.com vegorov@chromium.org mstarzinger@chromium.org yangguo@chromium.org fschneider@chromium.org u...@chromium.org rossberg@chromium.org svenpanne@chromium.org

Comment 3 by keuchel@chromium.org, Oct 14 2011

Sorry the version above is not correct: this goes back to Chrome version 9.0.571.0 (r64892) when V8 version 2.5.4 (r5757) was merged into Chrome.

Comment 4 by jsc...@chromium.org, Oct 14 2011

Labels: -Pri-0 Pri-1 SecSeverity-High Mstone-15 SecImpacts-Stable SecImpacts-Beta
Thanks for catching this. Do you have an ETA on when you'll have a fix ready?

Comment 5 by lrn@chromium.org, Oct 18 2011

Patch committed on v8 bleeding edge as r9643, and ported to all branches since 3.3 (versions 3.7.0.1 (r9653), 3.6.6.4 (r9644), 3.5.10.12 (r9645), 3.4.14.32 (r9646), and 3.3.10.38 (r9651)).

Comment 6 by scarybea...@gmail.com, Oct 18 2011

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
@lrn: thanks! Is this by any chance the same issue as http://code.google.com/p/chromium/issues/detail?id=100601 ?

Comment 7 by lrn@chromium.org, Oct 18 2011

As Danno says, it's the same exploit.
I don't think there is anything else to it.
It uses a known approach to make an internal method call a malicious function to get access to the script object. This was patched earlier, so overwriting the "lineFromPosition" shouldn't be possible, but it's not safe against someone with access to %IgnoreAttributesAndSetProperty().

Comment 8 by scarybea...@gmail.com, Oct 19 2011

Labels: CVE-2011-3891

Comment 9 by oritm@chromium.org, Oct 20 2011

Which Chrome versions have this fix?

Comment 10 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 11 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 12 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -SecSeverity-High -Mstone-15 -SecImpacts-Stable -SecImpacts-Beta Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-15 Type-Bug-Security

Comment 13 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 14 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 15 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 19 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 20 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 21 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 25 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
