Status: Fixed
Owner:
Closed: Oct 2011
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security
Security: css/CSSParser.cpp memory corruption bug
Reported by hashcoll...@gmail.com, Oct 20 2011

VULNERABILITY DETAILS
date: 16 Oct 2011
version: the latest Chrome version in cvs
target: chromium
filename: css/CSSParser.cpp
bug type: unbound memory access
process layer: the renderer process
function: CSSParser::addProperty(int propId, PassRefPtr<CSSValue> value, bool important)
description:

void CSSParser::addProperty(int propId, PassRefPtr<CSSValue> value, bool important)
{
    OwnPtr<CSSProperty> prop(new CSSProperty(propId, value, important, m_currentShorthand, m_implicitShorthand));
    if (m_numParsedProperties >= m_maxParsedProperties) {
        m_maxParsedProperties += 32; // @1
        if (m_maxParsedProperties > UINT_MAX / sizeof(CSSProperty*)) // @2
            return;
        m_parsedProperties = static_cast<CSSProperty**>(fastRealloc(m_parsedProperties,
            m_maxParsedProperties * sizeof(CSSProperty*)));
    }
    m_parsedProperties[m_numParsedProperties++] = prop.leakPtr(); // @3
}

At @2, the code prevents an overflow. But as you can see at @1, m_maxParsedProperties can be incremented if m_numParsedProperties is bigger or the same. So, if we call addProperty() a lot, it will be checked by @2, but at some point it will bypass @2 as m_maxParsedProperties will have overflowed. Then, we can manipulate an unbound memory area at @3.

[PROBLEM]: Even though I couldn't make any crash yet. For some reasons, I don't have my computer to test this bug yet. I can't install Chromium on my school's desktop. However, I believe this is a memory corruption bug. But I have to say it's hard to trigger this bug since we need to hit the routine almost (0xffffffff/32) times. It would take a lot of time and system resources. I don't think this bug is useful in the real world, but it can still be named as a security bug.


VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Comment 1 by tsepez@chromium.org, Oct 20 2011
Labels: Mstone-17 SecSeverity-Medium
Upstreamed as https://bugs.webkit.org/show_bug.cgi?id=70540
Sorry, I can't see the link https://bugs.webkit.org/show_bug.cgi?id=70540 as I'm not authorized. I wonder if my bug is confirmed. Thank you.
Comment 3 by jsc...@chromium.org, Oct 22 2011
Labels: -SecSeverity-Medium
The link is the upstream WebKit report; if you have a WebKit bugzilla account you can be added to the CC. At the moment the report is unconfirmed, so we can't estimate impact. If you provide a repro case that triggers the code we could proceed much more quickly.
Labels: -Mstone-17 Mstone-15 SecSeverity-High OS-Linux reward-topanel
Owner: cevans@chromium.org
Status: Assigned
There is no integer overflow risk here. The buffer is only extended linearly, by 32 elements at a time. Since sizeof(void*) == 4 on 32-bit or 8 on 64-bit, the allocation will either fail (32-bit) or the UINT_MAX/sizeof(CSSProperty*) check will trip (64-bit) long before the 32-bit "m_maxParsedProperties" value overflows.

There is however a buffer overflow risk here: when the condition hits and the "return" is executed, "m_maxParsedProperties += 32;" will have executed without a corresponding realloc() to resize the buffer. I believe this might be exploitable for a heap overflow on our 64-bit Linux platform, if the user has a _lot_ of physical memory.
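The growth logic described in this comment, modelled as an added example with a small constructed capacity cap (64 pointers) in place of UINT_MAX / sizeof(CSSProperty*), so the missing-realloc path can be observed without mapping gigabytes of pointers. This is not WebKit or Chromium code and not the fix later committed in r98374; PropertyList, addVulnerable, addFixed, simulate and Summary are names assumed for the model, and the model reports an out-of-range store instead of performing it. addVulnerable keeps the report's @1/@2/@3 ordering; addFixed only commits the new capacity after the buffer has actually grown.

```cpp
#include <cstddef>
#include <vector>

// Outcome of one addProperty-style call, as seen by the model rather than by
// the real allocator: the model checks bounds instead of corrupting memory.
enum AddResult { kStored, kDropped, kOutOfBounds };

// Stand-in for the parser's property array. storage.size() is what is really
// allocated; maxParsed is what the growth logic believes is allocated.
struct PropertyList {
    std::vector<void*> storage;
    unsigned numParsed = 0;   // m_numParsedProperties
    unsigned maxParsed = 0;   // m_maxParsedProperties
    unsigned cap;             // stands in for UINT_MAX / sizeof(CSSProperty*) (constructed, small)
    explicit PropertyList(unsigned c) : cap(c) {}
};

static const unsigned kGrowth = 32;   // growth step used by the original code

// Vulnerable ordering from the report: bump (@1), check (@2), write (@3).
AddResult addVulnerable(PropertyList& l, void* prop) {
    if (l.numParsed >= l.maxParsed) {
        l.maxParsed += kGrowth;            // @1: capacity bumped before the check...
        if (l.maxParsed > l.cap)           // @2: ...and left bumped on the early return
            return kDropped;
        l.storage.resize(l.maxParsed);     // the realloc only happens on this path
    }
    // @3: the original stores unconditionally; here an out-of-range store is
    // reported instead of performed, but the counter still advances as it would.
    if (l.numParsed >= l.storage.size()) {
        ++l.numParsed;
        return kOutOfBounds;
    }
    l.storage[l.numParsed++] = prop;
    return kStored;
}

// Hardened ordering: compute the new size first and commit it only after the
// buffer has actually grown, so a rejected growth leaves the state consistent.
AddResult addFixed(PropertyList& l, void* prop) {
    if (l.numParsed >= l.maxParsed) {
        unsigned newMax = l.maxParsed + kGrowth;
        if (newMax > l.cap)
            return kDropped;               // maxParsed still equals the allocation
        l.storage.resize(newMax);
        l.maxParsed = newMax;
    }
    if (l.numParsed >= l.storage.size()) {
        ++l.numParsed;
        return kOutOfBounds;               // never reached on the fixed path
    }
    l.storage[l.numParsed++] = prop;
    return kStored;
}

// Summary of driving one variant with a fixed number of calls.
struct Summary {
    unsigned stored = 0;
    unsigned dropped = 0;
    unsigned outOfBounds = 0;
    long firstOutOfBounds = -1;   // index of the first store past the allocation, -1 if none
};

Summary simulate(AddResult (*add)(PropertyList&, void*), unsigned cap, unsigned calls) {
    PropertyList list(cap);
    int dummy = 0;                // any address will do; the model never dereferences it
    Summary s;
    for (unsigned i = 0; i < calls; ++i) {
        unsigned index = list.numParsed;   // slot this call would store into
        switch (add(list, &dummy)) {
        case kStored:      ++s.stored; break;
        case kDropped:     ++s.dropped; break;
        case kOutOfBounds:
            ++s.outOfBounds;
            if (s.firstOutOfBounds < 0) s.firstOutOfBounds = index;
            break;
        }
    }
    return s;
}

int main() {
    // With a cap of 64 pointers the vulnerable variant rejects growth on the
    // 65th property, then keeps storing at indices 64..95 of a 64-slot buffer.
    Summary v = simulate(addVulnerable, 64, 100);
    Summary f = simulate(addFixed, 64, 100);
    return (v.firstOutOfBounds == 64 && f.firstOutOfBounds == -1) ? 0 : 1;
}
```

Running the vulnerable variant for 100 calls with the constructed cap stores 64 properties, drops one at the rejected growth, and then reports 32 consecutive out-of-range stores before the next rejection, which is the pattern the comment describes; the fixed variant stores the same 64 and drops everything after, with no out-of-range store.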

Yeah, I didn't mention the realloc() because it was obvious. Also I'm stuck installing Chrome on my machine as it doesn't have enough RAM and HDD. Sorry for not giving a repro case. :(
What machine do you have, how much RAM / HDD?! :P
Hehe, right, I need to buy a new one soon. When I tried to compile Chromium, it always gave errors because of running out of memory... :( BTW, it seems I still don't have access to https://bugs.webkit.org/show_bug.cgi?id=70783 even though I signed up. My ID is hashcollisions@gmail.com on the WebKit site. Thanks.
Comment 9 Deleted
Labels: -Restrict-View-SecurityTeam -Mstone-15 -SecSeverity-High Restrict-View-SecurityNotify Mstone-17 SecSeverity-Medium
Status: FixUnreleased
Committed r98374: <http://trac.webkit.org/changeset/98374>

I'm downgrading the severity due to the preconditions of mapping 4GB of _pointers_ to objects so a ridiculous amount of memory would be needed for the objects themselves.

@hashcollisions: under what name would you like to be credited in our eventual release notes?
Awesome, can I have "Chu"? :)
Labels: -Pri-0 -Area-Undefined -Mstone-17 Pri-2 Area-WebKit Mstone-15 SecImpacts-Stable SecImpacts-Beta
Labels: -Mstone-15 Mstone-16 Merge-Approved
@jschuh: I don't think this is worth merging to M15 but it's so simple that M16 is a no-brainer. Setting Mstone-16, Merge-Approved.
Labels: -Merge-Approved Merge-Merged
Merged to M16: http://trac.webkit.org/changeset/99074
Labels: -reward-topanel
@hashcollisions: thanks again for the report. The rewards panel decided not to reward this for a couple of reasons:
- The report was slightly misdiagnosed (there is a memory corruption but it does not involve triggering an integer overflow to hit it)
- The issue isn't exploitable on 32-bit systems.
- The issue is believed to be unrealistic to exploit on 64-bit systems.

Of course, we'll still credit you by name in our Chrome 16 release notes.
Comment 17 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 18 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 19 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -Mstone-16 -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-16
Project Member Comment 20 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 21 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 26 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 27 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Labels: reward-topanel
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0