
Issue 119250 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes

Project Member Reported by jsc...@chromium.org, Mar 21 2012

Issue description

I stumbled on this while trying to land a patch fixing the process permissions issue. The root problem is that the GPU process retains a handle with PROCESS_DUP_HANDLE permission to any connected renderer process: https://code.google.com/codesearch#OAMlx_jo-ck/src/content/browser/gpu/browser_gpu_channel_host_factory.cc&exact_package=chromium&q=DuplicateHandle%20file:gpu&type=cs&l=197

A compromised GPU process could use this to duplicate any open resource in any connected renderer (e.g. the IPC pipe can be duplicated and the GPU could impersonate a privileged renderer). I'm marking this medium because the WebStore is the most privileged renderer currently known to be triggerable from the web, and it still has a browser-side prompt on installing extensions. So, it shouldn't be a direct escalation out of the GPU process.

I'll circle back with Al tomorrow. The solution is to add IPCs and move the handle duplication to the browser. This is the only place I can find where the renderer process handle is actually used:
https://code.google.com/codesearch#OAMlx_jo-ck/src/content/common/gpu/media/dxva_video_decode_accelerator.cc&exact_package=chromium&ct=rc&cd=4&q=DuplicateHandle%20file:gpu&sq=&l=149


Comment 1 by jsc...@chromium.org, Mar 21 2012

Forgot about the really obvious attack here. You duplicate the renderer's own process handle with DUPLICATE_SAME_ACCESS. Then you can do whatever you want to the process (read/write memory, CreateRemoteThread, etc.).
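Added example, not code from this bug or from Chromium: a portable C model of the broker-side check that the fix described in the issue moves into the browser. A sandboxed process (GPU or plugin) asks the broker to duplicate one of its own handles to a named target, so it never needs PROCESS_DUP_HANDLE on a renderer. Everything here is assumed for illustration: the rule layout, the object type names, the refusal of Process/Thread objects and of DUPLICATE_SAME_ACCESS are this model's choices and not the signatures or semantics of Chromium's sandbox handle policy; the Win32 constants are copied so the model compiles without windows.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Win32 access-mask and DuplicateHandle option bits, reproduced from the
 * Windows SDK so this model builds on any platform. */
#define PROCESS_DUP_HANDLE     0x0040u
#define SECTION_MAP_READ       0x0004u
#define SECTION_MAP_WRITE      0x0002u
#define EVENT_MODIFY_STATE     0x0002u
#define SYNCHRONIZE            0x00100000u
#define DUPLICATE_SAME_ACCESS  0x0002u

/* Which processes a rule allows as the duplication target. */
typedef enum { DUP_TO_BROKER_ONLY, DUP_TO_ANY_PROCESS } dup_target_t;

/* One policy rule: kernel object type name (e.g. "Section"), permitted
 * target, and the maximum access mask the broker will grant. (Assumed layout.) */
typedef struct {
    const char  *type_name;
    dup_target_t target;
    uint32_t     max_access;
} dup_rule_t;

/* A request as the broker would receive it over IPC. The source handle lives
 * in the caller's own handle table; the caller holds no handle to any other
 * process, which is what brokering buys over PROCESS_DUP_HANDLE. */
typedef struct {
    const char *type_name;      /* object type of the caller's source handle */
    uint32_t    caller_pid;
    uint32_t    target_pid;
    uint32_t    desired_access;
    uint32_t    options;        /* DuplicateHandle options bits */
} dup_request_t;

typedef enum { DUP_DENY = 0, DUP_ALLOW = 1 } dup_decision_t;

static bool is_process_or_thread(const char *type_name) {
    return strcmp(type_name, "Process") == 0 || strcmp(type_name, "Thread") == 0;
}

/* Broker-side decision (this model's own rules, not Chromium's engine). */
dup_decision_t broker_check_duplicate(const dup_request_t *req,
                                      const dup_rule_t *rules, size_t n_rules,
                                      uint32_t broker_pid) {
    /* Process and Thread objects are never brokered: a duplicated process
     * handle carrying PROCESS_DUP_HANDLE or VM access is the bug's whole risk. */
    if (is_process_or_thread(req->type_name))
        return DUP_DENY;
    /* Require an explicit access mask. DUPLICATE_SAME_ACCESS would copy
     * whatever the source handle has and bypass the max_access check below. */
    if (req->options & DUPLICATE_SAME_ACCESS)
        return DUP_DENY;
    for (size_t i = 0; i < n_rules; i++) {
        const dup_rule_t *r = &rules[i];
        if (strcmp(r->type_name, req->type_name) != 0)
            continue;
        if (r->target == DUP_TO_BROKER_ONLY && req->target_pid != broker_pid)
            return DUP_DENY;
        /* The requested access must be a subset of what the rule grants. */
        if (req->desired_access & ~r->max_access)
            return DUP_DENY;
        return DUP_ALLOW;
    }
    return DUP_DENY;  /* no rule covers this object type */
}

/* Constructed demo policy: shared-memory sections may only be handed to the
 * broker; events may go to any process, with limited rights. */
const dup_rule_t kDemoPolicy[] = {
    { "Section", DUP_TO_BROKER_ONLY, SECTION_MAP_READ | SECTION_MAP_WRITE },
    { "Event",   DUP_TO_ANY_PROCESS, EVENT_MODIFY_STATE | SYNCHRONIZE },
};
const size_t kDemoPolicyLen = sizeof(kDemoPolicy) / sizeof(kDemoPolicy[0]);

int main(void) {
    const uint32_t broker = 1, gpu = 1234, renderer = 5678;  /* constructed pids */
    dup_request_t reqs[] = {
        { "Section", gpu, broker,   SECTION_MAP_READ,        0 },
        { "Section", gpu, renderer, SECTION_MAP_READ,        0 },
        { "Process", gpu, gpu,      0,                       DUPLICATE_SAME_ACCESS },
        { "Event",   gpu, renderer, EVENT_MODIFY_STATE,      0 },
        { "Event",   gpu, renderer, 0x80000000u,             0 },
        { "Mutant",  gpu, broker,   SYNCHRONIZE,             0 },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-8s -> pid %u access 0x%08x: %s\n", reqs[i].type_name,
               reqs[i].target_pid, reqs[i].desired_access,
               broker_check_duplicate(&reqs[i], kDemoPolicy, kDemoPolicyLen,
                                      broker) == DUP_ALLOW ? "allow" : "deny");
    return 0;
}
```

The design point is that the decision key is the object type plus the target, never a process handle held by the requester; once the GPU and plugin processes go through a check like this, the browser can drop PROCESS_DUP_HANDLE from the renderer handles it gives them, and a compromise of either process no longer reaches into renderer memory or handle tables.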

Comment 2 by jsc...@chromium.org, Mar 23 2012

The plugin process has the same issue. I have a fix in process for both.

Comment 3 by jsc...@chromium.org, Mar 23 2012

Cc: -jsc...@chromium.org
Owner: jsc...@chromium.org
Status: Started

Comment 4 by jsc...@chromium.org, Mar 23 2012

Labels: -SecSeverity-Medium SecSeverity-High
Upping the severity because this hole is bigger than it originally seemed.

Comment 5 Deleted

Comment 6 by jsc...@chromium.org, Mar 29 2012

Summary: GPU and Plugin processes have PROCESS_DUP_HANDLE permission on renderer processes
I just landed the API and fixes for the plugin process. Next step is to fix the GPU process. Then I'll add an interception that prevents people from making this mistake in the future.

Comment 7 by bugdroid1@chromium.org (Project Member), Mar 29 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=129629

------------------------------------------------------------------------
r129629 | jschuh@chromium.org | Thu Mar 29 09:29:01 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/webplugin_delegate_proxy.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/plugin_channel.h?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/plugin_channel.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/webplugin_proxy.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/target_services.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_policy.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox_policy.h?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/browser_main_loop.cc?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_interception.h?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/tests/common/controller.h?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_dispatcher.h?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox_policy_base.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_init_win.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/broker_services.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/broker_services.h?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_dispatcher.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox.h?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_interception.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/tests/common/controller.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/sandbox.gyp?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy.h?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/chrome_content_client.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_policy.h?r1=129629&r2=129628&pathrev=129629
 D http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy_test.cc?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_tags.h?r1=129629&r2=129628&pathrev=129629
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/target_services.h?r1=129629&r2=129628&pathrev=129629

Revert 129627 - Add a sandbox API for broker handle duplication

BUG= 119250 
Review URL: https://chromiumcodereview.appspot.com/9838083

TBR=jschuh@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9924010
------------------------------------------------------------------------

Comment 8 by jsc...@chromium.org, Mar 29 2012

Got this error on this test:

NPAPIVisiblePluginTester.MultipleInstancesSyncCalls: 
.\test\ui\ui_test.cc(759): error: Failed
Timeout reached in WaitUntilCookieNonEmpty
.\test\ui\ui_test.cc(638): error: Value of: cookie_value
  Actual: ""
Expected: expected_cookie_value
Which is: "OK"

It's probably just a timing issue, but I had to revert to further investigate.

Comment 9 by bugdroid1@chromium.org (Project Member), Mar 31 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=130029

------------------------------------------------------------------------
r130029 | jschuh@chromium.org | Fri Mar 30 19:12:33 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/target_services.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_policy.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox_policy.h?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/browser_main_loop.cc?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_interception.h?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/tests/common/controller.h?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_dispatcher.h?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox_policy_base.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_init_win.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/broker_services.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/broker_services.h?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_dispatcher.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/sandbox.h?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_interception.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/tests/common/controller.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/sandbox.gyp?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy.h?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_policy.h?r1=130029&r2=130028&pathrev=130029
 A http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/handle_policy_test.cc?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_tags.h?r1=130029&r2=130028&pathrev=130029
 M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/target_services.h?r1=130029&r2=130028&pathrev=130029

Add a sandbox API for broker handle duplication 

BUG= 119250 
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=129627
Review URL: https://chromiumcodereview.appspot.com/9838083
------------------------------------------------------------------------
Cc: mseaborn@chromium.org
Summary: GPU, Plugin, and NaCl processes have PROCESS_DUP_HANDLE permission on renderer processes

Comment 11 Deleted

Comment 12 Deleted

Comment 13 by bugdroid1@chromium.org (Project Member), Apr 14 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132303

------------------------------------------------------------------------
r132303 | jschuh@chromium.org | Fri Apr 13 17:52:16 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/gpu/browser_gpu_channel_host_factory.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_thread_impl.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/webplugin_delegate_proxy.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/plugin_channel.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_command_buffer_stub.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/plugin_channel.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/gpu/browser_gpu_channel_host_factory.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/plugin/webplugin_proxy.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/np_channel_base.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/sandbox_policy.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/gpu_message_filter.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/gpu/gpu_process_host.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/client/gpu_channel_host.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/media/dxva_video_decode_accelerator.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/media/gpu_video_decode_accelerator.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_messages.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/media/gpu_video_decode_accelerator.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/media/dxva_video_decode_accelerator.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/client/gpu_channel_host.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/client/webgraphicscontext3d_command_buffer_impl.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/client/command_buffer_proxy_impl.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/gpu_message_filter.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/gpu/gpu_process_host.h?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/common/chrome_content_client.cc?r1=132303&r2=132302&pathrev=132303
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/media/video_decode_accelerator_unittest.cc?r1=132303&r2=132302&pathrev=132303

Convert plugin and GPU process to brokered handle duplication.

BUG= 119250 
Review URL: https://chromiumcodereview.appspot.com/9958034
------------------------------------------------------------------------

Comment 14 by bugdroid1@chromium.org (Project Member), Apr 15 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132356

------------------------------------------------------------------------
r132356 | jschuh@chromium.org | Sat Apr 14 21:12:02 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/webplugin_delegate_proxy.cc?r1=132356&r2=132355&pathrev=132356

I accidentally converted a DCHECK to a CHECK when I landed r132303

Apparently it really should be a DCHECK.

TBR=jam@chromium.org
BUG= 123495 
BUG= 119250 

Review URL: http://codereview.chromium.org/10094003
------------------------------------------------------------------------
Labels: Merge-Approved
Status: FixUnreleased
I'm going to have to handle the merges for this (assuming it's possible).
Note that the fix for NaCl is tracked under issue nativeclient:2719.
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Mstone-20
Justin says M20 -- seems reasonable!
Labels: CVE-2012-2816
Status: Fixed
Labels: -Restrict-View-SecurityNotify

Comment 21 by bugdroid1@chromium.org (Project Member), Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 22 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Type-Security -Area-Internals -Feature-GPU -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-20 M-20 Cr-Internals-GPU Security-Impact-Stable Security-Impact-Beta Cr-Internals Security-Severity-High Type-Bug-Security

Comment 23 by bugdroid1@chromium.org (Project Member), Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 24 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 25 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 26 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 27 by sheriffbot@chromium.org (Project Member), Jun 14 2016

Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
