Issue 165836 Information leak when sending messages cross process that use WriteData() on structures/objects which contain padding bytes.
Starred by 1 user Reported by cdn@chromium.org, Dec 13 2012 Back to list
Status: Fixed
Owner:
Closed: Jan 2013
OS: Linux
Pri: 3
Type: Bug-Security
cevans gets the credit for this one.

When we use WriteData() to write a structure or object into a message it will not only copy the member variables but also any padding bytes from the original object. cevans and I tested this on Linux with a WebKeyboardEvent (which contains a bool) and found that we could leak a few bytes of memory from the browser process into the renderer. 

The only example of this that we are aware of is when handling WebInputEvents, but it is likely that there are others lurking.

The fix is to memset() the entire object to 0 for every subclass of WebInputEvent (and any other classes that are used in this way).

I'll submit a fix tomorrow and keep an eye out for more of these. 
 
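As an added example (not Chromium's or WebKit's code), the C program below models the leak described in the report with a hypothetical KeyEvent struct: a raw byte copy standing in for WriteData() carries the padding bytes that follow the bool, and zeroing the whole object first, as the fix does, removes them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a WebKeyboardEvent-like object (not Chromium's real
 * layout): a bool followed by an int32_t makes the compiler insert padding after
 * the bool, and a raw byte copy transmits that padding along with the members. */
typedef struct {
    bool    is_system_key;    /* 1 byte, then typically 3 bytes of padding */
    int32_t windows_key_code;
    uint8_t text[4];
} KeyEvent;

#define STALE 0xAA  /* constructed marker standing in for leftover process memory */

/* Padding in KeyEvent: size of the struct minus the sizes of its members. */
size_t key_event_padding_bytes(void) {
    KeyEvent e;
    return sizeof e - (sizeof e.is_system_key + sizeof e.windows_key_code + sizeof e.text);
}

/* Models WriteData(): serializes the object by copying every byte, padding included. */
static void write_data(const KeyEvent *ev, uint8_t *out) { memcpy(out, ev, sizeof *ev); }

/* Counts serialized bytes that still carry the stale marker, i.e. leaked bytes. */
static size_t count_stale(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == STALE);
    return n;
}

/* Builds and serializes an event; zero_first selects the fixed (memset) path. */
static size_t leaked_bytes(bool zero_first) {
    KeyEvent ev; uint8_t wire[sizeof ev];
    memset(&ev, STALE, sizeof ev);              /* simulate reused memory with old contents */
    if (zero_first) memset(&ev, 0, sizeof ev);  /* the fix: clear the whole object first */
    ev.is_system_key = true;                    /* members are set; padding is never touched */
    ev.windows_key_code = 0x41;
    memcpy(ev.text, "A\0\0", sizeof ev.text);
    write_data(&ev, wire);
    return count_stale(wire, sizeof wire);
}
size_t leaked_bytes_without_memset(void) { return leaked_bytes(false); }
size_t leaked_bytes_with_memset(void)    { return leaked_bytes(true); }

int main(void) {
    printf("padding: %zu, leaked without memset: %zu, with memset: %zu\n",
           key_event_padding_bytes(), leaked_bytes_without_memset(), leaked_bytes_with_memset());
    return 0;
}
```

On a typical x86-64 build the struct is 12 bytes with 3 bytes of padding, and exactly those 3 bytes of stale memory reach the wire unless the object is zeroed first.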
Labels: Audit-IPC
Did we land the fix for this?
Comment 3 by cdn@chromium.org, Jan 2 2013
working on it

WebKit tracking bug: https://bugs.webkit.org/show_bug.cgi?id=105934
Comment 4 by cdn@chromium.org, Jan 3 2013
Labels: Merge-Approved
Status: Fixed
Fix landed as http://trac.webkit.org/changeset/138684
Labels: -Restrict-View-SecurityTeam -OS-All -Mstone-23 -Merge-Approved Restrict-View-SecurityNotify OS-Linux Mstone-25 Merge-Merged Release-0
M25: http://trac.webkit.org/changeset/139379

Marking Linux only because of the unique ASLR situation there.
Labels: CVE-2013-0892
Project Member Comment 7 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Internals-Core -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Low -Mstone-25 Security-Severity-Low Security-Impact-Stable Security-Impact-Beta Cr-Internals M-25 Cr-Internals-Core Type-Bug-Security
Project Member Comment 8 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 9 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 10 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Project Member Comment 12 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 13 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic