Issue 254159 Security: Chrome shared memory file can be world readable and lacks security checks when opening existing mappings.
Starred by 3 users. Project Member. Reported by jln@chromium.org, Jun 25 2013
Status: Verified
Owner:
Closed: Jul 2013
Cc:
NextAction: ----
OS: Linux, Android, Chrome, Mac
Pri: 2
Type: Bug-Security


Initially seen in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709413

It looks like SharedMemory::Create and the subsequently called functions don't do anything about the user's default umask. Files seem to be created with that umask.

Any temporary file should be only readable to the current user.
 
Comment 1 by jln@chromium.org, Jun 25 2013
Labels: M-29
Comment 3 by jln@chromium.org, Jul 2 2013
Labels: OS-Android
Looks like Android is vulnerable as well and it could be worse on that OS. I need to take a look.
Comment 4 by jln@chromium.org, Jul 2 2013
Cc: chr...@gmail.com
Adding Christian, the original reporter to the bug.
Labels: reward-topanel
It's a good catch. We recently started using POSIX SHM more heavily for some builds of Chrome (including Chrome OS and Android, plus the Aura build of Linux desktop). In particular, we started using POSIX SHM to transport rendered web pages from renderer to browser, so there is definitely sensitive content.

I suspect the bug has always been there, it just got more obvious recently.
Comment 6 by jln@chromium.org, Jul 2 2013
Summary: Security: Chrome shared memory file can be world readable and lacks security checks when opening existing mappings. (was: Security: Chrome temporary file can be world readable)
In addition to Christian's report on file permissions, I'm fixing the two following issues:

- When opening an existing file, make sure we're not tricked into opening a file planted by an attacker.
- When opening an existing shared memory file, check for an attacker tricking us into opening another file via a symlink.
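A minimal C illustration of the three fixes this thread describes (added here as an example; it is not Chromium's own shared_memory_posix.cc code): create the mapping file owner-only regardless of the process umask, and when opening an existing file, refuse a symlink, a file owned by someone else, or a file readable by group/others. The path names and the selfcheck helper are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new mapping file only the owner can access: O_EXCL refuses an
   existing file or symlink, and mode 0600 cannot be widened by the umask. */
int shm_create_private(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Open an existing mapping file without following symlinks, then verify on the
   open descriptor that it is a regular file we own with owner-only permissions. */
int shm_open_checked(const char *path) {
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Exercise both functions in a private temp dir (constructed for the example);
   returns the number of expectations that held, 4 when everything works. */
int selfcheck(void) {
    char dir[] = "/tmp/shmdemoXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[64], link[64];
    snprintf(path, sizeof path, "%s/shm", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int ok = 0;
    umask(0);                                   /* worst case: umask allows everything */
    int fd = shm_create_private(path);
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600) ok++;
    if (fd >= 0) close(fd);
    fd = shm_open_checked(path);
    if (fd >= 0) { ok++; close(fd); }            /* our own 0600 file is accepted */
    if (symlink(path, link) == 0 && shm_open_checked(link) < 0) ok++;  /* symlink refused */
    if (chmod(path, 0644) == 0 && shm_open_checked(path) < 0) ok++;    /* world-readable refused */
    unlink(link); unlink(path); rmdir(dir);
    return ok;
}
```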
Project Member Comment 7 by bugdroid1@chromium.org, Jul 2 2013
------------------------------------------------------------------------
r209814 | jln@chromium.org | 2013-07-02T23:31:55.432358Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/memory/shared_memory_posix.cc?r1=209814&r2=209813&pathrev=209814
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/memory/shared_memory_unittest.cc?r1=209814&r2=209813&pathrev=209814

Posix: fix named SHM mappings permissions.

Make sure that named mappings in /dev/shm/ aren't created with
broad permissions.

BUG= 254159 
R=mark@chromium.org, markus@chromium.org

Review URL: https://codereview.chromium.org/17779002
------------------------------------------------------------------------
Comment 8 by jln@chromium.org, Jul 11 2013
Labels: Merge-Requested
I would like to merge this security fix to M29, is the branch open?
Comment 9 by k...@google.com, Jul 12 2013
How safe is this?
Comment 10 by jln@chromium.org, Jul 12 2013
It's Mac / Linux only. I'd say it's fairly safe to merge, but not "absolutely" safe.
Comment 11 by k...@google.com, Jul 12 2013
Labels: -Merge-Requested Merge-Approved
Please keep a close eye on it in beta and on trunk.
Project Member Comment 12 by bugdroid1@chromium.org, Jul 12 2013
Labels: merge-merged-1547
------------------------------------------------------------------------
r211461 | jln@chromium.org | 2013-07-12T21:32:04.715122Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1547/src/base/memory/shared_memory_unittest.cc?r1=211461&r2=211460&pathrev=211461
   M http://src.chromium.org/viewvc/chrome/branches/1547/src/base/memory/shared_memory_posix.cc?r1=211461&r2=211460&pathrev=211461

Merge 209814 "Posix: fix named SHM mappings permissions."

> Posix: fix named SHM mappings permissions.
> 
> Make sure that named mappings in /dev/shm/ aren't created with
> broad permissions.
> 
> BUG= 254159 
> R=mark@chromium.org, markus@chromium.org
> 
> Review URL: https://codereview.chromium.org/17779002

TBR=jln@chromium.org

Review URL: https://codereview.chromium.org/19106006
------------------------------------------------------------------------
Comment 13 by jln@chromium.org, Jul 19 2013
Status: Fixed
Is this merged to M-29?  If so, please update the merge label to "Merge-Merged" before closing the bug.
Comment 15 by jln@chromium.org, Jul 23 2013
The bot updated with merge-merged-1547. Is there a manual step to do? I don't remember ever doing something manually.
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged Release-0
- Merge-Approved -> Merge-Merged
- Added Release-0
- Restrict-View set to Notify
Labels: -reward-topanel reward-unpaid reward-500
Labels: -reward-unpaid reward-inprocess
Hey Christian,

The reward panel would like to send you $500 for this security bug :) Someone should get in contact within the next 2 weeks to get some payment info.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.
*********************************
Labels: VerifyIn-32
Labels: -VerifyIn-32
Bulk release of old security bug reports.

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 23 by krisr@chromium.org, Nov 19 2013
Status: Verified
Old bugs that are for milestones that are way before the current stable.
Labels: -reward-inprocess
Comment 25 Deleted
Project Member Comment 26 by sheriffbot@chromium.org, Oct 1
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 27 by sheriffbot@chromium.org, Oct 2
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic