
Issue 32915


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2010
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 0
Type: Bug-Security


[MD audit] [Window Sandbox] CrossCallParamsEx::CreateFromBuffer() integer overflow

Project Member Reported by cpu@chromium.org, Jan 22 2010

Issue description

In src\sandbox\src\crosscall_server.cc there is an integer overflow issue 
with call_params->GetParamsCount() if the param_count value in the untrusted 
buffer is above max_uint / 4 or if param_count is 0.

The net effect is that we allocate memory from the heap
   backing_mem = new char[actual_size];

in which actual_size is smaller than required by 0x60 bytes. The following 
placement new allocation:
   new(backing_mem)CrossCallParamsEx();

causes bytes outside the allocated chunk of the heap to be overwritten. It 
does not appear that the values or location are controlled by the attacker; 
in fact they are just zeros from the above ctor.

Unfortunately the loop that calls 
  address = copied_params->GetRawParameter() 

is now operating in memory that has not been fully initialized. This code path 
then performs 7 tests on the |address| value, which random memory is unlikely 
to pass, but one can never be sure.

The severity rating reflects the fact that the bug is in a security sensitive 
code path, but it is believed that it would be very hard to exploit this bug 
beyond DoS via heap corruption.
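As an added illustration of the size arithmetic the report describes (example code, not Chromium's own; the parameter-block layout, the `(param_count - 1)` term and the constants are assumptions), this shows how an unchecked 32-bit computation wraps for both triggering values, so the buffer ends up smaller than the object placed into it, and how a checked variant rejects such a buffer instead:

```cpp
#include <cstdint>
#include <limits>

// Assumed stand-in for the IPC parameter block header (not the real
// CrossCallParamsEx layout); param_count is read from the untrusted buffer.
struct ParamHeader {
  uint32_t param_count;
  uint32_t tag;
};

constexpr uint32_t kParamEntrySize = 4;  // assumed size of one parameter slot
constexpr uint32_t kMaxParams = 9;       // assumed upper bound on parameters

// Unchecked computation in the style the report describes. The header is
// assumed to already hold one slot, hence the (param_count - 1) term:
// param_count == 0 underflows and a large param_count overflows the
// multiply, so the 32-bit result wraps to a few bytes.
uint32_t UncheckedSize(uint32_t param_count) {
  return static_cast<uint32_t>(sizeof(ParamHeader)) +
         (param_count - 1) * kParamEntrySize;
}

// True when the 32-bit result differs from the exact size, i.e. when the
// allocation would be smaller than what the object actually needs.
bool Wraps(uint32_t param_count) {
  if (param_count == 0) return true;  // (param_count - 1) underflows
  uint64_t exact = sizeof(ParamHeader) +
                   static_cast<uint64_t>(param_count - 1) * kParamEntrySize;
  return exact != UncheckedSize(param_count);
}

// Hardened variant: bound the untrusted count before doing any arithmetic
// and compute in 64 bits so wrap-around cannot go unnoticed. Returns false
// when the buffer must be rejected rather than allocated.
bool CheckedSize(uint32_t param_count, uint32_t* out_size) {
  if (param_count == 0 || param_count > kMaxParams) return false;
  uint64_t size = sizeof(ParamHeader) +
                  static_cast<uint64_t>(param_count - 1) * kParamEntrySize;
  if (size > std::numeric_limits<uint32_t>::max()) return false;
  *out_size = static_cast<uint32_t>(size);
  return true;
}
```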


Comment 1 by cpu@chromium.org, Jan 22 2010

Status: Started

Comment 2 by bugdro...@gmail.com, Jan 22 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=36923 

------------------------------------------------------------------------
r36923 | cpu@chromium.org | 2010-01-22 15:38:14 -0800 (Fri, 22 Jan 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_params.h?r1=36923&r2=36922
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_server.cc?r1=36923&r2=36922
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_unittest.cc?r1=36923&r2=36922

Fix integer overflow in sbox

BUG= 32915 
TEST= unit test included

Review URL: http://codereview.chromium.org/553061
------------------------------------------------------------------------

Labels: NeedsMerge

Comment 4 by cpu@chromium.org, Jan 23 2010

Status: Fixed
Btw, credits for the find go to Mark Dowd.
Status: FixUnreleased
Labels: -NeedsMerge
Merged to 249 [r37077] and 249s [r37078]

Comment 7 by bugdro...@gmail.com, Jan 26 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37077 

------------------------------------------------------------------------
r37077 | cevans@chromium.org | 2010-01-25 17:32:13 -0800 (Mon, 25 Jan 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/249/src/sandbox/src/crosscall_params.h?r1=37077&r2=37076
   M http://src.chromium.org/viewvc/chrome/branches/249/src/sandbox/src/crosscall_server.cc?r1=37077&r2=37076
   M http://src.chromium.org/viewvc/chrome/branches/249/src/sandbox/src/ipc_unittest.cc?r1=37077&r2=37076

Merge 36923 - Fix integer overflow in sbox

BUG= 32915 
TEST= unit test included

Review URL: http://codereview.chromium.org/553061

TBR=cpu@chromium.org
Review URL: http://codereview.chromium.org/553082
------------------------------------------------------------------------

Comment 8 by bugdro...@gmail.com, Jan 26 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37078 

------------------------------------------------------------------------
r37078 | cevans@chromium.org | 2010-01-25 17:33:11 -0800 (Mon, 25 Jan 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/249s/src/sandbox/src/crosscall_params.h?r1=37078&r2=37077
   M http://src.chromium.org/viewvc/chrome/branches/249s/src/sandbox/src/crosscall_server.cc?r1=37078&r2=37077
   M http://src.chromium.org/viewvc/chrome/branches/249s/src/sandbox/src/ipc_unittest.cc?r1=37078&r2=37077

Merge 36923 - Fix integer overflow in sbox

BUG= 32915 
TEST= unit test included

Review URL: http://codereview.chromium.org/553061

TBR=cpu@chromium.org
Review URL: http://codereview.chromium.org/555093
------------------------------------------------------------------------

Labels: -Restrict-View-SecurityTeam
Status: Fixed
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.

Comment 12 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -SecSeverity-High -Type-Security -SecImpacts-Stable Security-Impact-Stable Security-Severity-High Type-Bug-Security

Comment 14 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: allpublic
