Issue metadata

Status: Fixed
Owner:
Closed: Sep 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security

Issue 406593: Draw the image outside of the inline frame

Reported by khaga19...@gmail.com, Aug 22 2014

Issue description

Steps to reproduce the problem:
1. Open the attached HTML file repro1.html

What is the expected behavior?

What went wrong?

Did this work before? N/A

Chrome version: 37.0.2062.94 Channel: beta
OS Version: 4.4.2
Flash Version:

This seems to be the same issue discussed here: issue 331168

Attachments:
repro2.html (258 bytes)
repro1.html (80 bytes)

Comment 1 by ClusterFuzz, Aug 25 2014

Project Member
Labels: Untriaged-1

Comment 2 by khaga19...@gmail.com, Aug 26 2014

Attachments:
victim.html (76 bytes)
repro.html (798 bytes)

Comment 3 by wfh@chromium.org, Aug 26 2014

Cc: le...@chromium.org
Labels: Cr-Blink-Rendering
Hi - thank you for your report.  I am unsure what the reproduction step here is, can you describe in more detail the vulnerability you are reporting, and how to verify it locally?  Does this only affect Android?

Comment 4 by khaga19...@gmail.com, Aug 26 2014

Hi. Thanks for your reply. This will work only on Android.

The first attached POC (repro1.html, repro2.html) is the simple repro, the second (repro.html, victim.html) is more effective and fun.

Steps to reproduce:
1. Serve the attached HTML files from a local HTTP server (in my case, Python 3.4's built-in HTTP server)
2. Go to http://[ADDR]/{repro1,victim}.html
3. Click anywhere on page

Thanks.

Comment 5 by khaga19...@gmail.com, Aug 26 2014

Add to explanation: The second POC uses issue 406559 to hijack the click event.

Comment 6 by ClusterFuzz, Aug 28 2014

Project Member
Labels: -Untriaged-1 Untriaged-2

Comment 7 by wfh@chromium.org, Aug 28 2014

Cc: palmer@chromium.org jchaffraix@chromium.org wangxianzhu@chromium.org
Thanks for the update.  Still trying to replicate this issue.

Comment 8 by wangxianzhu@chromium.org, Aug 28 2014

Reproduced on Linux with DevTools device emulation enabled. It doesn't need a web server to reproduce.

Modified 102400 to 1024 in the test to ease tracing. Attached a trace containing the frame dumps and a screenshot of the trace viewer.

Seems something wrong with composited scrollbars.

Attachments:
trace.zip (7.4 MB)
Screenshot from 2014-08-28 13:45:59.png (190 KB)

Comment 9 by khaga19...@gmail.com, Aug 28 2014

I'm glad you can reproduce it!

Comment 10 by wfh@chromium.org, Aug 29 2014

Cc: -wangxianzhu@chromium.org
Labels: -Untriaged-2 Security_Impact-Stable Security_Severity-Medium
Owner: wangxianzhu@chromium.org
wangxianzhu@ I'm assigning you as owner as you're able to reproduce this.  Can you triage and/or reassign as necessary.

Comment 11 by ClusterFuzz, Aug 29 2014

Project Member
Labels: -Pri-2 Pri-1

Comment 12 by wangxianzhu@chromium.org, Aug 29 2014

Cc: wangxianzhu@chromium.org
Owner: vollick@chromium.org
vollick@ could you take a look or reassign?

The issue seems to be that the customized scrollbar layers are not clipped by the scrolling layer.

Comment 13 by ClusterFuzz, Aug 30 2014

Project Member
Labels: Untriaged-3

Comment 14 by ClusterFuzz, Aug 31 2014

Project Member
Labels: -Untriaged-3 Untriaged-4

Comment 15 by wfh@chromium.org, Sep 2 2014

Status: Assigned

Comment 16 by palmer@chromium.org, Sep 5 2014

Labels: M-37

Comment 17 by ClusterFuzz, Sep 6 2014

Project Member
Labels: Nag
vollick@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 18 by vollick@chromium.org, Sep 8 2014

Cc: hartma...@chromium.org

Comment 19 by vollick@chromium.org, Sep 8 2014

I'm going to be ooo for a week, but I've cc'd Glenn in case he has time to look at this (or delegate it) before I come back.

Comment 20 by bugdroid1@chromium.org, Sep 16 2014

Project Member
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=182021

------------------------------------------------------------------
r182021 | vollick@chromium.org | 2014-09-15T23:56:46.631624Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/TestExpectations?r1=182021&r2=182020&pathrev=182021
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/compositing/RenderLayerCompositor.cpp?r1=182021&r2=182020&pathrev=182021

Clip iframe overflow controls.

Clips overflow controls via m_overflowControlsHostLayer.

BUG= 406593 

Review URL: https://codereview.chromium.org/564983003
-----------------------------------------------------------------

Comment 21 by vollick@chromium.org, Sep 16 2014

Labels: -Untriaged-4 -Nag
Above fix is trivial.

Requesting a merge to both M38 and M37

Comment 22 by vollick@chromium.org, Sep 17 2014

Labels: Merge-Requested

Comment 23 by k...@google.com, Sep 17 2014

Labels: -M-37 -Merge-Requested M-38 Merge-Approved
No more 37s.

Comment 24 by bugdroid1@chromium.org, Sep 18 2014

Project Member
Labels: -Merge-Approved merge-merged-2125
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=182216

------------------------------------------------------------------
r182216 | vollick@chromium.org | 2014-09-18T03:51:24.186156Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/2125/LayoutTests/TestExpectations?r1=182216&r2=182215&pathrev=182216
   M http://src.chromium.org/viewvc/blink/branches/chromium/2125/Source/core/rendering/compositing/RenderLayerCompositor.cpp?r1=182216&r2=182215&pathrev=182216

Merge 182021 "Clip iframe overflow controls."

> Clip iframe overflow controls.
> 
> Clips overflow controls via m_overflowControlsHostLayer.
> 
> BUG= 406593 
> 
> Review URL: https://codereview.chromium.org/564983003

TBR=vollick@chromium.org

Review URL: https://codereview.chromium.org/579073002
-----------------------------------------------------------------

Comment 25 by vollick@chromium.org, Sep 18 2014

Labels: -M-38 M-37 Merge-Requested

Comment 26 by vollick@chromium.org, Sep 19 2014

Cc: amineer@chromium.org
+amineer for 37

Comment 27 by vollick@chromium.org, Sep 19 2014

Labels: -M-37 -Merge-Requested
Status: Fixed
Only P0's for 37. So I'm removing the merge request.

Comment 28 by ClusterFuzz, Sep 19 2014

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 29 by timwillis@chromium.org, Oct 3 2014

Labels: reward-topanel Release-0-M38

Comment 30 by timwillis@chromium.org, Oct 7 2014

Labels: -reward-topanel reward-unpaid reward-1500 CVE-2014-3201
Congratulations - $1500 for this report ($1000 for the bug + $500 for the high-quality proof of concept).

Comment 31 by khaga19...@gmail.com, Oct 8 2014

Thanks!

Comment 32 by timwillis@google.com, Dec 9 2014

Labels: -reward-unpaid reward-inprogress
Payment in progress.

Comment 33 by timwillis@google.com, Dec 9 2014

Labels: -reward-inprogress reward-inprocess

Comment 34 by timwillis@google.com, Dec 22 2014

Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!

Comment 35 by ClusterFuzz, Dec 26 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 36 by laforge@google.com, Jan 9 2015

Labels: -Cr-Blink-Rendering Cr-Blink-Layout
Migrate from Cr-Blink-Rendering to Cr-Blink-Layout

Comment 37 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 39 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 40 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
