
Issue 42396


Issue metadata

Status: Fixed
Closed: May 2010
Pri: 3
Type: Bug-Security
M-5


Security: WebKit: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)

Reported by skylined@chromium.org, Apr 23 2010

Issue description

Repro:          new WebGLUnsignedIntArray(0, 8).get(0x20000000);
Problem:        get method does not check sanity of argument.
id:             WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
description:    Security: Attempt to read from arbitrary memory @ 0x831A0C48 in WebCore::WebGLUnsignedIntArrayInternal::getCallback
stack:          WebCore::WebGLUnsignedIntArrayInternal::getCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Script::Run
                WebCore::V8Proxy::runScript
                WebCore::V8Proxy::evaluate
                WebCore::ScriptController::evaluate
                WebCore::ScriptController::executeScript
                WebCore::HTMLTokenizer::scriptExecution
                WebCore::HTMLTokenizer::scriptHandler
                WebCore::HTMLTokenizer::parseNonHTMLText
                WebCore::HTMLTokenizer::parseTag
                WebCore::HTMLTokenizer::write
                WebCore::FrameLoader::write
                WebCore::FrameLoader::endIfNotLoadingMainResource
                WebCore::FrameLoader::finishedLoading
                WebCore::MainResourceLoader::didFinishLoading
                WebCore::ResourceLoader::didFinishLoading
                webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                ResourceDispatcher::OnRequestComplete
                IPC::MessageWithTuple<...>
                ResourceDispatcher::DispatchMessageW
                ResourceDispatcher::OnMessageReceived
                ChildThread::OnMessageReceived
                RunnableMethod<...>::Run
                MessageLoop::RunTask
                MessageLoop::DoWork
                base::MessagePumpDefault::Run
                MessageLoop::RunInternal
                MessageLoop::Run
                RendererMain


Attachments:
  WebCore..WebGLUnsignedIntArrayInternal..getCallback ReadAV@Arbitrary (85a8a8ddc12e58307da0f2addba3407b).repro.pickle.zip (8.4 KB)
  WebCore..WebGLUnsignedIntArrayInternal..getCallback ReadAV@Arbitrary (85a8a8ddc12e58307da0f2addba3407b).html (483 KB)
Labels: SecSeverity-High
Summary: Security: WebKit: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
WebKit bug: https://bugs.webkit.org/show_bug.cgi?id=38039
Issue 42348 has been merged into this issue.
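The issue description above says the get() method never validated its argument, and the fix commit below adds tests that the indexed getter rejects out-of-range indices. The following is an added example, not WebKit or Chromium code: a minimal model of the bounds check such a getter must perform before touching the backing store, using the page's repro values (8 elements, index 0x20000000). The type UIntBuffer and the functions scaledByteOffset, checkedGet, probe and reproIsRejected are hypothetical names chosen for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Model of a WebGL-style unsigned-int array: an element count and a heap buffer.
struct UIntBuffer {
    std::vector<uint32_t> data;
    size_t length() const { return data.size(); }
};

// Byte offset an unchecked getter would add to the buffer base for `index`.
// Kept in 64 bits so the value stays visible: 0x20000000 * 4 = 0x80000000, 2 GiB past the base,
// which is why the page's repro faults on an address far outside the 8-element buffer.
uint64_t scaledByteOffset(uint64_t index) {
    return index * sizeof(uint32_t);
}

// The check the page says get() lacked: the script-supplied index is validated against the
// element count before any dereference. In this model the index arrives as a double (as a
// script number would); NaN and negatives fail the first comparison, everything else is
// compared against length() so huge values are rejected rather than scaled into a pointer.
bool checkedGet(const UIntBuffer& buf, double jsIndex, uint32_t* out) {
    if (!(jsIndex >= 0.0) || jsIndex >= static_cast<double>(buf.length()))
        return false;                         // out of range: caller gets no data at all
    *out = buf.data[static_cast<size_t>(jsIndex)];
    return true;
}

// Builds a model array of `length` elements with data[i] = i and probes one index.
// Returns the element read, or -1 when the bounds check rejects the index.
long long probe(size_t length, double jsIndex) {
    UIntBuffer buf;
    for (size_t i = 0; i < length; ++i) buf.data.push_back(static_cast<uint32_t>(i));
    uint32_t value = 0;
    return checkedGet(buf, jsIndex, &value) ? static_cast<long long>(value) : -1;
}

// The page's scenario on the model: an 8-element array asked for index 0x20000000.
// True when the index is rejected without a read and the offset it would have reached is 2 GiB.
bool reproIsRejected() {
    return probe(8, static_cast<double>(0x20000000)) == -1 &&
           scaledByteOffset(0x20000000) == 0x80000000ull;
}

int main() {
    std::printf("index 3  -> %lld\n", probe(8, 3));          // 3
    std::printf("index 8  -> %lld\n", probe(8, 8));          // -1 (one past the end)
    std::printf("index -1 -> %lld\n", probe(8, -1));         // -1 (negative)
    std::printf("repro index rejected: %s\n", reproIsRejected() ? "yes" : "no");
    return 0;
}
```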

Comment 4 by jsc...@chromium.org, Apr 23 2010

Ken, do you mind taking this, or finding an appropriate owner? Also, can we verify if this is (or should be) behind a flag or not?

Luckily, you need "--enable-webgl" command-line switch for this to (not) work.

Comment 6 by kbr@chromium.org, Apr 23 2010

Status: Assigned
Yes, I'll certainly take it.

Comment 7 by karen@chromium.org, Apr 26 2010

Labels: Mstone-5

Comment 8 by kbr@chromium.org, Apr 26 2010

Is a fix for this required for Chrome 5? As has been pointed out, this does not affect Chrome unless the --enable-webgl flag is passed. It is related to the refactoring described in https://bugs.webkit.org/show_bug.cgi?id=37712 . Right now it is not at the top of my priority list.

I think that as long as WebGL is not stable enough as to require opt-in, we should not 
put it in the release version at all. As long as this is only in the development 
version and behind a command-line flag, I don't mind punting this at all.

@Justin: do you have any objections?
My thoughts: I don't think we should leave a memory corruption flaw open and let our
users get exploited in case they enable web-gl through command line. If we are just
disabling webgl completely and only shipping the bits, then it is ok.

Chris, Justin - thoughts?
@inferno: I'm not sure this is a "memory corruption"; it sounds like OOB reads. That 
can of course be serious depending on the context. Sounds possibly serious in this 
context; ASLR could be defeated, and heap data stolen from a different domain?

@kbr: it doesn't sound M5-critical, no. However, Chromium's serious approach to 
security means that a security bug should remain open for the minimum amount of time 
possible. Especially so given that this sounds like a simple fix for a regression 
since the heavy audit we did on this code area. If you're not able to fix it 
promptly, maybe we can help?

Comment 12 by kbr@chromium.org, Apr 27 2010

I can fix this within the next couple of weeks. Would that be acceptable?

Yep. Thanks!

Comment 14 by kbr@chromium.org, May 6 2010

Can you please add me to the CC: list of https://bugs.webkit.org/show_bug.cgi?id=38039 ? Thanks.

Can you please sign up for a WebKit account? I will add you as soon as you do that.
Ping me on IM (aarya@).
Labels: NeedsMerge
Status: FixUnreleased
Committed r58957: <http://trac.webkit.org/changeset/58957>

Needs to be merged for 375. Let's wait for this to bake on dev channel before merging.
Labels: -SecSeverity-High SecSeverity-Low
Labels: -Pri-0 Pri-3
Labels: -NeedsMerge
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Bulk edit for SecurityNotify Migration.
Status: FixUnreleased
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=51034 

------------------------------------------------------------------------
r51034 | inferno@chromium.org | 2010-06-28 13:09:50 -0700 (Mon, 28 Jun 2010) | 95 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-and-set-method-removal-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-and-set-method-removal.html
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-out-of-bounds-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-out-of-bounds.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-setters-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-setters.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-unit-tests.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/bug-32456-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/bug-32456.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLArrayHelper.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLFloatArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLFloatArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLByteArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLByteArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLFloatArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLFloatArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLIntArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLIntArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLShortArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLShortArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedByteArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedByteArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedIntArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedIntArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedShortArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedShortArray.idl?r1=51034&r2=51033

Merge 58957 - 2010-05-06  Kenneth Russell  <kbr@google.com>

        Reviewed by Dimitri Glazkov.

        WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
        https://bugs.webkit.org/show_bug.cgi?id=38039

        Web IDL now allows indexed getters and setters to be unnamed. Per
        discussion in WebGL working group and recent update to spec,
        removed the buggy get() and single-element set() methods from the
        JavaScript bindings to the WebGL array types. Refactored set()
        implementation in JSC bindings to share more code and modified V8
        binding to look more like it. Added unit tests for indexed getter
        with out-of-range indices and verifying removal of get and
        single-element set methods. Updated existing WebGL array tests.

        Tests: fast/canvas/webgl/array-get-and-set-method-removal.html
               fast/canvas/webgl/array-get-out-of-bounds.html

        * bindings/js/JSWebGLArrayHelper.h:
        (WebCore::setWebGLArrayHelper):
        * bindings/js/JSWebGLByteArrayCustom.cpp:
        (WebCore::JSWebGLByteArray::set):
        * bindings/js/JSWebGLFloatArrayCustom.cpp:
        (WebCore::JSWebGLFloatArray::set):
        * bindings/js/JSWebGLIntArrayCustom.cpp:
        (WebCore::JSWebGLIntArray::set):
        * bindings/js/JSWebGLShortArrayCustom.cpp:
        (WebCore::JSWebGLShortArray::set):
        * bindings/js/JSWebGLUnsignedByteArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedByteArray::set):
        * bindings/js/JSWebGLUnsignedIntArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedIntArray::set):
        * bindings/js/JSWebGLUnsignedShortArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedShortArray::set):
        * bindings/v8/custom/V8WebGLArrayCustom.h:
        (WebCore::setWebGLArrayHelper):
        * bindings/v8/custom/V8WebGLByteArrayCustom.cpp:
        (WebCore::V8WebGLByteArray::setCallback):
        * bindings/v8/custom/V8WebGLFloatArrayCustom.cpp:
        (WebCore::V8WebGLFloatArray::setCallback):
        * bindings/v8/custom/V8WebGLIntArrayCustom.cpp:
        (WebCore::V8WebGLIntArray::setCallback):
        * bindings/v8/custom/V8WebGLShortArrayCustom.cpp:
        (WebCore::V8WebGLShortArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedByteArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedByteArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedIntArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedIntArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedShortArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedShortArray::setCallback):
        * html/canvas/WebGLByteArray.h:
        * html/canvas/WebGLByteArray.idl:
        * html/canvas/WebGLFloatArray.h:
        * html/canvas/WebGLFloatArray.idl:
        * html/canvas/WebGLIntArray.h:
        * html/canvas/WebGLIntArray.idl:
        * html/canvas/WebGLShortArray.h:
        * html/canvas/WebGLShortArray.idl:
        * html/canvas/WebGLUnsignedByteArray.h:
        * html/canvas/WebGLUnsignedByteArray.idl:
        * html/canvas/WebGLUnsignedIntArray.h:
        * html/canvas/WebGLUnsignedIntArray.idl:
        * html/canvas/WebGLUnsignedShortArray.h:
        * html/canvas/WebGLUnsignedShortArray.idl:
2010-05-06  Kenneth Russell  <kbr@google.com>

        Reviewed by Dimitri Glazkov.

        WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
        https://bugs.webkit.org/show_bug.cgi?id=38039

        Web IDL now allows indexed getters and setters to be unnamed. Per
        discussion in WebGL working group and recent update to spec,
        removed the buggy get() and single-element set() methods from the
        JavaScript bindings to the WebGL array types. Refactored set()
        implementation in JSC bindings to share more code and modified V8
        binding to look more like it. Added unit tests for indexed getter
        with out-of-range indices and verifying removal of get and
        single-element set methods. Updated existing WebGL array tests.

        * fast/canvas/webgl/array-get-and-set-method-removal-expected.txt: Added.
        * fast/canvas/webgl/array-get-and-set-method-removal.html: Added.
        * fast/canvas/webgl/array-get-out-of-bounds-expected.txt: Added.
        * fast/canvas/webgl/array-get-out-of-bounds.html: Added.
        * fast/canvas/webgl/array-setters-expected.txt:
        * fast/canvas/webgl/array-setters.html:
        * fast/canvas/webgl/array-unit-tests-expected.txt:
        * fast/canvas/webgl/array-unit-tests.html:
        * fast/canvas/webgl/bug-32456-expected.txt:
        * fast/canvas/webgl/bug-32456.html:

BUG= 42396 
TBR=kbr@google.com
Review URL: http://codereview.chromium.org/2862033
------------------------------------------------------------------------

Labels: -Restrict-View-SecurityNotify
Status: Fixed
Was fixed in 5.0.375.99; releasing.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.

Comment 26 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 27 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -WebKit-Core -SecSeverity-Low -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content Security-Severity-Low M-5 Security-Impact-Stable Type-Bug-Security Cr-Content-Core

Comment 28 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 30 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 31 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
