Issue 42396 Security: WebKit: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
Starred by 0 users Reported by skylined@chromium.org, Apr 23 2010 Back to list
Status: Fixed
Owner:
Closed: May 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug-Security
M-5

Repro:          new WebGLUnsignedIntArray(0, 8).get(0x20000000);
Problem:        get method does not check sanity of argument.
id:             WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
description:    Security: Attempt to read from arbitrary memory @ 0x831A0C48 in WebCore::WebGLUnsignedIntArrayInternal::getCallback
stack:          WebCore::WebGLUnsignedIntArrayInternal::getCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Script::Run
                WebCore::V8Proxy::runScript
                WebCore::V8Proxy::evaluate
                WebCore::ScriptController::evaluate
                WebCore::ScriptController::executeScript
                WebCore::HTMLTokenizer::scriptExecution
                WebCore::HTMLTokenizer::scriptHandler
                WebCore::HTMLTokenizer::parseNonHTMLText
                WebCore::HTMLTokenizer::parseTag
                WebCore::HTMLTokenizer::write
                WebCore::FrameLoader::write
                WebCore::FrameLoader::endIfNotLoadingMainResource
                WebCore::FrameLoader::finishedLoading
                WebCore::MainResourceLoader::didFinishLoading
                WebCore::ResourceLoader::didFinishLoading
                webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                ResourceDispatcher::OnRequestComplete
                IPC::MessageWithTuple<...>
                ResourceDispatcher::DispatchMessageW
                ResourceDispatcher::OnMessageReceived
                ChildThread::OnMessageReceived
                RunnableMethod<...>::Run
                MessageLoop::RunTask
                MessageLoop::DoWork
                base::MessagePumpDefault::Run
                MessageLoop::RunInternal
                MessageLoop::Run
                RendererMain

Attachments:
WebCore..WebGLUnsignedIntArrayInternal..getCallback ReadAV@Arbitrary (85a8a8ddc12e58307da0f2addba3407b).repro.pickle.zip (8.4 KB)
WebCore..WebGLUnsignedIntArrayInternal..getCallback ReadAV@Arbitrary (85a8a8ddc12e58307da0f2addba3407b).html (483 KB)
Labels: SecSeverity-High
Summary: Security: WebKit: WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c) (was: NULL)
WebKit bug: https://bugs.webkit.org/show_bug.cgi?id=38039
Issue 42348 has been merged into this issue.
Comment 4 by jsc...@chromium.org, Apr 23 2010
Ken, do you mind taking this, or finding an appropriate owner? Also, can we verify if 
this is (or should be) behind a flag or not?

Luckily, you need "--enable-webgl" command-line switch for this to (not) work.
Comment 6 by kbr@chromium.org, Apr 23 2010
Status: Assigned
Yes, I'll certainly take it.

Comment 7 by karen@chromium.org, Apr 26 2010
Labels: Mstone-5
Comment 8 by kbr@chromium.org, Apr 26 2010
Is a fix for this required for Chrome 5? As has been pointed out, this does not affect Chrome unless the 
--enable-webgl flag is passed. It is related to the refactoring described in 
https://bugs.webkit.org/show_bug.cgi?id=37712 . Right now it is not at the top of my priority list.

I think that as long as WebGL is not stable enough as to require opt-in, we should not 
put it in the release version at all. As long as this is only in the development 
version and behind a command-line flag, I don't mind punting this at all.

@Justin: do you have any objections?
My thoughts: I don't think we should leave a memory corruption flaw open and let our
users get exploited in case they enable WebGL through the command line. If we are just
disabling WebGL completely and only shipping the bits, then it is ok.

Chris, Justin - thoughts ?
@inferno: I'm not sure this is a "memory corruption"; it sounds like OOB reads. That 
can of course be serious depending on the context. Sounds possibly serious in this 
context; ASLR could be defeated, and heap data stolen from a different domain?

@kbr: it doesn't sound M5-critical, no. However, Chromium's serious approach to 
security means that a security bug should remain open for the minimum amount of time 
possible. Especially so given that this sounds like a simple fix for a regression 
since the heavy audit we did on this code area. If you're not able to fix it 
promptly, maybe we can help?
Comment 12 by kbr@chromium.org, Apr 27 2010
I can fix this within the next couple of weeks. Would that be acceptable?

Yep. Thanks!
Comment 14 by kbr@chromium.org, May 6 2010
Can you please add me to the CC: list of https://bugs.webkit.org/show_bug.cgi?id=38039 ? Thanks.

Can you please sign up for a WebKit account? I will add you as soon as you do that.
Ping me on IM (aarya@).
Labels: NeedsMerge
Status: FixUnreleased
Committed r58957: <http://trac.webkit.org/changeset/58957>

Needs to be merged for 375. Let's wait for this to bake on dev channel before merging.
Labels: -SecSeverity-High SecSeverity-Low
Labels: -Pri-0 Pri-3
Labels: -NeedsMerge
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Bulk edit for SecurityNotify Migration.
Status: FixUnreleased
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=51034 

------------------------------------------------------------------------
r51034 | inferno@chromium.org | 2010-06-28 13:09:50 -0700 (Mon, 28 Jun 2010) | 95 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-and-set-method-removal-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-and-set-method-removal.html
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-out-of-bounds-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-get-out-of-bounds.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-setters-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-setters.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/array-unit-tests.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/bug-32456-expected.txt?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/canvas/webgl/bug-32456.html?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLArrayHelper.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLFloatArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/js/JSWebGLUnsignedShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLFloatArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedByteArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedIntArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/bindings/v8/custom/V8WebGLUnsignedShortArrayCustom.cpp?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLByteArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLByteArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLFloatArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLFloatArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLIntArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLIntArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLShortArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLShortArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedByteArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedByteArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedIntArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedIntArray.idl?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedShortArray.h?r1=51034&r2=51033
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/html/canvas/WebGLUnsignedShortArray.idl?r1=51034&r2=51033

Merge 58957 - 2010-05-06  Kenneth Russell  <kbr@google.com>

        Reviewed by Dimitri Glazkov.

        WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
        https://bugs.webkit.org/show_bug.cgi?id=38039

        Web IDL now allows indexed getters and setters to be unnamed. Per
        discussion in WebGL working group and recent update to spec,
        removed the buggy get() and single-element set() methods from the
        JavaScript bindings to the WebGL array types. Refactored set()
        implementation in JSC bindings to share more code and modified V8
        binding to look more like it. Added unit tests for indexed getter
        with out-of-range indices and verifying removal of get and
        single-element set methods. Updated existing WebGL array tests.

        Tests: fast/canvas/webgl/array-get-and-set-method-removal.html
               fast/canvas/webgl/array-get-out-of-bounds.html

        * bindings/js/JSWebGLArrayHelper.h:
        (WebCore::setWebGLArrayHelper):
        * bindings/js/JSWebGLByteArrayCustom.cpp:
        (WebCore::JSWebGLByteArray::set):
        * bindings/js/JSWebGLFloatArrayCustom.cpp:
        (WebCore::JSWebGLFloatArray::set):
        * bindings/js/JSWebGLIntArrayCustom.cpp:
        (WebCore::JSWebGLIntArray::set):
        * bindings/js/JSWebGLShortArrayCustom.cpp:
        (WebCore::JSWebGLShortArray::set):
        * bindings/js/JSWebGLUnsignedByteArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedByteArray::set):
        * bindings/js/JSWebGLUnsignedIntArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedIntArray::set):
        * bindings/js/JSWebGLUnsignedShortArrayCustom.cpp:
        (WebCore::JSWebGLUnsignedShortArray::set):
        * bindings/v8/custom/V8WebGLArrayCustom.h:
        (WebCore::setWebGLArrayHelper):
        * bindings/v8/custom/V8WebGLByteArrayCustom.cpp:
        (WebCore::V8WebGLByteArray::setCallback):
        * bindings/v8/custom/V8WebGLFloatArrayCustom.cpp:
        (WebCore::V8WebGLFloatArray::setCallback):
        * bindings/v8/custom/V8WebGLIntArrayCustom.cpp:
        (WebCore::V8WebGLIntArray::setCallback):
        * bindings/v8/custom/V8WebGLShortArrayCustom.cpp:
        (WebCore::V8WebGLShortArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedByteArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedByteArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedIntArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedIntArray::setCallback):
        * bindings/v8/custom/V8WebGLUnsignedShortArrayCustom.cpp:
        (WebCore::V8WebGLUnsignedShortArray::setCallback):
        * html/canvas/WebGLByteArray.h:
        * html/canvas/WebGLByteArray.idl:
        * html/canvas/WebGLFloatArray.h:
        * html/canvas/WebGLFloatArray.idl:
        * html/canvas/WebGLIntArray.h:
        * html/canvas/WebGLIntArray.idl:
        * html/canvas/WebGLShortArray.h:
        * html/canvas/WebGLShortArray.idl:
        * html/canvas/WebGLUnsignedByteArray.h:
        * html/canvas/WebGLUnsignedByteArray.idl:
        * html/canvas/WebGLUnsignedIntArray.h:
        * html/canvas/WebGLUnsignedIntArray.idl:
        * html/canvas/WebGLUnsignedShortArray.h:
        * html/canvas/WebGLUnsignedShortArray.idl:
2010-05-06  Kenneth Russell  <kbr@google.com>

        Reviewed by Dimitri Glazkov.

        WebCore::WebGLUnsignedIntArrayInternal::getCallback ReadAV@Arbitrary (deef89ee3d0345edebeaf13cf974c47c)
        https://bugs.webkit.org/show_bug.cgi?id=38039

        Web IDL now allows indexed getters and setters to be unnamed. Per
        discussion in WebGL working group and recent update to spec,
        removed the buggy get() and single-element set() methods from the
        JavaScript bindings to the WebGL array types. Refactored set()
        implementation in JSC bindings to share more code and modified V8
        binding to look more like it. Added unit tests for indexed getter
        with out-of-range indices and verifying removal of get and
        single-element set methods. Updated existing WebGL array tests.

        * fast/canvas/webgl/array-get-and-set-method-removal-expected.txt: Added.
        * fast/canvas/webgl/array-get-and-set-method-removal.html: Added.
        * fast/canvas/webgl/array-get-out-of-bounds-expected.txt: Added.
        * fast/canvas/webgl/array-get-out-of-bounds.html: Added.
        * fast/canvas/webgl/array-setters-expected.txt:
        * fast/canvas/webgl/array-setters.html:
        * fast/canvas/webgl/array-unit-tests-expected.txt:
        * fast/canvas/webgl/array-unit-tests.html:
        * fast/canvas/webgl/bug-32456-expected.txt:
        * fast/canvas/webgl/bug-32456.html:

BUG= 42396 
TBR=kbr@google.com
Review URL: http://codereview.chromium.org/2862033
------------------------------------------------------------------------
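As an added illustration of the behaviour the ChangeLog above describes (an indexed getter that rejects out-of-range indices instead of reading past the buffer), not the WebKit or Chromium code: a minimal checked indexed getter in C++. All class and function names are hypothetical, and the 8-element array in the driver is constructed for the example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Added example, not WebKit's code: a minimal stand-in for a WebGL
// unsigned-int array whose indexed getter validates the index before it
// touches the backing store. All names here are hypothetical.
class CheckedUnsignedIntArray {
public:
    explicit CheckedUnsignedIntArray(std::vector<uint32_t> data)
        : m_data(std::move(data)) {}

    size_t length() const { return m_data.size(); }

    // Models array[index] as called from script. The binding receives a JS
    // Number, so before any read it must reject NaN/Infinity, negatives,
    // non-integers, and anything at or beyond length(). Returns false for
    // an out-of-range index (script would see undefined) and never reads.
    bool get(double jsIndex, uint32_t& out) const {
        if (!std::isfinite(jsIndex) || jsIndex < 0.0)
            return false;
        if (std::floor(jsIndex) != jsIndex)
            return false;
        // Compare in double space before narrowing: converting a double
        // that does not fit the target integer type is undefined behaviour.
        if (jsIndex >= static_cast<double>(length()))
            return false;
        out = m_data[static_cast<size_t>(jsIndex)];
        return true;
    }

private:
    std::vector<uint32_t> m_data;
};

// Applies the report's repro index (0x20000000) to a constructed 8-element
// array: the index must be rejected rather than turned into a read at
// base + 0x20000000 * sizeof(uint32_t).
bool reproIndexIsRejected() {
    CheckedUnsignedIntArray array(std::vector<uint32_t>(8, 0));
    uint32_t value = 0;
    return !array.get(0x20000000, value);
}
```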

Labels: -Restrict-View-SecurityNotify
Status: Fixed
Was fixed in 5.0.375.99; releasing.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 26 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 27 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -WebKit-Core -SecSeverity-Low -Mstone-5 -Type-Security -SecImpacts-Stable Cr-Content Security-Severity-Low M-5 Security-Impact-Stable Type-Bug-Security Cr-Content-Core
Project Member Comment 28 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 31 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic