Issue 598290
Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Security: Chrome OS [CWE-120] use of banned functions.

Reported by eternalg...@gmail.com, Mar 28 2016

Issue description

VULNERABILITY DETAILS
Possible Buffer Overflow [CWE-120]

VERSION
Chrome OS Version: Current Stable
Operating System: Chrome OS

REPRODUCTION CASE
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code. 

VULNERABLE CODE
https://chromium.googlesource.com/chromiumos/third_party/u-boot-v1/+/refs/heads/0.15.877.B/examples/api/libgenwrap.c#40

int printf (const char *fmt, ...)
{
	va_list args;
	uint i;
	char printbuffer[256];
	va_start (args, fmt);
	/* For this to work, printbuffer must be larger than
	 * anything we ever want to print.  vsprintf() takes no
	 * buffer length, so a longer result overruns the stack array.
	 */
	i = vsprintf (printbuffer, fmt, args);
	va_end (args);
	/* Print the string */
	ub_puts (printbuffer);
	return i;
}

Copies data into the buffer without checking the actual size of the buffer.
This might cause a buffer overflow, which can result in a DoS vulnerability (crash) or arbitrary code execution.

MITIGATION

Use vsnprintf() instead.
vsnprintf() knows how big the buffer that will contain the result is, and it will make sure not to go past that (instead truncating the result to fit within the buffer).
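
The hardened form of the libgenwrap.c printf() described in the mitigation, as an added example that is not code from U-Boot, Chromium OS or the reporter. It keeps the same 256-byte stack buffer, swaps vsprintf() for vsnprintf(), and checks the return value, which is the length the complete string would have had and therefore reveals truncation. ub_puts() is replaced by a stub (an assumption for this example) that records what would have been printed so the result can be inspected; print_run_of_a() feeds it a constructed string of repeated 'A's to exercise the overlong case.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same size as printbuffer[] in the libgenwrap.c printf() above. */
#define PRINTBUF_SIZE 256

/* Stand-in for U-Boot's ub_puts() (an assumption made for this example):
 * it keeps the last string handed to it so the result can be inspected. */
static char last_output[PRINTBUF_SIZE];

static void ub_puts_stub(const char *s)
{
    size_t n = strlen(s);

    if (n >= sizeof(last_output))
        n = sizeof(last_output) - 1;
    memcpy(last_output, s, n);
    last_output[n] = '\0';
}

/* Hardened form of the printf() shown in the report. vsnprintf() is told
 * the size of printbuffer and never writes past it: output longer than
 * 255 characters is cut off and still NUL-terminated. Its return value is
 * the length the complete string would have had, which lets the caller
 * notice that truncation happened. */
int bounded_printf(const char *fmt, ...)
{
    va_list args;
    char printbuffer[PRINTBUF_SIZE];
    int len;

    va_start(args, fmt);
    len = vsnprintf(printbuffer, sizeof(printbuffer), fmt, args);
    va_end(args);

    ub_puts_stub(printbuffer);
    return len;
}

/* True when a value returned by bounded_printf() means the message did
 * not fit in printbuffer (or an encoding error occurred). */
int output_was_truncated(int len)
{
    return len < 0 || (size_t)len >= PRINTBUF_SIZE;
}

/* Length of what actually reached ub_puts_stub(). */
size_t last_output_length(void)
{
    return strlen(last_output);
}

/* Constructed input: prints a run of n 'A's (capped at 1023) through
 * bounded_printf() and returns vsnprintf()'s result, so the overlong
 * case can be exercised without a literal that long. */
int print_run_of_a(size_t n)
{
    static char run[1024];

    if (n > sizeof(run) - 1)
        n = sizeof(run) - 1;
    memset(run, 'A', n);
    run[n] = '\0';
    return bounded_printf("%s", run);
}

int main(void)
{
    int len = print_run_of_a(1000);

    printf("requested %d bytes, emitted %zu, truncated=%d\n",
           len, last_output_length(), output_was_truncated(len));
    return 0;
}
```

With a 1000-character argument the original code would write roughly 745 bytes past the end of printbuffer on the stack; the bounded version emits 255 characters and returns 1000, so a caller that compares the return value against the buffer size can detect that output was lost rather than silently corrupting the stack.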

 

Comment 1 by wfh@chromium.org, Mar 28 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Thank you for your detailed explanation of buffer overflow conditions.

This code is example code and not compiled into any part of Chromium; I can't see how this could have any effect on either Chrome or Chrome OS.

Closing as WontFix but please reply if you have any more details, preferably with a proof of concept of how you would exploit this (and versions of Chrome or Chrome OS affected)
Samsung Chromebook (Snow) uses this module for Verified Boot.
Thus, some Chromebooks are still affected by this.
U-Boot
Both ARM and (recent) x86 devices use U-Boot as their bootloader. On x86 we use Coreboot to set up RAM and load U-Boot. You can find an overview of the verified boot process in the U-Boot Porting Guide. U-Boot still uses the EFI partition table described below.

Reference: http://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic