Security: Heap-use-after-free via GCCallback
Issue description

Chrome version: 52.0.2709.0 and earlier

GCCallback in extensions/renderer/gc_callback.cc contains a UAF vulnerability that can be controlled with high precision (= arbitrary JS execution before the first delete, before the second delete, and after the second delete). Here is how the vulnerability works:

1. Construct a GCCallback::RunCallback in a frame (there are multiple ways to do that, https://cs.chromium.org/BindToGC).
2. While the JS callback is run, remove the frame (invalidating the JavaScript context in the process).
3. GCCallback::OnContextInvalidated is triggered because of 2.
4. Step 3 deletes |this|.
5. Now the JS function from step 2 returns, and control goes back to step 1.
6. Step 1 deletes |this| again. = double-free.

Combined with bug 603725 or bug 591164, this can be exploited by any web page without user interaction. Without these bugs, this bug can still be exploited from any extension or app (without user interaction except installing the extension/app).

I've an ASAN trace generated with Chrome 49.0.2623.75 because I didn't build the latest stable (50) with ASAN yet. The vulnerable code is still present on master, so that shouldn't matter.
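The re-entrancy sequence from the report, as an added C++ model that is not Chromium's code and not the contents of extensions/renderer/gc_callback.cc: a self-deleting callback object whose context-invalidation observer can fire while RunCallback is still on the stack, producing the second delete in step 6. FakeContext, GcCallbackModel, DeleteTracker, Outcome and the `guarded` flag are assumptions of this illustration; the guarded branch models only what the fix's commit title says (do not run the fallback once the callback has started), not the actual diff. Deletion is instrumented so the second delete is counted rather than left as undefined behaviour, which is what ASan would otherwise report as a double-free.

```cpp
// Added illustration, not code from extensions/renderer/gc_callback.cc.
// Models the self-deleting callback object and the two delete paths from
// the report; the "guarded" flag models the fix described by the commit
// title ("Don't execute the fallback if we already started running the gc
// callback"). All names below are assumptions made for this example.
#include <algorithm>
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

struct GcCallbackModel;

// Stand-in for ScriptContext: observers are told when the frame goes away.
struct FakeContext {
  std::vector<GcCallbackModel*> observers;
  void Invalidate();
};

// Instrumented delete. A real second delete is undefined behaviour (ASan
// reports it as a double-free); here it is counted and skipped so the
// program stays well-defined and the outcome can be asserted on.
struct DeleteTracker {
  std::set<const void*> freed;
  int double_frees = 0;
  void Delete(GcCallbackModel* p);
};

struct GcCallbackModel {
  FakeContext* context;
  DeleteTracker* tracker;
  std::function<void()> callback;  // the JS function handed to BindToGC
  std::function<void()> fallback;  // run instead if the context dies first
  bool guarded;                    // false reproduces the pre-fix behaviour

  GcCallbackModel(FakeContext* c, DeleteTracker* t, std::function<void()> cb,
                  std::function<void()> fb, bool g)
      : context(c), tracker(t), callback(std::move(cb)),
        fallback(std::move(fb)), guarded(g) {
    context->observers.push_back(this);
  }
  ~GcCallbackModel() {
    auto& obs = context->observers;
    obs.erase(std::remove(obs.begin(), obs.end(), this), obs.end());
  }

  // Step 1 of the report: the watched JS object was collected.
  void RunCallback() {
    if (guarded) fallback = nullptr;  // fix: callback started, so the
                                      // fallback path must not delete us
    std::function<void()> cb = callback;  // copies: |this| may die in cb()
    DeleteTracker* t = tracker;
    cb();                             // step 2: JS may remove the frame here
    t->Delete(this);                  // step 6: second delete when re-entered
  }

  // Steps 3 and 4: frame removal invalidated the context.
  void OnContextInvalidated() {
    if (!fallback) return;
    fallback();
    tracker->Delete(this);
  }
};

void FakeContext::Invalidate() {
  std::vector<GcCallbackModel*> copy = observers;  // callees unregister
  for (GcCallbackModel* o : copy) o->OnContextInvalidated();
}

void DeleteTracker::Delete(GcCallbackModel* p) {
  if (!freed.insert(p).second) {  // this pointer was already freed once
    ++double_frees;
    return;
  }
  delete p;
}

struct Outcome {
  int frees;
  int double_frees;
  int fallback_runs;
};

// The sequence from the report: the JS callback removes its own frame while
// RunCallback is still on the stack.
Outcome SimulateFrameRemovalDuringCallback(bool guarded) {
  FakeContext ctx;
  DeleteTracker tracker;
  int fallback_runs = 0;
  GcCallbackModel* gc = new GcCallbackModel(
      &ctx, &tracker, /*callback=*/[&ctx] { ctx.Invalidate(); },
      /*fallback=*/[&fallback_runs] { ++fallback_runs; }, guarded);
  gc->RunCallback();  // gc is dangling afterwards and is not used again
  return {static_cast<int>(tracker.freed.size()), tracker.double_frees,
          fallback_runs};
}

// The legitimate fallback path: the frame goes away before the object is
// collected. The guard must leave this untouched: fallback once, free once.
Outcome SimulateInvalidationBeforeGc(bool guarded) {
  FakeContext ctx;
  DeleteTracker tracker;
  int fallback_runs = 0;
  (void)new GcCallbackModel(&ctx, &tracker, [] {},
                            [&fallback_runs] { ++fallback_runs; }, guarded);
  ctx.Invalidate();
  return {static_cast<int>(tracker.freed.size()), tracker.double_frees,
          fallback_runs};
}

int main() {
  Outcome bad = SimulateFrameRemovalDuringCallback(false);
  Outcome good = SimulateFrameRemovalDuringCallback(true);
  std::printf("pre-fix: double_frees=%d fallback_runs=%d\n",
              bad.double_frees, bad.fallback_runs);
  std::printf("fixed:   double_frees=%d fallback_runs=%d\n",
              good.double_frees, good.fallback_runs);
  return 0;
}
```

The unguarded run reproduces the report exactly: the fallback fires from inside the callback, deletes the object, and RunCallback then deletes it a second time. The guarded run clears the fallback before invoking the callback, so the invalidation observer becomes a no-op and the single delete at the end of RunCallback is the only one; the second driver checks that clearing the fallback there does not break the normal "context died first" path. Any real build should run the unguarded variant only under ASan, which is how the reporter observed the bug.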
Apr 15 2016
This bug affects all channels.

Apr 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/34c97b31e61e8329e19188b46a489412a16d2b63

commit 34c97b31e61e8329e19188b46a489412a16d2b63
Author: jochen <jochen@chromium.org>
Date: Fri Apr 15 12:03:12 2016

Don't execute the fallback if we already started running the gc callback

BUG=603732
R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/1887423002
Cr-Commit-Position: refs/heads/master@{#387578}

[modify] https://crrev.com/34c97b31e61e8329e19188b46a489412a16d2b63/extensions/renderer/gc_callback.cc

Apr 15 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Apr 19 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704).

Apr 19 2016
We're VERY close to the M51 beta candidate cut. Please merge your change to M51 branch 2704 asap. Thank you.
Apr 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9865e744d09069f6f6c39e8d351b87ab1dae9ef3

commit 9865e744d09069f6f6c39e8d351b87ab1dae9ef3
Author: Jochen Eisinger <jochen@chromium.org>
Date: Wed Apr 20 06:36:43 2016

Don't execute the fallback if we already started running the gc callback

BUG=603732
R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/1887423002
Cr-Commit-Position: refs/heads/master@{#387578}
(cherry picked from commit 34c97b31e61e8329e19188b46a489412a16d2b63)

Review URL: https://codereview.chromium.org/1903123002
Cr-Commit-Position: refs/branch-heads/2704@{#142}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/9865e744d09069f6f6c39e8d351b87ab1dae9ef3/extensions/renderer/gc_callback.cc
Apr 21 2016
[Automated comment] Request affecting a post-stable build (M50), manual review required.
Apr 22 2016
Before we approve the merge to M50, could you please confirm whether this bug is baked/verified in Canary and safe to merge?

Apr 22 2016
Yes, it has Canary coverage and is safe.
Apr 26 2016
Approving merge to M50 branch 2661, based on comment #13. Please merge asap. Thank you.

Apr 26 2016
Please merge your change to M50 branch 2661 before 1:00 PM PST tomorrow (Wednesday) so we can take it for this week's Stable release.
Apr 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3692cce1b48f5d15b9813988207f8ee1f5c72c91

commit 3692cce1b48f5d15b9813988207f8ee1f5c72c91
Author: Jochen Eisinger <jochen@chromium.org>
Date: Wed Apr 27 06:58:55 2016

Don't execute the fallback if we already started running the gc callback

BUG=603732
R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/1887423002
Cr-Commit-Position: refs/heads/master@{#387578}
(cherry picked from commit 34c97b31e61e8329e19188b46a489412a16d2b63)

Review URL: https://codereview.chromium.org/1925543002
Cr-Commit-Position: refs/branch-heads/2661@{#638}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/3692cce1b48f5d15b9813988207f8ee1f5c72c91/extensions/renderer/gc_callback.cc
May 2 2016
Hey Rob - $3,000 for this report. I'll start payment today. CVE-ID is CVE-2016-1662. Thanks as always!
Jul 22 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Apr 15 2016
Owner: jochen@chromium.org
Status: Assigned (was: Unconfirmed)