Issue metadata
Sign in to add a comment
|
Security: Heap buffer overflow from unchecked length in mojo::edk::ports::Message::Parse |
||||||||||||||||||||
Issue descriptionThere is a similar issue to the ones in bug 611887 with ports message parsing: void NodeController::OnPortsMessage(Channel::MessagePtr channel_message) { DCHECK(io_task_runner_->RunsTasksOnCurrentThread()); void* data; size_t num_data_bytes; NodeChannel::GetPortsMessageData( channel_message.get(), &data, &num_data_bytes); size_t num_header_bytes, num_payload_bytes, num_ports_bytes; ports::Message::Parse(data, num_data_bytes, &num_header_bytes, &num_payload_bytes, &num_ports_bytes); CHECK(channel_message); ports::ScopedMessage message( new PortsMessage(num_header_bytes, num_payload_bytes, num_ports_bytes, std::move(channel_message))); node_->AcceptMessage(std::move(message)); AcceptIncomingMessages(); } ports::Message::Parse is passed |num_data_bytes|, but in that function: void Message::Parse(const void* bytes, size_t num_bytes, size_t* num_header_bytes, size_t* num_payload_bytes, size_t* num_ports_bytes) { const EventHeader* header = static_cast<const EventHeader*>(bytes); switch (header->type) { case EventType::kUser: |bytes| is dereferenced without checking |num_bytes| first. |num_bytes| is also never checked when setting the output values (|num_header_bytes|, |num_payload_bytes|, |num_payload_bytes|). "Repro" (diff to write malicious data) attached. ASan output: ==30021==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300027923b at pc 0x7ff6f7650c42 bp 0x7ff6ca2d8150 sp 0x7ff6ca2d8148 [348/1202] READ of size 4 at 0x60300027923b thread T18 (Chrome_IOThread) #0 0x7ff6f7650c41 in mojo::edk::ports::Message::Parse(void const*, unsigned long, unsigned long*, unsigned long*, unsigned long*) out/Default/../../mojo/edk/system/ports/message.cc:23:19 #1 0x7ff6f761a6b1 in mojo::edk::NodeController::OnPortsMessage(std::__1::unique_ptr<mojo::edk::Channel::Message, std::__1::default_delete<mojo::edk::Channel::Message> >) out/Default/../../mojo/edk/system/node_controller.cc:802:3 #2 0x7ff6f760f80d in mojo::edk::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::unique_ptr<std::__1::vector<mojo::edk::PlatformHandle, std::__1::allocator<mojo::edk::PlatformHandle> >, mojo::edk::PlatformHandleVe ctorDeleter>) out/Default/../../mojo/edk/system/node_channel.cc:530:7 #3 0x7ff6f75d9922 in mojo::edk::Channel::OnReadComplete(unsigned long, unsigned long*) out/Default/../../mojo/edk/system/channel.cc:577:7 #4 0x7ff6f75ddcac in mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) out/Default/../../mojo/edk/system/channel_posix.cc:295:14 #5 0x7ff704eb7329 in OnFileCanReadWithoutBlocking out/Default/../../base/message_loop/message_pump_libevent.cc:95:3 #6 0x7ff704eb7329 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) out/Default/../../base/message_loop/message_pump_libevent.cc:344 #7 0x7ff705054ba2 in event_process_active out/Default/../../base/third_party/libevent/event.c:381:4 #8 0x7ff705054ba2 in event_base_loop out/Default/../../base/third_party/libevent/event.c:521 #9 0x7ff704eb7931 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) out/Default/../../base/message_loop/message_pump_libevent.cc:221:5 #10 0x7ff704f255d8 in base::RunLoop::Run() out/Default/../../base/run_loop.cc:35:3 #11 0x7ff704eac0ee in base::MessageLoop::Run() out/Default/../../base/message_loop/message_loop.cc:294:3 #12 0x7ff6fd6ce892 in content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) out/Default/../../content/browser/browser_thread_impl.cc:215:3 #13 0x7ff6fd6cee58 in content::BrowserThreadImpl::Run(base::MessageLoop*) out/Default/../../content/browser/browser_thread_impl.cc:251:14 #14 0x7ff704fb4ad0 in base::Thread::ThreadMain() out/Default/../../base/threading/thread.cc:254:3 #15 0x7ff704fa2724 in base::(anonymous namespace)::ThreadFunc(void*) out/Default/../../base/threading/platform_thread_posix.cc:70:3 #16 0x7ff6efc74181 in start_thread /build/eglibc-3GlaMS/eglibc-2.19/nptl/pthread_create.c:312 0x60300027923b is located 2 bytes to the right of 25-byte region [0x603000279220,0x603000279239) allocated by thread T18 (Chrome_IOThread) here: #0 0x7ff706718fb7 in __interceptor_posix_memalign (/mnt/ssd/chromium/src/out/Default/chrome+0x1180fb7) #1 0x7ff704e9c428 in base::AlignedAlloc(unsigned long, unsigned long) out/Default/../../base/memory/aligned_memory.cc:31:7 #2 0x7ff6f75d833c in mojo::edk::Channel::Message::Message(unsigned long, unsigned long, mojo::edk::Channel::Message::Header::MessageType) out/Default/../../mojo/edk/system/channel.cc:73:30 #3 0x7ff6f760f00d in mojo::edk::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::unique_ptr<std::__1::vector<mojo::edk::PlatformHandle, std::__1::allocator<mojo::edk::PlatformHandle> >, mojo::edk::PlatformHandleVe ctorDeleter>) out/Default/../../mojo/edk/system/node_channel.cc:527:15 #4 0x7ff6f75d9922 in mojo::edk::Channel::OnReadComplete(unsigned long, unsigned long*) out/Default/../../mojo/edk/system/channel.cc:577:7 #5 0x7ff6f75ddcac in mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) out/Default/../../mojo/edk/system/channel_posix.cc:295:14 #6 0x7ff704eb7329 in OnFileCanReadWithoutBlocking out/Default/../../base/message_loop/message_pump_libevent.cc:95:3 #7 0x7ff704eb7329 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) out/Default/../../base/message_loop/message_pump_libevent.cc:344 #8 0x7ff705054ba2 in event_process_active out/Default/../../base/third_party/libevent/event.c:381:4 #9 0x7ff705054ba2 in event_base_loop out/Default/../../base/third_party/libevent/event.c:521 #10 0x7ff704eb7931 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) out/Default/../../base/message_loop/message_pump_libevent.cc:221:5 #11 0x7ff704f255d8 in base::RunLoop::Run() out/Default/../../base/run_loop.cc:35:3 #12 0x7ff704eac0ee in base::MessageLoop::Run() out/Default/../../base/message_loop/message_loop.cc:294:3 #13 0x7ff6fd6ce892 in content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) out/Default/../../content/browser/browser_thread_impl.cc:215:3 #14 0x7ff6fd6cee58 in content::BrowserThreadImpl::Run(base::MessageLoop*) out/Default/../../content/browser/browser_thread_impl.cc:251:14 #15 0x7ff704fb4ad0 in base::Thread::ThreadMain() out/Default/../../base/threading/thread.cc:254:3 #16 0x7ff704fa2724 in base::(anonymous namespace)::ThreadFunc(void*) out/Default/../../base/threading/platform_thread_posix.cc:70:3 #17 0x7ff6efc74181 in start_thread /build/eglibc-3GlaMS/eglibc-2.19/nptl/pthread_create.c:312
,
May 17 2016
,
May 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/73af3951c285542c5397293375e0c19bd4a7ce65 commit 73af3951c285542c5397293375e0c19bd4a7ce65 Author: rockot <rockot@chromium.org> Date: Tue May 17 05:19:33 2016 [mojo-edk] Sanity checks on ports message parsing BUG= 612364 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/1987593002 Cr-Commit-Position: refs/heads/master@{#394059} [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/node_channel.cc [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/node_channel.h [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/node_controller.cc [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/node_controller.h [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/ports/message.cc [modify] https://crrev.com/73af3951c285542c5397293375e0c19bd4a7ce65/mojo/edk/system/ports/message.h
,
May 17 2016
,
May 17 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in. - Your friendly ClusterFuzz
,
May 18 2016
,
May 18 2016
,
May 18 2016
[Automated comment] Less than 2 weeks to go before stable on M51, manual review required.
,
May 18 2016
Is this bug applicable to all or any specific os? Also before we approve merge to M51, Could you please confirm whether this bug is baked/verified in Canary and safe to merge?
,
May 18 2016
This applies to all OSes and is safe to merge.
,
May 18 2016
Thank you rockot@. Approving merge to M51 branch 2704. Please merge asap.
,
May 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e commit 9ebeb1e0d429bce4d2384dc6acd9681c54716d2e Author: Ken Rockot <rockot@chromium.org> Date: Wed May 18 22:17:25 2016 [mojo-edk] Sanity checks on ports message parsing BUG= 612364 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/1987593002 Cr-Commit-Position: refs/heads/master@{#394059} (cherry picked from commit 73af3951c285542c5397293375e0c19bd4a7ce65) Review URL: https://codereview.chromium.org/1988413002 . Cr-Commit-Position: refs/branch-heads/2704@{#591} Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251} [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/node_channel.cc [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/node_channel.h [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/node_controller.cc [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/node_controller.h [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/ports/message.cc [modify] https://crrev.com/9ebeb1e0d429bce4d2384dc6acd9681c54716d2e/mojo/edk/system/ports/message.h
,
May 24 2016
,
May 24 2016
,
Aug 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Jul 28
|
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by och...@chromium.org
, May 17 2016Status: Assigned (was: Unconfirmed)