New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 613300 link

Starred by 1 user
Status: Fixed
Owner:
fsam...@chromium.org
Last visit > 30 days ago
Closed: May 2016
Cc:
danakj@chromium.org
vollick@chromium.org
penghuang@chromium.org
markdittmer@chromium.org
rjkroege@chromium.org
ben@chromium.org
vmi...@chromium.org
sadrul@chromium.org
piman@chromium.org
tsepez@chromium.org
jbau...@chromium.org
mustash-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
mus



Sign in to add a comment

Client-local parts of surface ID should be 64-bit and randomly generated

Project Member Reported by fsam...@chromium.org, May 19 2016 
Surface IDs in Chrome are guessable and so a compromised renderer could potentially embed privileged content such as browser UI or the Chrome OS System UI. We should make sure that surface IDs are not guessable. SurfaceId should consist of two components:

1. 32-bit namespace (we have that now)
2. 64-bit process-local ID that is randomly generated: this needs to be introduced.

This change ensures that one renderer cannot guess surfaces of other clients.

Comment 1 by fsam...@chromium.org, May 19 2016

Cc: markdittmer@chromium.org penghuang@chromium.org

Comment 2 by tsepez@chromium.org, May 19 2016

Labels: -Restrict-View-Google -Type-Bug -Pri-3 Security_Impact-Head Security_Severity-Low M-52 Restrict-View-SecurityTeam Pri-2 Type-Bug-Security

Comment 3 by fsam...@chromium.org, May 25 2016

Cc: ben@chromium.org
Project Member

Comment 4 by bugdroid1@chromium.org, May 25 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/845b871f4cfe95ebe15330a9dac32d3c69b598b9

commit 845b871f4cfe95ebe15330a9dac32d3c69b598b9
Author: fsamuel <fsamuel@chromium.org>
Date: Wed May 25 17:36:11 2016

Make cc::SurfaceId unguessable

This CL makes surface IDs unguessable.

With this patch, surface ID consists of three components.

1. Namespace ID is a display compositor allocated 32-bit
   ID.

2. Nonce is a cryptographically secure random, unguessable
   64-bit integer generated by the client.

3. Local ID is a 32-bit sequentially increasing integer
   generated by the client.

With this CL, once a surface ID is allocated, its
components cannot be modified.

BUG= 613300 
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Review-Url: https://codereview.chromium.org/1996783002
Cr-Commit-Position: refs/heads/master@{#395926}

[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/ipc/cc_param_traits.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/ipc/cc_param_traits.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/ipc/cc_param_traits_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/layers/surface_layer_impl.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/layers/surface_layer_impl_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/layers/surface_layer_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/quads/draw_quad_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/quads/surface_draw_quad.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/display_scheduler.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/display_scheduler_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_aggregator_perftest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_aggregator_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_factory_client.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_factory_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_hittest_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_id.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_id_allocator.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_id_allocator.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/cc/surfaces/surface_unittest.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/components/mus/public/interfaces/surface_id.mojom
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/components/mus/ws/server_window_surface.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/components/mus/ws/window_finder.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/browser/browser_plugin/browser_plugin_guest.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/browser/frame_host/cross_process_frame_connector.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/browser/renderer_host/render_widget_host_view_aura.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/browser/renderer_host/render_widget_host_view_mac.mm
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/renderer/browser_plugin/browser_plugin.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/content/renderer/render_frame_proxy.h
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/mojo/converters/surfaces/surfaces_type_converters.cc
[modify] https://crrev.com/845b871f4cfe95ebe15330a9dac32d3c69b598b9/mojo/converters/surfaces/tests/surface_unittest.cc

Comment 5 by fsam...@chromium.org, May 26 2016 

I'll leave this open for a day or two and if it sticks then I'll mark this bug as FIXED.
Project Member

Comment 6 by sheriffbot@chromium.org, May 26 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 7 by danakj@chromium.org, May 31 2016 

Fixed?

Comment 8 by fsam...@chromium.org, May 31 2016

Status: Fixed (was: Started)
Yes. Marking as fixed.
Project Member

Comment 9 by sheriffbot@chromium.org, Jun 1 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 7 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 14 by fsam...@chromium.org, Jun 13 2017

Blocking:

Comment 15 by lafo...@chromium.org, Feb 26 2018

Components: -MUS Internals>Services>WindowService

Sign in to add a comment