Issue metadata
Sign in to add a comment
|
Security: Buffer overread in Devtools / Blink JSON parsers |
||||||||||||||||||
Issue description
Flagging as Security because this is potentially triggerable by anyone with access to the DevTools network interface, and the Blink platform parser will soon be used to parse untrusted HTTP headers, so this will definitely *become* a security issue if left unfixed.
VULNERABILITY DETAILS
The JSON parser used by the DevTools inspector protocol (gen/blink/platform/inspector_protocol/InspectorProtocol.cpp) will read past the end of its character buffer if the final character of its input is a "\" character.
In two places, it uses a structure like this:
while (start < end) {
CharType c = *start++;
if ('\\' == c) {
c = *start++;
Which will read past the end of the string if it ends in an incomplete escape sequence.
The same code, as ported to platform/json exists in the parser there (JSONParser.cpp), and suffers from the same issue. That parser, however, is not currently used anywhere in Chrome.
The DevTools parser may be accessible over the network when Chrome is running. I haven't looked into the impact of sending malformed messages there.
VERSION
Chrome Version: ToT [55.0.2875.0]
Operating System: All
I have a patch for this, including test cases which should be triggered on an LSAN bot, and a new fuzzer for the JSON parser, which I can upload as soon as I figure out how to restrict the visibility of a Rietveld CL.
,
Sep 28 2016
,
Sep 28 2016
Thanks for catching that, Ian.
,
Oct 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d6b7b063aaa06b780d5fb5b575531bd757f95c19 commit d6b7b063aaa06b780d5fb5b575531bd757f95c19 Author: Ian Clelland <iclelland@google.com> Date: Tue Oct 04 04:12:26 2016 Fix bounds check in platform JSON parser. WTF::Strings are not null-terminated, so this error would cause a single character to be read past the end of the string, if the string ends in an unfinished escape sequence. (This parser is not currently used by any code in blink) This also adds a test that would have caught this error, if run on an MSAN bot, and fixes the same code in the DevTools parser. The DevTools parser would not trigger an out-of-bounds read in the same situation, since it operates on null-terminated string data. Also added is the fuzzer which caught the issue in the first place. BUG= 651166 R=dgozman@chromium.org, mmoroz@chromium.org, pfeldman@chromium.org, pfeldman Review URL: https://codereview.chromium.org/2380823002 . Cr-Commit-Position: refs/heads/master@{#422702} [modify] https://crrev.com/d6b7b063aaa06b780d5fb5b575531bd757f95c19/third_party/WebKit/Source/platform/BUILD.gn [modify] https://crrev.com/d6b7b063aaa06b780d5fb5b575531bd757f95c19/third_party/WebKit/Source/platform/inspector_protocol/lib/Parser_cpp.template [modify] https://crrev.com/d6b7b063aaa06b780d5fb5b575531bd757f95c19/third_party/WebKit/Source/platform/json/JSONParser.cpp [add] https://crrev.com/d6b7b063aaa06b780d5fb5b575531bd757f95c19/third_party/WebKit/Source/platform/json/JSONParserFuzzer.cpp [modify] https://crrev.com/d6b7b063aaa06b780d5fb5b575531bd757f95c19/third_party/WebKit/Source/platform/json/JSONParserTest.cpp
,
Oct 4 2016
Marking as fixed; waiting on clusterfuzz reports before marking as verified.
,
Oct 4 2016
,
Jan 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||
Comment 1 by iclell...@chromium.org
, Sep 28 2016