Issue metadata
Sign in to add a comment
|
Security: DCHECK failure in MessagePort destructor in Blink
Reported by
n...@tresorit.com,
Jan 19 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS I am not sure if this is really a security issue or if it is exploitable, but I'm not familiar with Blink internals and this can probably lead to a UAF. MessagePort::~MessagePort() assumes (with a DCHECK) that close() has been called if the port had been previously started. close() is called via a LifecycleNotifier and if it is owned in a worker then it will only be called when terminating the WorkerGlobalScope. It is possible that the destructor is called before from the GC, this currently causes a crash in debug versions. It seems to me that the DCHECK is there to avoid a potential UAF, but I could not trigger that. I have attached a reproduction case. Creating the Blob is not necessary for the bug, it's only to comply with Same Origin Policy, the worker could be loaded from another js file too. Possible fixes: 1. Call close() from the destructor to ensure there will be no UAF. 2. If this cannot be exploited then simply remove the DCHECK. I could try it only on version 57, because currently if I checkout an older version then "gclient sync" fails with a git error for webrtc, so I couldn't compile a debug version. VERSION Chrome Version: Reproduced on 57 but it probably affects older versions too Operating System: Reproduced on Linux x64 but all OS versions should be affected REPRODUCTION CASE 0. Use a debug version of Chrome to have DCHECKs enabled. 1. Load the attached html page. 2. Trigger a GC sweep (DevConsole -> Timeline/Memory -> Trash icon) 3. Aw, Snap! FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: tab Crash State: DCHECK failure
,
Jan 23 2017
Does your automated tools run with gc exposed? content_shell seems to run like that. (From a worker can I call "self.gc();"?)
,
Jan 30 2017
Thanks for the report. I'm not sure if ClusterFuzz has any builds with debug enabled, but I think we can manually look at this. Over to the Blink GC team - haraken@, can you please take a look and triage? I'm tentatively assigning a low impact, but if there's a potential UAF that will need to be escalated.
,
Jan 30 2017
,
May 25 2017
,
Jul 24 2017
THis heaf uaf looks high severity, looks like it was triaged incorrectly. haraken@, can you please take a look.
,
Jul 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6752495685861376.
,
Jul 24 2017
nhiroki: Would you mind taking a look at this? This crash seems related to the timing when MessagePort::close() is called on workers.
,
Jul 25 2017
> Run with: ./chrome --js-flags=--expose-gc ./dcheckgc.html
I tried this on Linux debug build (62.0.3167.0, master@{#489216}), but couldn't reproduce.
,
Jul 25 2017
ngg@tresorit.com: Thank you for the detailed report and sorry for our late action. Are you still able to reproduce this?
,
Jul 25 2017
,
Jul 25 2017
,
Jul 25 2017
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26 2017
,
Aug 5 2017
Sorry I didn't reply, I was on vacation. I'll be able to check this on Monday.
,
Aug 8 2017
nhiroki: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 10 2017
I couldn't reproduce the issue now, but I don't know if the bug was really fixed or just my repro test case is not good enough now. I tried to git bisect, but I couldn't compile chrome versions before http://crrev.com/d3b69783
,
Aug 22 2017
nhiroki: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 29 2017
Friendly security sheriff ping: if you're not able to reproduce now, can we mark this as fixed? If so, it would be good to identify an exact rev where it was fixed.
,
Sep 6 2017
,
Sep 19 2017
nhiroki/haraken: could you ptal at the comment in #20? Thanks!
,
Sep 19 2017
Sorry for my delayed reply. I'll do the bisect and share the update later (maybe next week because of BlinkOn).
,
Sep 19 2017
(I'd really appreciate it if someone could do the bisect on behalf of me)
,
Sep 19 2017
,
Sep 21 2017
,
Sep 21 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 21 2017
Merge is not necessary.
,
Sep 25 2017
The NextAction date has arrived: 2017-09-25
,
Sep 27 2017
,
Oct 4 2017
I'll do a manual bisect to find how/when this was fixed. Assigning to me so I don't forget.
,
Oct 4 2017
FWIW the original bug report sounds weird to me. MessagePort implements HasPendingActivity, which as far as I understand it should ensure it doesn't get garbage collected as long as that method returns true. And the logic in that method is identical to the DCHECK in the destructor. So not sure how (modulo garbage collection bugs) the garbage collector could call the destructor in a way to trigger that DCHECK...
,
Oct 5 2017
There was an issue with pending activities in workers (see my other already fixed bugreport here: https://bugs.chromium.org/p/chromium/issues/detail?id=683406). It's possible the fix for that fixed this as well.
,
Oct 12 2017
The fix to this bisected to https://codereview.chromium.org/2665733002 which is issue 686563 - I think this can be duped into that, perhaps?
,
Oct 12 2017
Lacking exact context here but M57 launched the wrapper tracing GC infrastructure which has been hardened over the last couple of months including fixing issues with HasPendingActivity. Long story short, it could be this CL :)
,
Oct 12 2017
Yeah, so this was caused by the same issue as my other bug. Thanks for clarifying.
,
Oct 12 2017
Yup I think this is the same issue as issue 683406 which we've already rewarded on. We'll discuss this at the next VRP panel but I would guess it will be considered already rewarded, as it's the same root cause.
,
Oct 20 2017
(marking this as reward-0 since we already the other bug)
,
Dec 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by nparker@chromium.org
, Jan 23 2017