New issue
Advanced search Search tips

Issue 690181 link

Starred by 1 user
Status: Untriaged
Owner: ----
Cc:
kenrb@chromium.org
dcheng@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

WebKeyboardEvent::text possible non-null terminated overflow

Project Member Reported by allada@chromium.org, Feb 8 2017 
I am not sure if it's a security risk, but I figured I'd error on the side of caution. (flagged as Restricted-View-Google just in case)

Details:
WebKeyboardEvent::text and WebKeyboardEvent::unmodifiedText here:
https://cs.chromium.org/chromium/src/third_party/WebKit/public/platform/WebKeyboardEvent.h?l=64&gsn=text

looks like it can be set publicly examples:
here: https://cs.chromium.org/chromium/src/content/renderer/pepper/event_conversion.cc?type=cs&l=429
here: https://cs.chromium.org/chromium/src/content/browser/devtools/protocol/input_handler.cc?type=cs&l=99
here: https://cs.chromium.org/chromium/src/content/browser/renderer_host/input/web_input_event_builders_mac.mm?type=cs&q=WebKeyboardEvent+unmodifiedText+f:mm$&l=243
(just a few)

It also looks like we sometimes try and convert this value to other kinds of strings using 0-terminated strings, examples:

here: https://cs.chromium.org/chromium/src/chrome/browser/password_manager/chrome_password_manager_client.cc?type=cs&l=425
here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/EditorKeyBindings.cpp?type=cs&l=80
here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/EditorKeyBindings.cpp?type=cs&l=76
(+more)

I am not sure if we are for sure transporting this to browser without sanitizing it or if it ever goes from renderer to browser.

Can someone please take a look at this and give a security assessment to ensure it's not a high/medium risk before I send it off as a "please-fix" bug to another team.

Thanks!

Comment 1 by palmer@chromium.org, Feb 8 2017 

It does seem bad to assume that the WebUChar array is terminated, as those call sites seem to assume. (Although I have not read and understood them in depth.)

But are there any ways that web contents (as opposed to Chromium C++ in Pepper or DevTools) can cause a |WebKeyboardEvent.text| to not be terminated or even to overflow?

For example, https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/initKeyboardEvent seems pretty tightly specified, and deprecated anyway. Is there another way to control the text field of WebKeyboardEvent from web contents?

Comment 2 by kenrb@chromium.org, Feb 13 2017

Cc: kenrb@chromium.org dcheng@chromium.org
+dcheng, who might find this interesting

This doesn't look like a security issue to me, although it isn't hard to imagine scenarios in which it might become one in future. As palmer@ notes, there doesn't seem to be a way for the text to be set from web-based content. It would also be problematic if it could be set by a renderer process and then used as a null-terminated string by a non-renderer process. Fortunately, there is a strong tendency for input events to traverse security boundaries in order of descending privilege.

This possibly causes a vulnerability when running with --site-per-process, because a compromised renderer could send a keyboard event back to the browser process, which causes a non-null-terminated string to be copied. That is not especially concerning because that is not a default flag.

Comment 3 by jialiul@chromium.org, Feb 13 2017

Labels: -Type-Bug-Security -Restrict-View-Google -Pri-1 -Security Pri-2 Type-Bug
Adjust bug types based on #2.

Sign in to add a comment