Security: Video streams sourced from cross-origin videos aren't tainted |
|||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS The content of cross-origin <video>s are not supposed to be accessible. In discussing a Firefox bug Maarten Breddels noted that if you captured the stream of the cross origin video and placed it into a second <video> then it appears to no longer be tainted. He was able to draw that into a canvas and get the image data out without a security exception, and could send the second video stream (but not the first) over webRTC. This affects Chrome 62. In Chrome 60 you need to set the flag to enable stream capture; I didn't try Chrome 61 to see what the default for the flag was in that version. For more information see https://bugzilla.mozilla.org/show_bug.cgi?id=1177793#c24 and following (mail me or security@mozilla.org to be added to that bug) VERSION Chrome Version: 62.0.3188.0 (Official Build) canary (64-bit) Operating System: macOS 10.11.6 (also on 10.12) plus whatever Maarten and Jan-Ivar use. Doesn't seem to be relevant. REPRODUCTION CASE My attempt to combine the fiddles into a stand-alone testcase resulted in a consistent tab crash so all I have for you are jsfiddle links Getting image data from a cross-origin video: https://jsfiddle.net/j5yxec3b/ Sending cross-origin video over webRTC: https://jsfiddle.net/jib1/1kz9hfaL/9/ WebGL: https://www.astro.rug.nl/~breddels/ipyvolume/tainted/ I will attach my crashing testcase here because it's basically the testcase for this same-origin violation security bug, but the crash itself is probably unrelated. Tab crash, Crash ID: crash/a976ba002102678a
,
Aug 21 2017
hbos: The crash is because there's a DCHECK right before AddObserver, so this is hitting a null-deref. Thread 0 (id: 9742556) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000018 ] 0x000000010b86af7c (Google Chrome Framework -vector:1579 ) content::MediaStream::AddObserver(content::MediaStreamObserver*) 0x000000010b8b8107 (Google Chrome Framework -webrtc_media_stream_adapter.cc:40 ) content::WebRtcMediaStreamAdapter::WebRtcMediaStreamAdapter(content::PeerConnectionDependencyFactory*, scoped_refptr<content::WebRtcMediaStreamTrackAdapterMap>, blink::WebMediaStream const&) 0x000000010b8b88fa (Google Chrome Framework -memory:3026 ) content::WebRtcMediaStreamAdapterMap::GetOrCreateLocalStreamAdapter(blink::WebMediaStream const&) 0x000000010b891498 (Google Chrome Framework -rtc_peer_connection_handler.cc:1544 ) content::RTCPeerConnectionHandler::AddStream(blink::WebMediaStream const&, blink::WebMediaConstraints const&) 0x000000010b4d33f7 (Google Chrome Framework -RTCPeerConnection.cpp:1110 ) blink::RTCPeerConnection::addStream(blink::ScriptState*, blink::MediaStream*, blink::Dictionary const&, blink::ExceptionState&) 0x000000010b21f7b9 (Google Chrome Framework -V8RTCPeerConnection.cpp:1201 ) blink::V8RTCPeerConnection::addStreamMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) 0x0000000106b82e40 (Google Chrome Framework -api-arguments.cc:25 ) v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) 0x0000000106c07562 (Google Chrome Framework -builtins-api.cc:112 ) v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) 0x0000000106c06b93 (Google Chrome Framework -builtins-api.cc:142 ) v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) 0x00001b67779042fc 0x00001b6777a06c56 0x00001b67779c5d53 0x00001b6777a0790e 0x00001b67779c5d53 0x00001b6777a0629c 0x00001b67779c5d53 0x00001b6777904238 0x00001b6777904100 0x0000000106e73792 (Google Chrome Framework -execution.cc:145 ) v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) 0x0000000106e734cb (Google Chrome Framework -execution.cc:181 ) v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) 0x0000000106b9dba7 (Google Chrome Framework -api.cc:5321 ) v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) 0x000000010a35f278 (Google Chrome Framework -V8ScriptRunner.cpp:694 ) blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) 0x000000010a35afce (Google Chrome Framework -V8LazyEventListener.cpp:115 ) blink::V8LazyEventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) 0x000000010a34ede2 (Google Chrome Framework -V8AbstractEventListener.cpp:146 ) blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) 0x000000010a34ec9e (Google Chrome Framework -V8AbstractEventListener.cpp:104 ) blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) 0x000000010a34ebc0 (Google Chrome Framework -V8AbstractEventListener.cpp:92 ) blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) 0x000000010aa9f78a (Google Chrome Framework -EventTarget.cpp:770 ) blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) 0x000000010aa9ee7b (Google Chrome Framework -EventTarget.cpp:631 ) blink::EventTarget::FireEventListeners(blink::Event*) 0x000000010aa96a0f (Google Chrome Framework -EventDispatcher.cpp:236 ) blink::EventDispatcher::Dispatch() 0x000000010aaa5e7e (Google Chrome Framework -MouseEvent.cpp:480 ) blink::MouseEventDispatchMediator::DispatchEvent(blink::EventDispatcher&) const 0x000000010aa95fe5 (Google Chrome Framework -EventDispatcher.cpp:59 ) blink::EventDispatcher::DispatchEvent(blink::Node&, blink::EventDispatchMediator*) 0x000000010acfc8b7 (Google Chrome Framework -MouseEventManager.cpp:221 ) blink::MouseEventManager::DispatchMouseEvent(blink::EventTarget*, WTF::AtomicString const&, blink::WebMouseEvent const&, WTF::String const&, blink::EventTarget*, bool) 0x000000010acfcd39 (Google Chrome Framework -MouseEventManager.cpp:301 ) blink::MouseEventManager::DispatchMouseClickIfNeeded(blink::EventWithHitTestResults<blink::WebMouseEvent> const&, blink::Element&) 0x000000010acf5142 (Google Chrome Framework -EventHandler.cpp:1018 ) blink::EventHandler::HandleMouseReleaseEvent(blink::WebMouseEvent const&) 0x000000010af82c7f (Google Chrome Framework -PageWidgetDelegate.cpp:259 ) blink::PageWidgetEventHandler::HandleMouseUp(blink::LocalFrame&, blink::WebMouseEvent const&) 0x000000010aadef41 (Google Chrome Framework -WebViewImpl.cpp:542 ) non-virtual thunk to blink::WebViewImpl::HandleMouseUp(blink::LocalFrame&, blink::WebMouseEvent const&) 0x000000010af829da (Google Chrome Framework -PageWidgetDelegate.cpp:171 ) blink::PageWidgetDelegate::HandleInputEvent(blink::PageWidgetEventHandler&, blink::WebCoalescedInputEvent const&, blink::LocalFrame*) 0x000000010aae1474 (Google Chrome Framework -WebViewImpl.cpp:2238 ) blink::WebViewImpl::HandleInputEvent(blink::WebCoalescedInputEvent const&) 0x000000010b797edb (Google Chrome Framework -render_widget_input_handler.cc:258 ) content::RenderWidgetInputHandler::HandleInputEvent(blink::WebCoalescedInputEvent const&, ui::LatencyInfo const&, base::Callback<void (content::InputEventAckState, ui::LatencyInfo const&, std::__1::unique_ptr<ui::DidOverscrollParams, std::__1::default_delete<ui::DidOverscrollParams> >), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>) 0x000000010b82553f (Google Chrome Framework -render_widget.cc:853 ) <name omitted> 0x000000010b81b9ac (Google Chrome Framework -render_view_impl.cc:2533 ) content::RenderViewImpl::HandleInputEvent(blink::WebCoalescedInputEvent const&, ui::LatencyInfo const&, base::Callback<void (content::InputEventAckState, ui::LatencyInfo const&, std::__1::unique_ptr<ui::DidOverscrollParams, std::__1::default_delete<ui::DidOverscrollParams> >), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>) 0x000000010b7958a8 (Google Chrome Framework -main_thread_event_queue.cc:543 ) content::QueuedWebInputEvent::Dispatch(content::MainThreadEventQueue*) 0x000000010b795125 (Google Chrome Framework -main_thread_event_queue.cc:416 ) content::MainThreadEventQueue::DispatchEvents() 0x0000000107880b61 (Google Chrome Framework -callback.h:91 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0x00000001073277c7 (Google Chrome Framework -task_queue_manager.cc:532 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) 0x0000000107325841 (Google Chrome Framework -task_queue_manager.cc:330 ) blink::scheduler::TaskQueueManager::DoWork(bool) 0x0000000107880b61 (Google Chrome Framework -callback.h:91 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0x00000001078a6eaa (Google Chrome Framework -message_loop.cc:410 ) base::MessageLoop::RunTask(base::PendingTask*) 0x00000001078a754a (Google Chrome Framework -message_loop.cc:421 ) base::MessageLoop::DoWork() 0x00000001078a9d39 (Google Chrome Framework -message_pump_mac.mm:421 ) base::MessagePumpCFRunLoopBase::RunWork() 0x000000010789acd9 (Google Chrome Framework + 0x01b12cd9 ) base::mac::CallWithEHFrame(void () block_pointer) 0x00000001078a962e (Google Chrome Framework -message_pump_mac.mm:397 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
,
Aug 22 2017
,
Aug 22 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 22 2017
,
Aug 22 2017
,
Aug 22 2017
,
Aug 22 2017
Assigning to mcasas@ since this appears to be an issue with element capture. I'll take a look at the crash.
,
Aug 22 2017
dveditz@ can you send code that repros the DCHECK crash?
,
Aug 22 2017
+awhalley@ security TPM
,
Aug 23 2017
I still crash using the file I attached in the initial comment ("bug1179993.html"). On Mac 10.11.6 if it matters, and still reproduces with Chrome 62.0.3193.0. You have to click the button with the text "Snap".
I have reset all chrome://flags to default just in case something I was fiddling with had an effect, but doesn't make a difference.
,
Aug 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6175241830400000.
,
Aug 24 2017
Detailed report: https://clusterfuzz.com/testcase?key=6175241830400000 Job Type: linux_asan_chrome_mp Crash Type: Null-dereference READ Crash Address: 0x000000000018 Crash State: content::WebRtcMediaStreamAdapter::WebRtcMediaStreamAdapter content::RTCPeerConnectionHandler::AddStream blink::RTCPeerConnection::addStream Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=490547:490630 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6175241830400000 See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 24 2017
I hope this bug isn't being hijacked by the crash analysis. I'm not really worried about a null dereference and only mentioned it here because the testcase hints at the SOP problem. My primary concern is the apparent SOP violation with video streams.
,
Aug 24 2017
dveditz@: The crash analysis is completed and a patch will land soon to take care of the crash. It should not distract from the actual bug.
,
Aug 26 2017
ClusterFuzz has detected this issue as fixed in range 497363:497373. Detailed report: https://clusterfuzz.com/testcase?key=6175241830400000 Job Type: linux_asan_chrome_mp Crash Type: Null-dereference READ Crash Address: 0x000000000018 Crash State: content::WebRtcMediaStreamAdapter::WebRtcMediaStreamAdapter content::RTCPeerConnectionHandler::AddStream blink::RTCPeerConnection::addStream Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=490547:490630 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=497363:497373 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6175241830400000 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 26 2017
ClusterFuzz testcase 6175241830400000 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 26 2017
,
Aug 26 2017
Tracking the SOP violation, not the crash.
,
Aug 28 2017
mcasas@ - mind confirming if the feature required for this to trigger is on in 61?
,
Aug 28 2017
Looks like it's not, moving to M62.
,
Aug 29 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 1 2017
guidou@ assigning it back to you since you seem (#15) to have a fix for the crash; the crash stack doesn't imply capture-from-element code in any thread, which seems to confirm that the fiddle crashing is the > Sending cross-origin video over webRTC: > https://jsfiddle.net/jib1/1kz9hfaL/9/ so there's two things in this bug: one the crash, and another the lack-of-tainting. Let's fix the crash to please sheriffbot; dveditz@, we can continue in a sibling bug with the tainting story. awhalley@ correct - the code was landed pre M62 behind a flag which has been flipped to stable in M62.
,
Sep 1 2017
The crash was caused by a capture-from-element MediaStream lacking an ExtraData pointer pointing to a content::MediaStream, resulting in a null-pointer dereference when the stream was added to a PeerConnection. This was fixed by r498039, which removes content::MediaStream and the ExtraData pointer. There was a bug already for that, so the CL referenced it and I forgot to also include a reference to this bug. Assigning back to mcasas@ to continue the work on the lack-of-tainting issue.
,
Sep 1 2017
guidou@ thanks! I guess the crash is then addressed and sheriffbot should be happy. Based on that I'll close this bug. dveditz@mozilla.com if what you're saying is that a <video>.captureStream() allows bypassing a cross-origin restriction, please open another bug and add a jsfiddle or pseudocode to it describing the sequence of steps in a recent Canary. Thanks!
,
Sep 1 2017
re #25 - This bug was originally reporting cross-origin restriction. We should have spun off another bug to track the crash but didn't (mea culpa). Re-opening and adding ClusterFuzz-Wrong so it doesn't get closed out again. mcasas@ - the jsfiddles in the initial report still seem to reproduce the error on today's Canary (62.0.3202.0) Pardon the confusion >_<
,
Sep 2 2017
#2 added the Labels: Security_Severity-High Security_Impact-Beta OS-Mac Pri-1 because of the crash (IIUC); I understand the preference stated in #26 for keeping this bug, however reusing this bug would prevent tracking e.g. clusterfuzz-related encountered bugs etc. So I created another bug in https://crbug.com/761622 and I'm closing this one as Fixed by guidou@ per #24
,
Sep 6 2017
,
Sep 6 2017
The crash isn't a security bug, so removing labels, but keeping the view restrictions until they are lifted from issue 761622 . dveditz@ - I'm sorry your fears in #14 turned out to be well founded.
,
Sep 6 2017
,
Sep 6 2017
Given my years of experience in bugzilla I should have known better than to mention two different things in the first place :-)
,
Dec 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Aug 18 2017Status: Untriaged (was: Unconfirmed)