
Issue 765512

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Sep 2017
OS: Linux, Chrome
Pri: 1
Type: Bug-Security

Security: METHOD_LOCALTIME browser->renderer infoleak

Reported by vibra...@microsoft.com, Sep 15 2017

Issue description

VULNERABILITY DETAILS

In the IPC method METHOD_LOCALTIME there is a full pointer infoleak when Chromium is built against glibc on Linux.

The bug is in the function HandleLocaltime(...).
It sends an entire “struct tm” from the browser process to the renderer:

  const struct tm* expanded_time = localtime(&time);
  // ...
  // Copies sizeof(struct tm) bytes verbatim, including padding and tm_zone.
  result_string = std::string(reinterpret_cast<const char*>(expanded_time),
                              sizeof(struct tm));

Inspecting “struct tm” in glibc, it looks like this:

struct tm
{
  int tm_sec;
  int tm_min;
  int tm_hour;
  int tm_mday;
  int tm_mon;
  int tm_year;
  int tm_wday;
  int tm_yday;
  int tm_isdst;

# ifdef              __USE_BSD
  long int tm_gmtoff;
  const char *tm_zone;
# else
  long int __tm_gmtoff;
  const char *__tm_zone;
# endif
};

The struct has GNU extensions: a pointer “tm_zone” is accidentally sent from the browser to the renderer.

Further, on 64-bit builds, there are 4 bytes of padding between members tm_isdst and tm_gmtoff that also get sent.


VERSION
Chrome Version: 61.0.3163.91
Operating System: Linux, ChromeOS

REPRODUCTION CASE

[Step A] Attach to a renderer process, put a breakpoint on the first memcpy() in ProxyLocaltimeCallToBrowser(...).

[Step B] Inspect the contents at src+0x30 (in this case the memcpy was inlined):

(gdb) p/x $rcx
$1 = 0x33be3209ec90

[Step C] Verify this is not a valid pointer in the renderer.

(gdb) x $rcx
0x33be3209ec90: Cannot access memory at address 0x33be3209ec90

[Step D] Verify this pointer is valid in the browser process (in this case browser pid=4782).

$ cat /proc/4782/maps | grep 0x33be320
33be31ff6000-33be32015000 rw-p 00000000 00:00 0 
33be32015000-33be32016000 ---p 00000000 00:00 0 
33be32016000-33be3204c000 rw-p 00000000 00:00 0 
33be3204c000-33be3204d000 ---p 00000000 00:00 0 
33be3204d000-33be32f7c000 rw-p 00000000 00:00 0
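The raw copy the report quotes beside a field-wise serialization, as an added C example written for this page (not Chromium's code and not the fix from the commit referenced later in the thread): it shows that the raw encoding carries the sender's tm_zone pointer verbatim, while the explicit encoding carries only the nine POSIX fields plus tm_gmtoff and the receiver never ends up holding a foreign address. TM_WIRE_SIZE, the 44-byte layout and the sample value are assumptions made here.

```c
#define _GNU_SOURCE /* glibc: expose the tm_gmtoff / tm_zone extensions */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Wire format (an assumption for this example): nine int32 POSIX fields
 * followed by tm_gmtoff as int64; tm_zone is deliberately not a wire field. */
#define TM_WIRE_SIZE (9 * 4 + 8)

/* The pattern the report describes: the whole object is copied, so compiler
 * padding and the tm_zone pointer leave the process with it. */
static size_t serialize_tm_raw(const struct tm *t, unsigned char *out) {
  memcpy(out, t, sizeof(struct tm));
  return sizeof(struct tm);
}
static void put_i32(unsigned char *p, int32_t v) { memcpy(p, &v, 4); }
static int32_t get_i32(const unsigned char *p) { int32_t v; memcpy(&v, p, 4); return v; }

/* Field-wise: only the values the renderer needs, in a layout we control. */
static size_t serialize_tm_safe(const struct tm *t, unsigned char *out) {
  const int32_t f[9] = {t->tm_sec, t->tm_min, t->tm_hour, t->tm_mday, t->tm_mon,
                        t->tm_year, t->tm_wday, t->tm_yday, t->tm_isdst};
  int64_t off = t->tm_gmtoff;
  for (int i = 0; i < 9; i++) put_i32(out + 4 * i, f[i]);
  memcpy(out + 36, &off, 8);
  return TM_WIRE_SIZE;
}
/* Receiving side: length-checked; tm_zone stays NULL, never a foreign address. */
static int deserialize_tm_safe(const unsigned char *in, size_t len, struct tm *t) {
  if (len != TM_WIRE_SIZE) return -1;
  memset(t, 0, sizeof *t);
  t->tm_sec = get_i32(in);        t->tm_min = get_i32(in + 4);   t->tm_hour = get_i32(in + 8);
  t->tm_mday = get_i32(in + 12);  t->tm_mon = get_i32(in + 16);  t->tm_year = get_i32(in + 20);
  t->tm_wday = get_i32(in + 24);  t->tm_yday = get_i32(in + 28); t->tm_isdst = get_i32(in + 32);
  int64_t off; memcpy(&off, in + 36, 8); t->tm_gmtoff = (long)off;
  return 0;
}
/* Diagnostic: does the raw encoding carry the sender's tm_zone pointer verbatim? */
static int raw_encoding_contains_tm_zone_pointer(const struct tm *t) {
  unsigned char raw[sizeof(struct tm)];
  serialize_tm_raw(t, raw);
  return memcmp(raw + offsetof(struct tm, tm_zone), &t->tm_zone, sizeof t->tm_zone) == 0;
}
/* Constructed sample value, not the output of a real localtime() call. */
static struct tm sample_tm(void) {
  struct tm t = {0};
  t.tm_sec = 41; t.tm_min = 59; t.tm_hour = 21; t.tm_mday = 23; t.tm_mon = 8;
  t.tm_year = 117; t.tm_wday = 6; t.tm_yday = 265; t.tm_gmtoff = -25200; t.tm_zone = "PDT";
  return t;
}
```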


Comment 1 by mea...@chromium.org, Sep 15 2017

Cc: kerrnel@chromium.org jln@chromium.org
Components: Internals>Sandbox
Labels: Security_Severity-High Security_Impact-Stable OS-Chrome OS-Linux
Owner: jorgelo@chromium.org
Status: Assigned (was: Unconfirmed)
Thank you for the report once again!

jorgelo: Mind if I assign this to you? Feel free to reassign.

Comment 2 by sheriffbot@chromium.org, Sep 15 2017

Labels: M-61

Comment 3 by sheriffbot@chromium.org, Sep 15 2017

Labels: Pri-1

Comment 4 by palmer@chromium.org, Sep 22 2017

Cc: jorgelo@chromium.org
Owner: palmer@chromium.org
Status: Started (was: Assigned)
I'll look into fixing this while jorgelo is OOO.

Comment 5 by bugdroid1@chromium.org, Sep 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dc5edc9c05901feeac616c075d0337e634f3a02a

commit dc5edc9c05901feeac616c075d0337e634f3a02a
Author: Chris Palmer <palmer@chromium.org>
Date: Sat Sep 23 21:59:41 2017

Serialize struct tm in a safe way.

BUG= 765512 

Change-Id: If235b8677eb527be2ac0fe621fc210e4116a7566
Reviewed-on: https://chromium-review.googlesource.com/679441
Commit-Queue: Chris Palmer <palmer@chromium.org>
Reviewed-by: Julien Tinnes <jln@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503948}
[modify] https://crrev.com/dc5edc9c05901feeac616c075d0337e634f3a02a/content/browser/sandbox_ipc_linux.cc
[modify] https://crrev.com/dc5edc9c05901feeac616c075d0337e634f3a02a/content/zygote/zygote_main_linux.cc

Comment 6 by palmer@chromium.org, Sep 23 2017

Status: Fixed (was: Started)

Comment 7 by sheriffbot@chromium.org, Sep 24 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Thanks for fixing Chris!
Labels: -Security_Severity-High Security_Severity-Medium
Labels: -reward-topanel reward-unpaid reward-3337
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -M-61 M-63

Comment 13 by sheriffbot@chromium.org, Oct 27 2017

Labels: Merge-Request-63

Comment 14 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M63 merge review
Labels: -Hotlist-Merge-Review -Merge-Review-63
Labels: Release-0-M63
Labels: CVE-2017-15415
Labels: -reward-unpaid reward-decline

Comment 20 by sheriffbot@chromium.org, Dec 31 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-63 M-65
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted