Security: METHOD_LOCALTIME browser->renderer infoleak
Reported by vibra...@microsoft.com, Sep 15 2017
Issue description
VULNERABILITY DETAILS
In the IPC method METHOD_LOCALTIME there is a full pointer infoleak when Chromium is built against glibc on Linux.
The bug is in the function HandleLocaltime(...).
It sends an entire “struct tm” from the browser process to the renderer:
const struct tm* expanded_time = localtime(&time);
// ...
result_string = std::string(reinterpret_cast<const char*>(expanded_time),
                            sizeof(struct tm));
Inspecting “struct tm” in glibc, it looks like this:
struct tm
{
  int tm_sec;
  int tm_min;
  int tm_hour;
  int tm_mday;
  int tm_mon;
  int tm_year;
  int tm_wday;
  int tm_yday;
  int tm_isdst;
# ifdef __USE_BSD
  long int tm_gmtoff;
  const char *tm_zone;
# else
  long int __tm_gmtoff;
  const char *__tm_zone;
# endif
};
The struct has GNU extensions: a pointer, “tm_zone”, is accidentally sent from the browser to the renderer.
Further, on 64-bit builds, there are 4 bytes of padding between the members tm_isdst and tm_gmtoff that also get sent.
VERSION
Chrome Version: 61.0.3163.91
Operating System: Linux, ChromeOS
REPRODUCTION CASE
[Step A] Attach to a renderer process, put a breakpoint on the first memcpy() in ProxyLocaltimeCallToBrowser(...).
[Step B] Inspect the contents at src+0x30 (in this case the memcpy was inlined):
(gdb) p/x $rcx
$1 = 0x33be3209ec90
[Step C] Verify this is not a valid pointer in renderer.
(gdb) x $rcx
0x33be3209ec90: Cannot access memory at address 0x33be3209ec90
[Step D] Verify this pointer is valid in the browser process (in this case browser pid=4782).
$ cat /proc/4782/maps | grep 33be320
33be31ff6000-33be32015000 rw-p 00000000 00:00 0
33be32015000-33be32016000 ---p 00000000 00:00 0
33be32016000-33be3204c000 rw-p 00000000 00:00 0
33be3204c000-33be3204d000 ---p 00000000 00:00 0
33be3204d000-33be32f7c000 rw-p 00000000 00:00 0
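As an added example (not code from the bug report, from glibc or from Chromium's fix), the following C program reproduces the layout problem described in the report and shows one safe way to serialize the struct. On x86_64 glibc the nine ints occupy bytes 0 to 35, 4 bytes of padding align tm_gmtoff at 0x28, and tm_zone lands at 0x30, which is the src+0x30 read in Step B; copying sizeof(struct tm) bytes therefore ships 12 bytes that are not calendar data at all. The hardened functions copy the nine ints and tm_gmtoff field by field into a fixed 44-byte buffer and never touch tm_zone. The wire format, the function names and the constructed sample struct are this example's own assumptions, not Chromium's actual serialization.

```c
#define _GNU_SOURCE /* glibc: expose tm_gmtoff/tm_zone under their public names */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Wire format assumed for this example (not Chromium's): nine int32 fields in struct tm
 * order, then tm_gmtoff as int64, little-endian. No pointer or padding can reach the buffer. */
#define SAFE_TM_WIRE_SIZE (9 * 4 + 8)

/* The report's pattern: the struct goes out as opaque bytes, so tm_zone (a
 * browser-side pointer) and the alignment padding are copied along with it. */
static size_t serialize_tm_raw(const struct tm *t, unsigned char *out, size_t cap)
{
    if (cap < sizeof *t) return 0;
    memcpy(out, t, sizeof *t);
    return sizeof *t;
}

static void put_le(unsigned char *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint64_t get_le(const unsigned char *p, int n)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Hardened form: copy each integer field explicitly. tm_zone is dropped on
 * purpose; a real IPC would send the zone name as a length-prefixed string. */
static size_t serialize_tm_safe(const struct tm *t, unsigned char *out, size_t cap)
{
    const int f[9] = { t->tm_sec, t->tm_min, t->tm_hour, t->tm_mday, t->tm_mon,
                       t->tm_year, t->tm_wday, t->tm_yday, t->tm_isdst };
    if (cap < SAFE_TM_WIRE_SIZE) return 0;
    for (int i = 0; i < 9; i++) put_le(out + 4 * i, (uint32_t)f[i], 4);
    put_le(out + 36, (uint64_t)(int64_t)t->tm_gmtoff, 8);
    return SAFE_TM_WIRE_SIZE;
}

/* Renderer side: accept only an exact-size payload and rebuild field by field;
 * tm_zone stays NULL until the caller resolves it from the separate string. */
static int deserialize_tm_safe(const unsigned char *in, size_t len, struct tm *t)
{
    if (len != SAFE_TM_WIRE_SIZE) return -1;
    memset(t, 0, sizeof *t);
    int *f[9] = { &t->tm_sec, &t->tm_min, &t->tm_hour, &t->tm_mday, &t->tm_mon,
                  &t->tm_year, &t->tm_wday, &t->tm_yday, &t->tm_isdst };
    for (int i = 0; i < 9; i++) *f[i] = (int32_t)(uint32_t)get_le(in + 4 * i, 4);
    t->tm_gmtoff = (long)(int64_t)get_le(in + 36, 8);
    return 0;
}

/* Constructed sample standing in for the browser's localtime() result; the static
 * string plays the role of the browser-side address held in tm_zone. */
static struct tm sample_browser_tm(void)
{
    static const char zone[] = "CEST";
    struct tm t = { .tm_sec = 42, .tm_min = 7, .tm_hour = 13, .tm_mday = 15,
                    .tm_mon = 8, .tm_year = 117, .tm_wday = 5, .tm_yday = 257,
                    .tm_isdst = 1, .tm_gmtoff = 7200, .tm_zone = zone };
    return t;
}

/* Raw-copy bytes that are not integer fields: padding plus pointer, 12 on 64-bit glibc. */
static size_t raw_leak_bytes(void)
{
    return sizeof(struct tm) - 9 * sizeof(int) - sizeof(long);
}

/* 1 if the raw serialization carries the browser pointer verbatim. */
static int raw_copy_contains_pointer(void)
{
    struct tm t = sample_browser_tm();
    unsigned char buf[sizeof t];
    return serialize_tm_raw(&t, buf, sizeof buf) == sizeof t &&
           memcmp(buf + offsetof(struct tm, tm_zone), &t.tm_zone, sizeof t.tm_zone) == 0;
}

/* 1 if the safe format round-trips the nine ints (contiguous, so one memcmp covers them)
 * and tm_gmtoff, and delivers no pointer. */
static int safe_roundtrip_ok(void)
{
    struct tm in = sample_browser_tm(), out;
    unsigned char buf[SAFE_TM_WIRE_SIZE];
    return serialize_tm_safe(&in, buf, sizeof buf) == SAFE_TM_WIRE_SIZE &&
           deserialize_tm_safe(buf, sizeof buf, &out) == 0 &&
           memcmp(&in, &out, 9 * sizeof(int)) == 0 &&
           out.tm_gmtoff == in.tm_gmtoff && out.tm_zone == NULL;
}

int main(void)
{
    printf("struct tm: %zu bytes, tm_zone at 0x%zx, %zu leaked; raw=%d safe=%d\n",
           sizeof(struct tm), offsetof(struct tm, tm_zone), raw_leak_bytes(),
           raw_copy_contains_pointer(), safe_roundtrip_ok());
    return 0;
}
```

Build with cc -std=gnu11 and run; on a 64-bit glibc build the printed tm_zone offset is 0x30, the same address the gdb session above reads from. Whatever wire format is chosen, the receiving side must reject any payload whose length is not exactly the expected size before interpreting a single byte, which deserialize_tm_safe does first.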
Sep 22 2017
I'll look into fixing this while jorgelo is OOO.
Sep 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dc5edc9c05901feeac616c075d0337e634f3a02a

commit dc5edc9c05901feeac616c075d0337e634f3a02a
Author: Chris Palmer <palmer@chromium.org>
Date: Sat Sep 23 21:59:41 2017

Serialize struct tm in a safe way.

BUG= 765512
Change-Id: If235b8677eb527be2ac0fe621fc210e4116a7566
Reviewed-on: https://chromium-review.googlesource.com/679441
Commit-Queue: Chris Palmer <palmer@chromium.org>
Reviewed-by: Julien Tinnes <jln@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503948}

[modify] https://crrev.com/dc5edc9c05901feeac616c075d0337e634f3a02a/content/browser/sandbox_ipc_linux.cc
[modify] https://crrev.com/dc5edc9c05901feeac616c075d0337e634f3a02a/content/zygote/zygote_main_linux.cc
Sep 27 2017
Thanks for fixing Chris!
Oct 6 2017
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Oct 27 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 27 2017
+awhalley@ (Security TPM) for M63 merge review
Dec 31 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, Sep 15 2017
Components: Internals>Sandbox
Labels: Security_Severity-High Security_Impact-Stable OS-Chrome OS-Linux
Owner: jorgelo@chromium.org
Status: Assigned (was: Unconfirmed)