Security: OOB Read in BlobStorageContext::BlobFlattener::BlobFlattener
Reported by nedwilli...@gmail.com, Oct 28 2017
Issue description
VULNERABILITY DETAILS
In storage/browser/blob/blob_storage_context.cc,
BlobStorageContext::BlobFlattener::BlobFlattener
is used to flatten blob slices.
The renderer-supplied bounds for the slice are validated as follows:
```
// Validate our reference has good offset & length.
if (input_element.offset() + length > ref_entry->total_size()) {
status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS;
return;
}
```
But offset + length itself is not checked for overflow, so a small
negative number can be provided for the offset and the attacker can
read arbitrarily many bytes before the start of the blob in the
browser.
When combined with crbug.com/777728, a full sandbox escape can be achieved.
VERSION
Chrome Version: 62 Stable
Operating System: All
REPRODUCTION CASE
Apply renderer.patch and open index.html in Chrome. A unit test and fix are attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser
Crash State: See asan.log.
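As an added example (not code from the report or from Chromium), the vulnerable comparison is modelled beside two overflow-safe equivalents in stand-alone functions; the function names are hypothetical, and `total_size` stands in for `ref_entry->total_size()`, with all three values unsigned 64-bit as blob offsets and lengths are.

```cpp
#include <cstdint>

// Constructed model of the BlobFlattener bounds check; not Chromium code.
//
// The original check. If 'offset' is near UINT64_MAX (the "small negative
// number" the report describes), offset + length wraps to a small value and
// the comparison passes even though the slice lies entirely outside the blob.
bool ValidateSliceUnsafe(uint64_t offset, uint64_t length,
                         uint64_t total_size) {
  return offset + length <= total_size;
}

// Overflow-safe form: establish offset <= total_size first, then compare
// 'length' against the room that is actually left. Neither step can wrap.
bool ValidateSliceSafe(uint64_t offset, uint64_t length,
                       uint64_t total_size) {
  if (offset > total_size) return false;
  return length <= total_size - offset;
}

// Same result via checked addition (GCC/Clang builtin): reject the slice if
// computing its end offset overflows at all.
bool ValidateSliceChecked(uint64_t offset, uint64_t length,
                          uint64_t total_size) {
  uint64_t end = 0;
  if (__builtin_add_overflow(offset, length, &end)) return false;
  return end <= total_size;
}
```

The wrapped case (offset = UINT64_MAX - 15, length = 32) is accepted by the first function and rejected by the other two; in-range and past-the-end slices are handled identically by all three.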
Oct 30 2017
dmurph: Would you mind taking a look?
Oct 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c

commit 11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c
Author: Daniel Murphy <dmurph@chromium.org>
Date: Tue Oct 31 22:21:31 2017

[BlobStorage] Fixing potential overflow

Bug: 779314
Change-Id: I74612639d20544e4c12230569c7b88fbe669ec03
Reviewed-on: https://chromium-review.googlesource.com/747725
Reviewed-by: Victor Costan <pwnall@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512977}

[modify] https://crrev.com/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c/storage/browser/blob/blob_storage_context.cc
[modify] https://crrev.com/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c/storage/browser/blob/blob_storage_context_unittest.cc
Oct 31 2017
Can you please mark which OS this impacts?
Oct 31 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 1 2017
+awhalley@ for merge review
Nov 1 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 3 2017
@govind - good for M63.
Nov 3 2017
Approving merge to M63 branch 3239 based on comment #13. Please merge ASAP. Thank you.
Nov 3 2017
Please merge your change M63 branch 3239 by 4:00 PM PT Monday (11/06/17) so we can take it for next week Beta release. Thank you.
Nov 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fbf7d5393b3765c03348ce466c7ad935eeb887f0

commit fbf7d5393b3765c03348ce466c7ad935eeb887f0
Author: Daniel Murphy <dmurph@chromium.org>
Date: Fri Nov 03 18:38:29 2017

[BlobStorage] Fixing potential overflow

Bug: 779314
Change-Id: I74612639d20544e4c12230569c7b88fbe669ec03
Reviewed-on: https://chromium-review.googlesource.com/747725
Reviewed-by: Victor Costan <pwnall@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#512977}
(cherry picked from commit 11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c)
Reviewed-on: https://chromium-review.googlesource.com/754084
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#367}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}

[modify] https://crrev.com/fbf7d5393b3765c03348ce466c7ad935eeb887f0/storage/browser/blob/blob_storage_context.cc
[modify] https://crrev.com/fbf7d5393b3765c03348ce466c7ad935eeb887f0/storage/browser/blob/blob_storage_context_unittest.cc
Nov 9 2017
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Nov 9 2017
Nice one! $2,500 for this report - cheers!
Feb 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 28 2017