
Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security


Security: OOB Read in BlobStorageContext::BlobFlattener::BlobFlattener

Reported by nedwilli...@gmail.com, Oct 28 2017

Issue description

VULNERABILITY DETAILS
In storage/browser/blob/blob_storage_context.cc,
BlobStorageContext::BlobFlattener::BlobFlattener
is used to flatten blob slices.

The renderer supplied bounds for the slice are validated as follows:
```cpp
// Validate our reference has good offset & length.
if (input_element.offset() + length > ref_entry->total_size()) {
  status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS;
  return;
}
```

But offset + length itself is not checked for overflow, so a small
negative number can be provided for the offset and the attacker can
read arbitrarily many bytes before the start of the blob in the
browser.

When combined with crbug.com/777728, a full sandbox escape can be achieved.

VERSION
Chrome Version: 62 Stable
Operating System: All

REPRODUCTION CASE
Apply renderer.patch and open index.html in Chrome. A unit test and fix are attached.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser
Crash State: See asan.log.

 
fix.patch
1.8 KB Download
asan.log
31.9 KB View Download
renderer.patch
676 bytes Download
index.html
167 bytes View Download
Components: Blink>Storage
Thanks for the bug and patch!
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: dmu...@chromium.org
Status: Assigned (was: Unconfirmed)
dmurph: Would you mind taking a look?

Comment 3 by sheriffbot@chromium.org, Oct 31 2017

Labels: M-63

Comment 4 by sheriffbot@chromium.org, Oct 31 2017

Labels: Pri-1

Comment 5 by bugdroid1@chromium.org, Oct 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c

commit 11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c
Author: Daniel Murphy <dmurph@chromium.org>
Date: Tue Oct 31 22:21:31 2017

[BlobStorage] Fixing potential overflow

Bug: 779314
Change-Id: I74612639d20544e4c12230569c7b88fbe669ec03
Reviewed-on: https://chromium-review.googlesource.com/747725
Reviewed-by: Victor Costan <pwnall@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512977}
[modify] https://crrev.com/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c/storage/browser/blob/blob_storage_context.cc
[modify] https://crrev.com/11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c/storage/browser/blob/blob_storage_context_unittest.cc

Comment 6 by dmu...@chromium.org, Oct 31 2017

Labels: Merge-Rejected-63 Merge-Request-62

Comment 7 by dmu...@chromium.org, Oct 31 2017

Labels: -Merge-Rejected-63 Merge-Request-63
Can you please mark which OS this impacts?

Comment 9 by dmu...@chromium.org, Oct 31 2017

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows

Comment 10 by sheriffbot@chromium.org, Oct 31 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ for merge review

Comment 12 by sheriffbot@chromium.org, Nov 1 2017

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by sheriffbot@chromium.org, Nov 2 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Request-62
@govind - good for M63.
Labels: -Merge-Review-63 Merge-Approved-63
Approving merge to M63 branch 3239 based on comment #13. Please merge ASAP. Thank you.
Please merge your change M63 branch 3239 by 4:00 PM PT Monday (11/06/17) so we can take it for next week Beta release. Thank you.

Comment 17 by bugdroid1@chromium.org, Nov 3 2017

Labels: -merge-approved-63 merge-merged-3239
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fbf7d5393b3765c03348ce466c7ad935eeb887f0

commit fbf7d5393b3765c03348ce466c7ad935eeb887f0
Author: Daniel Murphy <dmurph@chromium.org>
Date: Fri Nov 03 18:38:29 2017

[BlobStorage] Fixing potential overflow

Bug: 779314
Change-Id: I74612639d20544e4c12230569c7b88fbe669ec03
Reviewed-on: https://chromium-review.googlesource.com/747725
Reviewed-by: Victor Costan <pwnall@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#512977}(cherry picked from commit 11bd4bc92f3fe704631e3e6ad1dd1a4351641f7c)
Reviewed-on: https://chromium-review.googlesource.com/754084
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#367}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/fbf7d5393b3765c03348ce466c7ad935eeb887f0/storage/browser/blob/blob_storage_context.cc
[modify] https://crrev.com/fbf7d5393b3765c03348ce466c7ad935eeb887f0/storage/browser/blob/blob_storage_context_unittest.cc

Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-2500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one! $2,500 for this report - cheers!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M63
Labels: CVE-2017-15416

Comment 24 by sheriffbot@chromium.org, Feb 8

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Mar 27

Labels: -M-63 M-65
Labels: CVE_description-missing