
Issue 831963 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 18
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , iOS , Chrome , Mac , Fuchsia
Pri: 0
Type: Bug-Security




Security: In-memory Cache UaF 2

Reported by nedwilli...@gmail.com, Apr 12

Issue description

VULNERABILITY DETAILS
There's another variant of  http://crbug.com/827492  for the in-memory cache when doing cache clearing (DoomAllEntries/DoomEntriesBetween).

It appears this code path isn't reachable until the network service is enabled by default, and even then I believe renderer control is needed. If it's indeed possible to clear the in-memory cache currently then this is more severe.

Let's go ahead and fix this now so we can take our time merging the fix and don't have headaches if/when it becomes reachable.

Related network service bit - note the cache comes from the url_request_context which I think can have an in-memory cache:
https://cs.chromium.org/chromium/src/services/network/http_cache_data_remover.cc?l=140&rcl=1c257c23dc3b13c22d5121401cf997341ffe475f

VERSION
Chrome Version: 65 Stable
Operating System: All that have in-memory/off-the-record cache

REPRODUCTION CASE
See attached patch and unit test (fix.patch).

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser/Network Process
Crash State: See asan.log

fix.patch
1.5 KB Download
asan.log
9.1 KB View Download
Cc: jkarlin@chromium.org morlovich@chromium.org
Cc: -jkarlin@chromium.org
Components: Internals>Network>Cache
Labels: Security_Severity-Critical Security_Impact-Stable Pri-0
Owner: jkarlin@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning Critical severity since this is out of the sandbox, jkarlin: feel free to readjust to high if that seems better (since this only happens with the network service enabled). 
Cc: -morlovich@chromium.org jkarlin@chromium.org
Owner: morlovich@chromium.org
Moving this one over to Maks as I don't have the cycles at the moment.
Cc: kcc@chromium.org

Comment 5 by sheriffbot@chromium.org, Apr 14

Labels: M-65

Comment 6 by sheriffbot@chromium.org, Apr 14

Labels: ReleaseBlock-Beta
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Not sure that something requiring a non-standard flag that's not set by any experiment (but which is in chrome://flags) should be ReleaseBlock.

Having said that, IIRC NetworkContext methods are only supposed to be callable from the browser process, but I am not certain of the mechanism for that.

You can indeed have an in-memory cache for a URLRequestContext --- that's what happens in incognito mode.

(Patch does look good, on my queue for today)
Josh, are you too busy to review as well?
Nope, can review.
Cc: awhalley@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-iOS OS-Linux OS-Mac OS-Windows

Comment 12 by bugdroid1@chromium.org, Apr 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ab771022535b499e4d7a7f12fa6c60a294f7de4

commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4
Author: Maks Orlovich <morlovich@chromium.org>
Date: Tue Apr 17 01:10:32 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919
but on explicit mass-erase rather than eviction.

Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551205}
[modify] https://crrev.com/9ab771022535b499e4d7a7f12fa6c60a294f7de4/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/9ab771022535b499e4d7a7f12fa6c60a294f7de4/net/disk_cache/memory/mem_backend_impl.cc
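The commit above fixes a use-after-free of the classic "erase while iterating a linked list" kind: a mass-erase over the cache's LRU list freed a node and then read its next pointer. As an added illustration that is not Chromium's code (the Entry, MemCache and DoomEntriesBetween names below are hypothetical and only echo the bug report's wording), here is a toy in-memory LRU list with a range-doom operation written the safe way, with the faulty ordering described in a comment:

```cpp
// Added example, not Chromium code: a toy in-memory LRU list with a
// range-doom operation, showing how to delete nodes while walking a
// doubly-linked list without touching freed memory. Entry, MemCache and
// DoomEntriesBetween are hypothetical names that only echo the bug report.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct Entry {
  std::string key;
  int64_t last_used;        // constructed timestamp used for range selection
  Entry* prev = nullptr;
  Entry* next = nullptr;
};

class MemCache {
 public:
  ~MemCache() { DoomAllEntries(); }

  // Append at the most-recently-used end of the list.
  void Insert(const std::string& key, int64_t last_used) {
    Entry* e = new Entry{key, last_used};
    e->prev = tail_;
    if (tail_) tail_->next = e; else head_ = e;
    tail_ = e;
    ++size_;
  }

  // Doom every entry with begin <= last_used < end, walking the LRU list
  // from oldest to newest. Returns the number of entries removed.
  int DoomEntriesBetween(int64_t begin, int64_t end) {
    int doomed = 0;
    Entry* cur = head_;
    while (cur) {
      // The bug class fixed above: advancing with "cur = cur->next" AFTER
      // DoomEntry(cur) has deleted the node reads freed memory (ASan reports
      // it as heap-use-after-free). Capturing the successor first keeps the
      // walk on live nodes only.
      Entry* next = cur->next;
      if (cur->last_used >= begin && cur->last_used < end) {
        DoomEntry(cur);
        ++doomed;
      }
      cur = next;
    }
    return doomed;
  }

  // Mass-erase: pop from the head until the list is empty.
  int DoomAllEntries() {
    int doomed = 0;
    while (head_) {
      DoomEntry(head_);
      ++doomed;
    }
    return doomed;
  }

  // Keys in LRU order, oldest first.
  std::vector<std::string> Keys() const {
    std::vector<std::string> out;
    for (const Entry* e = head_; e; e = e->next) out.push_back(e->key);
    return out;
  }

  size_t size() const { return size_; }

 private:
  // Unlink e from its neighbours (fixing head_/tail_ at the ends) and free it.
  void DoomEntry(Entry* e) {
    if (e->prev) e->prev->next = e->next; else head_ = e->next;
    if (e->next) e->next->prev = e->prev; else tail_ = e->prev;
    delete e;
    --size_;
  }

  Entry* head_ = nullptr;
  Entry* tail_ = nullptr;
  size_t size_ = 0;
};

int main() {
  MemCache cache;
  for (int i = 1; i <= 5; ++i) cache.Insert("entry" + std::to_string(i), i);
  std::cout << "doomed " << cache.DoomEntriesBetween(2, 4) << " in [2,4)\n";
  for (const auto& k : cache.Keys()) std::cout << k << " survives\n";
  return 0;
}
```

The same ordering rule applies whether the erase is an explicit DoomEntriesBetween/DoomAllEntries or an eviction pass, which is why the earlier fix the commit message cites and this one are the same change on two call paths; a unit test that dooms a range covering the head, the tail and two adjacent nodes is the cheapest way to catch a regression under ASan.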

Labels: -M-65 M-68 M-66 M-67
We're not planning any further M65 releases and M66 is going to stable this week. 

Applying M-66, M-67 & M-68 labels. awhalley@, pls evaluate it for appropriate milestone merges. Thank you.
Cc: abdulsyed@chromium.org cma...@chromium.org
Cc: kariahda@chromium.org
govind@ - good for 67

Once it's been out in Dev or Beta for a bit we can merge to 66 to pick it up in any re-spin.

Labels: Merge-Approved-67
Approving merge to M67 branch 3396 based on comment #16. Please merge ASAP so we can pick it up for this week's Dev release. Thank you.

Comment 18 by bugdroid1@chromium.org, Apr 17

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037

commit 76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037
Author: Maks Orlovich <morlovich@chromium.org>
Date: Tue Apr 17 17:37:08 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919
but on explicit mass-erase rather than eviction.

Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551205}
(cherry picked from commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4)
Reviewed-on: https://chromium-review.googlesource.com/1015321
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#49}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/76b3dbf91e4f5ebd348d53c03ef74c7fdf0b9037/net/disk_cache/memory/mem_backend_impl.cc


Comment 19 by sheriffbot@chromium.org, Apr 18

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Apr 19

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-66
Now that this has been out in Dev, requesting merge to M66 in case there's a respin.

Comment 22 by sheriffbot@chromium.org, Apr 19

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-topanel
Labels: -Merge-Review-66 Merge-Approved-66
Approving merge for M66 branch:3359
Are any special steps required for the actual merge? I've only ever done early beta ones...

(Also I am not sure of impact --- the only non-user-interaction-requiring path I can see of involves the pnacl cache, and I don't know much about that).


Comment 26 by bugdroid1@chromium.org, Apr 25

Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c352625fe9db8660710e9cce16a6d92c5e09a5b5

commit c352625fe9db8660710e9cce16a6d92c5e09a5b5
Author: Maks Orlovich <morlovich@chromium.org>
Date: Wed Apr 25 16:45:03 2018

[MemCache] Fix bug while iterating LRU list in range doom

This is exact same thing as https://chromium-review.googlesource.com/c/chromium/src/+/987919
but on explicit mass-erase rather than eviction.

Thanks to nedwilliamson@ (on gmail) for the report and testcase.

Bug: 831963
Change-Id: I96a46700c1f058f7feebe038bcf983dc40eb7102
Reviewed-on: https://chromium-review.googlesource.com/1014023
Commit-Queue: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Josh Karlin <jkarlin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551205}
(cherry picked from commit 9ab771022535b499e4d7a7f12fa6c60a294f7de4)
Reviewed-on: https://chromium-review.googlesource.com/1028430
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#765}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/c352625fe9db8660710e9cce16a6d92c5e09a5b5/net/disk_cache/backend_unittest.cc
[modify] https://crrev.com/c352625fe9db8660710e9cce16a6d92c5e09a5b5/net/disk_cache/memory/mem_backend_impl.cc

Labels: -reward-topanel reward-unpaid reward-10500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Very nicely done, nedwilliamson@! The Chrome VRP panel decided to award $10,500 for this report and patch :-) 
Labels: Release-1-M66
Wow! Thanks so much again for the generous reward!
Labels: CVE-2018-6118 CVE_description-missing
Labels: -reward-unpaid reward-inprocess
Labels: -ReleaseBlock-Beta

Comment 34 by sheriffbot@chromium.org, Jul 26

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
