Issue 868619
Issue metadata

Status: Fixed
Owner:
Closed: Aug 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security




Security: Kernel Level Memory Leak as a result of GDI object creations

Reported by bryan.ka...@gmail.com, Jul 28

Issue description


VULNERABILITY DETAILS
Steps to reproduce:
   1. enable 'select where to save downloads' feature in chrome settings so each file download prompts user for destination directory to save new file.
   2. visit https://script.google.com/macros/s/AKfycbzGfimeGFEvigB66-uW5id2-JeDGmfoNcudh2n2GsVdZ7OxhXm5/exec

Expected result:
GDI resource leak causing crash of ; heap based buffer overflow vulnerability; kernel-level memory leak

Opening a URL containing octet/pdf data bypasses CORS restrictions, allowing <x>.pdf to be written to the victim's disk <N> times; no sanity check on the number of GDI object count in Chrome before calling "CreatePlatformCanvas" results in browser crash if user has enabled "select where to save downloads" feature in chrome settings.

Browser crashed with fatal error: "Failed to create DC in BeginPaint(). GLE = 1425, GDI object count: 10000, GDI peak count: 10001"


VERSION
Browser/OS(s):

Win32 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134

Win32 Mozilla Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/65.0.3325.181

MacIntel Mozilla Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML like Gecko) Chrome/65.0.3325.181

Win32 Mozilla Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/67.0.3396.99


REPRODUCTION CASE

active web-app: https://script.google.com/macros/s/AKfycbzGfimeGFEvigB66-uW5id2-JeDGmfoNcudh2n2GsVdZ7OxhXm5/exec

video: https://youtu.be/m9SD_7e-dQs

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser


Local Crash IDs: 
02d1dc60-fdf3-45d4-81ff-990ff8c1b7de
e2102c48-254c-4ff4-83a9-bdc6cd19aa1c




Attachment: issue_111617701.log (15.7 KB)
Cc: dtrainor@chromium.org
Components: UI>Browser>Downloads
Labels: Security_Severity-Low Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: qin...@chromium.org
Status: Assigned (was: Unconfirmed)
Tentatively setting low severity for consistency with issue 127522, but I'm a bit torn since it does require that the user accept a permission prompt to download multiple files.

The crash certainly isn't ideal, but we generally don't consider denial of service to be a vulnerability. More information on that at https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Are-denial-of-service-issues-considered-security-bugs

qinmin, dtrainor: Are either of you the right people to take a look at this? Feel free to close if you don't think there's much that can be done here, or pass it back to me for re-triage if necessary.


Comment 2 by sheriffbot@chromium.org (Project Member), Jul 31

Labels: Pri-2
Comment 3 by bugdroid1@chromium.org (Project Member), Aug 1

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b7fa845960fcf21001dbd3adf409e5c19046e4eb

commit b7fa845960fcf21001dbd3adf409e5c19046e4eb
Author: Min Qin <qinmin@chromium.org>
Date: Wed Aug 01 21:45:06 2018

Fix a DoS issue using download prompt dialog

This CL changes the behavior to show dialog one by one,
not showing all of them at once.
This CL also fixes an issue that DownloadFilePicker is not
deleted in some cases.

BUG= 868619 

Change-Id: I71958b8c8d1383d95996d00c58c84c5523e08bd1
Reviewed-on: https://chromium-review.googlesource.com/1157141
Commit-Queue: Min Qin <qinmin@chromium.org>
Reviewed-by: Xing Liu <xingliu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579955}
[modify] https://crrev.com/b7fa845960fcf21001dbd3adf409e5c19046e4eb/chrome/browser/download/chrome_download_manager_delegate.cc
[modify] https://crrev.com/b7fa845960fcf21001dbd3adf409e5c19046e4eb/chrome/browser/download/chrome_download_manager_delegate.h
[modify] https://crrev.com/b7fa845960fcf21001dbd3adf409e5c19046e4eb/chrome/browser/download/download_file_picker.cc
[modify] https://crrev.com/b7fa845960fcf21001dbd3adf409e5c19046e4eb/chrome/browser/download/download_test_file_activity_observer.cc

Status: Fixed (was: Assigned)
Changed the implementation to show only 1 file selection dialog at a time; this should solve the issue.
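The fix above bounds a per-process resource (GDI handles, whose exhaustion is what the "GDI object count: 10000" crash string reports) by serialising the dialogs instead of opening one per download. The simulation below is an added example written for this page, not Chromium's code: `HandleTable`, `kHandleLimit`, `kHandlesPerDialog`, `OpenAllAtOnce` and `SerialFilePicker` are all constructed names and figures, and the 50-handle cost per dialog is an assumption chosen to make the contrast visible. It compares the pre-fix "open every dialog at once" behaviour with the post-fix one-at-a-time queue when a burst of downloads arrives together.

```cpp
#include <algorithm>
#include <deque>
#include <functional>
#include <utility>
#include <vector>

// Process-wide handle budget standing in for the Windows per-process GDI
// object limit (the crash on this issue reports "GDI object count: 10000").
constexpr int kHandleLimit = 10000;
// Handles one open file-picker dialog is assumed to hold. Constructed figure
// for the simulation, not Chromium's real cost.
constexpr int kHandlesPerDialog = 50;

// Simulated handle table: Acquire() fails once the limit would be exceeded,
// which is the point at which a real process starts failing GDI calls.
class HandleTable {
 public:
  bool Acquire(int n) {
    if (in_use_ + n > kHandleLimit) {
      exhausted_ = true;
      return false;
    }
    in_use_ += n;
    peak_ = std::max(peak_, in_use_);
    return true;
  }
  void Release(int n) { in_use_ -= n; }
  int peak() const { return peak_; }
  bool exhausted() const { return exhausted_; }

 private:
  int in_use_ = 0;
  int peak_ = 0;
  bool exhausted_ = false;
};

using PickCallback = std::function<void(int download_id)>;

// Pre-fix behaviour: every download request opens its own dialog immediately.
// Returns how many dialogs could actually be opened before the table ran out.
int OpenAllAtOnce(HandleTable* table, int n_downloads, const PickCallback& cb) {
  std::vector<int> open;
  for (int id = 0; id < n_downloads; ++id) {
    if (!table->Acquire(kHandlesPerDialog)) break;  // handle table exhausted
    open.push_back(id);
  }
  for (int id : open) {  // whatever did open is eventually answered
    table->Release(kHandlesPerDialog);
    cb(id);
  }
  return static_cast<int>(open.size());
}

// Post-fix pattern: requests queue up and only one dialog is visible at a
// time, so handle usage is bounded by a single dialog regardless of burst size.
class SerialFilePicker {
 public:
  explicit SerialFilePicker(HandleTable* table) : table_(table) {}

  void Request(int download_id, PickCallback cb) {
    queue_.push_back({download_id, std::move(cb)});
    MaybeShowNext();
  }

  // Called when the user answers the visible dialog (always queue_.front()).
  void UserAnswered() {
    table_->Release(kHandlesPerDialog);
    dialog_open_ = false;
    auto done = std::move(queue_.front());
    queue_.pop_front();
    done.second(done.first);
    MaybeShowNext();
  }

  bool dialog_open() const { return dialog_open_; }

 private:
  void MaybeShowNext() {
    if (dialog_open_ || queue_.empty()) return;
    if (!table_->Acquire(kHandlesPerDialog)) return;  // cannot happen with one dialog
    dialog_open_ = true;
  }
  HandleTable* table_;
  std::deque<std::pair<int, PickCallback>> queue_;
  bool dialog_open_ = false;
};

struct Outcome {
  int peak_handles;
  bool exhausted;
  int completed;  // downloads whose picker callback ran
};

Outcome SimulateParallel(int n_downloads) {
  HandleTable table;
  int completed = 0;
  OpenAllAtOnce(&table, n_downloads, [&](int) { ++completed; });
  return {table.peak(), table.exhausted(), completed};
}

Outcome SimulateSerial(int n_downloads) {
  HandleTable table;
  SerialFilePicker picker(&table);
  int completed = 0;
  for (int id = 0; id < n_downloads; ++id)
    picker.Request(id, [&](int) { ++completed; });
  while (picker.dialog_open()) picker.UserAnswered();  // user answers each in turn
  return {table.peak(), table.exhausted(), completed};
}
```

With 300 simultaneous downloads the parallel version exhausts the simulated table after 200 dialogs and the remaining requests are lost, while the serialised version never holds more than one dialog's worth of handles and completes all 300. The general point is that any user-prompt driven by untrusted page activity needs a cap on concurrent instances, because each instance pins OS resources until the user responds.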
Comment 5 by sheriffbot@chromium.org (Project Member), Aug 2

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-0
Thanks for the report! I'm afraid, however, that the VRP declined to reward for this bug.
Do the changes get merged into the stable version of Chrome though?

Will this report go on the list of security fixes in the next release as "n/a", while still mentioning what was fixed?
For CVE-2012-2848, you guys decided to reward a low impact security bug with the following comment:

"The panel decided to award $500 for this bug. The bug itself has little security value, but the fix is a good hardening measure. Thanks!"

https://bugs.chromium.org/p/chromium/issues/detail?id=127525

I know that was in the early stages of the rewards program, but is there any possibility for this report to also be reconsidered based on "the fix being a good hardening measure"?




Comment 10 by sheriffbot@chromium.org (Project Member), Nov 8

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
