Starred by 6 users
Status: Fixed
Closed: Feb 2009

Inner Sandbox Escape (call memory dereference)
Reported by, Dec 11 2008
There's an inner sandbox breakout. Apologies for not listing the versions,
I'm on my way out the door. I tested this on Mac OS X using the latest and
greatest versions.

When checking calls, the disassembler fails to check for memory dereferences.

  andl $0xffffffe0, %edx
  call *(%edx)        # memory operand: the masked value is an address, not the branch target

  andl $0xffffffe0, %edx
  call *%edx          # register-direct: the masked register itself is the branch target

Suggested fix:

static void ValidateIndirect5(const struct NCDecoderState *mstate) {

    if (jmpopcode[0] != 0xff) break;
    if ((modrm_reg(mrm) != 2) && (modrm_reg(mrm) != 4)) break;
+    if ((modrm_mod(mrm)) break;
    if (targetreg == kReg_ESP) break;
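Review bot: The added line `if ((modrm_mod(mrm)) break;` has unbalanced parentheses and, once that is repaired, tests the wrong condition: in a ModRM byte the mod field value 3 denotes a register-direct operand and the values 0, 1 and 2 denote memory operands, so the check that rejects dereferences is `if (modrm_mod(mrm) != 3) break;`. As written, `if (modrm_mod(mrm)) break;` would let the mod == 0 encoding of `call *(%edx)` (FF 12) through while rejecting the register-direct `call *%edx` (FF D2) that the sandbox relies on. The check also belongs before the `targetreg == kReg_ESP` test, since for memory forms the rm field is a base register, not the branch target.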

I've attached the nexe demonstrating this. hownow() code gets executed @
Attachment: 474 KB
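The rule the report is about, written out as a small stand-alone decoder. This is an added example, not the reporter's attachment or Native Client's own validator code: the `MODRM_*` helpers, `classify_ff_branch`, `validate_indirect_sequence` and the byte sequences are all constructed here by hand from the AT&T mnemonics in the report. It shows why the ModRM mod field must be 3 for the masked register to be the actual branch target, and also covers the `jmp` form (FF /4) and the 81-encoded `andl`, which the report does not spell out.

```c
/* Added example, not Native Client's own code: a minimal decoder for the
 * x86-32 FF-group indirect branches (FF /2 = call, FF /4 = jmp) that makes
 * the ModRM check described in the report explicit.  The field helpers
 * (MODRM_*), the enum and the sequence validator are hypothetical names. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum branch_kind {
    NOT_INDIRECT_BRANCH = 0, /* opcode byte is not FF /2 or FF /4 */
    INDIRECT_REG,            /* call/jmp *%reg   : ModRM mod == 3 */
    INDIRECT_MEM             /* call/jmp *(mem)  : ModRM mod == 0, 1 or 2 */
};

#define MODRM_MOD(b) (((b) >> 6) & 3)
#define MODRM_REG(b) (((b) >> 3) & 7)
#define MODRM_RM(b)  ((b) & 7)
#define REG_ESP 4

/* Classify one FF-group instruction.  For register-direct forms *target
 * receives the rm field (the register holding the branch target); for
 * memory forms rm is only a base register or a SIB/disp32 marker, so the
 * masked register is not what the CPU will transfer control to. */
enum branch_kind classify_ff_branch(const uint8_t *code, size_t len, int *target)
{
    if (len < 2 || code[0] != 0xff)
        return NOT_INDIRECT_BRANCH;
    uint8_t mrm = code[1];
    int op = MODRM_REG(mrm);
    if (op != 2 && op != 4)           /* /2 = call, /4 = jmp */
        return NOT_INDIRECT_BRANCH;
    if (MODRM_MOD(mrm) != 3)          /* the missing check: reject *(mem) forms */
        return INDIRECT_MEM;
    if (target)
        *target = MODRM_RM(mrm);
    return INDIRECT_REG;
}

/* Returns 1 when `code` is exactly  andl $0xffffffe0,%reg  immediately
 * followed by a register-direct call/jmp through the same register
 * (and that register is not %esp); 0 for everything else. */
int validate_indirect_sequence(const uint8_t *code, size_t len)
{
    size_t and_len;
    if (len >= 3 && code[0] == 0x83 && MODRM_MOD(code[1]) == 3 &&
        MODRM_REG(code[1]) == 4 && code[2] == 0xe0) {
        and_len = 3;   /* 83 /4 ib: imm8 0xe0 sign-extends to 0xffffffe0 */
    } else if (len >= 6 && code[0] == 0x81 && MODRM_MOD(code[1]) == 3 &&
               MODRM_REG(code[1]) == 4 && code[2] == 0xe0 &&
               code[3] == 0xff && code[4] == 0xff && code[5] == 0xff) {
        and_len = 6;   /* 81 /4 id: imm32 0xffffffe0, little-endian E0 FF FF FF */
    } else {
        return 0;
    }
    int masked_reg = MODRM_RM(code[1]);
    int target = -1;
    enum branch_kind k = classify_ff_branch(code + and_len, len - and_len, &target);
    if (k != INDIRECT_REG)    return 0; /* mask applied to an address, not the target */
    if (target != masked_reg) return 0; /* mask and branch must name the same register */
    if (target == REG_ESP)    return 0;
    return len == and_len + 2;          /* nothing may sit between or after the pair */
}

/* Constructed byte sequences, assembled by hand from the AT&T mnemonics. */
static const uint8_t kAndCallReg[]   = {0x83, 0xe2, 0xe0, 0xff, 0xd2}; /* andl $0xffffffe0,%edx; call *%edx   */
static const uint8_t kAndCallMem[]   = {0x83, 0xe2, 0xe0, 0xff, 0x12}; /* andl $0xffffffe0,%edx; call *(%edx) */
static const uint8_t kAndJmpReg[]    = {0x81, 0xe2, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xe2}; /* 81-form andl; jmp *%edx */
static const uint8_t kAndCallOther[] = {0x83, 0xe2, 0xe0, 0xff, 0xd1}; /* masks %edx but calls *%ecx */
static const uint8_t kAndCallEsp[]   = {0x83, 0xe4, 0xe0, 0xff, 0xd4}; /* masks and calls through %esp */

int main(void)
{
    struct { const char *name; const uint8_t *code; size_t len; } cases[] = {
        {"andl/call *%edx",       kAndCallReg,   sizeof kAndCallReg},
        {"andl/call *(%edx)",     kAndCallMem,   sizeof kAndCallMem},
        {"andl/jmp *%edx",        kAndJmpReg,    sizeof kAndJmpReg},
        {"andl %edx/call *%ecx",  kAndCallOther, sizeof kAndCallOther},
        {"andl/call *%esp",       kAndCallEsp,   sizeof kAndCallEsp},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> %s\n", cases[i].name,
               validate_indirect_sequence(cases[i].code, cases[i].len) ? "accept" : "reject");
    return 0;
}
```

Only the two register-direct pairs are accepted; the `call *(%edx)` pair from the report is rejected because its ModRM byte (0x12) has mod 0, so the 0xffffffe0 mask has aligned an address in memory rather than the value the CPU will branch to.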
Labels: -Priority-Medium Priority-Critical
Status: Started
Congratulations! This is the first exploitable defect found by somebody outside of
Google! I'd like to send a congratulatory email to the native-client-announce list.
How may I identify you in the announcement?

Status: Fixed
Comment 3 by, Jan 29 2010
Labels: -Priority-Critical Pri-0