Monorail Project: nativeclient
Issue 23: Inner Sandbox Escape (call memory dereference)
Starred by 6 users. Reported by, Dec 11 2008
Status: Fixed
Closed: Feb 2009

There's an inner sandbox breakout. Apologies for not listing the versions;
I'm on my way out the door. I tested this on Mac OS X using the latest and
greatest versions.

When checking calls, the disassembler fails to check for memory dereferences.

  andl $0xffffffe0, %edx      # mask the target register
  call *(%edx)                # memory-indirect: branches to whatever %edx points to, yet passes validation

  andl $0xffffffe0, %edx      # mask the target register
  call *%edx                  # register-indirect: the form the validator is meant to accept

Suggested fix:

static void ValidateIndirect5(const struct NCDecoderState *mstate) {

    if (jmpopcode[0] != 0xff) break;
    if ((modrm_reg(mrm) != 2) && (modrm_reg(mrm) != 4)) break;
+    if ((modrm_mod(mrm)) break;
    if (targetreg == kReg_ESP) break;
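Review bot: the added line `if ((modrm_mod(mrm)) break;` has unbalanced parentheses and tests the wrong value. In ModRM, mod == 3 is the register-direct form (`call *%edx`, bytes ff d2) and mod 0..2 are the memory forms (`call *(%edx)`, bytes ff 12); as written, the check rejects the register form (mod 3 is nonzero) and still accepts the mod 0 memory form. It should read `if (modrm_mod(mrm) != 3) break;` and sit before the `targetreg` comparison, since the rm field only names a register when mod == 3.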

I've attached the nexe demonstrating this. hownow() code gets executed @
Attachment: nexe, 474 KB
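To make the gap concrete, here is an added example (my own illustration, not code from the Native Client validator or from the reporter) that models the 32-bit indirect-branch check in C with the ModRM.mod test switchable, and runs it over the two byte sequences from the report plus a jmp and an %esp variant. ValidateIndirectBranch, the Verdict enum and the sample byte arrays are assumptions made for this illustration; only the imm8 encoding of the mask (83 /4 ib) is modelled.

```c
/* Added example; not code from the Native Client project.  A minimal model
 * of the validator's indirect-branch check for the 32-bit pseudo-instruction
 *     andl $0xffffffe0, %reg ; call/jmp *%reg
 * with the ModRM.mod check switchable, run against the byte sequences of
 * the two snippets in the report.  ValidateIndirectBranch and the Verdict
 * names are invented for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODRM_MOD(b) (((b) >> 6) & 3)   /* 3 = register operand, 0..2 = memory */
#define MODRM_REG(b) (((b) >> 3) & 7)   /* opcode extension for group 5 (0xff) */
#define MODRM_RM(b)  ((b) & 7)

enum Verdict {
    ACCEPT,
    REJECT_TOO_SHORT,
    REJECT_NO_MASK,         /* not preceded by andl $0xffffffe0, %reg        */
    REJECT_NOT_INDIRECT,    /* second insn is not ff /2 (call) or ff /4 (jmp) */
    REJECT_MEMORY_OPERAND,  /* call/jmp *(mem): the case the report describes */
    REJECT_REG_MISMATCH,    /* masked register differs from branch register   */
    REJECT_ESP              /* %esp may not be used as the target             */
};

static const char *const kVerdictName[] = {
    "ACCEPT", "REJECT_TOO_SHORT", "REJECT_NO_MASK", "REJECT_NOT_INDIRECT",
    "REJECT_MEMORY_OPERAND", "REJECT_REG_MISMATCH", "REJECT_ESP"
};

/* Validate the 5-byte sequence at code[0..4].  Only the imm8 encoding of the
 * mask (83 /4 ib, ib = 0xe0, sign-extended to 0xffffffe0) is modelled.
 * check_mod == 0 reproduces the original omission; 1 is the corrected check. */
enum Verdict ValidateIndirectBranch(const uint8_t *code, size_t len, int check_mod) {
    if (len < 5) return REJECT_TOO_SHORT;

    uint8_t and_mrm = code[1];
    if (code[0] != 0x83 || MODRM_REG(and_mrm) != 4 ||
        MODRM_MOD(and_mrm) != 3 || code[2] != 0xe0)
        return REJECT_NO_MASK;
    int masked_reg = MODRM_RM(and_mrm);

    uint8_t op = code[3], mrm = code[4];
    if (op != 0xff) return REJECT_NOT_INDIRECT;
    if (MODRM_REG(mrm) != 2 && MODRM_REG(mrm) != 4) return REJECT_NOT_INDIRECT;

    /* The check the report says is missing: with mod != 3 the operand is a
     * memory location, so the CPU branches to whatever is stored there and
     * the andl above constrains nothing. */
    if (check_mod && MODRM_MOD(mrm) != 3) return REJECT_MEMORY_OPERAND;

    /* rm names a register only when mod == 3; with the check above skipped,
     * the rm bits of a memory operand are compared as if it did (the bypass). */
    if (MODRM_RM(mrm) != masked_reg) return REJECT_REG_MISMATCH;
    if (masked_reg == 4) return REJECT_ESP;
    return ACCEPT;
}

/* Constructed encodings of the report's snippets, plus a jmp and an %esp variant. */
static const uint8_t kRegCall[5] = {0x83, 0xe2, 0xe0, 0xff, 0xd2}; /* andl ..,%edx ; call *%edx   */
static const uint8_t kMemCall[5] = {0x83, 0xe2, 0xe0, 0xff, 0x12}; /* andl ..,%edx ; call *(%edx) */
static const uint8_t kMemJmp[5]  = {0x83, 0xe2, 0xe0, 0xff, 0x22}; /* andl ..,%edx ; jmp *(%edx)  */
static const uint8_t kEspCall[5] = {0x83, 0xe4, 0xe0, 0xff, 0xd4}; /* andl ..,%esp ; call *%esp   */

int main(void) {
    const uint8_t *cases[] = {kRegCall, kMemCall, kMemJmp, kEspCall};
    const char *names[] = {"call *%edx", "call *(%edx)", "jmp *(%edx)", "call *%esp"};
    for (size_t i = 0; i < 4; i++)
        printf("%-14s original: %-22s fixed: %s\n", names[i],
               kVerdictName[ValidateIndirectBranch(cases[i], 5, 0)],
               kVerdictName[ValidateIndirectBranch(cases[i], 5, 1)]);
    return 0;
}
```

Run as is, the original variant accepts both `call *(%edx)` and `jmp *(%edx)` because the rm bits of the memory operand happen to equal the masked register number, which is exactly the comparison the real validator was relying on; the fixed variant rejects them before that comparison is reached.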
Labels: -Priority-Medium Priority-Critical
Status: Started
Congratulations! This is the first exploitable defect found by somebody outside of
Google! I'd like to send a congratulatory email to the native-client-announce list.
How may I identify you in the announcement?

Status: Fixed
Comment 3 by, Jan 29 2010
Labels: -Priority-Critical Pri-0