
Issue 23


Issue metadata

Status: Fixed
Closed: Feb 2009


Inner Sandbox Escape (call memory dereference)

Reported by, Dec 11 2008

Issue description

There's an inner sandbox breakout. Apologies for not listing the versions;
I'm on my way out the door. I tested this on Mac OS X using the latest and
greatest versions.

When checking calls, the disassembler fails to check for memory dereferences.

  andl $0xffffffe0, %edx
  call *(%edx)


  andl $0xffffffe0, %edx
  call %edx

Suggested fix:

static void ValidateIndirect5(const struct NCDecoderState *mstate) {

    if (jmpopcode[0] != 0xff) break;
    if ((modrm_reg(mrm) != 2) && (modrm_reg(mrm) != 4)) break;
+    if ((modrm_mod(mrm)) break;
    if (targetreg == kReg_ESP) break;
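Review bot: the added line `+    if ((modrm_mod(mrm)) break;` has unbalanced parentheses and its condition is inverted. In the x86 ModRM byte, mod == 3 means a register-direct operand and mod 0, 1 or 2 mean a memory operand, so breaking on any nonzero mod would reject the legitimate `call %edx` (mod 3) together with `call *(%edx)` (mod 0). Suggest `if (modrm_mod(mrm) != 3) break;` so that only register-direct targets reach the `targetreg == kReg_ESP` check on the following line.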

I've attached the nexe demonstrating this. hownow() code gets executed @
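As an added illustration (my own model of the check the report describes, not Native Client's validator code): a small C checker for the 5-byte masked indirect call/jmp sequence, with a flag that toggles the missing ModRM mod check. `validate_indirect5`, `check_mod` and the sample byte sequences are constructed for this example; the accessor names mirror those in the suggested fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* x86 ModRM byte layout: mod in bits 7:6, reg in bits 5:3, rm in bits 2:0. */
static int modrm_mod(uint8_t m) { return (m >> 6) & 3; }
static int modrm_reg(uint8_t m) { return (m >> 3) & 7; }
static int modrm_rm(uint8_t m)  { return m & 7; }

enum { kReg_ESP = 4 };  /* register number of %esp in the reg/rm fields */

/* Validate the masked indirect transfer
 *     83 /4 e0    andl $0xffffffe0, %reg   (0x83 = group-1 imm8, /4 = AND)
 *     ff /2|/4    call %reg / jmp %reg     (0xff = group-5, /2 = CALL, /4 = JMP)
 * and return true if the sequence is accepted.
 * check_mod == false reproduces the reported bug: the mod field of the call/jmp
 * ModRM is never examined, so the memory form `call *(%edx)` (mod 0) passes.
 * check_mod == true applies the fix: only register-direct (mod == 3) passes. */
bool validate_indirect5(const uint8_t *code, size_t len, bool check_mod) {
    if (len < 5) return false;
    uint8_t and_mrm = code[1], jmp_mrm = code[4];

    /* The mask: andl with a register-direct operand and imm8 0xe0 (-32). */
    if (code[0] != 0x83 || modrm_reg(and_mrm) != 4 || modrm_mod(and_mrm) != 3)
        return false;
    if (code[2] != 0xe0) return false;
    int targetreg = modrm_rm(and_mrm);

    /* The transfer: ff /2 (call) or ff /4 (jmp). */
    if (code[3] != 0xff) return false;
    if (modrm_reg(jmp_mrm) != 2 && modrm_reg(jmp_mrm) != 4) return false;
    /* The fix: reject memory operands (mod 0, 1, 2); keep register-direct (3). */
    if (check_mod && modrm_mod(jmp_mrm) != 3) return false;
    /* The transfer must use the register that was just masked, and not %esp. */
    if (modrm_rm(jmp_mrm) != targetreg) return false;
    if (targetreg == kReg_ESP) return false;
    return true;
}

/* Constructed sample sequences (not taken from the attached nexe). */
static const uint8_t kCallReg[5] = {0x83, 0xe2, 0xe0, 0xff, 0xd2}; /* andl ..,%edx; call %edx    */
static const uint8_t kCallMem[5] = {0x83, 0xe2, 0xe0, 0xff, 0x12}; /* andl ..,%edx; call *(%edx) */
static const uint8_t kJmpReg[5]  = {0x83, 0xe2, 0xe0, 0xff, 0xe2}; /* andl ..,%edx; jmp %edx     */
static const uint8_t kCallEsp[5] = {0x83, 0xe4, 0xe0, 0xff, 0xd4}; /* andl ..,%esp; call %esp    */
```

With `check_mod` false, `kCallMem` is accepted even though the masked value is only an address whose contents are the real target; with it true, only the register-direct forms pass.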
Labels: -Priority-Medium Priority-Critical
Status: Started
Congratulations! This is the first exploitable defect found by somebody outside of
Google! I'd like to send a congratulatory email to the native-client-announce list.
How may I identify you in the announcement?

Status: Fixed

Comment 3 by, Jan 29 2010

Labels: -Priority-Critical Pri-0
