Issue 254159: Security: Chrome shared memory file can be world readable and lacks security checks when opening existing mappings.
Project Member Reported by jln@chromium.org, Jun 25, 2013
Initially seen in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709413

It looks like SharedMemory::Create and the subsequently called functions don't do anything about the user's default umask. Files seem to be created with that umask.

Any temporary file should be only readable to the current user.
Jun 25, 2013
#1 jln@chromium.org
(No comment was entered for this change.)
Labels: M-29
Jul 1, 2013
#3 jln@chromium.org
Looks like Android is vulnerable as well and it could be worse on that OS. I need to take a look.
Labels: OS-Android
Jul 1, 2013
#4 jln@chromium.org
Adding Christian, the original reporter to the bug.
Cc: chr...@gmail.com
Jul 1, 2013
#5 scarybea...@gmail.com
It's a good catch. We recently started using POSIX SHM more heavily for some builds of Chrome (including Chrome OS and Android, plus the Aura build of Linux desktop). In particular, we started using POSIX SHM to transport rendered web pages from renderer to browser, so there is definitely sensitive content.

I suspect the bug has always been there, it just got more obvious recently.
Labels: reward-topanel
Jul 2, 2013
#6 jln@chromium.org
In addition to Christian's report on file permissions, I'm fixing the two following issues:

- When opening an existing file, make sure we're not tricked into opening a file planted by an attacker.
- When opening an existing shared memory file, check for an attacker tricking us into opening another file via a symlink.
Summary: Security: Chrome shared memory file can be world readable and lacks security checks when opening existing mappings. (was: Security: Chrome temporary file can be world readable)
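The three concerns raised so far (the original report's umask problem, plus the two checks listed in #6 for opening an existing mapping file) can be shown in a small POSIX example. This is an added illustration, not Chromium's `SharedMemory` code from `shared_memory_posix.cc`; the function names, the use of `/tmp` for the self-check and the exact set of `fstat` checks are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a new mapping backing file that only the current user can read or write,
 * regardless of the process umask.  O_EXCL refuses to reuse a pre-existing file
 * (a planted one included); fchmod() after creation overrides whatever the umask
 * stripped from the mode passed to open(). */
int shm_create_private(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Open an existing mapping file with sanity checks: refuse a symlink at the final
 * path component (O_NOFOLLOW), then verify on the opened descriptor that it is a
 * regular file, owned by us, with no group/other permission bits set. */
int shm_open_existing_checked(const char *path) {
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a fresh temporary directory (assumed writable /tmp).
 * Returns 1 when every expected behaviour holds, 0 otherwise. */
int shm_self_check(void) {
    char dir[] = "/tmp/shmcheck.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char path[256], lnk[256];
    snprintf(path, sizeof path, "%s/mapping", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int ok = 1;
    struct stat st;

    /* Worst-case umask: a naive open() would leave the file world-readable. */
    mode_t old = umask(0);
    int fd = shm_create_private(path);
    umask(old);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) ok = 0;
    if (fd >= 0) close(fd);

    /* Creating over an existing file must fail (O_EXCL). */
    if (shm_create_private(path) >= 0) ok = 0;

    /* The genuine file passes the open-existing checks. */
    fd = shm_open_existing_checked(path);
    if (fd < 0) ok = 0; else close(fd);

    /* A symlink pointing at the file is rejected (ELOOP from O_NOFOLLOW). */
    if (symlink(path, lnk) != 0) ok = 0;
    if (shm_open_existing_checked(lnk) >= 0) ok = 0;

    /* A file that became readable by others is rejected too. */
    if (chmod(path, 0644) != 0) ok = 0;
    if (shm_open_existing_checked(path) >= 0) ok = 0;

    unlink(lnk);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("shm checks %s\n", shm_self_check() ? "passed" : "FAILED");
    return 0;
}
```

The `fstat` is deliberately done on the descriptor already opened rather than via a separate `stat(path)` call, so the object being checked is the same one that will be mapped; a path-based check would leave a window between the check and the open.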
Jul 2, 2013
#7 bugdro...@chromium.org
------------------------------------------------------------------------
r209814 | jln@chromium.org | 2013-07-02T23:31:55.432358Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/memory/shared_memory_posix.cc?r1=209814&r2=209813&pathrev=209814
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/memory/shared_memory_unittest.cc?r1=209814&r2=209813&pathrev=209814

Posix: fix named SHM mappings permissions.

Make sure that named mappings in /dev/shm/ aren't created with
broad permissions.

BUG=254159
R=mark@chromium.org, markus@chromium.org

Review URL: https://codereview.chromium.org/17779002
------------------------------------------------------------------------
Jul 11, 2013
#8 jln@chromium.org
I would like to merge this security fix to M29, is the branch open?
Labels: Merge-Requested
Jul 12, 2013
#9 kerz@google.com
How safe is this?
Jul 12, 2013
#10 jln@chromium.org
It's Mac / Linux only. I'd say it's fairly safe to merge, but not "absolutely" safe.
Jul 12, 2013
#11 kerz@google.com
Please keep a close eye on it in beta and on trunk.
Labels: -Merge-Requested Merge-Approved
Jul 12, 2013
#12 bugdro...@chromium.org
------------------------------------------------------------------------
r211461 | jln@chromium.org | 2013-07-12T21:32:04.715122Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1547/src/base/memory/shared_memory_unittest.cc?r1=211461&r2=211460&pathrev=211461
   M http://src.chromium.org/viewvc/chrome/branches/1547/src/base/memory/shared_memory_posix.cc?r1=211461&r2=211460&pathrev=211461

Merge 209814 "Posix: fix named SHM mappings permissions."

> Posix: fix named SHM mappings permissions.
> 
> Make sure that named mappings in /dev/shm/ aren't created with
> broad permissions.
> 
> BUG=254159
> R=mark@chromium.org, markus@chromium.org
> 
> Review URL: https://codereview.chromium.org/17779002

TBR=jln@chromium.org

Review URL: https://codereview.chromium.org/19106006
------------------------------------------------------------------------
Labels: merge-merged-1547
Jul 18, 2013
#13 jln@chromium.org
(No comment was entered for this change.)
Status: Fixed
Jul 22, 2013
#14 benhenry@chromium.org
Is this merged to M-29? If so, please update the merge label to "Merge-Merged" before closing the bug.
Jul 22, 2013
#15 jln@chromium.org
The bot updated with merge-merged-1547. Is there a manual step to do? I don't remember ever doing something manually.
Jul 30, 2013
#16 scarybea...@gmail.com
- Merge-Approved -> Merge-Merged
- Added Release-0
- Restrict-View set to Notify
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged Release-0
Aug 16, 2013
#17 par...@chromium.org
(No comment was entered for this change.)
Labels: -reward-topanel reward-unpaid reward-500
Aug 19, 2013
#18 par...@chromium.org
Hey Christian,

The reward panel would like to send you $500 for this security bug :) Someone should get in contact within the next 2 weeks to get some payment info.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.
          *********************************
Labels: -reward-unpaid reward-inprocess
Nov 6, 2013
#19 patri...@chromium.org
(No comment was entered for this change.)
Labels: VerifyIn-32
Nov 6, 2013
#20 patri...@chromium.org
(No comment was entered for this change.)
Labels: -VerifyIn-32
Nov 18, 2013
#21 jschuh@chromium.org
Bulk release of old security bug reports.

Nov 18, 2013
#22 jschuh@chromium.org
Bulk release of old security bug reports.

Labels: -Restrict-View-SecurityNotify
Nov 19, 2013
#23 kr...@chromium.org
Old bugs that are for milestones that are way before the current stable.
Status: Verified
Feb 28, 2014
#24 timwil...@chromium.org
(No comment was entered for this change.)
Labels: -reward-inprocess