Status Update
No update yet.
Comments
cl...@appspot.gserviceaccount.com
ma...@google.com
Thank you for the detailed report and root cause analysis, nice work!
Setting Severity High/S1 for memory corruption potentially leading to a renderer compromise.
From what I can tell, the RubyLB feature was enabled, but only for Chromium developer builds and maybe some bots, in
tkent@, could you PTAL? Does this issue affect stable channel users at all?
tk...@chromium.org
Does this issue affect stable channel users at all?
Yes. RubyLB was enabled by default for M128. So a fix for this issue should be merged to M128, M129, and M130.
ap...@google.com
Branch: main
commit 56be91796b858a088f67add4e074b9b016f25757
Author: Kent Tamura <tkent@chromium.org>
Date: Thu Sep 19 03:15:18 2024
RubyLB: Fix a crash with a parent with a non-default text-align
Update the LineInfo::GetTextAlign() logic so that it align with
ApplyRubyAlign() behavior.
This CL also removes stale comments.
Bug: 367764861
Change-Id: Idfe0f3c2f77c7a33ff9317c2b0f36ffa397405d1
Reviewed-on:
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Auto-Submit: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1357460}
M third_party/blink/renderer/core/layout/inline/line_info.cc
A third_party/blink/web_tests/fast/ruby/ruby-align-in-text-align-crash.html
pe...@google.com
Setting milestone because of s0/s1 severity.
24...@project.gserviceaccount.com
If this is incorrect, please add the hotlistid:5433040 and re-open the issue.
pe...@google.com
Merge approved: your change passed merge requirements and is auto-approved for M130. Please go ahead and merge the CL to branch 6723 (refs/branch-heads/6723) manually. Please contact milestone owner if you have questions.
Merge instructions:
pe...@google.com
Merge review required: M129 is already shipping to stable.
Please answer the following questions so that we can safely process your merge request:
- Why does your merge fit within the merge criteria for these milestones?
- Chrome Browser:
https://chromiumdash.appspot.com/branches - Chrome OS:
https://goto.google.com/cros-release-branch-merge-guidelines
- What changes specifically would you like to merge? Please link to Gerrit.
- Have the changes been released and tested on canary?
- Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
- [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative?
https://goto.google.com/cros-engprodcomponents - If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.
Please contact the milestone owner if you have questions. Owners: govind (Android), govind (iOS), matthewjoseph (ChromeOS), srinivassista (Desktop)
pe...@google.com
Merge review required: M128 is already shipping to stable.
Please answer the following questions so that we can safely process your merge request:
- Why does your merge fit within the merge criteria for these milestones?
- Chrome Browser:
https://chromiumdash.appspot.com/branches - Chrome OS:
https://goto.google.com/cros-release-branch-merge-guidelines
- What changes specifically would you like to merge? Please link to Gerrit.
- Have the changes been released and tested on canary?
- Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
- [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative?
https://goto.google.com/cros-engprodcomponents - If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.
Please contact the milestone owner if you have questions. Owners: harrysouders (Android), harrysouders (iOS), obenedict (ChromeOS), pbommana (Desktop)
am...@chromium.org
merges approved for M129 and M128, please merge this fix (
Note: M129 Stable RC for weekly security respin is being cut today at 10am Pacific; if merges cannot be completed until that time, this fix can go into next week's Stable channel update
ap...@google.com
Branch: refs/branch-heads/6613
commit ef8ddcab1d8eda46254ac92614fa53699dda4ef3
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Sep 23 18:53:40 2024
RubyLB: Fix a crash with a parent with a non-default text-align
Update the LineInfo::GetTextAlign() logic so that it align with
ApplyRubyAlign() behavior.
This CL also removes stale comments.
(cherry picked from commit 56be91796b858a088f67add4e074b9b016f25757)
Bug: 367764861
Change-Id: Idfe0f3c2f77c7a33ff9317c2b0f36ffa397405d1
Reviewed-on:
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Auto-Submit: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1357460}
Reviewed-on:
Owners-Override: Prudhvikumar Bommana <pbommana@google.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Prudhvikumar Bommana <pbommana@google.com>
Commit-Queue: Prudhvikumar Bommana <pbommana@google.com>
Cr-Commit-Position: refs/branch-heads/6613@{#2032}
Cr-Branched-From: 03c1799e6f9c7239802827eab5e935b9e14fceae-refs/heads/main@{#1331488}
M third_party/blink/renderer/core/layout/inline/line_info.cc
A third_party/blink/web_tests/fast/ruby/ruby-align-in-text-align-crash.html
pe...@google.com
LTS Milestone M126
This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:
- Was this issue a regression for the milestone it was found in?
- Is this issue related to a change or feature merged after the latest LTS Milestone?
sr...@chromium.org
ap...@google.com
Branch: refs/branch-heads/6668
commit 9900d924764b82a094b6488c430c69a0867d8ae2
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Sep 23 23:09:37 2024
RubyLB: Fix a crash with a parent with a non-default text-align
Update the LineInfo::GetTextAlign() logic so that it align with
ApplyRubyAlign() behavior.
This CL also removes stale comments.
(cherry picked from commit 56be91796b858a088f67add4e074b9b016f25757)
Bug: 367764861
Change-Id: Idfe0f3c2f77c7a33ff9317c2b0f36ffa397405d1
Reviewed-on:
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Auto-Submit: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1357460}
Reviewed-on:
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Owners-Override: Srinivas Sista <srinivassista@chromium.org>
Cr-Commit-Position: refs/branch-heads/6668@{#1429}
Cr-Branched-From: 05bc664984ca075216b7f2198c88b9725bfa1b9b-refs/heads/main@{#1343869}
M third_party/blink/renderer/core/layout/inline/line_info.cc
A third_party/blink/web_tests/fast/ruby/ruby-align-in-text-align-crash.html
ap...@google.com
Branch: refs/branch-heads/6723
commit 66a556bd168d36beff7aa351722aa50996fdb2b4
Author: Kent Tamura <tkent@chromium.org>
Date: Tue Sep 24 00:01:38 2024
Merge "RubyLB: Fix a crash with a parent with a non-default text-align" to M130 branch
Update the LineInfo::GetTextAlign() logic so that it align with
ApplyRubyAlign() behavior.
This CL also removes stale comments.
(cherry picked from commit 56be91796b858a088f67add4e074b9b016f25757)
Bug: 367764861
Change-Id: Idfe0f3c2f77c7a33ff9317c2b0f36ffa397405d1
Reviewed-on:
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Auto-Submit: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1357460}
Reviewed-on:
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/6723@{#353}
Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
M third_party/blink/renderer/core/layout/inline/line_info.cc
A third_party/blink/web_tests/fast/ruby/ruby-align-in-text-align-crash.html
qk...@google.com
sp...@google.com
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $10000.00 for this report.
Rationale for this decision:
high quality report of demonstrated memory corruption in a sandboxed process / the renderer
Important: If you aren't already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon.
If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from.
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
am...@chromium.org
Congratulations Tashita team! Thank you for your efforts and reporting this issue to us!
ta...@gmail.com
Thanks for the quick response and for considering our report as high quality! We really appreciate it!
pe...@google.com
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
Security Bug
Important: Please do not change the component of this bug manually.
Please READ THIS FAQ before filing a bug:https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md
Please see the following link for instructions on filing security bugs:https://www.chromium.org/Home/chromium-security/reporting-security-bugs
Reports may be eligible for reward payments under the Chrome VRP:https://g.co/chrome/vrp
NOTE: Security bugs are normally made public once a fix has been widely deployed.
VULNERABILITY DETAILS
string_view.h Security DCHECK failed: length <= impl.length() - offsetInitial Considerations
The
Security DCHECKwas recently introduced on Chrome 129.0.6668.42, but the root cause is anInteger Overflowintroduced on Chrome 127.0.6533.57 (see Bisect part).Stack Trace
Reproduction Steps
./chrome URL_TO/security_dcheck_reduced.html.SECURITY_DCHECKmentioned on the Stack Trace.Root Cause
SECURITY_DCHECK
The evaluation of the
SECURITY_DCHECKis:SECURITY_DCHECK(length <= impl.length() - offset). The values at the invalid check when using thesecurity_dcheck_reduced.htmltestcase are:At that moment,
lengthhas suffered anInteger Overflow.The Integer Overflow
The variable
end_offset(A) is assigned a value of 0, whileline_text_start_offset(B) is set to 1. Both variables,end_offset(A) andline_text_start_offset(B), are passed as arguments to theBuildJustificationText(C) function.The variables
end_offsetandline_text_start_offsetare subtracted (D), resulting in a value of -1. As both areunsigned, the resulting value of0xffffffffis passed to theStringViewconstructor (E).The parameter
lengthofStringViewis set to0xffffffff.StringView::Setreceives it (G), triggering theSECURITY_DCHECK(H)Integer Overflow: Root Cause
The
LineInfobeing computed is not updated before executing "Justification" operations, leading to a mismatch between the actions performed and theLineInfoinvolved.This can be observed following the
text_align_member of theLineInfobeing computed on the "Justification" operations. It contains the value ofETextAlign::kWebkitCenterbut it should beETextAlign::kJustify.This is proved on
EndOffsetForJustifymethod atline_info.hfile, as theDCHECK_EQ(I) is hit by the testcase:FATAL:line_info.h(211)] Check failed: text_align_ == ETextAlign::kJustify (-webkit-center vs. justify).This mismatch begins at
ApplyRubyAlignfunction ofruby_utils.ccfile:First,
text_align(J) starts with the valueETextAlign::kWebkitCenter. Second,text_align(K) value is modified, set asETextAlign::kJustify. Third,if conditionis taken to peformJustificationoperations (L). Fourth, a non-updatedline_infois passed as argument (M), which mismatches with theJustificationoperations to be performed.Resulting on the
Integer Overflowdescribed before.The Patch
Proposal patch is attached as:
line_info_int_overflow_proposal.patchBefore jumping into "Justification" operations (via
ApplyJustificationfunction),line_infoshould be updated by settingis_ruby_base_and updating the "Text Align" to set a value toend_offset_for_justify_. This can be performed by adding the calls to the methods:SetIsRubyBase(N) andUpdateTextAlign(O).Bisect: Introduced Commit
SECURITY_DCHECKintroduced at (Branch Base Position: 1340005)Integer Overflowintroduced on theRubyLB Featureat: (Branch Base Position: 1309784)--enable-features=RubyLineBreakable,CssRubyAlign,RubyLineEdgeAlignment,RubyShortHeuristicsRubyLB Featureenabled at (Branch Base Position: 1312396)Bisect: Introduced Major Chrome
Integer Overflow- Chrome Stable: 127.0.6533.57SECURITY_DCHECK- Chrome Stable: 129.0.6668.42VERSION
Chrome Version: [129.0.6668.42] + [stable] Operating System: [All]
REPRODUCTION CASE
Attached:
security_dcheck_reduced.htmlPATCH
Attached:
line_info_int_overflow_proposal.patchFOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [Browser]
CREDIT INFORMATION
Reporter credit: Tashita Software Security