From 38b701b44f54ff5e5b8b772d5cabe0e59569d032 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Thu, 6 Sep 2018 12:40:36 +0200
Subject: [Backport] CVE-2018-16068
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[mojo-core] Validate data pipe endpoint metadata

Ensures that we don't blindly trust specified buffer size and offset metadata when deserializing data pipe consumer and producer handles.

TBR=rockot@chromium.org

(cherry picked from commit 66e24a8793615bd9d5c238b1745b093090e1f72d)

Bug: 877182
Change-Id: I10572a0627c282825593956b04ef235adb4add43
Reviewed-on: https://chromium-review.googlesource.com/1192922
Reviewed-on: https://chromium-review.googlesource.com/1196554
Reviewed-by: Michael BrĂ¼ning
---
 chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc | 8 +++++++-
 chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
index e1ecc853c25..03c1c2fcdf4 100644
--- a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
+++ b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
@@ -370,7 +370,9 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast(data);
 if (!state->options.capacity_num_bytes ||
 !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->read_offset >= state->options.capacity_num_bytes ||
+ state->bytes_available > state->options.capacity_num_bytes) {
 return nullptr;
 }
 
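Review bot: The new bounds in the condition keep `read_offset` below and `bytes_available` at or below `capacity_num_bytes`, but neither value is checked for element alignment (`% element_num_bytes`), so a serialized state with a misaligned offset or length still passes; whether that matters depends on the read path outside this hunk, which is not visible here. The reason for the bounds is also undocumented — a one-line comment such as `// Offsets and lengths index the shared ring buffer and arrive from the peer; bound them before they are copied into the dispatcher.` above the `if` would tell the next reader why these fields are validated. The `static_cast(data)` on the first context line relies on a size check of `data` made earlier in Deserialize, which starts outside this hunk and cannot be confirmed from it. The producer hunk at `@@ -333,7 +333,9 @@` applies the identical change with `write_offset`/`available_capacity` and would take the same comment.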
@@ -404,6 +406,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_->GetLength()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }
 
diff --git a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
index de0b768b63b..add4c004423 100644
--- a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
+++ b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -333,7 +333,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast(data);
 if (!state->options.capacity_num_bytes ||
 !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->write_offset >= state->options.capacity_num_bytes ||
+ state->available_capacity > state->options.capacity_num_bytes) {
 return nullptr;
 }
 
@@ -366,6 +368,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_->GetLength()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }
 
-- 
cgit v1.2.3
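Review bot: The added check compares `capacity_num_bytes` with `ring_buffer_mapping_->GetLength()` only after `InitializeNoLock()` has mapped the buffer, so a rejected state has already created a mapping that is then torn down on the `return nullptr;`; that is correct only if `dispatcher` is held by an owning smart pointer, which this hunk does not show and is worth confirming. Using `>` accepts a mapping larger than the declared capacity; if the buffer is always created with exactly `capacity_num_bytes`, `!=` would be the tighter check, whereas if mapping lengths can be page-rounded `>` is the right choice, and a comment should say which. I would add `// |capacity_num_bytes| is peer-supplied; it must not exceed the bytes actually mapped, or ring-buffer indexing would run past the mapping.` above the new `if`. The producer hunk at `@@ -366,6 +368,10 @@` has the same check and the same open questions.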