Key information
Title: PartialCircularBuffer is unsafe to use across security boundaries
Type: Vulnerability
Priority: P1
Severity: S1
Status: Fixed

Description:
When used cross-process with BufferData stored in shared memory, as in ChromeWebRtcLogMessageDelegate, WebRtcLoggingHandlerHost, and WebRtcLogUploader, the less privileged process influences reads and writes in the more privileged process, leading to memory corruption. For example, this can be accomplished by writing a bad value to BufferData->wrap_position from an unprivileged process before the privileged process enters PartialCircularBuffer::Write() where position_ will be equal to data_size... On the next Write() the privileged process will write to an invalid offset from the buffer, allowing a write to an arbitrary address. Similar conditions can be created within Read(), which would allow arbitrary memory to be read.

This mechanism seems over-engineered; I would be much happier if we simply passed log messages as strings across the IPC channel rather than setting up a shared memory region.

Comments:
Accepted by gr...@chromium.org.

Thanks for noticing this. This has slipped through the security review even though we had a discussion about the different approaches, and I even think this particular question was brought up at some point. The reason I didn't use IPC for each message was a concern (by Justin Schuh) that it would cause IPC churn. If this is not the case, then that would be perfectly fine. I put a sample log in https://docs.google.com/a/google.com/document/d/1qeRC11Gy_wqk8cFbheULLt8cbZnpODJGE8EBKVoso3I/edit?usp=sharing where you can see timestamps. (Oddly, there seems to be a bug with two parallel timestamp timelines, but you'll get the idea.)

What do you think about the alternative to write to files in the render process? We need a "partially circular" type of data storage, i.e. keep the x first bytes and the y last bytes. It could be one file for the x part and 3-4 files rotating for the y part.
We may switch to writing to files anyway (be it in the browser or the renderer) due to another feature request. Writing the files from the renderer shouldn't be an issue; you'll just have to pass in handles from the browser.
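The following is an added illustration of the pattern the report describes, not Chromium's PartialCircularBuffer or any code from this thread. It models a log buffer whose bookkeeping header (assumed field names: total_written, wrap_position, end_position) sits in memory shared with a less privileged process. NaiveWriteOffset shows the vulnerable pattern: the cursor and wrap position are re-read from shared memory on every call and used as an index without validation, so a tampered wrap_position yields an offset far outside the data area. SafeWrite shows the hardening a practitioner would apply if shared memory were kept: snapshot the header once (so it cannot change between check and use), validate every field against the size the privileged side itself allocated, and refuse the write on any inconsistency.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// Simplified model (added example; not Chromium's PartialCircularBuffer).
// This header lives in the shared region and is writable by the untrusted side.
struct BufferData {
  uint32_t total_written;  // bytes ever written (informational)
  uint32_t wrap_position;  // start of the ring part of the buffer
  uint32_t end_position;   // current write cursor into data[]
};

// The region as mapped by the privileged side: header followed by data_size
// bytes of log storage. data_size is trusted because the privileged side
// allocated the region; everything in *header is attacker-controlled.
struct MappedRegion {
  BufferData* header;
  uint8_t* data;
  size_t data_size;
};

// Vulnerable pattern: returns the offset a writer that trusts the shared
// header would memcpy to. With a tampered wrap_position this offset lies
// outside data[], so the real memcpy would corrupt the privileged process.
size_t NaiveWriteOffset(const MappedRegion& r) {
  size_t position = r.header->end_position;            // attacker-controlled
  if (position >= r.data_size) position = r.header->wrap_position;  // wrap
  return position;
}

// Hardened pattern: snapshot the header once, validate each field against the
// trusted size, and refuse to write if anything is inconsistent.
bool SafeWrite(MappedRegion& r, const uint8_t* msg, size_t len) {
  BufferData snapshot;
  std::memcpy(&snapshot, r.header, sizeof(snapshot));  // single fetch, no TOCTOU
  if (snapshot.wrap_position >= r.data_size) return false;
  if (snapshot.end_position > r.data_size) return false;
  if (len > r.data_size - snapshot.wrap_position) return false;  // must fit after wrap

  size_t position = snapshot.end_position;
  if (position >= r.data_size || len > r.data_size - position) {
    position = snapshot.wrap_position;  // wrap into the ring part
  }
  std::memcpy(r.data + position, msg, len);  // provably inside data[] now
  snapshot.end_position = static_cast<uint32_t>(position + len);
  snapshot.total_written += static_cast<uint32_t>(len);
  std::memcpy(r.header, &snapshot, sizeof(snapshot));  // publish validated state
  return true;
}

// Demo harness standing in for a mapped shared-memory segment.
struct DemoRegion {
  std::vector<uint8_t> backing;
  MappedRegion view;
  explicit DemoRegion(size_t data_size)
      : backing(sizeof(BufferData) + data_size, 0) {
    view.header = new (backing.data()) BufferData{};  // zeroed header
    view.data = backing.data() + sizeof(BufferData);
    view.data_size = data_size;
  }
};

int main() {
  const uint8_t msg[] = {'h', 'e', 'l', 'l', 'o'};

  DemoRegion good(64);
  std::printf("honest header: SafeWrite=%d naive offset=%zu\n",
              SafeWrite(good.view, msg, sizeof(msg)), NaiveWriteOffset(good.view));

  // Untrusted side fills the buffer and plants a huge wrap_position, the
  // condition the report describes (position_ == data_size on next Write()).
  DemoRegion bad(64);
  bad.view.header->end_position = 64;
  bad.view.header->wrap_position = 0xFFFF0000u;
  std::printf("tampered header: naive offset=%zu (data_size=%zu) SafeWrite=%d\n",
              NaiveWriteOffset(bad.view), bad.view.data_size,
              SafeWrite(bad.view, msg, sizeof(msg)));
  return 0;
}
```

The snapshot-then-validate step is the essential part: checking fields in place and then re-reading them from shared memory would still let the other process change them between the check and the memcpy.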