Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000

From the ‘Linux Kernel Exploit’ files:

Earlier this month, Google Chrome running Chrome OS (Linux!) was hailed as being a survivor in the Pwnium/Pwn2own event that hacked IE, Firefox and Chrome browsers on Windows. Apple’s Safari running on Mac OS X was not hacked and neither (apparently) was Chrome on Chrome OS.

Google disclosed this morning that Chrome on Chrome OS had in fact been exploited – albeit, unreliably. The same researcher that took Google’s money last year for exploiting Chrome, known publicly only as ‘PinkiePie’ was awarded $40,000 for exploiting Chrome/Chrome OS via a Linux kernel bug, config file error and a video parsing flaw.

Google has already fixed the flaws in ChromeOS 25.0.1364.173, BUT seeing as this is a Linux kernel flaw, i’m very curious if this affect any/all other Linux distros.

As is typical for Google, they offer very little in the way of full-disclosure or detail on the flaw fixed. All that Google publicly has posted now is:

• [181083] High CVE-2013-0915: Overflow in the GPU process. Credit to Pinkie Pie.
• [chromium-os:39733] High CVE-2013-0913: Time-of-Check/Time-of-Use and counting overflows in i915 driver. Credit to Pinkie Pie.

Neither of those issues is specifically identified as a ‘Linux kernel’ issue. Google has also not publicly opened up those CVE’s so it’s not possible to see the exact bug (which possibly could be with the kernel). As Google is a responsible firm, I’d suspect/hope that the bug has been submitted upstream, though right now it’s not superclear to me where that is..

In any event, it’s a chained bug and not something that was a reliable exploit, but still…would/will be good to see it eliminated from the mainline Linux kernel sooner rather than later.

**UPDATE** A patch has been submitted by Google to the LKML for inclusion in the mainline kernel

“It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows,” Google developer Kees Cook wrote.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.