Chrome receives OOB byte and freezes completely

Apr 9, 2015 09:52 GMT
Bug causes Chrome to lock up and Node.js to refuse processing other connections

A flaw in Darwin, Apple’s kernel for iOS and OS X operating systems, allows a remote attacker to trigger a denial-of-service (DoS) condition on different apps and network services, including Google Chrome and Node.js.

Developer Kenton Varda discovered the vulnerability while doing research on the interfaces used by operating systems for handling event-driven I/O operations.

Same event raised for both regular and OOB data

One of the network events an operating system reports is the arrival of “out-of-band data,” OOB for short, a TCP mechanism for delivering urgent messages ahead of the regular data stream.

The feature is rarely used nowadays, Varda says, but across event notification APIs in general, regular and OOB data raise different kinds of events.

In the case of the “kqueue” event notification interface used by Apple’s Darwin, the documentation does not make clear how OOB data is handled.

The developer found that the availability of regular data triggers an EVFILT_READ event, and so does the arrival of OOB data; the only way to tell the two apart is that, for OOB data, an EV_OOBAND flag is set on the event structure.

Missing the flag sends apps into an infinite service disruption loop

However, an application that expects only regular data does not check for that flag. On receiving the EVFILT_READ notification it tries to read regular data, finds none, and returns to the event loop.

“But if you are using kqueue() in level-triggered mode (as most people do, because it’s easier), then the operating system is going to see that the OOB data is still there, and is going to give you the exact same event again,” which sets off an infinite loop, Varda said in a blog post on Wednesday.
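As an added example (not code from the article or from Varda's post), the following C program builds a loopback TCP connection, sends one urgent byte, and shows the two ways a server-side event loop avoids being handed the same event again: draining the byte with MSG_OOB when the kernel flags urgent data, or enabling SO_OOBINLINE so an ordinary read consumes it. It uses poll() so it runs on Linux as well as Darwin; the kqueue equivalent of POLLPRI is the EV_OOBAND flag on the EVFILT_READ event.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connected loopback TCP pair (a constructed fixture); returns 0 on success. */
static int loopback_pair(int *srv, int *cli) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (l < 0 || bind(l, (struct sockaddr *)&a, sizeof a) < 0 || listen(l, 1) < 0 ||
        getsockname(l, (struct sockaddr *)&a, &alen) < 0) return -1;
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    *srv = accept(l, NULL, NULL);
    close(l);
    return *srv < 0 ? -1 : 0;
}

/* One urgent byte is sent to the server side, which then handles it the way a
 * loop that must not spin has to: drain it with MSG_OOB when the kernel flags
 * urgent data (EV_OOBAND on an EVFILT_READ event under kqueue, POLLPRI under
 * poll), or have it delivered inline via SO_OOBINLINE so an ordinary read
 * consumes it.  Returns 2 if the byte was drained with MSG_OOB, 1 if an
 * ordinary recv() returned it, -1 on error; the byte itself is stored in *out. */
int urgent_byte_via(int inline_mode, char *out) {
    int srv, cli, one = 1, rc = -1;
    struct pollfd p;
    if (loopback_pair(&srv, &cli) < 0) return -1;
    if (inline_mode && setsockopt(srv, SOL_SOCKET, SO_OOBINLINE, &one, sizeof one) < 0) goto done;
    if (send(cli, "U", 1, MSG_OOB) != 1) goto done;   /* the client's urgent byte */
    p.fd = srv; p.events = POLLIN | POLLPRI; p.revents = 0;
    if (poll(&p, 1, 2000) <= 0) goto done;
    if (!inline_mode && (p.revents & POLLPRI)) {
        /* Without draining here, an ordinary read finds no regular data and a
         * level-triggered loop is handed the same readiness event again. */
        if (recv(srv, out, 1, MSG_OOB) == 1) rc = 2;
    } else if (recv(srv, out, 1, MSG_DONTWAIT) == 1) {
        rc = 1;   /* inline delivery: the urgent byte is just part of the stream */
    }
done:
    close(srv); close(cli);
    return rc;
}
```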

To verify this behavior, the developer used Google Chrome to visit a web server that sent an OOB byte.

Because Chrome’s networking is handled by a single process rather than being separated per tab, the entire browser became non-operational and had to be force-quit.

The same experiment was carried out with a Node.js server that received the urgent byte from a client. This time, the disruption manifested as the server failing to process any other connections.

Glitch receives patch in latest iOS and OS X updates

From a technical perspective, Varda says, the service interruption was not caused by a buggy kernel but by a confusing interface that allowed the same bug to appear, and be exploitable, in different apps.

The vulnerability has been assigned tracking number CVE-2015-1105 and it is currently patched in iOS 8.3 and OS X Yosemite v10.10.3; however, it is still present in earlier versions of the operating systems.