CVE-2024-9123 - Integer Overflow in Skia Lets Hackers Attack Google Chrome Before 129..6668.70

CVE-2024-9123 is a high-severity security hole affecting Google Chrome, caused by an integer overflow in Skia (the graphics engine). If you use Chrome versions older than 129..6668.70 and land on a malicious website, hackers could exploit this bug to run code and potentially take over your system by tricking Chrome into corrupting its own memory.

Let’s break it down:
- What is Skia? It’s the part of Chrome responsible for graphics: drawing images, text, and everything visual.
- What is integer overflow? It’s when a number gets too big for its space in the code, causing things to wrap around in unpredictable and insecure ways.
- Why should you care? Attackers can craft web pages to take advantage of this and attack your device.

How the Bug Works

This bug lives in the way Skia handles operations that need to multiply or add big numbers—like allocating space for images. If an attacker sends a specially-crafted HTML page, that page can trick Skia into thinking it has enough room to draw something, when it doesn’t. The result: Skia can write data way outside the bounds of what should be allowed. This creates a classic "out-of-bounds write" vulnerability, opening the door to serious attacks.

Imagine a code chunk like this (simplified for understanding)

size_t num_pixels = width * height;   // Imagine very big values from attacker
size_t buffer_size = num_pixels * sizeof(Pixel);  // Integer overflow risk!

Pixel* pixels = (Pixel*)malloc(buffer_size);
if (!pixels) return;
memcpy(pixels, data, buffer_size);    // Writes more than expected if buffer_size overflowed!

An attacker sends extreme values for width and height (say, both are 70,000). The multiplication overflows, making buffer_size smaller than needed. The code naively allocates too little space. When it copies the image, it writes far beyond the end—possibly overwriting other critical data.

Exploit Details

How can an attacker use this?
A criminal can upload a webpage using a <canvas> or other image-handling code with huge sizes or special crafted images. If you visit that page, it triggers the bug:

1. The malicious webpage feeds huge width and height to Skia through JavaScript/Canvas.

Out-of-bounds write happens when Skia draws or copies data.

4. If the overwritten memory holds something valuable (executable code pointers, security settings, etc.), the attacker could hijack Chrome’s process, break out of the browser sandbox, or execute arbitrary code on your computer.

A skilled attacker could create something like

<canvas id="evil" width="70000" height="70000"></canvas>
<script>
let canvas = document.getElementById("evil");
let ctx = canvas.getContext("2d");
// Try to trigger the bug by creating enormous images
let imgData = ctx.createImageData(70000, 70000);
// Fill image with some data
for(let i = ; i < 10; ++i) {
  imgData.data[i] = 255;
}
ctx.putImageData(imgData, , );
</script>

This JavaScript tries to push Chrome to hit the overflow condition in vulnerable Skia code.

*Note: This is a theoretical example! Working exploits usually require more tricks to bypass Chrome's built-in security.*

Google's official advisory:

https://chromereleases.googleblog.com/

Chromium Security Bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=3261811

Skia Graphics Engine:

https://skia.org/
- Mitre CVE Record for CVE-2024-9123

Final Thoughts

CVE-2024-9123 shows us that even smallest math mistake in code can lead to serious dangers. Bugs like these prove why browsers must patch quickly, and users need to keep up to date. If you’re a developer: always check for overflows in your math, especially anywhere you allocate memory. If you’re a user: update today!

Timeline

Published on: 09/25/2024 01:15:48 UTC
Last modified on: 09/26/2024 13:32:02 UTC