ChromeOS was unreliably exploited at Pwnium 2013
Google has revealed that ChromeOS didn't get through its Pwnium 2013 security competition completely unscathed. The company said that while there were no winning entries, it had reserved the right to, and had, awarded a partial prize of $40,000 to "Pinkie Pie" who had submitted a "plausible bug chain involving video parsing, a Linux kernel bug and a config file error". He also included an unreliable exploit which demonstrated one of the bugs. Google released an update to ChromeOS (25.0.1364.173) on Friday 15 March which "fixes most of the bugs".
Pinkie Pie's exploit involved two high severity flaws now labelled CVE-2013-0913 and CVE-2013-0915. CVE-2013-0913 was the Linux kernel bug, for which a patch was submitted on Monday 11 March to the Linux kernel developers; this fixes a counter wrapping that is used to allocate a buffer in the drm/i915 driver.
There is less information about CVE-2013-0915, described only as an overflow in the GPU process. Pinkie Pie is no stranger to making use of GPUs in his exploits. For example, in Pwnium 2012, when exploiting Chrome, he used Native Client in the Chrome browser to gain low level access to the GPU from where he launched his attack. He appears to have followed a similar strategy in his Pwnium 2013 entry but was unable to make it reliable enough to be a winning entry by the deadline.
Google thanked Pinkie Pie for revealing the bugs by the deadline so they could fix and harden ChromeOS. The company also revealed that in the Pwn2Own competition the exploit which took down Chrome used two bugs, one on Chrome which is now fixed and another in the Windows kernel. The Pwn2Own rules, revised since last year, mean the bug and exploit details should be handed over to Microsoft.