Starred by 1 user
Status: Fixed
Closed: Jan 2012
OS: Windows
Pri: 2
Type: Bug-Security
safe_browsing::SignatureUtil::CheckSignature() - crash
Reported by slaw...@gmail.com, Jan 9 2012
Crashes on Windows beta 17.0.963.26 (116225), dev and canary 18.0.1001.0 (116852). Doesn't crash on stable.
It looks like a null ptr only, but I filled in the security template because it's a browser crash.
To reproduce, open crash1.msi using the http:// scheme.

$ diff crash1.orig.msi.hexdump crash1.msi.hexdump
2269,2270c2269,2270
< 00009d80  74 73 2f 74 73 70 63 61  2e 63 72 74 30 13 06 03  |ts/tspca.crt0...|
< 00009d90  55 1d 25 04 0c 30 0a 06  08 2b 06 01 05 05 07 03  |U.%..0...+......|
---
> 00009d80  74 73 2f 74 73 70 63 61  2e 63 72 ff f9 5e 23 38  |ts/tspca.cr..^#8|
> 00009d90  33 75 ad 04 0c 30 0a 06  08 2b 06 01 05 05 07 03  |3u...0...+......|

(1ed0.1f84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06489678 ebx=00000000 ecx=00303b00 edx=00000000 esi=02fe3940 edi=00000000
eip=58013742 esp=02d7f948 ebp=02d7fa60 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
chrome_57bb0000!safe_browsing::SignatureUtil::CheckSignature+0x1bd:
58013742 395f0c          cmp     dword ptr [edi+0Ch],ebx ds:0023:0000000c=????????

ExceptionAddress: 58013742 (chrome_57bb0000!safe_browsing::SignatureUtil::CheckSignature+0x000001bd)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000000c
Attempt to read from address 0000000c

ChildEBP RetAddr  
02d7fa60 57f5b1f9 chrome_57bb0000!safe_browsing::SignatureUtil::CheckSignature(
			class FilePath * file_path = 0x02fe3848, 
			class safe_browsing::ClientDownloadRequest_SignatureInfo * signature_info = 0x02fe3940)+0x1bd
02d7fc84 57c572f9 chrome_57bb0000!safe_browsing::DownloadProtectionService::CheckClientDownloadRequest::ExtractFileFeatures(void)+0x2b
02d7fcb0 57c57390 chrome_57bb0000!MessageLoop::RunTask(
			struct base::PendingTask * pending_task = 0x02d7fcd0)+0x93
02d7fcc0 57c57720 chrome_57bb0000!MessageLoop::DeferOrRunPendingTask(
			struct base::PendingTask * pending_task = 0x00303b00)+0x26
02d7fd08 57c70201 chrome_57bb0000!MessageLoop::DoWork(void)+0x87
02d7fd3c 57c7000e chrome_57bb0000!base::MessagePumpForUI::DoRunLoop(void)+0x52
02d7fd58 57c6fecf chrome_57bb0000!base::MessagePumpWin::RunWithDispatcher(
			class base::MessagePump::Delegate * delegate = 0x06489678, 
			class base::MessagePumpWin::Dispatcher * dispatcher = 0x00000000)+0x38
02d7fd64 57c57209 chrome_57bb0000!base::MessagePumpWin::Run(
			class base::MessagePump::Delegate * delegate = 0x585e0387)+0xe
02d7fd70 57c5718e chrome_57bb0000!MessageLoop::RunInternal(void)+0x31
02d7fd78 57c57111 chrome_57bb0000!MessageLoop::RunHandler(void)+0x17
02d7fd98 585e0387 chrome_57bb0000!MessageLoop::Run(void)+0x15
02d7fd9c 585e0475 chrome_57bb0000!base::Thread::Run(
			class MessageLoop * message_loop = 0x57c5e5cc)+0x9
02d7fef8 57c5e5cc chrome_57bb0000!base::Thread::ThreadMain(void)+0x83
02d7ff04 774bed6c chrome_57bb0000!base::`anonymous namespace'::ThreadFunc(
			void * params = 0x77ad37f5)+0x16
02d7ff10 77ad37f5 kernel32!BaseThreadInitThunk+0xe
02d7ff50 77ad37c8 ntdll!__RtlUserThreadStart+0x70
02d7ff68 00000000 ntdll!_RtlUserThreadStart+0x1b

Attachments: crash1.msi (41.0 KB), crash1.orig.msi (41.0 KB)
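The exception record above shows a read from address 0x0000000c while edi=0 (cmp dword ptr [edi+0Ch],ebx), i.e. a field at offset 0xC of a null pointer reached inside CheckSignature() on the damaged certificate data; the fix commit describes it as a null deref when walking the cert chain. The following C program is an added illustration, not Chromium's code or the actual patch: it models a signer certificate chain with the same nesting as a CryptoAPI chain context (context, simple chains, elements, certificates) using hypothetical plain-C structs, and walks it with every pointer validated so that a chain with a missing element yields a result code instead of a fault. The chain data is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of a signer certificate chain.  The nesting mirrors a
 * CryptoAPI chain context (context -> simple chains -> elements -> certificate)
 * but uses plain C structs so the example compiles on any platform.  All type
 * and field names are hypothetical, not Chromium's or Windows'.
 */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_self_signed;           /* 1 for the root of the chain */
} ModelCert;

typedef struct {
    ModelCert *cert;              /* may be NULL if the signature blob was damaged */
    unsigned int error_status;    /* per-element trust error bits (0 = none) */
} ModelChainElement;

typedef struct {
    size_t element_count;
    ModelChainElement **elements; /* any entry may be NULL in malformed input */
} ModelSimpleChain;

typedef struct {
    size_t chain_count;
    ModelSimpleChain **chains;
} ModelChainContext;

enum WalkResult {
    WALK_OK = 0,        /* every element present, chain ends in a self-signed root */
    WALK_NULL_CONTEXT,  /* no chain context at all */
    WALK_EMPTY_CHAIN,   /* zero chains or zero elements */
    WALK_NULL_ELEMENT,  /* a NULL element or certificate pointer was encountered */
    WALK_NO_ROOT        /* chain did not terminate in a self-signed certificate */
};

/* Hardened walk: every pointer is checked before it is dereferenced, and
 * structurally broken input is reported as a result code instead of faulting.
 * certs_seen (optional) receives how many certificates were reached. */
enum WalkResult walk_chain_checked(const ModelChainContext *ctx, size_t *certs_seen)
{
    if (certs_seen) *certs_seen = 0;
    if (ctx == NULL || ctx->chains == NULL) return WALK_NULL_CONTEXT;
    if (ctx->chain_count == 0) return WALK_EMPTY_CHAIN;

    for (size_t c = 0; c < ctx->chain_count; c++) {
        const ModelSimpleChain *chain = ctx->chains[c];
        if (chain == NULL || chain->elements == NULL) return WALK_NULL_ELEMENT;
        if (chain->element_count == 0) return WALK_EMPTY_CHAIN;

        const ModelCert *last = NULL;
        for (size_t e = 0; e < chain->element_count; e++) {
            const ModelChainElement *el = chain->elements[e];
            /* Without this check, reading el->error_status or el->cert from a
             * NULL el is a read at a small offset from address 0, the same
             * class of fault as the report's read from 0x0000000c. */
            if (el == NULL || el->cert == NULL) return WALK_NULL_ELEMENT;
            if (certs_seen) (*certs_seen)++;
            last = el->cert;
        }
        if (!last->is_self_signed) return WALK_NO_ROOT;
    }
    return WALK_OK;
}

/* Convenience wrapper returning only the number of certificates reached. */
size_t certs_reached(const ModelChainContext *ctx)
{
    size_t n = 0;
    walk_chain_checked(ctx, &n);
    return n;
}

/* Constructed sample input: a three-certificate chain, then the same chain
 * with its middle element replaced by NULL, as a damaged signature might
 * produce after parsing. */
static ModelCert g_leaf  = { "CN=Example Signer", "CN=Example Intermediate", 0 };
static ModelCert g_inter = { "CN=Example Intermediate", "CN=Example Root", 0 };
static ModelCert g_root  = { "CN=Example Root", "CN=Example Root", 1 };

static ModelChainElement g_el_leaf  = { &g_leaf, 0 };
static ModelChainElement g_el_inter = { &g_inter, 0 };
static ModelChainElement g_el_root  = { &g_root, 0 };

static ModelChainElement *g_good_elements[] = { &g_el_leaf, &g_el_inter, &g_el_root };
static ModelChainElement *g_bad_elements[]  = { &g_el_leaf, NULL, &g_el_root };

static ModelSimpleChain g_good_chain = { 3, g_good_elements };
static ModelSimpleChain g_bad_chain  = { 3, g_bad_elements };

static ModelSimpleChain *g_good_chains[] = { &g_good_chain };
static ModelSimpleChain *g_bad_chains[]  = { &g_bad_chain };

ModelChainContext g_good_ctx = { 1, g_good_chains };
ModelChainContext g_bad_ctx  = { 1, g_bad_chains };

int main(void)
{
    printf("well-formed chain: result=%d certs=%zu\n",
           walk_chain_checked(&g_good_ctx, NULL), certs_reached(&g_good_ctx));
    printf("damaged chain:     result=%d certs=%zu\n",
           walk_chain_checked(&g_bad_ctx, NULL), certs_reached(&g_bad_ctx));
    return 0;
}
```

The design point is that a signature checker handling untrusted downloads must treat the parsed chain as hostile input: a missing element is a verification failure to report, not an invariant the code may assume.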
Comment 1 by cdn@chromium.org, Jan 9 2012
Labels: -Pri-0 -Area-Undefined Pri-2 Area-Internals Mstone-16 SecSeverity-Low OS-Windows Feature-Safebrowsing
Owner: cdn@chromium.org
Status: Assigned
I have a patch. Uploading shortly.
Comment 2 by cdn@chromium.org, Jan 9 2012
Cc: bryner@chromium.org
Comment 3 by cdn@chromium.org, Jan 10 2012
Cc: rsleevi@chromium.org
Comment 4 by cdn@chromium.org, Jan 10 2012
Labels: Merge-Approved
Status: FixUnreleased
This is a really easy fix. Not sure if it is worth merging given that it is just a DoS but it is certainly simple enough.
Project Member Comment 5 by bugdroid1@chromium.org, Jan 10 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=117080

------------------------------------------------------------------------
r117080 | cdn@chromium.org | Tue Jan 10 11:41:28 PST 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/safe_browsing/signature_util_win.cc?r1=117080&r2=117079&pathrev=117080

Fix null deref when walking cert chain.

BUG= 109664 
TEST=N/A
Review URL: http://codereview.chromium.org/9150013
------------------------------------------------------------------------
Comment 6 by cdn@chromium.org, Jan 18 2012
Labels: SecImpacts-Stable SecImpacts-Beta
Labels: -Mstone-16 Mstone-17
Comment 8 by tsepez@chromium.org, Jan 24 2012
Labels: -Merge-Approved Merge-Merged merge-merged-963
Merged into m17 at r118903.
Project Member Comment 9 by bugdroid1@chromium.org, Jan 24 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=118903

------------------------------------------------------------------------
r118903 | tsepez@chromium.org | Tue Jan 24 13:34:35 PST 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/963/src/chrome/browser/safe_browsing/signature_util_win.cc?r1=118903&r2=118902&pathrev=118903

Merge 117080 - Fix null deref when walking cert chain.

BUG= 109664 
TEST=N/A
Review URL: http://codereview.chromium.org/9150013

TBR=cdn@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9283039
------------------------------------------------------------------------
Labels: CVE-2011-3965
Comment 11 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -SecSeverity-Low -Feature-Safebrowsing -SecImpacts-Stable -SecImpacts-Beta -Mstone-17 Security-Severity-Low Cr-UI-Browser-SafeBrowsing Security-Impact-Stable Security-Impact-Beta Cr-Internals Type-Bug-Security M-17
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-EditIssue
Labels: -Restrict-View-SecurityTeam
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 21 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 22 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
Labels: Restrict-View-SecurityNotify
Project Member Comment 24 by sheriffbot@chromium.org, Oct 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic