
Issue 318791


Issue metadata

Status: Fixed
Closed: Nov 2013
OS: Windows
Pri: 1
Type: Bug-Security




Security: Crash in aura::Window::NotifyWindowHierarchyChangeAtReceiver

Reported by chromium...@gmail.com, Nov 13 2013

Issue description

Version: Google Chrome Canary - Version 33.0.1708.0 canary
OS: Windows 7

Steps:
YouTube video - http://youtu.be/3G-iRblQrT8

Or

1. Launch the browser.
2. Open PoC.html and click on the page (anywhere on the page); then you are going to see there is Print() and the Speech API on the page.
3. Open a New-Tab.
4. Go back to the page (PoC.html), then click on the Cancel button which is on Print(), then click again on the page and you are going to see the same things (Print() and Speech API).
5. Then close that New-Tab.
6. Crash!!


eax=08845660 ebx=00000000 ecx=08845660 edx=f8500156 esi=01225140 edi=04c94b40
eip=5f1d8c07 esp=001cf0a4 ebp=001cf0d0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeAtReceiver+0x94:
5f1d8c07 ff12            call    dword ptr [edx]      ds:0023:f8500156=????????
0:000> k
ChildEBP RetAddr  
001cf0d0 5f1d92c4 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeAtReceiver+0x94 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1078]
001cf0e0 5f1d8b42 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeUp+0x12 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1067]
001cf0f4 5f327dc4 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChange+0x31 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1043]
001cf11c 5f327aa3 chrome_5efd0000!aura::Window::RemoveChild+0x24 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 408]
001cf158 5f3279d5 chrome_5efd0000!aura::Window::~Window+0xba [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 129]
001cf164 5f3279c9 chrome_5efd0000!aura::Window::`scalar deleting destructor'+0xb
001cf16c 5f32ff8e chrome_5efd0000!content::RenderWidgetHostViewAura::Destroy+0x18 [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_view_aura.cc @ 969]
001cf184 5f32ff42 chrome_5efd0000!content::RenderWidgetHostImpl::Destroy+0x49 [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 1378]
001cf194 5f32fdf5 chrome_5efd0000!content::RenderWidgetHostImpl::Shutdown+0x5d [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 431]
001cf19c 5f32c947 chrome_5efd0000!content::RenderViewHostManager::~RenderViewHostManager+0x2e [c:\b\build\slave\win\build\src\content\browser\frame_host\render_view_host_manager.cc @ 80]
001cf1c8 5f32c695 chrome_5efd0000!content::WebContentsImpl::~WebContentsImpl+0x29e [c:\b\build\slave\win\build\src\content\browser\web_contents\web_contents_impl.cc @ 431]
001cf1d4 5f32c141 chrome_5efd0000!content::WebContentsImpl::`scalar deleting destructor'+0xb
001cf1f8 5f32bed4 chrome_5efd0000!TabStripModel::InternalCloseTab+0x63 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 1264]
001cf23c 5fc3d65f chrome_5efd0000!TabStripModel::InternalCloseTabs+0x139 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 1248]
001cf268 5fd0022e chrome_5efd0000!TabStripModel::CloseWebContentsAt+0x32 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 556]
001cf27c 5fcc66c8 chrome_5efd0000!BrowserTabStripController::CloseTab+0x29 [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\browser_tab_strip_controller.cc @ 289]
001cf29c 5fcc97f3 chrome_5efd0000!TabStrip::CloseTab+0x8f [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\tab_strip.cc @ 1034]
001cf2b4 5f834b40 chrome_5efd0000!Tab::ButtonPressed+0x30 [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\tab.cc @ 729]
001cf2c4 5f834785 chrome_5efd0000!views::Button::NotifyClick+0x1c [c:\b\build\slave\win\build\src\ui\views\controls\button\button.cc @ 59]
001cf2e0 5fcc8198 chrome_5efd0000!views::CustomButton::OnMouseReleased+0x60 [c:\b\build\slave\win\build\src\ui\views\controls\button\custom_button.cc @ 131]

 
Attachment: PoC.html (606 bytes)

Comment 2 by tsepez@chromium.org, Nov 13 2013

Labels: Pri-1 M-32 OS-Windows Cr-Internals-Aura Security_Impact-None Security_Severity-Medium
Owner: e...@chromium.org
Repro'd on Windows / Chrome 33. DNR on Chrome 32. Severity medium because of the steps involved to trigger, although it is unclear how much control over the faulting address can be had.

Comment 3 by e...@chromium.org, Nov 13 2013

Cc: e...@chromium.org
Owner: sky@chromium.org
Giving to a Windows folk who knows aura::Window.
tsepez@: Yes, you're right about the steps, but now I have a clear explanation to repro the crash.

Comment 10 by ClusterFuzz, Nov 13 2013

Labels: reward-topanel

Comment 11 by ClusterFuzz, Nov 13 2013

Labels: -Security_Impact-None Security_Impact-Beta
Fixing impact labels.

Mini repro PoC.html:

<button onclick="crash()">Click</button>
<script>
// One second after load, open the print dialog and then reload the page.
setTimeout(function() { print(); location.reload(); }, 1000);

// Button handler: opens a second page in a new window.
function crash() {
  window.open("http://www.google.com");
}
</script>

Steps:

1. Click on the button to open Google's page.
2. Go back to PoC.html (1.png).
3. Click on Cancel to close the Print() method.
4. Then wait 6 sec for the Print() method to open again, then close Google's page (2.png).
Crash ID 4ec4b90f7dd0de5b
Crash ID 041c2199cd6ef1e7
Crash ID e89852309711993a

Comment 20 by sky@chromium.org, Nov 14 2013

Cc: sky@chromium.org
Owner: jam@chromium.org
I suspect this is from John's recent changes to RWHVA. He may have fixed it too.

Comment 21 by jam@chromium.org, Nov 14 2013

Status: WontFix
The buggy change was landed in 234708, reverted in 234770, and landed correctly in r234823. See bug 299224.

Comment 22 by jam@chromium.org, Nov 14 2013

Status: Started
Actually, nvm, sorry, this case is still broken. Investigating more.

Comment 23 by jam@chromium.org, Nov 14 2013

I found a more reduced test case:
-open an empty page
-print preview
-open a new tab
-go back to original tab
-close print preview
-switch to the new tab
Nice steps to repro the crash!

Comment 25 by jam@chromium.org, Nov 15 2013

Issue 318899 has been merged into this issue.

Comment 26 by bugdroid1@chromium.org, Nov 15 2013

------------------------------------------------------------------------
r235267 | jam@chromium.org | 2013-11-15T00:52:31.225116Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235267&r2=235266&pathrev=235267
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235267&r2=235266&pathrev=235267

Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:

1) open an empty page
2) print preview
3) open a new tab
4) go back to original tab
5) close print preview
6) switch to the new tab

The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.

BUG= 318791 
R=ben@chromium.org

Review URL: https://codereview.chromium.org/69813005
------------------------------------------------------------------------
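The commit message above attributes the crash to an observer that stayed registered on a child window after its owner went away, so the child's next hierarchy change called through a freed object. As an added illustration (not Chromium's code), the constructed C++ below contrasts that leaky registration pattern with one that records and leaves every window it observed; Window, WindowObserver, LeakyObserver, TrackingObserver and StaleObserversAfterDestroy are all assumed names.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>
// Constructed stand-ins for an aura-style window and its observer; added to
// illustrate this issue's failure mode, not Chromium's implementation.
struct WindowObserver {
  virtual ~WindowObserver() = default;
};
struct Window {
  void AddObserver(WindowObserver* o) { observers.push_back(o); }
  void RemoveObserver(WindowObserver* o) {
    observers.erase(std::remove(observers.begin(), observers.end(), o), observers.end());
  }
  // Every pointer here is called through when this window's hierarchy changes,
  // which is where a destroyed observer turns into a use-after-free.
  std::vector<WindowObserver*> observers;
};

// Buggy pattern: registers on the root and on each child, but on teardown
// unregisters only from the root, so each child keeps a dangling pointer.
struct LeakyObserver : WindowObserver {
  LeakyObserver(Window* r, const std::vector<Window*>& kids) : root(r) {
    root->AddObserver(this);
    for (Window* c : kids) c->AddObserver(this);
  }
  ~LeakyObserver() override { root->RemoveObserver(this); }
  Window* root;
};

// Fixed pattern: remember every window observed and leave all of them.
struct TrackingObserver : WindowObserver {
  TrackingObserver(Window* root, const std::vector<Window*>& kids) {
    Observe(root);
    for (Window* c : kids) Observe(c);
  }
  ~TrackingObserver() override {
    for (Window* w : observed) w->RemoveObserver(this);
  }
  void Observe(Window* w) { w->AddObserver(this); observed.push_back(w); }
  std::vector<Window*> observed;
};
// The observer attaches while a second tab already sits under the same root,
// then dies (preview closed). Returns the stale pointers that tab still holds.
template <typename Obs>
std::size_t StaleObserversAfterDestroy() {
  Window root, tab;
  { Obs obs(&root, {&tab}); }
  return tab.observers.size();
}
```

A count of 1 from the leaky variant is the stale pointer that would be dereferenced when the tab is removed; the tracking variant leaves 0.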

Comment 27 by bugdroid1@chromium.org, Nov 15 2013

------------------------------------------------------------------------
r235277 | jam@chromium.org | 2013-11-15T02:19:31.996193Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235277&r2=235276&pathrev=235277
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235277&r2=235276&pathrev=235277

Revert 235267 "Fix crash in WebContentsViewAura::WindowObserver ..."

> Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:
> 
> 1) open an empty page
> 2) print preview
> 3) open a new tab
> 4) go back to original tab
> 5) close print preview
> 6) switch to the new tab
> 
> The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.
> 
> BUG= 318791 
> R=ben@chromium.org
> 
> Review URL: https://codereview.chromium.org/69813005

TBR=jam@chromium.org

Review URL: https://codereview.chromium.org/63013004
------------------------------------------------------------------------

Comment 28 by jam@chromium.org, Nov 15 2013

Labels: Merge-Requested

Comment 29 by bugdroid1@chromium.org, Nov 15 2013

------------------------------------------------------------------------
r235302 | jam@chromium.org | 2013-11-15T07:47:16.521342Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235302&r2=235301&pathrev=235302
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235302&r2=235301&pathrev=235302

Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:

1) open an empty page
2) print preview
3) open a new tab
4) go back to original tab
5) close print preview
6) switch to the new tab

The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.

BUG= 318791 
R=ben@chromium.org

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=235267

Review URL: https://codereview.chromium.org/69813005
------------------------------------------------------------------------
Status: Fixed

Comment 31 by ClusterFuzz, Nov 15 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 32 by kareng@google.com, Nov 15 2013

Labels: -Merge-Requested Merge-Approved

Comment 33 by bugdroid1@chromium.org, Nov 15 2013

Labels: -Merge-Approved merge-merged-1700
------------------------------------------------------------------------
r235443 | jam@chromium.org | 2013-11-15T21:55:32.680685Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1700/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235443&r2=235442&pathrev=235443
   M http://src.chromium.org/viewvc/chrome/branches/1700/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235443&r2=235442&pathrev=235443

Merge 235302 "Fix crash in WebContentsViewAura::WindowObserver t..."

> Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:
> 
> 1) open an empty page
> 2) print preview
> 3) open a new tab
> 4) go back to original tab
> 5) close print preview
> 6) switch to the new tab
> 
> The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.
> 
> BUG= 318791 
> R=ben@chromium.org
> 
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=235267
> 
> Review URL: https://codereview.chromium.org/69813005

TBR=jam@chromium.org

Review URL: https://codereview.chromium.org/73693004
------------------------------------------------------------------------

Comment 34 by jam@chromium.org, Nov 15 2013

Cc: vivianz@chromium.org
Labels: -reward-topanel reward-ineligible
Thanks for the report! I'm sorry to say that this one did not qualify for a reward. Too much user interaction is involved for this to be reasonably exploited.
You're welcome!
Labels: Release-0-M32
Labels: CVE-2013-6645
Labels: -Release-0-M32

Comment 40 by ClusterFuzz, Mar 28 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 41 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 42 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
