Project: chromium
Status: Fixed
Closed: Nov 2013
OS: Windows
Pri: 1
Type: Bug-Security

Security: Crash in aura::Window::NotifyWindowHierarchyChangeAtReceiver
Reported by chromium...@gmail.com, Nov 13 2013
Version: Google Chrome Canary - Version 33.0.1708.0 canary
OS: Windows 7

Steps:
YouTube video - http://youtu.be/3G-iRblQrT8

Or

1. Launch the browser.
2. Open PoC.html and click anywhere on the page; you will see Print() and the Speech API on the page.
3. Open a new tab.
4. Go back to the page (PoC.html), click the Cancel button on Print(), then click on the page again and you will see the same things (Print() and Speech API).
5. Then close that new tab.
6. Crash!


eax=08845660 ebx=00000000 ecx=08845660 edx=f8500156 esi=01225140 edi=04c94b40
eip=5f1d8c07 esp=001cf0a4 ebp=001cf0d0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeAtReceiver+0x94:
5f1d8c07 ff12            call    dword ptr [edx]      ds:0023:f8500156=????????
0:000> k
ChildEBP RetAddr  
001cf0d0 5f1d92c4 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeAtReceiver+0x94 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1078]
001cf0e0 5f1d8b42 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChangeUp+0x12 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1067]
001cf0f4 5f327dc4 chrome_5efd0000!aura::Window::NotifyWindowHierarchyChange+0x31 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 1043]
001cf11c 5f327aa3 chrome_5efd0000!aura::Window::RemoveChild+0x24 [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 408]
001cf158 5f3279d5 chrome_5efd0000!aura::Window::~Window+0xba [c:\b\build\slave\win\build\src\ui\aura\window.cc @ 129]
001cf164 5f3279c9 chrome_5efd0000!aura::Window::`scalar deleting destructor'+0xb
001cf16c 5f32ff8e chrome_5efd0000!content::RenderWidgetHostViewAura::Destroy+0x18 [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_view_aura.cc @ 969]
001cf184 5f32ff42 chrome_5efd0000!content::RenderWidgetHostImpl::Destroy+0x49 [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 1378]
001cf194 5f32fdf5 chrome_5efd0000!content::RenderWidgetHostImpl::Shutdown+0x5d [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 431]
001cf19c 5f32c947 chrome_5efd0000!content::RenderViewHostManager::~RenderViewHostManager+0x2e [c:\b\build\slave\win\build\src\content\browser\frame_host\render_view_host_manager.cc @ 80]
001cf1c8 5f32c695 chrome_5efd0000!content::WebContentsImpl::~WebContentsImpl+0x29e [c:\b\build\slave\win\build\src\content\browser\web_contents\web_contents_impl.cc @ 431]
001cf1d4 5f32c141 chrome_5efd0000!content::WebContentsImpl::`scalar deleting destructor'+0xb
001cf1f8 5f32bed4 chrome_5efd0000!TabStripModel::InternalCloseTab+0x63 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 1264]
001cf23c 5fc3d65f chrome_5efd0000!TabStripModel::InternalCloseTabs+0x139 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 1248]
001cf268 5fd0022e chrome_5efd0000!TabStripModel::CloseWebContentsAt+0x32 [c:\b\build\slave\win\build\src\chrome\browser\ui\tabs\tab_strip_model.cc @ 556]
001cf27c 5fcc66c8 chrome_5efd0000!BrowserTabStripController::CloseTab+0x29 [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\browser_tab_strip_controller.cc @ 289]
001cf29c 5fcc97f3 chrome_5efd0000!TabStrip::CloseTab+0x8f [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\tab_strip.cc @ 1034]
001cf2b4 5f834b40 chrome_5efd0000!Tab::ButtonPressed+0x30 [c:\b\build\slave\win\build\src\chrome\browser\ui\views\tabs\tab.cc @ 729]
001cf2c4 5f834785 chrome_5efd0000!views::Button::NotifyClick+0x1c [c:\b\build\slave\win\build\src\ui\views\controls\button\button.cc @ 59]
001cf2e0 5fcc8198 chrome_5efd0000!views::CustomButton::OnMouseReleased+0x60 [c:\b\build\slave\win\build\src\ui\views\controls\button\custom_button.cc @ 131]

 
Attachment: PoC.html (606 bytes)
Comment 2 by tsepez@chromium.org, Nov 13 2013
Labels: Pri-1 M-32 OS-Windows Cr-Internals-Aura Security_Impact-None Security_Severity-Medium
Owner: e...@chromium.org
Repro'd on Windows / Chrome 33. DNR on Chrome 32. Severity medium because of the steps involved to trigger, although it is unclear how much control over the faulting address can be had.
Comment 3 by e...@chromium.org, Nov 13 2013
Cc: e...@chromium.org
Owner: sky@chromium.org
Giving to a windows folk who knows aura::Window.
tsepez@: Yes, you are right about the steps, but now I have a clear explanation of how to repro the crash.
Project Member Comment 10 by clusterf...@chromium.org, Nov 13 2013
Labels: reward-topanel
Project Member Comment 11 by clusterf...@chromium.org, Nov 13 2013
Labels: -Security_Impact-None Security_Impact-Beta
Fixing impact labels.
mini repro PoC.html:

<!-- The button opens a second tab. One second after load, the original page
     opens the print dialog and then reloads itself, so the dialog comes back
     after every Cancel. -->
<button onclick="crash()">Click</button>
<script>
setTimeout(function() { print(); location.reload(); }, 1000);

function crash()
{
  window.open("http://www.google.com");
}
</script>

Steps:

1. Click the button to open Google's page.
2. Go back to PoC.html (1.png).
3. Click Cancel to close Print().
4. Then wait 6 seconds for Print() to open again, then close Google's page (2.png).
Attachments: 1.png (45.7 KB), 2.png (46.5 KB)
Crash ID 4ec4b90f7dd0de5b
Crash ID 041c2199cd6ef1e7
Crash ID e89852309711993a
Comment 20 by sky@chromium.org, Nov 14 2013
Cc: sky@chromium.org
Owner: jam@chromium.org
I suspect this is from John's recent changes to RWHVA. He may have fixed it too.
Comment 21 by jam@chromium.org, Nov 14 2013
Status: WontFix
The buggy change was landed in 234708, reverted in 234770, and landed correctly in r234823. See bug 299224.
Comment 22 by jam@chromium.org, Nov 14 2013
Status: Started
Actually, nvm, sorry, this case is still broken. Investigating more.
Comment 23 by jam@chromium.org, Nov 14 2013
I found a more reduced test case:
-open an empty page
-print preview
-open a new tab
-go back to original tab
-close print preview
-switch to the new tab
Nice steps to repro the crash!
Comment 25 by jam@chromium.org, Nov 15 2013
Issue 318899 has been merged into this issue.
Project Member Comment 26 by bugdroid1@chromium.org, Nov 15 2013
------------------------------------------------------------------------
r235267 | jam@chromium.org | 2013-11-15T00:52:31.225116Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235267&r2=235266&pathrev=235267
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235267&r2=235266&pathrev=235267

Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:

1) open an empty page
2) print preview
3) open a new tab
4) go back to original tab
5) close print preview
6) switch to the new tab

The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.

BUG= 318791 
R=ben@chromium.org

Review URL: https://codereview.chromium.org/69813005
------------------------------------------------------------------------
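The commit message above gives the root cause: the print preview's window observer unregistered from the root window but not from the root's children, so a tab window still held a pointer to the freed observer and the next hierarchy notification called through it (the `call dword ptr [edx]` in the dump). The following is an added example, not Chromium code: a minimal model of that lifetime bug with the buggy and fixed teardown side by side. `Window`, `WindowObserver`, `PreviewObserver`, `RunRepro` and `g_live_observers` are simplified stand-ins chosen here, not Chromium identifiers, and the window tree and step order are constructed from the repro list in the commit message.

```cpp
// Added example, not Chromium code: a minimal model of the observer-lifetime
// bug in the fix above. Names are simplified stand-ins for the aura classes.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>
class Window;

class WindowObserver {
 public:
  virtual ~WindowObserver() = default;
  virtual void OnHierarchyChange(Window* parent, Window* child, bool added) = 0;
};

// Bookkeeping real aura does not have: which observers are still alive. aura's
// loop calls through every pointer in a window's list, so a stale entry is the
// `call dword ptr [edx]` into freed memory seen in the crash dump.
static std::set<WindowObserver*> g_live_observers;
class Window {
 public:
  ~Window() {  // like aura::Window::~Window: detach children, leave parent
    while (!children_.empty()) RemoveChild(children_.back());
    if (parent_) parent_->RemoveChild(this);
  }
  void AddObserver(WindowObserver* o) { observers_.push_back(o); }
  void RemoveObserver(WindowObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  const std::vector<Window*>& children() const { return children_; }
  void AddChild(Window* child) {
    children_.push_back(child);
    child->parent_ = this;
    NotifyUp(child, true);
  }
  void RemoveChild(Window* child) {
    NotifyUp(child, false);
    children_.erase(std::remove(children_.begin(), children_.end(), child), children_.end());
    child->parent_ = nullptr;
  }
  static int dangling_notifications;  // deliveries aimed at a freed observer

 private:
  // Like NotifyWindowHierarchyChangeUp: this window's observers, then each
  // ancestor's. In real aura a freed observer here is the wild call.
  void NotifyUp(Window* child, bool added) {
    for (Window* w = this; w; w = w->parent_)
      for (WindowObserver* o : std::vector<WindowObserver*>(w->observers_)) {
        if (g_live_observers.count(o)) o->OnHierarchyChange(this, child, added);
        else ++dangling_notifications;
      }
  }
  Window* parent_ = nullptr;
  std::vector<Window*> children_;
  std::vector<WindowObserver*> observers_;
};
int Window::dangling_notifications = 0;

// The print preview's observer: watches the root and every tab window under
// it, including tabs opened later.
class PreviewObserver : public WindowObserver {
 public:
  PreviewObserver(Window* root, bool fixed) : root_(root), fixed_(fixed) {
    g_live_observers.insert(this);
    root_->AddObserver(this);
    for (Window* tab : root_->children()) tab->AddObserver(this);
  }
  ~PreviewObserver() override {
    root_->RemoveObserver(this);
    // The fix: also unobserve every child of the root. Without this the other
    // tabs' windows keep a pointer to the freed object.
    if (fixed_) for (Window* tab : root_->children()) tab->RemoveObserver(this);
    g_live_observers.erase(this);
  }
  void OnHierarchyChange(Window* parent, Window* child, bool added) override {
    if (parent != root_) return;  // only track direct children of the root
    if (added) child->AddObserver(this); else child->RemoveObserver(this);
  }
 private:
  Window* root_;
  bool fixed_;
};
// Replays the repro on the model tree (tree and steps constructed here);
// returns how many notifications were aimed at the freed observer.
int RunRepro(bool fixed) {
  Window::dangling_notifications = 0;
  Window root, tab1;
  root.AddChild(&tab1);                                            // 1) a page
  auto preview = std::make_unique<PreviewObserver>(&root, fixed);  // 2) preview
  auto tab2 = std::make_unique<Window>();                          // 3) new tab
  auto tab2_view = std::make_unique<Window>();
  root.AddChild(tab2.get());
  tab2->AddChild(tab2_view.get());
  preview.reset();                                     // 5) close print preview
  tab2_view.reset();  // 6) tab2's view goes away: tab2's observer list is walked
  tab2.reset();
  return Window::dangling_notifications;
}
int main() { std::printf("buggy: %d  fixed: %d\n", RunRepro(false), RunRepro(true)); }
```

With `fixed == false` the walk of tab2's observer list hits the freed observer once, which is the `~Window -> RemoveChild -> NotifyWindowHierarchyChange` path in the stack trace; with `fixed == true` it is never reached. The general lesson is the one the fix applies: an observer that registers itself on windows it discovers at runtime must unregister from every one of them in its destructor (or hold them through a scoped-observation helper), not only from the window it was originally given.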
Project Member Comment 27 by bugdroid1@chromium.org, Nov 15 2013
------------------------------------------------------------------------
r235277 | jam@chromium.org | 2013-11-15T02:19:31.996193Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235277&r2=235276&pathrev=235277
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235277&r2=235276&pathrev=235277

Revert 235267 "Fix crash in WebContentsViewAura::WindowObserver ..."

> Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:
> 
> 1) open an empty page
> 2) print preview
> 3) open a new tab
> 4) go back to original tab
> 5) close print preview
> 6) switch to the new tab
> 
> The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.
> 
> BUG= 318791 
> R=ben@chromium.org
> 
> Review URL: https://codereview.chromium.org/69813005

TBR=jam@chromium.org

Review URL: https://codereview.chromium.org/63013004
------------------------------------------------------------------------
Comment 28 by jam@chromium.org, Nov 15 2013
Labels: Merge-Requested
Project Member Comment 29 by bugdroid1@chromium.org, Nov 15 2013
------------------------------------------------------------------------
r235302 | jam@chromium.org | 2013-11-15T07:47:16.521342Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235302&r2=235301&pathrev=235302
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235302&r2=235301&pathrev=235302

Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:

1) open an empty page
2) print preview
3) open a new tab
4) go back to original tab
5) close print preview
6) switch to the new tab

The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.

BUG= 318791 
R=ben@chromium.org

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=235267

Review URL: https://codereview.chromium.org/69813005
------------------------------------------------------------------------
Status: Fixed
Project Member Comment 31 by clusterf...@chromium.org, Nov 15 2013
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 32 by kareng@google.com, Nov 15 2013
Labels: -Merge-Requested Merge-Approved
Project Member Comment 33 by bugdroid1@chromium.org, Nov 15 2013
Labels: -Merge-Approved merge-merged-1700
------------------------------------------------------------------------
r235443 | jam@chromium.org | 2013-11-15T21:55:32.680685Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1700/src/chrome/browser/ui/webui/print_preview/print_preview_ui_browsertest.cc?r1=235443&r2=235442&pathrev=235443
   M http://src.chromium.org/viewvc/chrome/branches/1700/src/content/browser/web_contents/web_contents_view_aura.cc?r1=235443&r2=235442&pathrev=235443

Merge 235302 "Fix crash in WebContentsViewAura::WindowObserver t..."

> Fix crash in WebContentsViewAura::WindowObserver that happens when switching tabs. The exact repro steps were:
> 
> 1) open an empty page
> 2) print preview
> 3) open a new tab
> 4) go back to original tab
> 5) close print preview
> 6) switch to the new tab
> 
> The crash happened at step 4 because the second tab got removed from the same root window as the print preview's observer. We weren't unobserving all the children of the root window at that point.
> 
> BUG= 318791 
> R=ben@chromium.org
> 
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=235267
> 
> Review URL: https://codereview.chromium.org/69813005

TBR=jam@chromium.org

Review URL: https://codereview.chromium.org/73693004
------------------------------------------------------------------------
Comment 34 by jam@chromium.org, Nov 15 2013
Cc: vivianz@chromium.org
Labels: -reward-topanel reward-ineligible
Thanks for the report! I'm sorry to say that this one did not qualify for a reward. Too much user-interaction is involved for this to be reasonably exploited.
You're welcome!
Labels: Release-0-M32
Labels: CVE-2013-6645
Labels: -Release-0-M32
Project Member Comment 40 by clusterf...@chromium.org, Mar 28 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 41 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 42 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic