Status: Fixed
Owner:
Closed: Nov 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security
Use-after-free in speech - saying "Hello" during the incognito window has closed
Reported by chromium...@gmail.com, Aug 12 2014
VULNERABILITY DETAILS

VERSION
Chrome Version: Stable 36.0.1985.125 m
Operating System: Win7

REPRODUCTION CASE
1. Launch Chrome
2. Launch Incognito window, Ctrl+N
3. Open Index.html in the Incognito window as a fresh page, as in Screen-shot.png, and keep clicking the "Click here" button; the page (the one in the Incognito window) will then close
4. "Whoa! Google Chrome has crashed."

"If my explanation was unclear, please watch the video on YouTube to see how to repro the crash: http://youtu.be/8vvE-Tse6n4 "

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
eax=f813e16e ebx=00000000 ecx=0bf900a0 edx=00000002 esi=0bf900a0 edi=070101e0
eip=5f73f7b1 esp=002fe878 ebp=002fe978 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
chrome_5e6a0000!GetExtensionVoices+0x2d:
5f73f7b1 ff5070          call    dword ptr [eax+70h]  ds:0023:f813e1de=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  
002fe978 5ee3eac9 chrome_5e6a0000!GetExtensionVoices+0x2d [c:\b\build\slave\win\build\src\chrome\browser\speech\extension_api\tts_engine_extension_api.cc @ 64]
002fe98c 5ee3ece2 chrome_5e6a0000!TtsController::GetVoices+0x17 [c:\b\build\slave\win\build\src\chrome\browser\speech\tts_controller.cc @ 302]
002fea60 5ee3ec90 chrome_5e6a0000!TtsController::SpeakNow+0x49 [c:\b\build\slave\win\build\src\chrome\browser\speech\tts_controller.cc @ 157]
002fea74 5ee3eb6f chrome_5e6a0000!TtsController::SpeakNextUtterance+0x36 [c:\b\build\slave\win\build\src\chrome\browser\speech\tts_controller.cc @ 330]
002fea80 5f73fec7 chrome_5e6a0000!TtsController::OnTtsEvent+0x3d [c:\b\build\slave\win\build\src\chrome\browser\speech\tts_controller.cc @ 294]
002feb04 5ea4151d chrome_5e6a0000!ExtensionTtsEngineSendTtsEventFunction::RunSync+0x343 [c:\b\build\slave\win\build\src\chrome\browser\speech\extension_api\tts_engine_extension_api.cc @ 271]
002feb2c 5ea34df1 chrome_5e6a0000!SyncExtensionFunction::Run+0x15 [c:\b\build\slave\win\build\src\extensions\browser\extension_function.cc @ 387]
002feba4 5ea34aba chrome_5e6a0000!extensions::ExtensionFunctionDispatcher::DispatchWithCallbackInternal+0x204 [c:\b\build\slave\win\build\src\extensions\browser\extension_function_dispatcher.cc @ 385]
002febd8 5ea34a19 chrome_5e6a0000!extensions::ExtensionFunctionDispatcher::Dispatch+0x9d [c:\b\build\slave\win\build\src\extensions\browser\extension_function_dispatcher.cc @ 309]
002febe8 5ea34717 chrome_5e6a0000!extensions::ExtensionHost::OnRequest+0x14 [c:\b\build\slave\win\build\src\extensions\browser\extension_host.cc @ 342]
002fecb8 5ea11649 chrome_5e6a0000!ExtensionHostMsg_Request::Dispatch<extensions::TabHelper,extensions::TabHelper,void (__thiscall extensions::TabHelper::*)(ExtensionHostMsg_Request_Params const &)>+0x4a [c:\b\build\slave\win\build\src\extensions\common\extension_messages.h @ 460]
002fed28 5ea095b0 chrome_5e6a0000!extensions::ExtensionHost::OnMessageReceived+0x106 [c:\b\build\slave\win\build\src\extensions\browser\extension_host.cc @ 329]
002fef08 5ea0955d chrome_5e6a0000!content::WebContentsImpl::OnMessageReceived+0x4f [c:\b\build\slave\win\build\src\content\browser\web_contents\web_contents_impl.cc @ 482]
002fef1c 5ea0898c chrome_5e6a0000!content::WebContentsImpl::OnMessageReceived+0x13 [c:\b\build\slave\win\build\src\content\browser\web_contents\web_contents_impl.cc @ 468]
002ff164 5ea088f2 chrome_5e6a0000!content::RenderViewHostImpl::OnMessageReceived+0x8d [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_view_host_impl.cc @ 982]
002ff298 5ea0860f chrome_5e6a0000!content::RenderProcessHostImpl::OnMessageReceived+0x2d2 [c:\b\build\slave\win\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 1383]
002ff2cc 5e753ae7 chrome_5e6a0000!IPC::ChannelProxy::Context::OnDispatchMessage+0x98 [c:\b\build\slave\win\build\src\ipc\ipc_channel_proxy.cc @ 275]
002ff2dc 5e709f7c chrome_5e6a0000!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall extensions::CountingPolicy::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void __cdecl(extensions::CountingPolicy *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void __cdecl(base::internal::UnretainedWrapper<extensions::CountingPolicy>,std::basic_string<char,std::char_traits<char>,std::allocator<char> >)>,void __cdecl(extensions::CountingPolicy *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>::Run+0x16 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 1253]
002ff374 5e7097fd chrome_5e6a0000!base::MessageLoop::RunTask+0x2a5 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 452]
002ff4b8 5e786328 chrome_5e6a0000!base::MessageLoop::DoWork+0x367 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 577]
 
Attachments:
Index.html (110 bytes)
Screen-shot.png (385 KB)
repro.html (204 bytes)
Chrome-last.dmp (324 KB)
Comment 2 by kenrb@chromium.org, Aug 12 2014
Labels: Pri-1 Security_Severity-High Security_Impact-Stable M-36 OS-Windows Cr-Platform-Extensions-API
Owner: dmazz...@chromium.org
Status: Assigned
dmazzoni: Can you please take a look at this? It is a browser process use-after-free bug, so pretty nasty. I have only tried it on Windows, but it might affect other platforms also.

Crash ID: d874b06efeb1811a
Project Member Comment 3 by clusterf...@chromium.org, Aug 18 2014
Labels: -M-36 M-37
Project Member Comment 4 by clusterf...@chromium.org, Aug 20 2014
Labels: Nag
dmazzoni@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 5 by clusterf...@chromium.org, Aug 27 2014
dmazzoni@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
dmazzoni@: Could you please take a look or find someone else to own it?

Comment 7 by wfh@chromium.org, Aug 27 2014
Cc: tommi@chromium.org xians@chromium.org h...@chromium.org dmazz...@chromium.org
Owner: dtseng@chromium.org
dtseng@ can you take a look at this high priority security issue as soon as possible, please.
Project Member Comment 8 by clusterf...@chromium.org, Sep 4 2014
dtseng@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 9 by clusterf...@chromium.org, Sep 11 2014
dtseng@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
dtseng@: Can you please take a look at this issue or find someone else to own it?

Owner: dmazz...@chromium.org
I'll take this one as soon as I have a chance.

Project Member Comment 12 by clusterf...@chromium.org, Sep 19 2014
dmazzoni@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 13 by clusterf...@chromium.org, Sep 26 2014
dmazzoni@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 14 by clusterf...@chromium.org, Sep 29 2014
Labels: -M-37 M-38
Project Member Comment 15 by clusterf...@chromium.org, Oct 4 2014
dmazzoni@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 16 by clusterf...@chromium.org, Oct 14 2014
Labels: Deadline-Exceeded
You have far exceeded the 60-day deadline for fixing this high severity security vulnerability.

We commit ourselves to this deadline and appreciate your utmost priority on this issue.

If you are unable to look into this soon, please find someone else to own this.

- Your friendly ClusterFuzz
dmazzoni@: Could you please take a look at this issue or find someone to own it?

Comment 18 Deleted
The original dump actually looks like a use-after-free.
It crashes here:

result_voice->SetString(constants::kLangKey, voice.lang);

The vtable pointer of result_voice is an invalid address.

When a tab is closed while the result is performing a speech utterance, the speech must be cancelled.

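A constructed C++ model of the lifetime problem this comment describes and of the cancel-on-close step it calls for. This is an added illustration, not Chromium's code: the SpeechRequest, TtsController and CancelForTab names are assumptions standing in for the real classes in tts_controller.cc.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>
// Constructed model of the report's lifetime bug (not Chromium code): the
// controller keeps non-owning pointers to per-tab speech requests, so closing
// a tab mid-utterance leaves a dangling pointer whose vtable the next dispatch
// loads (the bad call at GetExtensionVoices+0x2d). Modelled fix: cancel first.
struct SpeechRequest {
  SpeechRequest(int tab, const std::string& t) : tab_id(tab), text(t) {}
  virtual ~SpeechRequest() = default;
  virtual void OnTtsEvent(const std::string&) {}  // virtual => vtable, as in the crash
  int tab_id;
  std::string text;
};
class TtsController {
 public:
  void SpeakOrEnqueue(SpeechRequest* r) { pending_.push_back(r); }
  // Called from tab teardown; drops every request the closing tab owns.
  void CancelForTab(int tab_id) {
    pending_.erase(std::remove_if(pending_.begin(), pending_.end(),
        [tab_id](SpeechRequest* r) { return r->tab_id == tab_id; }), pending_.end());
  }
  // Dispatches the next utterance and returns its text, or "" when idle.
  std::string SpeakNext() {
    if (pending_.empty()) return "";
    SpeechRequest* r = pending_.front();
    pending_.erase(pending_.begin());
    r->OnTtsEvent("start");  // this is the use-after-free if r was already freed
    return r->text;
  }
  size_t Pending() const { return pending_.size(); }
 private:
  std::vector<SpeechRequest*> pending_;  // non-owning, like result_voice in the dump
};
// Report scenario: the incognito tab (1) is closed while its utterance is
// queued. Returns how many utterances the controller dispatches afterwards.
int ReproduceCloseDuringSpeech() {
  TtsController tts;
  std::vector<std::unique_ptr<SpeechRequest>> tab1, tab2;  // each tab owns its requests
  tab1.push_back(std::make_unique<SpeechRequest>(1, "Hello"));
  tab2.push_back(std::make_unique<SpeechRequest>(2, "still here"));
  tts.SpeakOrEnqueue(tab1.back().get());
  tts.SpeakOrEnqueue(tab2.back().get());
  tts.CancelForTab(1);  // the step the original code lacked: cancel first...
  tab1.clear();         // ...then the closing tab frees its request objects
  int spoken = 0;
  while (!tts.SpeakNext().empty()) ++spoken;
  return spoken;  // 1: only tab 2's utterance is dispatched
}
```

Without the CancelForTab call, pending_ would still hold tab 1's freed request when SpeakNext runs, which is the dangling vtable load the dump shows.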
I agree that speech must be cancelled. I can repro the crash in Chrome 39 but not Chrome 40. I'm possibly suspecting this helped: https://codereview.chromium.org/625503002

chromium.khalil@, can you try this on latest canary? If this is fixed with https://codereview.chromium.org/625503002, we need to mark this as Fixed and merge-request to M-39 asap.
I am still able to repro this crash on latest canary.
Blocking: chromium:429868
Status: Fixed
Project Member Comment 27 by clusterf...@chromium.org, Nov 6 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-39 M-40 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -M-38 -Merge-Triage -M-39 Release-0-M40
Labels: reward-topanel
Blocking: -chromium:429868
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7935
Congratulations - $2000 for this report! Reward panel notes: "It's a browser use-after-free, but it requires two gestures to trigger".
Project Member Comment 32 by clusterf...@chromium.org, Feb 12 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 35 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 36 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic