Status: Fixed
Closed: Feb 2015
OS: All
Pri: 1
Type: Bug-Security
Labels: Nag
Google Chrome SpeechRecognitionClient Use-After-Free Remote Code Execution Vulnerability
Reported by zdi-disc...@hp.com, Feb 5 2015

```
Tested on: Google Chrome
Platform tested on: Windows 8.1

The vulnerability exists in the following code:

/*
 * Copyright (C) 2012 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *  * Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *  * Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SpeechRecognitionController_h
#define SpeechRecognitionController_h

#include "core/page/Page.h"
#include "modules/speech/SpeechRecognitionClient.h"
#include "wtf/PassOwnPtr.h"

namespace blink {

class MediaStreamTrack;

class SpeechRecognitionController final
    : public NoBaseWillBeGarbageCollectedFinalized<SpeechRecognitionController>
    , public WillBeHeapSupplement<LocalFrame> {
    WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(SpeechRecognitionController);
public:
    virtual ~SpeechRecognitionController();

    void start(SpeechRecognition* recognition, const SpeechGrammarList* grammars, const String& lang, bool continuous, bool interimResults, unsigned long maxAlternatives, MediaStreamTrack* audioTrack)
    {
        m_client->start(recognition, grammars, lang, continuous, interimResults, maxAlternatives, audioTrack);  // free reuse here
    }

    void stop(SpeechRecognition* recognition) { m_client->stop(recognition); }
    void abort(SpeechRecognition* recognition) { m_client->abort(recognition); }

    static const char* supplementName();
    static void provideTo(LocalFrame&, PassOwnPtr<SpeechRecognitionClient>);
    static SpeechRecognitionController* from(LocalFrame&);

    void trace(Visitor*) override;

private:
    explicit SpeechRecognitionController(PassOwnPtr<SpeechRecognitionClient>);

    OwnPtr<SpeechRecognitionClient> m_client;
};

} // namespace blink

#endif // SpeechRecognitionController_h



========================================================================
windbg session running with Debug\chrome.exe --no-sandbox

1:038> g
ModLoad: 76d50000 76d77000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 76bd0000 76ce3000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 75480000 7672d000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 71d70000 71dfb000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 10000000 2532a000   C:\workspace\src\out\Debug\chrome_child.dll
ModLoad: 711e0000 713b6000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 71170000 711d5000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 76e30000 76ecb000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 751e0000 75308000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76b30000 76bc5000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 71bd0000 71bda000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 716b0000 716d0000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 77220000 77270000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 71c40000 71c56000   C:\Windows\SysWOW64\USP10.dll
ModLoad: 70f30000 71162000   C:\Windows\SysWOW64\iertutil.dll
ModLoad: 72360000 72566000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1\COMCTL32.dll
ModLoad: 76900000 76907000   C:\Windows\SysWOW64\NSI.dll
ModLoad: 716a0000 716a8000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 71980000 719fd000   C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 03fe0000 05632000   C:\workspace\src\out\Debug\pdf.dll
ModLoad: 05940000 05c2c000   C:\workspace\src\out\Debug\ffmpegsumo.dll
[3560:3620:0107/190053:ERROR:renderer_main.cc(212)] Running without renderer sandbox
ModLoad: 71a20000 71ba2000   C:\Windows\SysWOW64\dwrite.dll
ModLoad: 72240000 7232d000   C:\Windows\SysWOW64\uxtheme.dll
[3560:3620:0107/190054:ERROR:singleton_hwnd.cc(49)] Cannot create windows on non-UI thread!
(de8.e24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\workspace\src\out\Debug\chrome_child.dll
eax=3d8818f0 ebx=0606392d ecx=feeefeee edx=5b861830 esi=0018e718 edi=0018e7b8
eip=126974b9 esp=0018e6fc ebp=0018e724 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!blink::SpeechRecognitionController::start+0x49:
126974b9 8b11            mov     edx,dword ptr [ecx]  ds:002b:feeefeee=????????
1:038> ub .; u .
chrome_child!blink::SpeechRecognitionController::start+0x39 [c:\workspace\src\third_party\webkit\source\modules\speech\speechrecognitioncontroller.h @ 46]:
126974a9 50              push    eax
126974aa 8b4d10          mov     ecx,dword ptr [ebp+10h]
126974ad 51              push    ecx
126974ae 8b550c          mov     edx,dword ptr [ebp+0Ch]
126974b1 52              push    edx
126974b2 8b4508          mov     eax,dword ptr [ebp+8]
126974b5 50              push    eax
126974b6 8b4df8          mov     ecx,dword ptr [ebp-8]
chrome_child!blink::SpeechRecognitionController::start+0x49 [c:\workspace\src\third_party\webkit\source\modules\speech\speechrecognitioncontroller.h @ 46]:
126974b9 8b11            mov     edx,dword ptr [ecx]
126974bb 8b4df8          mov     ecx,dword ptr [ebp-8]
126974be 8b02            mov     eax,dword ptr [edx]
126974c0 ffd0            call    eax
126974c2 3bf4            cmp     esi,esp
126974c4 e867906601      call    chrome_child!_RTC_CheckEsp (13d00530)
126974c9 5e              pop     esi
126974ca 83c408          add     esp,8
1:038> !heap -p -a ebp-8

1:038> kv
ChildEBP RetAddr  Args to Child              
0018e724 12697458 3d8818f0 5b861830 3d88193c chrome_child!blink::SpeechRecognitionController::start+0x49 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\modules\speech\speechrecognitioncontroller.h @ 46]
0018e758 127d2226 0018e778 0018e834 0018e840 chrome_child!blink::SpeechRecognition::start+0xe8 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\modules\speech\speechrecognition.cpp @ 58]
0018e7b8 127c44d9 0018e7ec 00000001 1119f947 chrome_child!blink::SpeechRecognitionV8Internal::startMethod+0x66 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\out\debug\gen\blink\bindings\modules\v8\v8speechrecognition.cpp @ 547]
0018e7c4 1119f947 0018e7ec 05d7efd8 00000002 chrome_child!blink::SpeechRecognitionV8Internal::startMethodCallback+0x19 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\out\debug\gen\blink\bindings\modules\v8\v8speechrecognition.cpp @ 556]
0018e7f8 11155c1e 0018e820 127c44c0 00000002 chrome_child!v8::internal::FunctionCallbackArguments::Call+0x57 (FPO: [2,9,0]) (CONV: thiscall) [c:\workspace\src\v8\src\arguments.cc @ 34]
0018e864 111550a5 00000002 0018e8a4 2ec08091 chrome_child!v8::internal::HandleApiCallHelper<0>+0x47e (FPO: [3,20,0]) (CONV: cdecl) [c:\workspace\src\v8\src\builtins.cc @ 1140]
0018e90c 110351bd 0715d040 060643fd 2ec77ad1 chrome_child!v8::internal::Builtin_HandleApiCall+0x55 (FPO: [3,0,4]) (CONV: cdecl) [c:\workspace\src\v8\src\builtins.cc @ 1155]
0018e95c 1103407a 0018e9c4 00000000 05da9994 chrome_child!v8::internal::Invoke+0x29d (FPO: [6,10,0]) (CONV: cdecl) [c:\workspace\src\v8\src\execution.cc @ 103]
0018e98c 10f9c262 0018e9c4 05d7efd8 05da9994 chrome_child!v8::internal::Execution::Call+0x1ba (FPO: [7,3,0]) (CONV: cdecl) [c:\workspace\src\v8\src\execution.cc @ 153]
0018e9d4 125a2b38 0018e9f4 05da9990 00000000 chrome_child!v8::Function::Call+0x1b2 (FPO: [4,6,0]) (CONV: thiscall) [c:\workspace\src\v8\src\api.cc @ 4183]
0018ea3c 12281e72 0018ea74 05da9994 2f404080 chrome_child!blink::V8ScriptRunner::callFunction+0x168 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\third_party\webkit\source\bindings\core\v8\v8scriptrunner.cpp @ 388]
0018ead8 12281cbf 0018eba0 2f404080 05da9994 chrome_child!blink::ScriptController::callFunction+0x162 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp @ 170]
0018eb14 124324c0 0018eba0 05da9994 05da9990 chrome_child!blink::ScriptController::callFunction+0x7f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp @ 154]
0018ec14 12432855 50ea8010 0018ecd4 50ea8010 chrome_child!blink::ScheduledAction::execute+0x1b0 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\bindings\core\v8\scheduledaction.cpp @ 116]
0018ec2c 11b1a595 2f404080 0018ed3c cccccccc chrome_child!blink::ScheduledAction::execute+0xa5 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\bindings\core\v8\scheduledaction.cpp @ 77]
0018eccc 151842d1 0018ede4 0018ed4c cccccccc chrome_child!blink::DOMTimer::fired+0x245 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\core\frame\domtimer.cpp @ 149]
0018ed3c 151840d3 0018ed54 12c17f4b 0018ed5c chrome_child!blink::ThreadTimers::sharedTimerFiredInternal+0x1e1 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\third_party\webkit\source\platform\threadtimers.cpp @ 137]
0018ed44 12c17f4b 0018ed5c 05ce9810 0018ed64 chrome_child!blink::ThreadTimers::sharedTimerFired+0x23 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\third_party\webkit\source\platform\threadtimers.cpp @ 109]
0018ed54 12c1858b 0018ed9c 0018ed78 0018ed70 chrome_child!content::BlinkPlatformImpl::DoTimeout+0x2b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\content\child\blink_platform_impl.h @ 174]
0018ed64 12c182da 05ce9810 0018ed90 12c1852a chrome_child!base::internal::RunnableAdapter<void (__thiscall content::BlinkPlatformImpl::*)(void)>::Run+0x1b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\bind_internal.h @ 185]
0018ed70 12c1852a 12c17f20 05ce9810 cccccccc chrome_child!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall content::BlinkPlatformImpl::*)(void)>,void __cdecl(content::BlinkPlatformImpl *)>::MakeItSo+0x1a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 382]
0018ed90 1022f3bf 05e1e5f0 0018edb0 12c184e0 chrome_child!base::internal::Invoker<1,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall content::BlinkPlatformImpl::*)(void)>,void __cdecl(content::BlinkPlatformImpl *),void __cdecl(base::internal::UnretainedWrapper<content::BlinkPlatformImpl>)>,void __cdecl(content::BlinkPlatformImpl *)>::Run+0x4a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 478]
0018eda8 104f0624 0018ef10 0018edfc cccccccc chrome_child!base::Callback<void __cdecl(void)>::Run+0x2f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\callback.h @ 396]
0018ede4 104f0526 05ce9828 07c1f840 0018ee04 chrome_child!base::Timer::RunScheduledTask+0xe4 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\timer\timer.cc @ 214]
0018edf4 104f04bb 0018ee3c 0018ee18 0018ee10 chrome_child!base::BaseTimerTaskInternal::Run+0x46 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\timer\timer.cc @ 50]
0018ee04 104eff0a 07c1f840 0018ee30 104f045a chrome_child!base::internal::RunnableAdapter<void (__thiscall base::BaseTimerTaskInternal::*)(void)>::Run+0x1b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\bind_internal.h @ 185]
0018ee10 104f045a 104f04e0 07c1f840 cccccccc chrome_child!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall base::BaseTimerTaskInternal::*)(void)>,void __cdecl(base::BaseTimerTaskInternal *)>::MakeItSo+0x1a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 382]
0018ee30 1022f3bf 05873440 0018f050 104f0410 chrome_child!base::internal::Invoker<1,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall base::BaseTimerTaskInternal::*)(void)>,void __cdecl(base::BaseTimerTaskInternal *),void __cdecl(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>,void __cdecl(base::BaseTimerTaskInternal *)>::Run+0x4a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 478]
0018ee48 105392fb 0018ef70 cccccccc cccccccc chrome_child!base::Callback<void __cdecl(void)>::Run+0x2f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\callback.h @ 396]
0018ef10 1325d16a 200604d0 200604b4 0018ef2c chrome_child!base::debug::TaskAnnotator::RunTask+0x22b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\debug\task_annotator.cc @ 65]
0018ef70 1325c412 00000000 0018f168 cccccccc chrome_child!content::TaskQueueManager::RunTaskFromWorkQueue+0x5a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\content\renderer\scheduler\task_queue_manager.cc @ 367]
0018f044 1325d0ed 00000001 0018f094 0018f070 chrome_child!content::TaskQueueManager::DoWork+0xd2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\content\renderer\scheduler\task_queue_manager.cc @ 346]
0018f058 1325c77f 00a8e3d8 05dcdfd8 0018f088 chrome_child!base::internal::RunnableAdapter<void (__thiscall content::TaskQueueManager::*)(bool)>::Run+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\bind_internal.h @ 185]
0018f068 1325d05b 1325c340 05dcdfd0 05dcdfd8 chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall content::TaskQueueManager::*)(bool)>,void __cdecl(base::WeakPtr<content::TaskQueueManager> const &,bool const &)>::MakeItSo+0x2f (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 392]
0018f088 1022f3bf 05dcdfc0 0018f17c 1325cff0 chrome_child!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall content::TaskQueueManager::*)(bool)>,void __cdecl(content::TaskQueueManager *,bool),void __cdecl(base::WeakPtr<content::TaskQueueManager>,bool)>,void __cdecl(content::TaskQueueManager *,bool)>::Run+0x6b (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\base\bind_internal.h @ 562]
0018f0a0 105392fb 0018f334 cccccccc cccccccc chrome_child!base::Callback<void __cdecl(void)>::Run+0x2f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\callback.h @ 396]
0018f168 104853dd 16e9d184 16e9d16c 0018f364 chrome_child!base::debug::TaskAnnotator::RunTask+0x22b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\debug\task_annotator.cc @ 65]
0018f334 10483114 0018f364 00a74c28 0018f3a4 chrome_child!base::MessageLoop::RunTask+0x1ed (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_loop.cc @ 439]
0018f344 104836fd 0018f364 0018f4b4 0018f3ac chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x34 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_loop.cc @ 449]
0018f3a4 10540f04 0018f58c 0018f4c0 fffde000 chrome_child!base::MessageLoop::DoWork+0xdd (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_loop.cc @ 554]
0018f4b4 104851c7 00a74c28 0018f5c0 0018f98c chrome_child!base::MessagePumpDefault::Run+0xf4 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_pump_default.cc @ 32]
0018f58c 1054f876 0018f5f4 cccccccc 003b942a chrome_child!base::MessageLoop::RunHandler+0xf7 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_loop.cc @ 405]
0018f5c0 1048507b 0018f980 cccccccc 00a74c28 chrome_child!base::RunLoop::Run+0x46 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\run_loop.cc @ 56]
0018f5f4 12e4d10a 0018fa54 00a85378 00000000 chrome_child!base::MessageLoop::Run+0x2b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\base\message_loop\message_loop.cc @ 299]
0018f980 1046a5c9 0018fbf0 0018fc4c 0018fc54 chrome_child!content::RendererMain+0x42a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\content\renderer\renderer_main.cc @ 236]
0018fa54 1046a491 0018fc20 0018fbf0 0018fcb8 chrome_child!content::RunNamedProcessTypeMain+0xa9 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\content\app\content_main_runner.cc @ 423]
0018fc4c 10462f60 0018fc88 cccccccc 00a2e960 chrome_child!content::ContentMainRunnerImpl::Run+0x1f1 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\content\app\content_main_runner.cc @ 789]
0018fc7c 101f4e47 0018fca0 0018fdfc 0018fcec chrome_child!content::ContentMain+0x90 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\content\app\content_main.cc @ 19]
0018fcdc 0041ed9b 00400000 0018fd54 0018ff20 chrome_child!ChromeMain+0x87 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\workspace\src\chrome\app\chrome_main.cc @ 66]
0018fdfc 0041ab9d 00400000 006602f0 006602f0 chrome!MainDllLoader::Launch+0x39b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\workspace\src\chrome\app\client_util.cc @ 219]
0018ff20 006601b8 00400000 00000000 00991c4c chrome!wWinMain+0x10d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\workspace\src\chrome\app\chrome_exe_main_win.cc @ 157]
0018ff78 006602fd 0018ff94 767d7c04 fffde000 chrome!__tmainCRTStartup+0x128 (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 251]
0018ff80 767d7c04 fffde000 767d7be0 00aa6c1f chrome!wWinMainCRTStartup+0xd (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 165]
0018ff94 778ab90f fffde000 01b37193 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo])
0018ffdc 778ab8da ffffffff 77890700 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH])
0018ffec 00000000 006602f0 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
1:038> lmvm chrome_child
start    end        module name
10000000 2532a000   chrome_child C (private pdb symbols)  C:\workspace\src\out\Debug\chrome_child.dll.pdb
    Loaded symbol image file: C:\workspace\src\out\Debug\chrome_child.dll
    Image path: C:\workspace\src\out\Debug\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Tue Jan 06 14:30:01 2015 (54AC45C9)
    CheckSum:         00000000
    ImageSize:        1532A000
    File version:     41.0.2268.0
    Product version:  41.0.2268.0
    File flags:       1 (Mask 17) Debug
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      The Chromium Authors
    ProductName:      Chromium
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   41.0.2268.0
    FileVersion:      41.0.2268.0
    FileDescription:  Chromium
    LegalCopyright:   Copyright 2014 The Chromium Authors. All rights reserved.
1:038> vertarget
Windows 8 Version 9200 MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17415 (winblue_r4.141028-1500)
Machine Name:
Debug session time: Wed Jan  7 19:05:01.631 2015 (UTC - 6:00)
System Uptime: 0 days 1:09:12.858
Process Uptime: 0 days 0:04:18.411
  Kernel time: 0 days 0:00:00.171
  User time: 0 days 0:00:01.562


====================
On chrome official builds:
ModLoad: 6a9f0000 6a9ff000   C:\Windows\SysWOW64\mssprxy.dll
(f14.224): Break instruction exception - code 80000003 (first chance)
eax=feeb8000 ebx=00000000 ecx=77901610 edx=77901610 esi=77901610 edi=77901610
eip=77877480 esp=098efef0 ebp=098eff1c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
77877480 cc              int     3
0:032> .childdbg 1
Processes created by the current process will be debugged
0:032> g
Application "\??\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" found in cache
ModLoad: 09a00000 09ad7000   chrome.exe
Symbol search path is: SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols;SRV*c:\symbols\*http://symbols.mozilla.org/firefox*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is: 
ModLoad: 00d30000 00e07000   chrome.exe
ModLoad: 77850000 779be000   ntdll.dll
ModLoad: 767c0000 76900000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 77310000 773e7000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 728c0000 72960000   C:\Windows\SysWOW64\apphelp.dll
SHIMVIEW: ShimInfo(Complete)
ModLoad: 72650000 728b5000   C:\Windows\AppPatch\AcGenral.DLL
ModLoad: 75310000 753d3000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 76d00000 76d41000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75050000 7506e000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 76d80000 76dc5000   C:\Windows\SysWOW64\SHLWAPI.dll
ModLoad: 72560000 7264d000   C:\Windows\SysWOW64\UxTheme.dll
ModLoad: 769d0000 76b23000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 773f0000 774fe000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 72530000 72553000   C:\Windows\SysWOW64\WINMM.dll
ModLoad: 72510000 72523000   C:\Windows\SysWOW64\samcli.dll
ModLoad: 751e0000 75308000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 76b30000 76bc5000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 724f0000 72507000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 724e0000 724e8000   C:\Windows\SysWOW64\VERSION.dll
ModLoad: 75480000 7672d000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 724c0000 724db000   C:\Windows\SysWOW64\USERENV.dll
ModLoad: 724a0000 724ba000   C:\Windows\SysWOW64\dwmapi.dll
ModLoad: 72350000 7249a000   C:\Windows\SysWOW64\urlmon.dll
ModLoad: 77270000 772ec000   C:\Windows\SysWOW64\ADVAPI32.dll
ModLoad: 722e0000 72345000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 722c0000 722d6000   C:\Windows\SysWOW64\MPR.dll
ModLoad: 77500000 775ba000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 75040000 7504a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 770a0000 7721d000   C:\Windows\SysWOW64\combase.dll
ModLoad: 72290000 722b3000   C:\Windows\SysWOW64\WINMMBASE.dll
ModLoad: 72280000 7228f000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 72040000 72272000   C:\Windows\SysWOW64\iertutil.dll
ModLoad: 71e60000 72036000   C:\Windows\SysWOW64\WININET.dll
ModLoad: 74fe0000 75034000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 753e0000 7541c000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 72960000 72981000   C:\Windows\SysWOW64\DEVOBJ.dll
ModLoad: 71dd0000 71e5b000   C:\Windows\SysWOW64\SHCORE.DLL
ModLoad: 76d50000 76d77000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 76bd0000 76ce3000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 71da0000 71dc6000   C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_elf.dll
ModLoad: 71d90000 71d9f000   C:\Windows\SysWOW64\WTSAPI32.dll
(be8.524): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=dc1b0000 edx=00000000 esi=fe208000 edi=00000000
eip=7790415d esp=00f8f948 ebp=00f8f974 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
7790415d cc              int     3
1:032> g
ModLoad: 6d430000 6f519000   C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_child.dll
ModLoad: 769c0000 769c6000   C:\Windows\SysWOW64\PSAPI.DLL
ModLoad: 76e30000 76ecb000   C:\Windows\SysWOW64\COMDLG32.dll
ModLoad: 76f10000 77098000   C:\Windows\SysWOW64\CRYPT32.dll
ModLoad: 6f750000 6f770000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 77220000 77270000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 71d70000 71d86000   C:\Windows\SysWOW64\USP10.dll
ModLoad: 71cf0000 71cfa000   C:\Windows\SysWOW64\Secur32.dll
ModLoad: 71ae0000 71ce6000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1\COMCTL32.dll
ModLoad: 76920000 7692e000   C:\Windows\SysWOW64\MSASN1.dll
ModLoad: 76900000 76907000   C:\Windows\SysWOW64\NSI.dll
ModLoad: 6f740000 6f748000   C:\Windows\SysWOW64\WINNSI.DLL
ModLoad: 6c510000 6c692000   C:\Windows\SysWOW64\dwrite.dll
ModLoad: 6bc60000 6c501000   C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll
ModLoad: 6b9f0000 6bc53000   C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libpeerconnection.dll
ModLoad: 6b710000 6b9e3000   C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ffmpegsumo.dll
(be8.524): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_child.dll - 
eax=00000000 ebx=00000000 ecx=feeefeee edx=170c55c1 esi=40321828 edi=00f8f2e4
eip=6e42d24b esp=00f8f238 ebp=00f8f24c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!ovly_debug_event+0xfe7e7d:
6e42d24b 8b11            mov     edx,dword ptr [ecx]  ds:002b:feeefeee=????????
1:032> ub .
chrome_child!ovly_debug_event+0xfe7e63:
6e42d231 8d4e58          lea     ecx,[esi+58h]
6e42d234 e830ffffff      call    chrome_child!ovly_debug_event+0xfe7d9b (6e42d169)
6e42d239 8b4650          mov     eax,dword ptr [esi+50h]
6e42d23c ff764c          push    dword ptr [esi+4Ch]
6e42d23f 8b4804          mov     ecx,dword ptr [eax+4]
6e42d242 0fb64649        movzx   eax,byte ptr [esi+49h]
6e42d246 50              push    eax
6e42d247 0fb64648        movzx   eax,byte ptr [esi+48h]
1:032> u .
chrome_child!ovly_debug_event+0xfe7e7d:
6e42d24b 8b11            mov     edx,dword ptr [ecx]
6e42d24d 50              push    eax
6e42d24e 8d4644          lea     eax,[esi+44h]
6e42d251 50              push    eax
6e42d252 ff7640          push    dword ptr [esi+40h]
6e42d255 56              push    esi
6e42d256 ff12            call    dword ptr [edx]
6e42d258 c6465501        mov     byte ptr [esi+55h],1

1:032> lmvm chrome_child
start    end        module name
6d430000 6f519000   chrome_child   (export symbols)       C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_child.dll
    Loaded symbol image file: C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_child.dll
    Image path: C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Fri Dec 05 17:45:54 2014 (548243B2)
    CheckSum:         02078C2A
    ImageSize:        020E9000
    File version:     39.0.2171.95
    Product version:  39.0.2171.95
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   39.0.2171.95
    FileVersion:      39.0.2171.95
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2012 Google Inc. All rights reserved.
1:032> lmvm chrome.dll
start    end        module name
1:032> vertarget
Windows 8 Version 9200 MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17415 (winblue_r4.141028-1500)
Machine Name:
Debug session time: Wed Jan  7 19:14:42.371 2015 (UTC - 6:00)
System Uptime: 0 days 1:18:53.598
Process Uptime: 0 days 0:02:02.064
  Kernel time: 0 days 0:00:00.046
  User time: 0 days 0:00:00.859


This looks to be a freed blink::SpeechRecognitionClient object
from the following disassembly:
1269748E  call        WTF::OwnPtr<blink::SpeechRecognitionClient>::operator-> (12696340h)  
12697493  mov         dword ptr [ebp-8],eax //stored here 
12697496  mov         esi,esp  
12697498  mov         eax,dword ptr [audioTrack]  
1269749B  push        eax  
1269749C  mov         ecx,dword ptr [maxAlternatives]  
1269749F  push        ecx  
126974A0  movzx       edx,byte ptr [interimResults]  
126974A4  push        edx  
126974A5  movzx       eax,byte ptr [continuous]  
126974A9  push        eax  
126974AA  mov         ecx,dword ptr [lang]  
126974AD  push        ecx  
126974AE  mov         edx,dword ptr [grammars]  
126974B1  push        edx  
126974B2  mov         eax,dword ptr [recognition]  
126974B5  push        eax  
126974B6  mov         ecx,dword ptr [ebp-8] // ECX set 
126974B9  mov         edx,dword ptr [ecx]  // deref ECX to EDX 
126974BB  mov         ecx,dword ptr [ebp-8]  
126974BE  mov         eax,dword ptr [edx] // deref EDX to EAX 
126974C0  call        eax // call to EAX 

```

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   SkyLined working with HP's Zero Day Initiative
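The ownership chain the report describes, as an added example that is not Chromium or Blink code: the frame owns the SpeechRecognitionController as a supplement, the controller owns the SpeechRecognitionClient, and a script-reachable SpeechRecognition object keeps a raw pointer into that chain, so calling start() after the owning window has closed loads m_client from a freed controller. The type names, the poisoning of detached storage and the check in the "fixed" class are assumptions made for this illustration (the poison value 0xFEEEFEEE is the Windows debug-heap fill for freed blocks, which is what ecx holds at the fault in both crash dumps); the real fix in r190993 is not reproduced here. The program never dereferences the freed object: it reads the word back with memcpy from storage it still owns, so it runs without undefined behaviour.

```cpp
// Added example, not Blink code: the ownership chain from the report, with a
// detached frame's storage poisoned as the Windows debug heap poisons freed
// blocks (0xFEEEFEEE). The freed object is only read back with memcpy, never dereferenced.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <new>
#include <string>
#include <vector>

// Debug-heap fill pattern for freed blocks: the ecx value at the faulting
// "mov edx,[ecx]" in both crash dumps above.
constexpr std::uint32_t kFreedPattern = 0xFEEEFEEE;

// Hypothetical stand-ins for the Blink types (names chosen for this example).
struct SpeechRecognitionClient {
    int startCalls = 0;
    void start(const std::string& /*lang*/) { ++startCalls; }
};
struct SpeechRecognitionController {
    SpeechRecognitionClient* m_client;  // first field, like OwnPtr<...> m_client
    explicit SpeechRecognitionController(SpeechRecognitionClient* c) : m_client(c) {}
    void start(const std::string& lang) { m_client->start(lang); }
};

// The controller is a supplement of the frame and dies with it. detach() models
// the window being closed: the supplement is destroyed and its storage poisoned.
class LocalFrame {
public:
    LocalFrame() : storage_(sizeof(SpeechRecognitionController)) {
        controller_ = new (storage_.data()) SpeechRecognitionController(&client_);
    }
    ~LocalFrame() { detach(); }
    void detach() {
        if (!controller_) return;
        controller_->~SpeechRecognitionController();
        controller_ = nullptr;
        for (std::size_t i = 0; i + sizeof kFreedPattern <= storage_.size(); i += sizeof kFreedPattern)
            std::memcpy(&storage_[i], &kFreedPattern, sizeof kFreedPattern);
    }
    SpeechRecognitionController* controller() { return controller_; }
    std::uint32_t peekClientPointerWord() const {  // what a debugger reads where m_client was
        std::uint32_t w; std::memcpy(&w, storage_.data(), sizeof w); return w;
    }
private:
    SpeechRecognitionClient client_;
    std::vector<unsigned char> storage_;
    SpeechRecognitionController* controller_;
};

// Before: the script-visible object caches a raw controller pointer. Script keeps it
// alive after its window closes; start() then loads m_client from the freed controller.
class SpeechRecognitionBuggy {
public:
    explicit SpeechRecognitionBuggy(LocalFrame& f) : controller_(f.controller()) {}
    void start(const std::string& lang) { controller_->start(lang); }  // UAF once detached
private:
    SpeechRecognitionController* controller_;
};

// After (an assumed shape of a fix, not r190993): hold the frame weakly, look
// the controller up on each call, and refuse once the frame is detached or gone.
class SpeechRecognitionFixed {
public:
    explicit SpeechRecognitionFixed(const std::shared_ptr<LocalFrame>& f) : frame_(f) {}
    bool start(const std::string& lang) {
        std::shared_ptr<LocalFrame> frame = frame_.lock();
        if (!frame || !frame->controller()) return false;  // detached: no dereference
        frame->controller()->start(lang);
        return true;
    }
private:
    std::weak_ptr<LocalFrame> frame_;
};

// The report's sequence with the buggy object: start() while open, close the
// window, start() again. Returns the word the second start() would load as m_client.
std::uint32_t clientPointerAfterWindowClosed() {
    LocalFrame frame;
    SpeechRecognitionBuggy rec(frame);
    rec.start("en-US");  // controller alive: fine
    frame.detach();      // window closed: controller destroyed and poisoned
    // rec.start("en-US") here is the crash: ecx = 0xFEEEFEEE, then "mov edx,[ecx]".
    return frame.peekClientPointerWord();
}

// Same sequence with the fixed object, then the frame itself going away.
// Returns the number of refused start() calls (2), or -1 if the attached call did not run.
int fixedRefusalsInReportSequence() {
    auto frame = std::make_shared<LocalFrame>();
    SpeechRecognitionFixed rec(frame);
    if (!rec.start("en-US")) return -1;  // attached: runs
    frame->detach();
    int refused = !rec.start("en-US");   // window closed: refused
    frame.reset();                       // frame destroyed
    refused += !rec.start("en-US");      // gone: refused
    return refused;
}

int main() {
    std::printf("m_client word in freed controller: 0x%08X, fixed refusals: %d\n",
                static_cast<unsigned>(clientPointerAfterWindowClosed()), fixedRefusalsInReportSequence());
    return 0;
}
```

The check in the fixed class is the general shape of the defence: anything reachable from script must re-validate the frame it was created in before touching frame-owned state, because script can outlive the window (comment 8 notes the PoC used a window rather than an iframe). Seeing 0xFEEEFEEE in a register at the fault is the quick tell that the object being read, not merely its target, has already been freed.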
 
Cc: mlamouri@chromium.org
Mergedinto: 449739
Status: Duplicate
Interesting, so this implies that the SpeechRecognitionController was freed as well. I reproed this on the older versions you mentioned with the attached file, but I believe this has already been fixed on the latest stable (https://codereview.chromium.org/899853002). Going to mark this as a dupe for now, but please let me know if it's still triggerable on the latest stable.

Also CCing mlamouri@ as a heads up in case the test case is useful for testing.
Attachment: speech.html (456 bytes)
Cc: rickyz@chromium.org
rickyz@ - is this actually a dupe? This report seems to hit on the current stable release (branch 2214), though by my reading Issue 449739 was only merged to branch 2271 / M41 beta.

So as I understand it, either this report isn't a dupe of an existing issue OR issue 449739 is incorrectly tagged and actually affects stable.

Can you clarify or should I chase with mlamouri@?
Comment 3 by rickyz@chromium.org, Feb 10 2015
Labels: -Pri-2 -OS-Windows Pri-1 OS-All Security_Impact-Stable Security_Severity-High M-40
Mergedinto:
Status: Available
From talking with timwillis@, it sounds like this ZDI is still able to reproduce this on stable. Reopening this, and will analyze further once we get their PoC.
Project Member Comment 4 by clusterf...@chromium.org, Feb 11 2015
Labels: Cr-Blink-Speech Owner-Triage
Owner: tommyw@chromium.org
Status: Assigned
tommyw@: Can you please take a look or find someone else to own it.

- Your friendly ClusterFuzz
Comment 5 by jsc...@chromium.org, Feb 11 2015
Cc: tommyw@chromium.org
Owner: ----
Status: Unconfirmed
CF got aggressive on a bad label. There's nothing to do until we get a PoC uploaded.
Labels: ZDI-CAN-2707
PoC attached for ZDI-CAN-2707. If you're asked for a password, it's 2707.
Attachment: ZDI-CAN-2707.zip (357 bytes)
Comment 7 by rickyz@chromium.org, Feb 11 2015
Correction in case anybody else hits this: the password is ZDI-CAN-2707
Comment 8 by rickyz@chromium.org, Feb 11 2015
Looks like the difference from mine is that they used a window instead of an iframe. Does this mean that a Page object cannot be guaranteed to remain alive after the user has run javascript?

I wish these lifetime issues were documented a little more clearly somewhere - I guess it's best to always be very paranoid about pointers whenever any user code is run.
Labels: -Owner-Triage
Owner: mlamouri@chromium.org
Status: Assigned
mlamouri@, please take a look or help with an owner. Repro in c#6.
Project Member Comment 10 by clusterf...@chromium.org, Feb 20 2015
Labels: -M-40 M-41
Project Member Comment 11 by clusterf...@chromium.org, Feb 26 2015
Labels: Nag
mlamouri@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Owner: sigbjo...@opera.com
Sorry for the delay. I got a couple of bugs filed on a change that I made and reverted. I thought that one was one of them and during the M42 branch point crunch, I did not pay more attention to it.

Unfortunately, given that I reverted my change, it is very unlikely to be a regression from it. I do not own that code so I'm probably not the best owner for this bug.

I re-assigned the bug to sigbjornf@ because he is the person with the most recent changes in the module. He might not be the right person but that's my best guess.
Status: Started
Project Member Comment 14 by bugdroid1@chromium.org, Feb 27 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=190993

------------------------------------------------------------------
r190993 | sigbjornf@opera.com | 2015-02-27T12:41:47.597164Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/speech/SpeechRecognition.cpp?r1=190993&r2=190992&pathrev=190993
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash-expected.txt?r1=190993&r2=190992&pathrev=190993
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/speech/SpeechRecognition.h?r1=190993&r2=190992&pathrev=190993
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash.html?r1=190993&r2=190992&pathrev=190993

Detach SpeechRecognitionController upon page detach.

When a page is notified destroyed, it is no longer safe to access
the page's SpeechRecognitionController as its lifetime is that of
the page.

R=haraken
BUG= 455857 

Review URL: https://codereview.chromium.org/960223002
-----------------------------------------------------------------
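The lifetime problem rickyz@ raises in comment 8 and the fix described in the r190993 commit message, modelled as an added example (this is not Blink's code; the class and member names are simplified stand-ins): a Page owns its SpeechRecognitionController, the script-visible SpeechRecognition holds a pointer to it, and because script can keep the SpeechRecognition alive after the page is gone, the object is told about page detach and drops the pointer instead of dereferencing freed memory.

```cpp
// Added example, not Blink's code: a model of the lifetime bug fixed in r190993.
// A Page owns its SpeechRecognitionController and a script-visible
// SpeechRecognition keeps a pointer to it; script can outlive the page, so the
// object must be told when the page detaches and stop using the pointer.
#include <functional>
#include <memory>
#include <vector>
struct SpeechRecognitionController {
    int startCalls = 0;
    void start() { ++startCalls; }
};
class Page {
public:
    Page() : m_controller(std::make_unique<SpeechRecognitionController>()) {}
    SpeechRecognitionController* controller() { return m_controller.get(); }
    void onDetach(std::function<void()> cb) { m_detachCallbacks.push_back(cb); }
    // Window closed: run the detach notifications, then free the controller.
    // Before the fix nothing was notified, so SpeechRecognition kept a
    // dangling pointer to the freed controller.
    void detach() {
        for (auto& cb : m_detachCallbacks) cb();
        m_detachCallbacks.clear();
        m_controller.reset();
    }
private:
    std::unique_ptr<SpeechRecognitionController> m_controller;
    std::vector<std::function<void()>> m_detachCallbacks;
};
class SpeechRecognition {
public:
    explicit SpeechRecognition(Page& page) : m_controller(page.controller()) {
        page.onDetach([this] { m_controller = nullptr; });  // the fix
    }
    bool start() {  // null check instead of a use-after-free
        if (!m_controller) return false;
        m_controller->start();
        return true;
    }
private:
    SpeechRecognitionController* m_controller;
};
// Report scenario: script keeps the object, the page is detached and its
// controller freed, script calls start() again. True when the second call
// is a safe no-op rather than a dereference of freed memory.
bool detachedStartIsSafe() {
    auto page = std::make_unique<Page>();
    SpeechRecognition recognition(*page);
    bool before = recognition.start();
    page->detach();
    return before && !recognition.start();
}
```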
Status: Fixed
Thank you so much for working on that sigbjornf! :)
Project Member Comment 17 by clusterf...@chromium.org, Feb 27 2015
Labels: -Restrict-View-SecurityTeam M-42 Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -Merge-Triage Merge-Requested
Merge requested to M42 (branch 2311)
Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M41), manual review required.
Labels: Merge-Approved Hotlist-Merge-Approved
Approved for M42 (branch: 2311)
Labels: reward-ineligible
Project Member Comment 22 by bugdroid1@chromium.org, Mar 6 2015
Labels: -Merge-Approved merge-merged-2311
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=191416

------------------------------------------------------------------
r191416 | sigbjornf@opera.com | 2015-03-06T07:20:15.682588Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/2311/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash.html?r1=191416&r2=191415&pathrev=191416
   M http://src.chromium.org/viewvc/blink/branches/chromium/2311/Source/modules/speech/SpeechRecognition.cpp?r1=191416&r2=191415&pathrev=191416
   A http://src.chromium.org/viewvc/blink/branches/chromium/2311/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash-expected.txt?r1=191416&r2=191415&pathrev=191416
   M http://src.chromium.org/viewvc/blink/branches/chromium/2311/Source/modules/speech/SpeechRecognition.h?r1=191416&r2=191415&pathrev=191416

Merge 190993 "Detach SpeechRecognitionController upon page detach."

> Detach SpeechRecognitionController upon page detach.
> 
> When a page is notified destroyed, it is no longer safe to access
> the page's SpeechRecognitionController as its lifetime is that of
> the page.
> 
> R=haraken
> BUG= 455857 
> 
> Review URL: https://codereview.chromium.org/960223002

TBR=sigbjornf@opera.com

Review URL: https://codereview.chromium.org/989473002
-----------------------------------------------------------------
Labels: -Merge-Review -Hotlist-Merge-Review Merge-Approved
Approved for M41 branch 2272.
Not a clean merge, will take a while.
Project Member Comment 25 by bugdroid1@chromium.org, Mar 11 2015
Labels: -Merge-Approved merge-merged-2272
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=191727

------------------------------------------------------------------
r191727 | sigbjornf@opera.com | 2015-03-11T19:24:10.638598Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/2272/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash-expected.txt?r1=191727&r2=191726&pathrev=191727
   M http://src.chromium.org/viewvc/blink/branches/chromium/2272/Source/modules/speech/SpeechRecognition.h?r1=191727&r2=191726&pathrev=191727
   A http://src.chromium.org/viewvc/blink/branches/chromium/2272/LayoutTests/fast/speech/scripted/speechrecognition-detached-no-crash.html?r1=191727&r2=191726&pathrev=191727
   M http://src.chromium.org/viewvc/blink/branches/chromium/2272/Source/modules/speech/SpeechRecognition.cpp?r1=191727&r2=191726&pathrev=191727

Merge 190993 "Detach SpeechRecognitionController upon page detach."

> Detach SpeechRecognitionController upon page detach.
> 
> When a page is notified destroyed, it is no longer safe to access
> the page's SpeechRecognitionController as its lifetime is that of
> the page.
> 
> R=haraken
> BUG= 455857 
> 
> Review URL: https://codereview.chromium.org/960223002

TBR=sigbjornf@opera.com

Review URL: https://codereview.chromium.org/1002453004
-----------------------------------------------------------------
Labels: Release-1-M41
Labels: CVE-2015-1251
Project Member Comment 28 by clusterf...@chromium.org, Jun 5 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic