New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 551044 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: AppCacheUpdateJob accesses map::end()

Reported by gzo...@gmail.com, Nov 3 2015

Issue description

AppCacheHost destructor notifies any pending cache update jobs by calling AppCacheUpdateJob::OnDestructionImminent(), which does:

content/browser/appcache/appcache_update_job.cc:1104:
  PendingMasters::iterator found =
      pending_master_entries_.find(host->pending_master_entry_url());
  DCHECK(found != pending_master_entries_.end());
  PendingHosts& hosts = found->second;

It doesn't expect the new_master_entry_url_ of the host to change since job creation. This url can change with a compromised renderer though, and a browser crash occurs. The renderer can send AppCacheHostMsg_MarkAsForeignEntry, which reaches AppCacheHost::FinishCacheSelection():

content/browser/appcache/appcache_host.cc:428:
  new_master_entry_url_ = GURL();

As a fix, MarkAsForeignEntry should probably be disallowed after cache has been selected.

Chrome Version: 48.0.2547.0 dev
Operating System: all

REPRODUCTION CASE
- Unpack appcache_poc.tar.gz
- Apply poc.patch and do a release build
- Run ./webserver and navigate to http://localhost:8000
 
crash.txt
6.4 KB View Download
fix.patch
1.4 KB Download
appcache_poc.tar.gz
1.3 KB Download

Comment 1 by aarya@google.com, Nov 4 2015

Labels: Pri-1 Security_Impact-Stable Security_Severity-High OS-All Cr-Blink-Storage-AppCache
Owner: michaeln@chromium.org
Status: Assigned
gzobqq@, can you please upload patch via codereview and get it reviewed by Michael. We will definitely make sure that this patch goes under reward consideration.
Project Member

Comment 2 by ClusterFuzz, Nov 4 2015

Labels: M-46
Status: Fixed
Project Member

Comment 6 by ClusterFuzz, Nov 10 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -M-46 -Merge-Triage Merge-Request-47
Cc: timwillis@chromium.org

Comment 9 by tin...@google.com, Nov 23 2015

Labels: -Merge-Request-47 Merge-Review-47 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M47, manual review required.
Labels: -Merge-Review-47 -Hotlist-Merge-Review Merge-Approved-47 Hotlist-Merge-Approved
Merge Approved for M47 (branch 2526)
Labels: reward-topanel
Labels: Release-0-M47
Labels: -reward-topanel reward-unpaid reward-11337 CVE-2015-6766
What's better than $10k? $10k + $1.337k for a total of $11,337.00 :)
Cc: scvitti@google.com
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Project Member

Comment 18 by ClusterFuzz, Feb 17 2016

Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly ClusterFuzz
Project Member

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Sign in to add a comment