New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 551044 link

Starred by 1 user

Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Nov 2015
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Sign in to add a comment

Security: AppCacheUpdateJob accesses map::end()

Reported by, Nov 3 2015

Issue description

AppCacheHost destructor notifies any pending cache update jobs by calling AppCacheUpdateJob::OnDestructionImminent(), which does:

  PendingMasters::iterator found =
  DCHECK(found != pending_master_entries_.end());
  PendingHosts& hosts = found->second;

It doesn't expect the new_master_entry_url_ of the host to change since job creation. This url can change with a compromised renderer though, and a browser crash occurs. The renderer can send AppCacheHostMsg_MarkAsForeignEntry, which reaches AppCacheHost::FinishCacheSelection():

  new_master_entry_url_ = GURL();

As a fix, MarkAsForeignEntry should probably be disallowed after cache has been selected.

Chrome Version: 48.0.2547.0 dev
Operating System: all

- Unpack appcache_poc.tar.gz
- Apply poc.patch and do a release build
- Run ./webserver and navigate to http://localhost:8000
6.4 KB View Download
1.4 KB Download
1.3 KB Download

Comment 1 by, Nov 4 2015

Labels: Pri-1 Security_Impact-Stable Security_Severity-High OS-All Cr-Blink-Storage-AppCache
Status: Assigned
gzobqq@, can you please upload patch via codereview and get it reviewed by Michael. We will definitely make sure that this patch goes under reward consideration.
Project Member

Comment 2 by ClusterFuzz, Nov 4 2015

Labels: M-46
Status: Fixed
Project Member

Comment 6 by ClusterFuzz, Nov 10 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -M-46 -Merge-Triage Merge-Request-47

Comment 9 by, Nov 23 2015

Labels: -Merge-Request-47 Merge-Review-47 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M47, manual review required.
Labels: -Merge-Review-47 -Hotlist-Merge-Review Merge-Approved-47 Hotlist-Merge-Approved
Merge Approved for M47 (branch 2526)
Labels: reward-topanel
Labels: Release-0-M47
Labels: -reward-topanel reward-unpaid reward-11337 CVE-2015-6766
What's better than $10k? $10k + $1.337k for a total of $11,337.00 :)
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Project Member

Comment 18 by ClusterFuzz, Feb 17 2016

Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly ClusterFuzz
Project Member

Comment 19 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 20 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Sign in to add a comment