Security: blink::LayoutObject UAF
Reported by loves...@gmail.com, Mar 2 2016
Issue description
This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.
Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
VULNERABILITY DETAILS
(e08.dd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=06322370 ecx=20f2c003 edx=04691484 esi=20f2c003 edi=00000000
eip=5fc02916 esp=002bedc4 ebp=002bedd0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
chrome_child!blink::LayoutObject::container+0x12:
5fc02916 8b461c mov eax,dword ptr [esi+1Ch] ds:0023:20f2c01f=????????
3:031> u
chrome_child!blink::LayoutObject::container+0x12 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 2584]:
5fc02916 8b461c mov eax,dword ptr [esi+1Ch]
5fc02919 8b5e10 mov ebx,dword ptr [esi+10h]
5fc0291c c1e80f shr eax,0Fh
5fc0291f a801 test al,1
5fc02921 0f85c7000000 jne chrome_child!blink::LayoutObject::container+0xea (5fc029ee)
5fc02927 8b06 mov eax,dword ptr [esi]
5fc02929 6a30 push 30h
5fc0292b 8b8064010000 mov eax,dword ptr [eax+164h]
3:031> u
chrome_child!blink::LayoutObject::container+0x2d [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 2584]:
5fc02931 ffd0 call eax //control EIP here
5fc02933 84c0 test al,al
5fc02935 7416 je chrome_child!blink::LayoutObject::container+0x49 (5fc0294d)
5fc02937 8b06 mov eax,dword ptr [esi]
5fc02939 8bce mov ecx,esi
5fc0293b 6a31 push 31h
5fc0293d 8b8064010000 mov eax,dword ptr [eax+164h]
5fc02943 ffd0 call eax
3:031> k
ChildEBP RetAddr
002bedd0 5fc58d62 chrome_child!blink::LayoutObject::container+0x12 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 2584]
002bee34 5fc55bf6 chrome_child!blink::FrameView::performLayout+0x173 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 872]
002bef30 5ff86b76 chrome_child!blink::FrameView::layout+0x684 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 1044]
002bef48 5ff8c618 chrome_child!blink::Document::updateLayout+0xa5 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 1946]
002bef58 5ff8c5d0 chrome_child!blink::Element::hasNonEmptyLayoutSize+0x1e [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\element.cpp @ 966]
002bef6c 5ff8e542 chrome_child!autofill::form_util::IsWebNodeVisible+0x26 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1312]
002bef80 5ff8e51b chrome_child!autofill::form_util::IsSomeControlElementVisible+0x15 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1236]
002bef9c 5fd9e0f4 chrome_child!autofill::form_util::AreFormContentsVisible+0x26 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1245]
002bf174 5fda3c19 chrome_child!autofill::PasswordAutofillAgent::SendPasswordForms+0x1de [c:\b\build\slave\win\build\src\components\autofill\content\renderer\password_autofill_agent.cc @ 1008]
002bf17c 5fda32fb chrome_child!autofill::PasswordAutofillAgent::DidFinishLoad+0x7 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\password_autofill_agent.cc @ 1102]
002bf28c 5fd32d40 chrome_child!content::RenderFrameImpl::didFinishLoad+0x187 [c:\b\build\slave\win\build\src\content\renderer\render_frame_impl.cc @ 3494]
002bf298 5fd2866d chrome_child!blink::WebLocalFrameImpl::didFinish+0x2c [c:\b\build\slave\win\build\src\third_party\webkit\source\web\weblocalframeimpl.cpp @ 1794]
002bf2b0 5fbf9399 chrome_child!blink::FrameLoader::checkCompleted+0x151 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 599]
002bf2b8 5fbf8f78 chrome_child!blink::FrameLoader::finishedParsing+0x85 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 500]
002bf310 5fbf8e68 chrome_child!blink::Document::finishedParsing+0x103 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 4812]
002bf320 5fbeef6e chrome_child!blink::HTMLDocumentParser::end+0x4a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 899]
002bf338 5fd441e5 chrome_child!blink::HTMLDocumentParser::prepareToStopParsing+0xf5 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 285]
002bf3f4 5fd43c83 chrome_child!blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser+0x2c7 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 510]
002bf4f4 5fd25868 chrome_child!blink::HTMLDocumentParser::pumpPendingSpeculations+0x261 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 587]
002bf50c 5fd25808 chrome_child!WTF::PartBoundFunctionImpl<std::tuple<blink::WeakPersistentThisPointer<blink::ScriptRunner> &&>,WTF::FunctionWrapper<void (__thiscall blink::ScriptRunner::*)(void)> >::callInternal<0>+0x5f [c:\b\build\slave\win\build\src\third_party\webkit\source\wtf\functional.h @ 225]
002bf514 5fd1df93 chrome_child!WTF::PartBoundFunctionImpl<std::tuple<blink::WeakPersistentThisPointer<blink::ScriptRunner> &&>,WTF::FunctionWrapper<void (__thiscall blink::ScriptRunner::*)(void)> >::operator()+0x6 [c:\b\build\slave\win\build\src\third_party\webkit\source\wtf\functional.h @ 218]
002bf520 5fd1df7d chrome_child!scheduler::WebTaskRunnerImpl::runTask+0x10 [c:\b\build\slave\win\build\src\components\scheduler\child\web_task_runner_impl.cc @ 69]
002bf534 5fafb7da chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> >,void __cdecl(void)>::Run+0x21 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
002bf590 5fb9f158 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
002bf63c 5fb9e3fb chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1d3 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 292]
002bf768 5fb9e2d0 chrome_child!scheduler::TaskQueueManager::DoWork+0x122 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 200]
002bf77c 5fb9e28f chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall content::WebFileWriterBase::*)(__int64,bool)> >::MakeItSo<base::WeakPtr<content::WebFileWriterImpl>,__int64 const &,bool const &>+0x39 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 314]
002bf7a4 5fafb7da chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run+0x2e [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
002bf800 5fafb5e0 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
002bf86c 5fafb3d3 chrome_child!base::MessageLoop::RunTask+0x185 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 478]
002bf9a8 5fafd46d chrome_child!base::MessageLoop::DoWork+0x49c [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 598]
002bf9d4 5fafad5d chrome_child!base::MessagePumpDefault::Run+0xc6 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc @ 34]
002bfa00 5fafac9d chrome_child!base::RunLoop::Run+0x4a [c:\b\build\slave\win\build\src\base\run_loop.cc @ 36]
002bfa2c 5fb4d96c chrome_child!base::MessageLoop::Run+0x23 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 294]
002bfbc4 5faf23f4 chrome_child!content::RendererMain+0x32c [c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc @ 220]
002bfbd8 5faf2370 chrome_child!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 395]
002bfc24 5fad7d9e chrome_child!content::ContentMainRunnerImpl::Run+0x5f [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 764]
002bfc38 5fad7a7a chrome_child!content::ContentMain+0x28 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
002bfc7c 000682cc chrome_child!ChromeMain+0x61 [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 87]
002bfd14 0006796a chrome!MainDllLoader::Launch+0x1d7 [c:\b\build\slave\win\build\src\chrome\app\main_dll_loader_win.cc @ 184]
002bfe4c 00096e6a chrome!wWinMain+0x163 [c:\b\build\slave\win\build\src\chrome\app\chrome_exe_main_win.cc @ 231]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
002bfe98 762bee1c chrome!__tmainCRTStartup+0xfd [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 251]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
002bfea4 775f3a03 kernel32!BaseThreadInitThunk+0x12
002bfee4 775f39d6 ntdll!RtlInitializeExceptionChain+0xef
002bfefc 00000000 ntdll!RtlInitializeExceptionChain+0xc2
3:031> lmvm chrome_child
start end module name
5fad0000 626f8000 chrome_child (private pdb symbols) c:\chrome_symbols\chrome_child.dll.pdb\EEB27A359A2C41E6B2295AB5714C0B461\chrome_child.dll.pdb
Loaded symbol image file: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\51.0.2663.0\chrome_child.dll
Image path: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\51.0.2663.0\chrome_child.dll
Image name: chrome_child.dll
Timestamp: Mon Feb 29 13:46:03 2016 (56D3DB1B)
CheckSum: 02ACB703
ImageSize: 02C28000
File version: 51.0.2663.0
Product version: 51.0.2663.0
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_dll
OriginalFilename: chrome.dll
ProductVersion: 51.0.2663.0
FileVersion: 51.0.2663.0
FileDescription: Google Chrome
LegalCopyright: Copyright 2015 Google Inc. All rights reserved.
VERSION
Chrome Version: [50.0.2657.0 dev-m] + [51.0.2663.0 canary]
Operating System: [Please indicate OS, version, and service pack level]
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
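The WinDbg output in this report can be triaged mechanically. The following is an added example (not from the report or from Chromium) that parses a constructed subset of the register line, the faulting instruction and the `k` frames quoted above, confirms which register held the pointer the faulting `mov` dereferenced (base + displacement must equal the effective address WinDbg printed), and finds the first caller outside the `blink` namespace, i.e. the component that drove the layout access.

```python
import re
# Constructed input for this example: the register line, the faulting instruction
# and a handful of frames copied from the WinDbg output in the report above.
SAMPLE_DUMP = r"""eax=00000000 ebx=06322370 ecx=20f2c003 edx=04691484 esi=20f2c003 edi=00000000
5fc02916 8b461c mov eax,dword ptr [esi+1Ch] ds:0023:20f2c01f=????????
ChildEBP RetAddr
002bedd0 5fc58d62 chrome_child!blink::LayoutObject::container+0x12 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 2584]
002bee34 5fc55bf6 chrome_child!blink::FrameView::performLayout+0x173 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 872]
002bef48 5ff8c618 chrome_child!blink::Document::updateLayout+0xa5 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 1946]
002bef6c 5ff8e542 chrome_child!autofill::form_util::IsWebNodeVisible+0x26 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1312]
002bf17c 5fda32fb chrome_child!autofill::PasswordAutofillAgent::DidFinishLoad+0x7 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\password_autofill_agent.cc @ 1102]
002bfea4 775f3a03 kernel32!BaseThreadInitThunk+0x12
"""

# One `k` frame: ChildEBP RetAddr module!symbol+0xoff [source @ line]; the source part is optional.
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?P<mod>[^!]+)!(?P<func>.+?)\+0x[0-9a-f]+"
                      r"(?: \[(?P<file>.+?) @ (?P<line>\d+)\])?$")
REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# The faulting instruction: a [reg+disp] operand followed by the effective address WinDbg resolved.
FAULT_RE = re.compile(r"\[(?P<reg>e[a-z]{2})\+(?P<disp>[0-9A-Fa-f]+)h\] ds:[0-9a-f]+:(?P<addr>[0-9a-f]+)=")

def parse_frames(text):
    """Return (module, function, file, line) tuples in stack order, innermost first."""
    matches = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [(m["mod"], m["func"], m["file"], m["line"]) for m in matches if m]

def namespace(func):
    """Top-level C++ namespace of a symbol: 'blink' for 'blink::LayoutObject::container'."""
    return func.split("::", 1)[0] if "::" in func else ""

def stale_pointer_register(text):
    """Register whose value + displacement equals the faulting address (the object pointer), else None."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if m and regs.get(m["reg"], -1) + int(m["disp"], 16) == int(m["addr"], 16):
        return m["reg"]
    return None

def triage(text):
    """Faulting frame and location, stale-pointer register, and the first caller outside its namespace."""
    frames = parse_frames(text)
    if not frames:
        return None
    top_ns = namespace(frames[0][1])
    entry = next((f for f in frames[1:] if namespace(f[1]) != top_ns), None)
    return {"fault_function": frames[0][1],
            "fault_location": f"{frames[0][2]}:{frames[0][3]}",
            "stale_register": stale_pointer_register(text),
            "entry_frame": entry[1] if entry else None}
```

On the sample, `triage(SAMPLE_DUMP)` reports `esi` as the stale-pointer register and `autofill::form_util::IsWebNodeVisible` as the entry frame, matching the observation in the comments that the autofill code triggered the layout access.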
Mar 3 2016
estade@, it looks like auto_fill is calling into the DOM and failing. Do you happen to know someone who can look into this?

Mar 3 2016
someone on the passwords team

Mar 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5654335991578624

Mar 3 2016
dvadym@, could you take a look at this bug or re-assign to someone? Thanks!

Mar 3 2016
CF was unable to reproduce this with either of the testcases provided in the report (on both Windows and Linux). Marking as WontFix.

Mar 4 2016
re #6, I have no idea why those PoCs can't repro on the 51.0.2664.1 canary, so I reduced another PoC for this bug, named chrome45.poc8.reduce13.html, and submitted it in issue 591900; it works well on both Chrome dev 50.0.2657.0 and 51.0.2664.1 canary. See: https://bugs.chromium.org/p/chromium/issues/detail?id=591900

Jun 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
Comment 1 by jialiul@chromium.org, Mar 2 2016
Components: Blink>Layout
Labels: Security_Impact-Head OS-Windows
Owner: kojii@chromium.org