
Issue 591900

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: blink::LayoutObject UAF (update POC)

Reported by loves...@gmail.com, Mar 4 2016

Issue description

This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
(4e8.760): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80000700 ebx=0020006f ecx=02000000 edx=04691484 esi=02000000 edi=00000000
eip=80000700 esp=0018e67c ebp=0018e690 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
80000700 ??              ???

3:033> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0018e678 5e6443a6 0x80000700
0018e690 5e68b039 chrome_child!blink::LayoutObject::container+0x2f [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 2584]
0018e6f4 5e68805a chrome_child!blink::FrameView::performLayout+0x173 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 872]
0018e7f8 5e9d5c19 chrome_child!blink::FrameView::layout+0x684 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 1044]
0018e810 5e9d5a53 chrome_child!blink::Document::updateLayout+0xa5 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 1946]
0018e824 5e9d5a2b chrome_child!blink::Document::updateLayoutIgnorePendingStylesheets+0x16 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 2032]
0018e834 5e9d553a chrome_child!blink::WebNode::isFocusable+0x3b [c:\b\build\slave\win\build\src\third_party\webkit\source\web\webnode.cpp @ 191]
0018e8c8 5e9d5148 chrome_child!autofill::form_util::WebFormControlElementToFormField+0x20b [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1369]
0018e8ec 5e9d4d82 chrome_child!autofill::form_util::`anonymous namespace'::ExtractFieldsFromControlElements+0x5b [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 966]
0018ea38 5e9d4a54 chrome_child!autofill::form_util::`anonymous namespace'::FormOrFieldsetsToFormData+0xd2 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1075]
0018eb0c 5e805ea4 chrome_child!autofill::form_util::WebFormElementToFormData+0x1b5 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_autofill_util.cc @ 1444]
0018ed8c 5e805d12 chrome_child!autofill::FormCache::ExtractNewForms+0x13f [c:\b\build\slave\win\build\src\components\autofill\content\renderer\form_cache.cc @ 126]
0018edb4 5e9d34c1 chrome_child!autofill::AutofillAgent::ProcessForms+0x34 [c:\b\build\slave\win\build\src\components\autofill\content\renderer\autofill_agent.cc @ 785]
0018edd0 5e9d339d chrome_child!autofill::AutofillAgent::didAssociateFormControls+0x6e [c:\b\build\slave\win\build\src\components\autofill\content\renderer\autofill_agent.cc @ 812]
0018edec 5e9d3065 chrome_child!blink::ChromeClientImpl::didAssociateFormControls+0x45 [c:\b\build\slave\win\build\src\third_party\webkit\source\web\chromeclientimpl.cpp @ 936]
0018ee10 5e80262e chrome_child!blink::Document::didAssociateFormControlsTimerFired+0x6a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 5718]
0018ee20 5e6a2cfd chrome_child!blink::Timer<blink::Document>::fired+0x24 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\timer.h @ 172]
0018ee54 5e6a2bc9 chrome_child!blink::TimerBase::runInternal+0x108 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\timer.cpp @ 135]
0018ee5c 5e69982d chrome_child!blink::TimerBase::CancellableTimerTask::run+0x16 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\timer.h @ 114]
0018ee68 5e699817 chrome_child!scheduler::WebTaskRunnerImpl::runTask+0x10 [c:\b\build\slave\win\build\src\components\scheduler\child\web_task_runner_impl.cc @ 69]
0018ee7c 5e55b86d chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >)>,void __cdecl(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >),base::internal::PassedWrapper<scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >)> >,void __cdecl(void)>::Run+0x21 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
0018eed8 5e5fc869 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0018ef84 5e5fbb51 chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1d3 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 292]
0018f0b0 5e5fba26 chrome_child!scheduler::TaskQueueManager::DoWork+0x122 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 200]
0018f0c4 5e5fb9e5 chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >::MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks const &,bool const &>+0x39 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 314]
0018f0ec 5e55b86d chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run+0x2e [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
0018f148 5e55b673 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0018f1b4 5e55b466 chrome_child!base::MessageLoop::RunTask+0x185 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 478]
0018f2f0 5e55d500 chrome_child!base::MessageLoop::DoWork+0x49c [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 598]
0018f31c 5e55adf0 chrome_child!base::MessagePumpDefault::Run+0xc6 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc @ 34]
0018f348 5e55ad30 chrome_child!base::RunLoop::Run+0x4a [c:\b\build\slave\win\build\src\base\run_loop.cc @ 36]
0018f374 5e5aa85d chrome_child!base::MessageLoop::Run+0x23 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 294]
0018f50c 5e552484 chrome_child!content::RendererMain+0x32c [c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc @ 220]
0018f520 5e552400 chrome_child!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 395]
0018f56c 5e537e34 chrome_child!content::ContentMainRunnerImpl::Run+0x5f [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 764]
0018f580 5e537b10 chrome_child!content::ContentMain+0x28 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome.exe - 
0018f5c4 013f82cc chrome_child!ChromeMain+0x61 [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 87]
0018f65c 013f796a chrome!GetUploadedReportsImpl+0xb06
0018f794 01426a2a chrome!GetUploadedReportsImpl+0x1a4
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
0018f7e0 77b8ee1c chrome!IsSandboxedProcess+0x2600e
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
0018f7ec 77a33a03 kernel32!BaseThreadInitThunk+0x12
0018f82c 77a339d6 ntdll!RtlInitializeExceptionChain+0xef
0018f844 00000000 ntdll!RtlInitializeExceptionChain+0xc2
3:033> lmvm chrome_child
start    end        module name
5e530000 6115e000   chrome_child   (private pdb symbols)  c:\symbols\chrome_child.dll.pdb\AC420FF4EFAB48CFB1715026986A90F11\chrome_child.dll.pdb
    Loaded symbol image file: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\51.0.2664.1\chrome_child.dll
    Image path: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\51.0.2664.1\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Wed Mar 02 01:28:17 2016 (56D5D131)
    CheckSum:         02ACE32C
    ImageSize:        02C2E000
    File version:     51.0.2664.1
    Product version:  51.0.2664.1
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   51.0.2664.1
    FileVersion:      51.0.2664.1
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2015 Google Inc. All rights reserved.


VERSION
Chrome Version: 51.0.2664.1 canary, 
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

Attachment: chrome45.poc8.reduce13.html (8.0 KB)
Project Member

Comment 1 by ClusterFuzz, Mar 4 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5723716014571520
Cc: jialiul@chromium.org
Status: WontFix (was: Unconfirmed)
Hi lovesuae,
Thanks for reporting this issue again.
It appears our system still cannot reproduce the problem you're experiencing. It might be the case that the problem is already fixed by our nightly updates. The latest canary version is 51.0.2667.0.
I'm marking it "WontFix" for now. Please feel free to reopen if you have any updates on this issue. Thanks!
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 11 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
