Project: chromium
Issue 603129 Security: chrome 49 stable DateTimeEditElement UAF
Starred by 1 user. Reported by loves...@gmail.com, Apr 13 2016
Status: WontFix
Owner:
Closed: Apr 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security



This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 49.0.2623.112 m + [stable]
Operating System: Windows 7 32-bit

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
(6c4.d00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1484aa05 ebx=05a90530 ecx=05aa9294 edx=00000007 esi=0025e764 edi=00000001
eip=5fccac63 esp=0025e740 ebp=0025e750 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65:
5fccac63 ff9038020000    call    dword ptr [eax+238h] ds:0023:1484ac3d=????????

3:031> k
ChildEBP RetAddr  
0025e750 5f610049 chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\shadow\datetimeeditelement.cpp @ 814]
0025e788 5f5c27cc chrome_child!blink::BaseMultipleFieldsDateAndTimeInputType::saveFormControlState+0x58 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\forms\basemultiplefieldsdateandtimeinputtype.cpp @ 489]
0025e794 5f226a83 chrome_child!blink::HTMLInputElement::saveFormControlState+0x14 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\htmlinputelement.cpp @ 544]
0025e7e8 5ef97276 chrome_child!blink::DocumentState::toStateVector+0x181 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\forms\formcontroller.cpp @ 431]
0025e808 5ef9723b chrome_child!blink::HistoryItem::documentState+0x1a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\historyitem.cpp @ 144]
0025e810 5ef96c93 chrome_child!blink::WebHistoryItem::documentState+0xa [c:\b\build\slave\win\build\src\third_party\webkit\source\web\webhistoryitem.cpp @ 129]
0025e8dc 5ef96a48 chrome_child!content::`anonymous namespace'::GenerateFrameStateFromItem+0x1cb [c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc @ 101]
0025e900 5ef968d1 chrome_child!content::`anonymous namespace'::RecursivelyGenerateFrameState+0x18 [c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc @ 122]
0025ea44 5ef93d3e chrome_child!content::HistoryEntryToPageState+0x3c [c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc @ 182]
0025ea88 5ef9333b chrome_child!content::RenderViewImpl::SendUpdateState+0x78 [c:\b\build\slave\win\build\src\content\renderer\render_view_impl.cc @ 1521]
0025eccc 5ee90a89 chrome_child!content::RenderFrameImpl::didCommitProvisionalLoad+0x235 [c:\b\build\slave\win\build\src\content\renderer\render_frame_impl.cc @ 3131]
0025ecf0 5ee1fd87 chrome_child!blink::FrameLoaderClientImpl::dispatchDidCommitLoad+0x92 [c:\b\build\slave\win\build\src\third_party\webkit\source\web\frameloaderclientimpl.cpp @ 492]
0025ed70 5ee0b6b8 chrome_child!blink::FrameLoader::receivedFirstData+0xbb [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 429]
0025edf8 5ee0b4bd chrome_child!blink::DocumentLoader::ensureWriter+0x114 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 521]
0025ee78 5ef92276 chrome_child!blink::DocumentLoader::commitData+0x25 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 527]
0025eea8 5ef92166 chrome_child!blink::DocumentLoader::processData+0x89 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 597]
0025eed4 5ee9abb8 chrome_child!blink::DocumentLoader::dataReceived+0x5e [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 575]
0025ef14 5ee9a73e chrome_child!blink::RawResource::appendData+0xa8 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\fetch\rawresource.cpp @ 101]
0025ef38 5ee9a67b chrome_child!blink::ResourceLoader::didReceiveData+0x84 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\fetch\resourceloader.cpp @ 424]
0025ef5c 5ee9a4a2 chrome_child!content::WebURLLoaderImpl::Context::OnReceivedData+0x64 [c:\b\build\slave\win\build\src\content\child\web_url_loader_impl.cc @ 700]
0025efc4 5ee9a2ff chrome_child!content::ResourceDispatcher::OnReceivedData+0x1a0 [c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc @ 290]
0025efe0 5ee9a227 chrome_child!base::DispatchToMethodImpl<content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,int,int,int),int,int,int,int,0,1,2,3>+0x2e [c:\b\build\slave\win\build\src\base\tuple.h @ 252]
0025f00c 5ee939a8 chrome_child!ResourceMsg_DataReceived::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void,void (__thiscall content::ResourceDispatcher::*)(int,int,int,int)>+0x2e [c:\b\build\slave\win\build\src\content\common\resource_messages.h @ 366]
0025f0d8 5ed6b1c5 chrome_child!content::ResourceDispatcher::DispatchMessageW+0x24b [c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc @ 554]
0025f100 5ee9372e chrome_child!content::ResourceDispatcher::OnMessageReceived+0xae [c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc @ 123]
0025f110 5ee84ae4 chrome_child!content::`anonymous namespace'::DispatchMessageTask::run+0x2e [c:\b\build\slave\win\build\src\content\child\resource_scheduling_filter.cc @ 31]
0025f118 5ee84ac3 chrome_child!scheduler::WebTaskRunnerImpl::runTask+0xb [c:\b\build\slave\win\build\src\components\scheduler\child\web_task_runner_impl.cc @ 50]
0025f124 5ee84a9f chrome_child!base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>::Run+0x11 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 157]
0025f130 5ee84a83 chrome_child!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >::MakeItSo+0x17 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 298]
0025f144 5ed69f55 chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,base::internal::TypeList<base::internal::UnwrapTraits<base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void __cdecl(void)>::Run+0x19 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 350]
0025f1a4 5edf1183 chrome_child!base::debug::TaskAnnotator::RunTask+0x130 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0025f250 5edf0400 chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1b1 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 268]
0025f37c 5edf0304 chrome_child!scheduler::TaskQueueManager::DoWork+0xf8 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 180]
0025f398 5edf02bc chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &> >::MakeItSo+0x42 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 307]
0025f3b4 5ed69f55 chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool>,base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<scheduler::TaskQueueManager> >,base::internal::UnwrapTraits<base::TimeTicks>,base::internal::UnwrapTraits<bool> >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &> >,void __cdecl(void)>::Run+0x25 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 350]
0025f410 5ed69d5f chrome_child!base::debug::TaskAnnotator::RunTask+0x130 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0025f47c 5ed69b52 chrome_child!base::MessageLoop::RunTask+0x185 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 488]
0025f5b0 5ed6bcfe chrome_child!base::MessageLoop::DoWork+0x478 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 608]
0025f5dc 5ed69620 chrome_child!base::MessagePumpDefault::Run+0xc6 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc @ 34]
0025f600 5ed69528 chrome_child!base::MessageLoop::RunHandler+0x65 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 451]
0025f628 5ed69422 chrome_child!base::RunLoop::Run+0x89 [c:\b\build\slave\win\build\src\base\run_loop.cc @ 57]
0025f650 5edb854c chrome_child!base::MessageLoop::Run+0x22 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 294]
0025f7e8 5ed616f4 chrome_child!content::RendererMain+0x368 [c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc @ 234]
0025f7fc 5ed61670 chrome_child!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 382]
0025f848 5ed47d8b chrome_child!content::ContentMainRunnerImpl::Run+0x5f [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 787]
0025f858 5ed47a6f chrome_child!content::ContentMain+0x23 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for chrome.exe - 
0025f898 00d67e6b chrome_child!ChromeMain+0x61 [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 70]
WARNING: Stack unwind information not available. Following frames may be wrong.
0025f978 00d67416 chrome!GetUploadedReportsImpl+0xbf9
0025faac 00da3e1a chrome!GetUploadedReportsImpl+0x1a4
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
0025faf8 75f2ee1c chrome!IsSandboxedProcess+0x31c12
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
0025fb04 77153a03 kernel32!BaseThreadInitThunk+0x12
0025fb44 771539d6 ntdll!RtlInitializeExceptionChain+0xef
0025fb5c 00000000 ntdll!RtlInitializeExceptionChain+0xc2
3:031> lmvm chrome_child
start    end        module name
5ed40000 61817000   chrome_child   (private pdb symbols)  c:\symbols\chrome_child.dll.pdb\ED5E5CDDD59F46E99F980CAB8DDBC4141\chrome_child.dll.pdb
    Loaded symbol image file: C:\Program Files\Google\Chrome\Application\49.0.2623.112\chrome_child.dll
    Image path: C:\Program Files\Google\Chrome\Application\49.0.2623.112\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Wed Apr 06 08:29:27 2016 (57045867)
    CheckSum:         02981495
    ImageSize:        02AD7000
    File version:     49.0.2623.112
    Product version:  49.0.2623.112
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   49.0.2623.112
    FileVersion:      49.0.2623.112
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2015 Google Inc. All rights reserved.
Client ID (if relevant): [see link above]

 
Attachment: chrome45.poc9.reduce6.php (6.5 KB)
Project Member Comment 1 by clusterf...@chromium.org, Apr 13 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5310035747405824
Comment 2 by tsepez@chromium.org, Apr 14 2016
Hmm. I repro'd this locally on 49.0.2623.112 / linux, but CF thinks it is fixed.  Redoing fixed range.
Comment 3 by loves...@gmail.com, Apr 14 2016
What does "Redoing fixed range" mean?
Project Member Comment 4 by clusterf...@chromium.org, Apr 14 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5310035747405824

Uploader: tsepez@chromium.org
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: 
Crash Address: 
Crash State:
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LO2Kb5NJFbztWlRUm2yypG-z9-DWMsaRiuLfFd9AVKslCTJgB1nilpzIx3QPvxe3peZCQ0yCbnPtIgbSoF-b9ZKDqS_TjwYH5xugN4KJAQolIXuvmAMBxpC40Mu9I0jC2BGne4YdlIOb8eIpF4uYWAc_y7w


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by tsepez@chromium.org, Apr 14 2016
Owner: tkent@chromium.org
Status: Assigned
tkent@, looks like you've been in DateTimeEditElement.cpp from time to time, care to take a look or suggest an alternate?  thanks.
Comment 6 by tsepez@chromium.org, Apr 14 2016
Components: Blink>Forms
Labels: Security_Severity-High M-50 Security_Impact-Stable Pri-1
Setting severity high out of an abundance of caution; looks like the faulting instruction is a call to a bad address.
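The reasoning in comment 6, worked through as an added triage script (example code, not from the report or from Chromium). It parses a trimmed copy of the WinDbg output pasted in the report above, computes the module-relative address of eip from the lmvm listing, decodes the memory operand of the faulting call, and checks the two properties that make a "call to a bad address" more than a plain crash: the call target is read from unreadable memory, and the base register is not even pointer-aligned, so it cannot be a live vtable pointer. The 32-bit pointer size, the vtable-slot arithmetic and the "High"/"Medium" labels are this script's own assumptions, not Chromium's triage rules.

```python
"""Triage a WinDbg crash log like the one in this report.

Added example, not code from the report or from Chromium. It parses the
register dump, the faulting instruction, the `k` stack and the `lmvm`
module line, and explains why an indirect call through a bad pointer is
treated as a likely use-after-free with attacker-influenced control flow.
"""
import re

# Constructed input: a trimmed copy of the WinDbg output from the report above.
CRASH_LOG = r"""
(6c4.d00): Access violation - code c0000005 (first chance)
eax=1484aa05 ebx=05a90530 ecx=05aa9294 edx=00000007 esi=0025e764 edi=00000001
eip=5fccac63 esp=0025e740 ebp=0025e750 iopl=0         nv up ei ng nz ac po cy
chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65:
5fccac63 ff9038020000    call    dword ptr [eax+238h] ds:0023:1484ac3d=????????
3:031> k
ChildEBP RetAddr
0025e750 5f610049 chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\shadow\datetimeeditelement.cpp @ 814]
0025e788 5f5c27cc chrome_child!blink::BaseMultipleFieldsDateAndTimeInputType::saveFormControlState+0x58 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\forms\basemultiplefieldsdateandtimeinputtype.cpp @ 489]
0025e794 5f226a83 chrome_child!blink::HTMLInputElement::saveFormControlState+0x14 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\htmlinputelement.cpp @ 544]
0025eccc 5ee90a89 chrome_child!content::RenderFrameImpl::didCommitProvisionalLoad+0x235 [c:\b\build\slave\win\build\src\content\renderer\render_frame_impl.cc @ 3131]
3:031> lmvm chrome_child
start    end        module name
5ed40000 61817000   chrome_child   (private pdb symbols)
"""

PTR_SIZE = 4  # assumption: 32-bit build ("windows7 32 bit", 8-digit registers)

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|bp|sp|ip))=([0-9a-f]{8})")
HEADER_RE = re.compile(r"^\S+!\S+\+0x[0-9a-f]+:\s*$")      # "module!symbol+off:"
FAULT_RE = re.compile(                                      # "addr bytes mnem operand ds:..=.."
    r"^(?P<addr>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<operand>.+?)"
    r"(?:\s+[cdefgs]s:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<value>\S+))?\s*$")
MEM_RE = re.compile(r"\[(?P<base>e(?:ax|bx|cx|dx|si|di|bp|sp))(?:\+(?P<disp>[0-9a-f]+)h?)?\]")
FRAME_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]{8}\s+(?P<module>\w+)!(?P<symbol>.+?)"
    r"(?:\s+\[(?P<src>[^\]]+)\])?\s*$", re.M)
MODULE_RE = re.compile(r"^(?P<start>[0-9a-f]{8})\s+(?P<end>[0-9a-f]{8})\s+(?P<name>\w+)\s", re.M)


def parse_registers(log):
    return {name: int(value, 16) for name, value in REG_RE.findall(log)}


def parse_fault(log):
    """The faulting instruction is the line right after the 'module!symbol+off:' header."""
    lines = log.splitlines()
    for header, insn in zip(lines, lines[1:]):
        m = FAULT_RE.match(insn) if HEADER_RE.match(header) else None
        if m:
            fault = m.groupdict()
            fault["symbol"] = header.strip().rstrip(":")
            return fault
    raise ValueError("no faulting instruction found")


def parse_frames(log):
    frames = []
    for m in FRAME_RE.finditer(log):
        path, _, line = (m.group("src") or "").rpartition(" @ ")
        frames.append({"module": m.group("module"), "symbol": m.group("symbol"),
                       "file": path.rsplit("\\", 1)[-1], "line": int(line) if line else None})
    return frames


def parse_module(log, name):
    for m in MODULE_RE.finditer(log):
        if m.group("name") == name:
            return int(m.group("start"), 16), int(m.group("end"), 16)
    raise ValueError(f"module {name} not in lmvm output")


def triage(log):
    """Summarise the crash and collect the evidence that drives the severity call."""
    regs, fault, frames = parse_registers(log), parse_fault(log), parse_frames(log)
    start, end = parse_module(log, fault["symbol"].split("!", 1)[0])
    if not start <= regs["eip"] < end:
        raise ValueError("eip does not fall inside the module lmvm reported")
    report = {"symbol": fault["symbol"],
              "rva": regs["eip"] - start,   # module-relative: stable across ASLR, unlike eip
              "top_frame": frames[0], "findings": [],
              "severity": "Medium"}         # assumption: default label for a plain crash
    mem = MEM_RE.search(fault["operand"])
    if fault["mnem"] in ("call", "jmp") and mem and fault.get("value") == "????????":
        base, disp = mem.group("base"), int(mem.group("disp") or "0", 16)
        base_val = regs[base]
        report["findings"].append(
            f"indirect {fault['mnem']}: target is read from unreadable memory {fault['target']}")
        # Cross-check the debugger's arithmetic: the unreadable address must be base + displacement.
        if (base_val + disp) & 0xFFFFFFFF == int(fault["target"], 16):
            report["findings"].append(
                f"{base}={base_val:08x} is treated as a vtable; slot 0x{disp:x}/{PTR_SIZE} = {disp // PTR_SIZE}")
        if base_val % PTR_SIZE:
            report["findings"].append(
                f"{base} is not {PTR_SIZE}-byte aligned, so it cannot be a live vtable pointer; "
                "the object header looks overwritten, as happens after free and reuse")
        report["severity"] = "High"  # assumption: attacker-influenced call target
    trigger = next((f["symbol"] for f in frames if "didCommitProvisionalLoad" in f["symbol"]), None)
    if trigger:
        report["findings"].append(f"reached while saving form control state during navigation commit ({trigger})")
    return report


if __name__ == "__main__":
    result = triage(CRASH_LOG)
    print(f"{result['symbol']}  rva=0x{result['rva']:x}  severity={result['severity']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Running it against the pasted log reports the module-relative address 0xf8ac63 (eip minus the chrome_child base from lmvm), vtable slot 142 for the 0x238 displacement on a 32-bit build, and the misaligned eax, which is what turns "access violation in a form-state save" into a control-flow-hijack candidate rather than a null dereference.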
Comment 7 by tkent@chromium.org, Apr 14 2016
Labels: Needs-Feedback
lovesuae@, can you reproduce this with Google Chrome 50 or later?

Since Chrome 50, memory management in Blink is completely different.  So, this might be already fixed.

Comment 8 by loves...@gmail.com, Apr 14 2016
I have tested it; the PoC can't repro on Chrome 50. Chrome 49.0.2623.112 was released a week ago. @tkent, did you change code in DateTimeEditElement.cpp this week?
Comment 9 by tkent@chromium.org, Apr 14 2016
Status: WontFix
ok, I assume this was already fixed.

Since Google Chrome 50, Blink uses garbage collection instead of reference counting.  So, use-after-free rarely happens in Blink.

Project Member Comment 10 by sheriffbot@chromium.org, Jul 22 2016
Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 11 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 12 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic