Security: Heap-use-after-free in MessagingBindings::DispatchOnConnect
Issue description
Chrome version: 50.0.2661.75
MessagingBindings::DispatchOnConnect dereferences a RenderFrame pointer right after running scripts in that frame. The scripts may invalidate that pointer, resulting in a UAF.
To reproduce: Load the attached extension. It will open a new tab, set up an onConnect listener and trigger this listener. The resulting symbolized ASAN log is also attached.
NOTE: This report is not eligible for the reward program because I authored the patch that introduced this vulnerability in Chrome 49: https://chromium.googlesource.com/chromium/src/+blame/f6f806674c4f6ebbb8b20197ae5b6c7a40bba08f/extensions/renderer/messaging_bindings.cc#458
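The ordering problem from the report and the fix named in the commit title ("determine routing ID before potentially invalidating the frame"), as an added example that is not the page's or Chromium's own code: Frame, FrameOwner, DispatchOnConnectVulnerable, DispatchOnConnectFixed and DetachFrame are constructed stand-ins, and a weak_ptr takes the place of the raw RenderFrame pointer so the stale access shows up as a sentinel instead of a read of freed memory.

```cpp
#include <functional>
#include <memory>

// Constructed stand-in for RenderFrame: owned elsewhere and may be destroyed
// while script runs (for example when the script closes its own tab).
struct Frame {
  int routing_id;
};

struct FrameOwner {
  std::shared_ptr<Frame> frame = std::make_shared<Frame>(Frame{7});
  // Models running extension script inside the frame; the script may detach it.
  void RunScriptInFrame(const std::function<void(FrameOwner&)>& script) {
    script(*this);
  }
};

using Script = std::function<void(FrameOwner&)>;

// Vulnerable ordering: the frame is dereferenced after script has run, so the
// pointer may already be dangling. In Chromium this is a raw RenderFrame*
// and the read is a use-after-free; weak_ptr::lock() makes the same stale
// access observable here as -1 instead of undefined behaviour.
int DispatchOnConnectVulnerable(FrameOwner& owner, const Script& script) {
  std::weak_ptr<Frame> frame = owner.frame;  // pointer taken before dispatch
  owner.RunScriptInFrame(script);            // may destroy the frame
  std::shared_ptr<Frame> f = frame.lock();   // dereference after script ran
  return f ? f->routing_id : -1;
}

// Fixed ordering: read everything needed from the frame first, then run
// script; nothing is dereferenced once the callback has had a chance to run.
int DispatchOnConnectFixed(FrameOwner& owner, const Script& script) {
  int routing_id = owner.frame->routing_id;
  owner.RunScriptInFrame(script);
  return routing_id;
}

// Constructed script that tears the frame down mid-dispatch.
void DetachFrame(FrameOwner& owner) { owner.frame.reset(); }

// Drives each variant against the detaching script.
int VulnerableResultAfterDetach() {
  FrameOwner owner;
  return DispatchOnConnectVulnerable(owner, DetachFrame);  // -1: frame gone
}
int FixedResultAfterDetach() {
  FrameOwner owner;
  return DispatchOnConnectFixed(owner, DetachFrame);  // 7: id read in time
}
```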
May 2 2016

May 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/02aac0ffcff2e9830e0c9e0bdcc34b45fb666fcf
commit 02aac0ffcff2e9830e0c9e0bdcc34b45fb666fcf
Author: rob <rob@robwu.nl>
Date: Mon May 02 17:07:47 2016
Determine routing ID before potentially invalidating the frame
BUG=608156
Review-Url: https://codereview.chromium.org/1931253004
Cr-Commit-Position: refs/heads/master@{#390971}
[modify] https://crrev.com/02aac0ffcff2e9830e0c9e0bdcc34b45fb666fcf/extensions/renderer/messaging_bindings.cc
May 3 2016

May 3 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
May 3 2016
Please merge your change to M51 branch 2704 by 4:00 PM PST today so we can take it for this week's beta release tomorrow. Thank you.
May 3 2016

May 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2cdf32b96d5729e9be91d49cc8898c6470759962
commit 2cdf32b96d5729e9be91d49cc8898c6470759962
Author: Rob Wu <rob@robwu.nl>
Date: Tue May 03 21:26:37 2016
Determine routing ID before potentially invalidating the frame
BUG=608156
Review-Url: https://codereview.chromium.org/1931253004
Cr-Commit-Position: refs/heads/master@{#390971}
(cherry picked from commit 02aac0ffcff2e9830e0c9e0bdcc34b45fb666fcf)
Review URL: https://codereview.chromium.org/1951583002 .
Cr-Commit-Position: refs/branch-heads/2704@{#363}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}
[modify] https://crrev.com/2cdf32b96d5729e9be91d49cc8898c6470759962/extensions/renderer/messaging_bindings.cc
May 9 2016

May 29 2016

May 31 2016

Jun 1 2016
Ah, missed your comment in the OP about eligibility. Updating labels. We'll reference this with the "internal fixes" section in the next M51 release.
Aug 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rob@robwu.nl, Apr 30 2016