New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 613370 link

Starred by 1 user

Issue metadata

Status: Duplicate
Owner: ----
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Chrome Crash/Kill Proccess

Reported by redheads...@gmail.com, May 19 2016

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
Google Chrome Crash/Proccess Kill

VERSION
Chrome Version: 50.0.2661.102 m
Operating System: Windows 8.1 (should work for any)

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
Attached html files to demonstrate.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser

Thanks,
Monir Al-Taher

 
crash html files.rar
138 KB Download
Labels: ReleaseBlock-Stable Security_Severity-High OS-Windows
Status: Untriaged (was: Unconfirmed)
Files from the .rar attached.

crash3.html is an attempted history.pushState DoS, but I can't repro on OSX 10.11 or Windows 8.1 using the given file, and it's already known [1].

crash.html and crash2.html do crash Chrome on Windows 8.1.
crash.html tries to navigate to: data:application/x-x509-user-cert;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
Opening crash2.html leaves a debug.log file with 36 lines similar to:

> [0520/145816:ERROR:process_info.cc(608)] range at 0xfefe8000, size 0x230 fully unreadable

(The hex address varies in each message, but the size is the same.)

[1] https://bugs.chromium.org/p/chromium/issues/list?can=1&q=pushstate+dos&colspec=ID+Pri+M+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=tiles
crash.html
134 bytes View Download
crash2.html
321 KB View Download
crash3.html
286 bytes View Download
Project Member

Comment 2 by ClusterFuzz, May 20 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4550658913206272
Project Member

Comment 3 by ClusterFuzz, May 20 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5676150429057024
Project Member

Comment 4 by ClusterFuzz, May 20 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6668085708980224
Project Member

Comment 5 by ClusterFuzz, May 20 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5407343022178304
Cc: davidben@chromium.org
ClusterFuzz is still going, but here's the backtrace I get:

* thread #18: tid = 0xb3452, 0x0000000108901c34 libnet.dylib`net::HttpResponseHeaders::HasHeader(base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > const&) const + 20, name = 'Chrome_IOThread', stop reason = EXC_BAD_ACCESS (code=1, address=0x8)
  * frame #0: 0x0000000108901c34 libnet.dylib`net::HttpResponseHeaders::HasHeader(base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > const&) const + 20
    frame #1: 0x0000000105ea0d7f libcontent.dylib`content::MimeTypeResourceHandler::SelectNextHandler(bool*) + 175
    frame #2: 0x0000000105ea05a1 libcontent.dylib`content::MimeTypeResourceHandler::ProcessResponse(bool*) + 49
    frame #3: 0x0000000105ea03f4 libcontent.dylib`content::MimeTypeResourceHandler::OnResponseStarted(content::ResourceResponse*, bool*) + 356
    frame #4: 0x0000000105ebae69 libcontent.dylib`content::ThrottlingResourceHandler::OnResponseStarted(content::ResourceResponse*, bool*) + 249
    frame #5: 0x0000000105ebb2c1 libcontent.dylib`content::ThrottlingResourceHandler::ResumeResponse() + 49
    frame #6: 0x0000000105ea2c63 libcontent.dylib`base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (content::NavigationResourceThrottle::*)(content::NavigationThrottle::ThrottleCheckResult)>, void (content::NavigationResourceThrottle*, content::NavigationThrottle::ThrottleCheckResult), base::WeakPtr<content::NavigationResourceThrottle> >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (content::NavigationResourceThrottle::*)(content::NavigationThrottle::ThrottleCheckResult)> >, void (content::NavigationThrottle::ThrottleCheckResult)>::Run(base::internal::BindStateBase*, content::NavigationThrottle::ThrottleCheckResult&&) + 115
    frame #7: 0x0000000105ea2b3f libcontent.dylib`base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::Callback<void (content::NavigationThrottle::ThrottleCheckResult), (base::internal::CopyMode)1>, void (content::NavigationThrottle::ThrottleCheckResult), content::NavigationThrottle::ThrottleCheckResult&>, base::internal::InvokeHelper<false, void, base::Callback<void (content::NavigationThrottle::ThrottleCheckResult), (base::internal::CopyMode)1> >, void ()>::Run(base::internal::BindStateBase*) + 47
    frame #8: 0x000000010061292b libbase.dylib`base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) + 187
    frame #9: 0x000000010063db43 libbase.dylib`base::MessageLoop::RunTask(base::PendingTask const&) + 499
    frame #10: 0x000000010063de5c libbase.dylib`base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) + 44
    frame #11: 0x000000010063e22b libbase.dylib`base::MessageLoop::DoWork() + 299
    frame #12: 0x0000000100602071 libbase.dylib`base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) + 465
    frame #13: 0x000000010065d4f1 libbase.dylib`base::RunLoop::Run() + 113
    frame #14: 0x000000010063d28d libbase.dylib`base::MessageLoop::Run() + 29
    frame #15: 0x0000000105d1cbc8 libcontent.dylib`content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) + 24
    frame #16: 0x0000000105d1cdab libcontent.dylib`content::BrowserThreadImpl::Run(base::MessageLoop*) + 379
    frame #17: 0x000000010068fab8 libbase.dylib`base::Thread::ThreadMain() + 248
    frame #18: 0x0000000100688fa7 libbase.dylib`base::(anonymous namespace)::ThreadFunc(void*) + 87
    frame #19: 0x00007fff91dc999d libsystem_pthread.dylib`_pthread_body + 131
    frame #20: 0x00007fff91dc991a libsystem_pthread.dylib`_pthread_start + 168
    frame #21: 0x00007fff91dc7351 libsystem_pthread.dylib`thread_start + 13

CCing davidben@ since the cause is a client cert navigation.
Cc: svaldez@chromium.org
+svaldez. I'm going to be OOO until the 31st and the x-x509-user-cert stuff is his.

I'm guessing that one of the fields along the way to the HasHeader line is NULL, so it's just crashing there. If so, this would just be a DoS. But someone should confirm.

https://code.google.com/p/chromium/codesearch#chromium/src/content/browser/loader/mime_type_resource_handler.cc&q=application/x-x509-user-cert&sq=package:chromium&type=cs&l=375
Specifically, I bet the issue is pretty tame and just that data URL responses don't have headers or something. We don't actually process x-x509-user-cert at all anymore.
Mergedinto: 613379
Status: Duplicate (was: Untriaged)
Project Member

Comment 10 by sheriffbot@chromium.org, Aug 28 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment