Issue 617495 link

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Security: Universal XSS via same document navigations

Reported by marius.mlynski@gmail.com, Jun 6 2016

Issue description

VULNERABILITY DETAILS
FrameLoader::loadInSameDocument is vulnerable to a problem similar to the one described in issue 613266:

----------------
void FrameLoader::loadInSameDocument(const KURL& url, (...))
{
    (...)
    // If we have a provisional request for a different document, a fragment scroll should cancel it.
    detachDocumentLoader(m_provisionalDocumentLoader);
    if (!m_frame->host())
        return;
    (...)
}
----------------

Calling FrameLoader::startLoad in the middle of detaching |m_provisionalDocumentLoader| will cause the new provisional loader to be cleared prematurely. In this case, |m_provisionalDocumentLoader| isn't set up afterwards, so the attacker has to take care of it explicitly after the hash navigation in order to avoid crashes.

VERSION
Chrome 51.0.2704.79 (Stable)
Chrome 52.0.2743.24 (Beta)
Chrome 53.0.2756.0 (Dev)
Chromium 53.0.2760.0 (Release build compiled today)
Attachment: exploit.html (828 bytes)
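The re-entrancy described in the report, and the guard-held-during-detach approach that the fix commit in this thread names (FrameNavigationDisabler), as an added example that is not Chromium's code: a toy frame loader in which an observer fired while a provisional loader is being detached re-enters startLoad(). Unguarded, the nested load is reported as started and then wiped by the final reset of the same member; with an RAII disabler alive for the whole detach, the nested load is refused up front, so the loader's state stays consistent. Every name here (DocumentLoader, FrameLoader, NavigationDisabler, the observer hook) is assumed for the illustration.

```cpp
// Added illustration, not Chromium code. Names and structure are assumed.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct DocumentLoader {
    std::string url;
    // Callbacks fired during detach; stands in for the script that real
    // detachment can run (unload handlers, frame removal, and so on).
    std::vector<std::function<void()>> detachObservers;
};

class FrameLoader {
public:
    std::unique_ptr<DocumentLoader> provisionalLoader;

    // RAII guard modelled on the fix's idea: navigation is refused while
    // at least one disabler is alive. A counter allows nested guards.
    class NavigationDisabler {
    public:
        explicit NavigationDisabler(FrameLoader& l) : loader_(l) { ++loader_.disableCount_; }
        ~NavigationDisabler() { --loader_.disableCount_; }
    private:
        FrameLoader& loader_;
    };

    bool navigationDisabled() const { return disableCount_ > 0; }

    // Begin a new provisional load; returns false if navigation is disabled.
    bool startLoad(const std::string& url) {
        if (navigationDisabled()) return false;
        provisionalLoader = std::make_unique<DocumentLoader>();
        provisionalLoader->url = url;
        return true;
    }

    // 'loader' is a reference to a member of this object. The final reset is
    // the hazard: if an observer re-entered startLoad(), the member now holds
    // the *new* loader, and that is what gets cleared.
    void detachDocumentLoader(std::unique_ptr<DocumentLoader>& loader, bool guarded) {
        if (!loader) return;
        std::unique_ptr<NavigationDisabler> guard;
        if (guarded) guard = std::make_unique<NavigationDisabler>(*this);
        auto observers = loader->detachObservers;  // copy: 'loader' may be replaced below
        for (auto& cb : observers) cb();
        loader = nullptr;
    }

    // A fragment (same-document) navigation cancels any pending provisional load.
    void loadInSameDocument(bool guarded) {
        detachDocumentLoader(provisionalLoader, guarded);
        // scrolling to the fragment and updating history are omitted here
    }

private:
    int disableCount_ = 0;
};

struct Outcome {
    bool nestedLoadAccepted;      // the re-entrant startLoad() reported success
    bool provisionalLoaderAlive;  // a provisional loader exists afterwards
};

// Constructed scenario: a load for /a is pending; while it is detached by a
// fragment navigation, an observer tries to start a load for /b.
Outcome simulate(bool guarded, FrameLoader& frame) {
    frame.startLoad("/a");
    Outcome out{false, false};
    frame.provisionalLoader->detachObservers.push_back([&] {
        out.nestedLoadAccepted = frame.startLoad("/b");
    });
    frame.loadInSameDocument(guarded);
    out.provisionalLoaderAlive = frame.provisionalLoader != nullptr;
    return out;
}

// The invariant callers rely on: a load reported as started is still present.
bool consistent(const Outcome& o) {
    return o.nestedLoadAccepted == o.provisionalLoaderAlive;
}
```

Running simulate(false, ...) yields nestedLoadAccepted == true with provisionalLoaderAlive == false, the "cleared prematurely" state the report describes, whereas simulate(true, ...) refuses the nested load and, because the guard is released when detach returns, a normal startLoad() afterwards succeeds again.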

Comment 1 by f...@chromium.org, Jun 6 2016

Components: Blink>HTML>Frame
Labels: Security_Severity-High Security_Impact-Stable Pri-1
Owner: japhet@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report.

japhet@, could you please look at this one too? It seems like 613266 didn't fully solve this problem.

Comment 2 by sheriffbot@chromium.org, Jun 7 2016

Labels: M-51

Comment 3 by bugdroid1@chromium.org, Jun 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/be655fd4fb9ab3291a855a939496111674037a2f

commit be655fd4fb9ab3291a855a939496111674037a2f
Author: japhet <japhet@chromium.org>
Date: Sat Jun 18 01:02:39 2016

Always use FrameNavigationDisabler during DocumentLoader detach.

BUG=617495

Review-Url: https://codereview.chromium.org/2079473002
Cr-Commit-Position: refs/heads/master@{#400558}

[modify] https://crrev.com/be655fd4fb9ab3291a855a939496111674037a2f/third_party/WebKit/Source/core/loader/FrameLoader.cpp


Comment 4 by sheriffbot@chromium.org, Jun 20 2016

japhet: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by japhet@chromium.org, Jun 20 2016

Status: Started (was: Assigned)
I'm inclined to let this bake a couple of days before merging, if there are no objections.

Comment 6 by japhet@chromium.org, Jun 24 2016

Labels: Merge-Request-51 Merge-Request-52
I don't see any evidence of regressions from the bugfix. Should this be merged to M51 and/or M52?

Comment 7 by ClusterFuzz, Jun 25 2016

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz

Comment 8 by sheriffbot@chromium.org, Jun 25 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by tin...@google.com, Jun 27 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] There appears to be on-going work (i.e. bugdroid changes), needs manual review.

Comment 10 by tin...@google.com, Jun 27 2016

Labels: -Merge-Request-52 Merge-Review-52
[Automated comment] There appears to be on-going work (i.e. bugdroid changes), needs manual review.
Before we approve merge to M52, could you please confirm whether this change is baked/verified in Canary and safe to merge?

Also is this change applicable to all OS or any specific OS?
Labels: OS-All
All OSes are affected.

This fix has been on canaries for a little over a week, and I haven't been able to find any crashes or regression reports that appear to be related to this change, so I think this is baked.
Labels: -Merge-Review-52 Merge-Approved-52
Thank you. Approving merge to M52 branch 2743 based on comment #12. Please merge asap. Thank you.

Comment 14 by bugdroid1@chromium.org, Jun 28 2016

Labels: -merge-approved-52 merge-merged-2743
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/019484e056b10a33a91b1342de1cd1d08d18d605

commit 019484e056b10a33a91b1342de1cd1d08d18d605
Author: Nate Chapin <japhet@chromium.org>
Date: Tue Jun 28 22:03:05 2016

Always use FrameNavigationDisabler during DocumentLoader detach.

BUG=617495

Review-Url: https://codereview.chromium.org/2079473002
Cr-Commit-Position: refs/heads/master@{#400558}
(cherry picked from commit be655fd4fb9ab3291a855a939496111674037a2f)

Review URL: https://codereview.chromium.org/2103703004 .

Cr-Commit-Position: refs/branch-heads/2743@{#511}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/019484e056b10a33a91b1342de1cd1d08d18d605/third_party/WebKit/Source/core/loader/FrameLoader.cpp

Labels: reward-topanel
Labels: -M-51 Release-0-M52 M-52
Labels: CVE-2016-1711
Labels: reward-7500 reward-unpaid
And $7,500 for this one!
Labels: -reward-topanel
Labels: -reward-unpaid reward-inprocess

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted