
Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Issue 624779: Security: Search prediction service over HTTP crashes Chrome on Linux

Reported by, Jun 30 2016

Issue description

Some of the built-in search engines that come with Chrome do not use SSL for the prediction service in the OmniBar. Hijacking the connection and serving large responses will crash Chrome on Linux by running out of memory. This only happens on Linux; on Mac OS, Android and Windows, the request stops after consuming around 10-30 MB (still not a good thing, but not as bad as a crash). We didn't try testing on Android with a slow connection to see if the browser would hang while the download happens.

Search engines are defined in /src/components/search_engines/prepopulated_engines.json, two default ones (AOL and are not using SSL for US/English. We tested those.

The source of the bug seems to be in src/components/omnibox/browser/, lines 312-338, specifically:


there doesn't seem to be a limit of how big the response can be, although some sort of overall fetch protection seems to kick in for MacOS, Android and Windows.

Chrome Version: 51.0.2704.106 (Official Build) (64-bit)
Operating System: Ubuntu 16.04

1. Install DNSMASQ:
sudo apt-get install dnsmasq

2. Install NGINX:
sudo apt-get install nginx

3. Modify the /etc/hosts file to add the following entries to map to the IP of the local computer (varies by vendor of the phone):


4. Configure the /etc/dnsmasq.conf file to listen on the IP:

5. Restart DNSMASQ:
sudo /etc/init.d/dnsmasq restart

6. Use fallocate to create a file in "/var/www/html/"
sudo fallocate -l 5G query

7. Modify DNS settings on the test machine or the same machine to point to "192.168.1.x". If same machine, modify resolv.conf as follows:
nameserver 192.168.1.x

8. Start Chrome, go to settings and choose "" as the default search provider.
9. Open new tab and try to type something in the omnibox.

Type of crash: browser
Crash State: browser closes, the following log message appears when logging is enabled:

tcmalloc: large alloc 1073741824 bytes == 0x2d2b6ea56000 @ 
[17724:17761:0630/] Out of memory.
Aborted (core dumped)
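The root cause the reporter points at is a response read with no size cap. Below is an added example (my own illustration, not Chromium code and not part of this report) of the missing check: a bounded reader that refuses a response whose declared Content-Length exceeds a cap and otherwise aborts as soon as the bytes actually received exceed it, so memory stays bounded no matter how large a body a hijacked server streams. The cap value, the `EndlessStream` stand-in for a hostile server, and all function names are assumptions constructed for the example.

```python
"""Bounded reading of an untrusted HTTP body (added example, not Chromium code)."""
import io

# Assumed cap for a search-suggestion response; a few KB is typical, so 1 MiB is generous.
MAX_SUGGEST_BYTES = 1 * 1024 * 1024


class ResponseTooLarge(Exception):
    """Raised when a response exceeds the configured byte cap."""


def read_bounded(stream, max_bytes=MAX_SUGGEST_BYTES, chunk_size=64 * 1024,
                 content_length=None):
    """Read at most max_bytes from a binary stream.

    If the server declares a Content-Length above the cap, refuse before reading
    anything. Otherwise read in chunks and abort the moment the running total
    exceeds max_bytes. Peak memory is bounded by max_bytes plus one chunk,
    regardless of how much the server is willing to send.
    """
    if content_length is not None and content_length > max_bytes:
        raise ResponseTooLarge(
            f"declared length {content_length} exceeds cap {max_bytes}")
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the cap: that single extra byte
        # is enough to prove the response is oversized without buffering it all.
        want = min(chunk_size, max_bytes - len(buf) + 1)
        chunk = stream.read(want)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ResponseTooLarge(
                f"received more than {max_bytes} bytes; aborting read")
    return bytes(buf)


class EndlessStream:
    """Constructed stand-in for a hijacked server that never stops sending.

    It fabricates bytes on demand instead of holding a large body in memory,
    so the example itself cannot run out of memory.
    """

    def __init__(self):
        self.served = 0

    def read(self, n=-1):
        if n < 0:
            n = 64 * 1024
        self.served += n
        return b"A" * n


def demo():
    """Exercise the three cases and return the outcomes for inspection."""
    results = {}

    # 1. A normal, small suggestion body is read in full.
    small = io.BytesIO(b'["query",["query one","query two"]]')
    body = read_bounded(small, max_bytes=1024)
    results["small"] = len(body)

    # 2. An honest but oversized Content-Length is rejected before any read.
    try:
        read_bounded(io.BytesIO(b""), max_bytes=1024, content_length=5 * 1024 ** 3)
        results["declared"] = "accepted"
    except ResponseTooLarge:
        results["declared"] = "rejected"

    # 3. A server that lies (no Content-Length) and streams forever is cut off
    #    after little more than the cap, not after gigabytes.
    endless = EndlessStream()
    try:
        read_bounded(endless, max_bytes=1024, chunk_size=256)
        results["endless"] = "accepted"
    except ResponseTooLarge:
        results["endless"] = "rejected"
    results["endless_bytes_pulled"] = endless.served
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the cap is enforced on bytes actually received, not only on the declared length: a hijacked server can omit or misstate Content-Length, so the header check is a fast path, not the protection.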

Comment 2 by, Jun 30 2016

Status: WontFix (was: Unconfirmed)
We don't consider DoS to be a security vulnerability. See the Chrome Security FAQ:

Comment 3 by, Jun 30 2016

Has this changed, because we see similar bugs in the past considered security bugs:

Additionally, since this is a memory overflow, can this result in an RCE?

Last, if this is not a security bug, should we refile this as a new bug or feature request, or is this just not going to be fixed?


Comment 4 by, Jul 13 2016

Also - this happens occasionally on Windows as well.

Comment 6 by, Oct 7 2016

Project Member
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 7 by, Mar 9 2017

