
Issue 625682


Issue metadata

Status: Duplicate
Merged: issue 625598
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug

Security: Crash in content_settings::ContentSettingsPref::SetWebsiteSetting

Reported by chromium...@gmail.com, Jul 4 2016

Issue description

VERSION
Chrome Version: 54.0.2787.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to chrome://md-settings/siteSettings/all
2. Click on "Add site exception" and enter anything in the field
3. Click on "Add" >> Crash!!

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

rax=baadf00dbaadf00d rbx=0000000000000004 rcx=baadf00dbaadf00d
rdx=000000000030b1f0 rsi=000000000030b350 rdi=0000000007e00700
rip=000007fedfec97b0 rsp=000000000030add0 rbp=000000000030b1a8
 r8=000000000030b350  r9=000000000030b1a8 r10=000000000000000e
r11=000000000030a908 r12=baadf00dbaadf045 r13=000000000b40c090
r14=000000000030b1f0 r15=0000000007e22600
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_7fedf2f0000!content_settings::ContentSettingsPref::SetWebsiteSetting+0x18:
000007fe`dfec97b0 80792000        cmp     byte ptr [rcx+20h],0 ds:baadf00d`baadf02d=??
0:000> k
Child-SP          RetAddr           Call Site
00000000`0030add0 000007fe`dfec6817 chrome_7fedf2f0000!content_settings::ContentSettingsPref::SetWebsiteSetting+0x18 [c:\b\build\slave\win64\build\src\components\content_settings\core\browser\content_settings_pref.cc @ 113]
00000000`0030ae50 000007fe`dfebd5bd chrome_7fedf2f0000!content_settings::PrefProvider::SetWebsiteSetting+0xf3 [c:\b\build\slave\win64\build\src\components\content_settings\core\browser\content_settings_pref_provider.cc @ 150]
00000000`0030b050 000007fe`dfebd9e1 chrome_7fedf2f0000!HostContentSettingsMap::SetWebsiteSettingCustomScope+0x61 [c:\b\build\slave\win64\build\src\components\content_settings\core\browser\host_content_settings_map.cc @ 359]
00000000`0030b0b0 000007fe`e0ed0636 chrome_7fedf2f0000!HostContentSettingsMap::SetContentSettingCustomScope+0xb1 [c:\b\build\slave\win64\build\src\components\content_settings\core\browser\host_content_settings_map.cc @ 435]
00000000`0030b110 000007fe`dfd8ba94 chrome_7fedf2f0000!settings::SiteSettingsHandler::HandleSetCategoryPermissionForOrigin+0x23a [c:\b\build\slave\win64\build\src\chrome\browser\ui\webui\settings\site_settings_handler.cc @ 278]
00000000`0030b440 000007fe`dfd8b1cc chrome_7fedf2f0000!content::WebUIImpl::ProcessWebUIMessage+0x94 [c:\b\build\slave\win64\build\src\content\browser\webui\web_ui_impl.cc @ 258]
00000000`0030b480 000007fe`dfd8bf65 chrome_7fedf2f0000!content::WebUIImpl::OnWebUISend+0x90 [c:\b\build\slave\win64\build\src\content\browser\webui\web_ui_impl.cc @ 109]
00000000`0030b4d0 000007fe`dfd8b111 chrome_7fedf2f0000!IPC::MessageT<ViewHostMsg_WebUISend_Meta,std::tuple<GURL,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::ListValue>,void>::Dispatch<content::WebUIImpl,content::WebUIImpl,void,void (__cdecl content::WebUIImpl::*)(GURL const & __ptr64,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const & __ptr64,base::ListValue const & __ptr64) __ptr64>+0x191 [c:\b\build\slave\win64\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0030b680 000007fe`dfc9a41e chrome_7fedf2f0000!content::WebUIImpl::OnMessageReceived+0x99 [c:\b\build\slave\win64\build\src\content\browser\webui\web_ui_impl.cc @ 91]
00000000`0030b710 000007fe`dfc4efb9 chrome_7fedf2f0000!content::WebContentsImpl::OnMessageReceived+0x5e [c:\b\build\slave\win64\build\src\content\browser\web_contents\web_contents_impl.cc @ 637]
00000000`0030c380 000007fe`dfc77e61 chrome_7fedf2f0000!content::RenderViewHostImpl::OnMessageReceived+0x89 [c:\b\build\slave\win64\build\src\content\browser\renderer_host\render_view_host_impl.cc @ 836]
00000000`0030cad0 000007fe`dfd02fc6 chrome_7fedf2f0000!content::RenderWidgetHostImpl::OnMessageReceived+0x4d [c:\b\build\slave\win64\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 443]
00000000`0030d210 000007fe`dfa9e9b8 chrome_7fedf2f0000!content::RenderProcessHostImpl::OnMessageReceived+0x56e [c:\b\build\slave\win64\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 1768]
00000000`0030d540 000007fe`df48da5f chrome_7fedf2f0000!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64\build\src\ipc\ipc_channel_proxy.cc @ 285]
00000000`0030d570 000007fe`df430638 chrome_7fedf2f0000!base::debug::TaskAnnotator::RunTask+0x1ef [c:\b\build\slave\win64\build\src\base\debug\task_annotator.cc @ 53]
00000000`0030d6a0 000007fe`df4317c2 chrome_7fedf2f0000!base::MessageLoop::RunTask+0x448 [c:\b\build\slave\win64\build\src\base\message_loop\message_loop.cc @ 494]
00000000`0030e9b0 000007fe`df48e208 chrome_7fedf2f0000!base::MessageLoop::DoWork+0x582 [c:\b\build\slave\win64\build\src\base\message_loop\message_loop.cc @ 625]
00000000`0030eea0 000007fe`df48ded4 chrome_7fedf2f0000!base::MessagePumpForUI::DoRunLoop+0x78 [c:\b\build\slave\win64\build\src\base\message_loop\message_pump_win.cc @ 263]
00000000`0030ef10 000007fe`df473fc0 chrome_7fedf2f0000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64\build\src\base\message_loop\message_pump_win.cc @ 142]
00000000`0030ef60 000007fe`e01f24ff chrome_7fedf2f0000!base::RunLoop::Run+0x90 [c:\b\build\slave\win64\build\src\base\run_loop.cc @ 36]

Cc: raymes@chromium.org jochen@chromium.org
Components: UI>Settings
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Chrome OS-Linux OS-Mac OS-Windows Type-Bug
Owner: bauerb@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for reporting this crash! (Note that we don't consider DoS a security issue; see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-.)
Hmm... thank you for your help!

Comment 3 by raymes@chromium.org, Jul 12 2016

Cc: bauerb@chromium.org
Labels: Pri-2
Owner: finnur@chromium.org
Finnur: could you ptal? I think it might be passing an invalid content settings type.

Comment 4 by finnur@chromium.org, Jul 13 2016

Mergedinto: 625598
Status: Duplicate (was: Assigned)
