
Issue 626638 link

Starred by 3 users

Issue metadata

Status: Archived
Owner:
Last visit > 30 days ago
Closed: Mar 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Exploitable Crash in Google Chrome

Reported by jaakash2...@gmail.com, Jul 8 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:
1. Just visit https://www.3bfab.com/ from the latest version of Google Chrome on a Windows 7 32-bit system.
2. This crash only happens on 32-bit operating systems.

What is the expected behavior?

The tab with website https://www.3bfab.com/ should not crash with "Aw-Snap" message.

What went wrong?
The tab with website https://www.3bfab.com/ crashes with "Aw-Snap" message.

Crashed report ID: No

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 51.0.2704.106  Channel: stable
OS Version: 6.1 (Windows 7)
Flash Version: Shockwave Flash 22.0 r0

This crash seems to be an exploitable crash.
Here are the Register Values from the crash dump:

0:000> r
eax=76770829 ebx=00000000 ecx=0048d50e edx=774870d4 esi=0048d410 edi=00000000
eip=774870d4 esp=0048d3cc ebp=0048d434 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
774870d4 c3              ret

Operating System Information:

0:000> vertarget
Windows 7 Version 7601 (19135) MP (4 procs) Free x86 compatible
Product: WinNt
kernel32.dll version: 6.1.7601.19135 (win7sp1_gdr.160121-1718)
Machine Name:
Debug session time: Fri Jul  8 16:16:49.000 2016 (UTC + 5:30)
System Uptime: not available
Process Uptime: not available
  Kernel time: 0 days 0:00:00.000
  User time: 0 days 0:00:00.000
 
Attachment: f9c5f5f6-5ca0-4706-bb98-d4992dbbe40e.dmp (4.2 MB)
Chrome Version from Crash Dump:

0:000> lmvm chrome
start    end        module name
00270000 0035c000   chrome   T (no symbols)           
    Loaded symbol image file: chrome.exe
    Image path: C:\Program Files\Google\Chrome\Application\chrome.exe
    Image name: chrome.exe
    Timestamp:        Thu Jun 23 08:04:11 2016 (576B4AA3)
    CheckSum:         00000000
    ImageSize:        000EC000
    File version:     51.0.2704.106
    Product version:  51.0.2704.106
    File flags:       0 (Mask 0)
    File OS:          0 Unknown Base
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Another Crash dump generated along with previous dump:
Attachment: 19c34a11-1359-4677-bc64-59d33da1d846.dmp (372 KB)
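The register dump quoted in the report puts eip in ntdll!KiFastSystemCallRet at a `ret`, which on 32-bit Windows is the user-mode address a thread returns to after a system call; the first thing a crash triager checks is therefore whether the dumped thread is the faulting thread at all, and whether eip lies inside any module that was loaded. The script below is an added example, not code from the report or from Chromium: it parses the `r` and `lmvm chrome` output above (copied in as constructed input) and applies those two checks. Only chrome.exe is in the module list, exactly as on the page, so ntdll is unknown to it and is recognised only through the symbol line; the `SYSCALL_RET_STUB` constant, the edx == eip heuristic and the wording of the notes are the example's own.

```python
"""Triage a 32-bit WinDbg register dump: is this thread faulting, and where is eip?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the "r" listing quoted in the report above.
REG_DUMP = """\
0:000> r
eax=76770829 ebx=00000000 ecx=0048d50e edx=774870d4 esi=0048d410 edi=00000000
eip=774870d4 esp=0048d3cc ebp=0048d434 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
774870d4 c3              ret
"""

# Constructed input: the module line from the "lmvm chrome" listing above.
MODULE_DUMP = """\
0:000> lmvm chrome
start    end        module name
00270000 0035c000   chrome   T (no symbols)
"""

REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")        # 32-bit registers only
MOD_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})\s+(\S+)", re.M)
SYM_RE = re.compile(r"^(\S+!\S+):\s*$", re.M)                  # "module!symbol:" line
INSN_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+)\s+([a-z]+)", re.M)  # addr bytes mnemonic

SYSCALL_RET_STUB = "ntdll!KiFastSystemCallRet"  # x86 user-mode return point after sysenter


def parse_registers(text: str) -> Dict[str, int]:
    """Return {register: value} for every 8-hex-digit register in an 'r' listing."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_modules(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, name) for every module line in 'lm'/'lmvm' output."""
    return [(int(s, 16), int(e, 16), n) for s, e, n in MOD_RE.findall(text)]


def module_for(addr: int, modules: List[Tuple[int, int, str]]) -> Optional[str]:
    """Name of the listed module whose [start, end) range contains addr, else None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


@dataclass
class Triage:
    eip: int
    eip_module: Optional[str]
    symbol: Optional[str]
    mnemonic: Optional[str]
    syscall_stub: bool
    thread_faulting: bool
    notes: List[str] = field(default_factory=list)


def triage(reg_text: str, mod_text: str) -> Triage:
    regs = parse_registers(reg_text)
    eip = regs["eip"]
    eip_module = module_for(eip, parse_modules(mod_text))

    # Only trust the symbol and disassembly if the disassembled address is eip itself.
    symbol = mnemonic = None
    insn = INSN_RE.search(reg_text)
    if insn and int(insn.group(1), 16) == eip:
        mnemonic = insn.group(3)
        sym = SYM_RE.search(reg_text)
        symbol = sym.group(1) if sym else None

    notes: List[str] = []
    stub = symbol == SYSCALL_RET_STUB and mnemonic == "ret"
    if stub:
        notes.append("eip is the x86 system-call return stub: this thread is parked in a "
                     "syscall, not faulting; check the other threads (~*k) or the renderer's "
                     "own minidump before judging exploitability")
        # Heuristic (example's own): sysexit returns with EDX = return address, so
        # edx == eip here is consistent with a clean syscall return, not a hijack.
        if regs.get("edx") == eip:
            notes.append("edx == eip matches the sysexit return convention")
    elif eip_module is None and symbol is None:
        notes.append("eip resolves to no listed module or symbol: possible control-flow "
                     "hijack; confirm against the full 'lm' output")
    else:
        notes.append(f"eip in {eip_module or symbol}; disassemble at eip (u @eip) and "
                     "inspect the faulting instruction and access type")
    return Triage(eip, eip_module, symbol, mnemonic, stub, not stub, notes)


if __name__ == "__main__":
    for line in triage(REG_DUMP, MODULE_DUMP).notes:
        print(line)
```

Run against the quoted dump the script reports a thread sitting in the syscall return stub with eip outside chrome.exe, which is the state of a main thread waiting on the kernel rather than a faulting instruction; the same script flags an eip such as 0x41414141 that lands in no listed module as a candidate control-flow hijack.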
Cc: durga.behera@chromium.org
Labels: M-51 Needs-Feedback
Thanks for the report. Could you please help by providing sample crash reports for these crashes (chrome://crashes; pick the one relevant to this crash occurrence).
Unable to reproduce it on Win 7 (64-bit, though) using 51.0.2704.106.
As mentioned in the ticket, this issue is happening only in the 32-bit version of Chrome on a 32-bit Windows operating system.
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 25 2016

Labels: -Needs-Feedback Needs-Review
Owner: durga.behera@chromium.org
Thank you for providing more feedback. Adding requester "durga.behera@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by cda...@chromium.org, Mar 13 2017

Labels: -Needs-Review
Cleaning up "Needs-Review" label as we are not using this label for triage anymore. Ref bug for this cleanup 684919
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 15 2018

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
