Investigation of PoC for critical, remotely exploitable vulnerability in Chrome
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:

In b/29250543 a proof of concept was provided for a critical, remotely exploitable vulnerability. It produces a native crash in N when the file poc.mp4 is opened in Chrome. The root cause reported there is some code in system/core/libutils.

While trying to see whether the fix https://googleplex-android-review.git.corp.google.com/#/c/1207192/ solved the issue in klp-dev, I found in klp-dev that the code in system/core/libutils is not reached by the Chrome PoC (as an aside, I clarify that the fault in the code there also exists in klp-dev, and is reachable via other PoCs). However, in the logs I can see a crash of a process related to Chrome.

The vulnerability will become public and it will be a problem if the PoC crashes in earlier branches. We need to investigate what the impact of that PoC in Chrome is, so as to make sure that the PoC going public will not reveal a vulnerability other than the one in b/29250543. See logs below for the crash I'm seeing.

Note that a fix for b/29250543 needs to be ready for 19 July for the timeline of build cut/deployment/bulletin publishing/etc. to work out.

Logs in klp-dev:

I/ActivityManager( 752): Process com.android.chrome:sandboxed_process2 (pid 2415) has died.
W/ActivityManager( 752): Scheduling restart of crashed service com.android.chrome/org.chromium.content.app.SandboxedProcessService2 in 1000ms

What is the expected behavior?

What went wrong?
Crash. Need Chrome dev to investigate.

Did this work before? N/A

Chrome version: 51.0.2704.106 Channel: stable
OS Version: 14.04 LTS
Flash Version: Shockwave Flash 22.0 r0

More details in b/29250543
Jul 21 2016
If the only relevant log lines are those two from ActivityManager, I do not think there's an issue here. I downloaded 51.0.2704.106 and attached to the renderer with gdb. I loaded the poc.mp4 file and then played it. Nothing happened, so after about a minute I closed the tab, then I saw the process exit.
I/MediaRouter( 9037): Found default route: MediaRouter.RouteInfo{ uniqueId=android/.support.v7.media.W:DEFAULT_ROUTE, name=Tablet, description=null, iconUri=null, enabled=true, connecting=false, connectionState=0, canDisconnect=false, playbackType=0, playbackStream=3, deviceType=0, volumeHandling=1, volume=11, volumeMax=15, presentationDisplayId=-1, extras=null, settingsIntent=null, providerPackageName=android }
I/VideoFling( 9037): Adding remote media route controller com.google.android.apps.chrome.videofling.ChromeDefaultMediaRouteController
I/MediaFocusControl( 576): AudioFocus requestAudioFocus() from android.media.AudioManager@425727a0org.chromium.content.browser.MediaSessionDelegate@427cb908
E/MediaPlayerService( 182): error: -2147483648
E/MediaPlayer( 9037): Unable to create media player
I/MediaFocusControl( 576): Remote Control registerMediaButtonIntent() for PendingIntent{42c44328: PendingIntentRecord{42c3c6f0 com.chrome.canary broadcastIntent}}
E/MediaPlayer( 9037): Should have subtitle controller already set
I/MediaFocusControl( 576): Remote Control unregisterMediaButtonIntent() for PendingIntent{42b3ced0: PendingIntentRecord{42c3c6f0 com.chrome.canary broadcastIntent}}
W/KeyguardUpdateMonitor( 775): Ignoring generation id 40 because it's not current
W/cr_ScreenOrientation( 9037): Removing an inexistent observer!
I/MediaFocusControl( 576): AudioFocus abandonAudioFocus() from android.media.AudioManager@425727a0org.chromium.content.browser.MediaSessionDelegate@427cb908
I/ActivityManager( 576): Process com.chrome.canary:sandboxed_process0 (pid 9061) has died.
W/cr_ChildProcessConnect( 9037): onServiceDisconnected (crash or killed by oom): pid=9061
W/ActivityManager( 576): Scheduling restart of crashed service com.chrome.canary/org.chromium.content.app.SandboxedProcessService0 in 1000ms
% ./build/android/adb_gdb --pid=9061 com.chrome.canary --output-directory=tmp/out/Release/
Attaching and reading symbols, this may take a while..0x401307b4 in epoll_wait () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
(gdb) bt
#0 0x401307b4 in epoll_wait () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
#1 0x4019781e in android::Looper::pollInner(int) () from /tmp/rsesek-adb-gdb-libs/system/lib/libutils.so
#2 0x40197a48 in android::Looper::pollOnce(int, int*, int*, void**) () from /tmp/rsesek-adb-gdb-libs/system/lib/libutils.so
#3 0x402405b4 in android::NativeMessageQueue::pollOnce(_JNIEnv*, int) () from /tmp/rsesek-adb-gdb-libs/system/lib/libandroid_runtime.so
#4 0x4158dbd0 in dvmPlatformInvoke () from /tmp/rsesek-adb-gdb-libs/system/lib/libdvm.so
#5 0x415be126 in dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*) () from /tmp/rsesek-adb-gdb-libs/system/lib/libdvm.so
#6 0x41596fe4 in dvmJitToInterpNoChain () from /tmp/rsesek-adb-gdb-libs/system/lib/libdvm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) c
Continuing.
[Inferior 1 (process 9061) exited normally]
(gdb) bt
No stack.
So, why is ActivityManager considering this an abnormal death? The renderer is killing itself after its IPC pipe goes down.
Breakpoint 1, IPC::ChannelPosix::Send (this=0x76aad8f8, message=0x76aad758) at ../../ipc/ipc_channel_posix.cc:523
523 in ../../ipc/ipc_channel_posix.cc
(gdb) p pipe_
$3 = {
data_ = {
<base::internal::ScopedFDCloseTraits> = {<No data fields>},
members of base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>::Data:
generic = 63
}
}
Breakpoint 2, 0x4012edd4 in _exit () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
(gdb) bt
#0 0x4012edd4 in _exit () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
#1 0x78c7ecaa in content::(anonymous namespace)::SuicideOnChannelErrorFilter::OnChannelError (this=<optimized out>) at ../../content/child/child_thread_impl.cc:165
#2 0x77dab8ac in IPC::ChannelProxy::Context::OnChannelError (this=0x75de4280) at ../../ipc/ipc_channel_proxy.cc:126
#3 0x773d1fee in IPC::ChannelPosix::OnFileCanReadWithoutBlocking (this=0x76aad8f8, fd=<optimized out>) at ../../ipc/ipc_channel_posix.cc:677
#4 0x773c6328 in base::MessagePumpLibevent::FileDescriptorWatcher::OnFileCanReadWithoutBlocking (this=this@entry=0x76aae950, fd=fd@entry=63, pump=pump@entry=0x75de3fc0)
at ../../base/message_loop/message_pump_libevent.cc:97
#5 0x773bc730 in base::MessagePumpLibevent::OnLibeventNotification (fd=63, flags=<optimized out>, context=0x76aae950) at ../../base/message_loop/message_pump_libevent.cc:365
#6 0x77359710 in event_process_active (base=<optimized out>) at ../../base/third_party/libevent/event.c:388
#7 event_base_loop (base=0x75de4008, flags=1) at ../../base/third_party/libevent/event.c:540
#8 0x7735940a in base::MessagePumpLibevent::Run (this=0x75de3fc0, delegate=0x75de3420) at ../../base/message_loop/message_pump_libevent.cc:257
#9 0x7735a320 in base::RunLoop::Run (this=this@entry=0x76aa7d60) at ../../base/run_loop.cc:35
#10 0x7735a2d8 in base::MessageLoop::Run (this=<optimized out>) at ../../base/message_loop/message_loop.cc:295
#11 0x773566a4 in Run (message_loop=<optimized out>, this=0x75c359b0) at ../../base/threading/thread.cc:202
#12 base::Thread::ThreadMain (this=0x75c359b0) at ../../base/threading/thread.cc:254
#13 0x77356540 in base::(anonymous namespace)::ThreadFunc (params=<optimized out>) at ../../base/threading/platform_thread_posix.cc:70
#14 0x4011c16c in __thread_entry () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
#15 0x4011c304 in pthread_create () from /tmp/rsesek-adb-gdb-libs/system/lib/libc.so
#16 0x00000000 in ?? ()
Note that in frame 4 the fd=63, which is the same as the IPC channel pipe. This is just Chrome's fast-close path.
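The fast-close path described in this comment, as an added example that is not part of the Chromium code base or of this thread: a minimal supervisor/child pair in C. The child blocks in poll() on its IPC pipe and calls _exit(0) when the pipe hangs up (the analogue of SuicideOnChannelErrorFilter reaching _exit in the backtrace), while the supervisor uses waitpid() to tell that apart from a genuine crash, which is simulated here with abort(). It goes slightly beyond the trace by showing both outcomes side by side, so a triage engineer can see which wait status a "has died" log line actually corresponds to. The names run_and_classify, child_loop and on_channel_error are this example's own, not Chromium's.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a supervisor (the role ActivityManager plays for a sandboxed
   process) classifies a child's death. Names here are this example's own. */
typedef enum { CHILD_EXITED = 0, CHILD_SIGNALED = 1, CHILD_ERROR = -1 } child_outcome;

/* Reaction to the IPC channel going away. The normal branch mirrors the
   SuicideOnChannelErrorFilter -> _exit() path from the backtrace above;
   the other branch simulates a genuine crash so the two can be compared. */
static void on_channel_error(int simulate_crash) {
    if (simulate_crash)
        abort();      /* dies with SIGABRT: a real crash signature */
    _exit(0);         /* fast-close path: clean exit, no signal */
}

/* Child side: block in poll() on the pipe, much like the renderer's
   message pump blocks in epoll_wait() on fd 63 in the trace. */
static void child_loop(int ipc_fd, int simulate_crash) {
    struct pollfd pfd = { .fd = ipc_fd, .events = POLLIN, .revents = 0 };
    char buf[64];
    for (;;) {
        if (poll(&pfd, 1, -1) < 0)
            _exit(2);                       /* unexpected poll failure */
        if (pfd.revents & POLLIN) {
            ssize_t r = read(ipc_fd, buf, sizeof buf);
            if (r == 0)                     /* EOF: every writer has closed */
                on_channel_error(simulate_crash);
            if (r < 0)
                _exit(2);
            continue;                       /* a real renderer would dispatch the message here */
        }
        if (pfd.revents & (POLLHUP | POLLERR))
            on_channel_error(simulate_crash);
    }
}

/* Supervisor side: start a child on a fresh pipe, send one message, then
   close the channel and report how the child died. On CHILD_EXITED *code is
   the exit status; on CHILD_SIGNALED it is the terminating signal number. */
static child_outcome run_and_classify(int simulate_crash, int *code) {
    int fds[2];
    if (pipe(fds) != 0)
        return CHILD_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return CHILD_ERROR;
    if (pid == 0) {
        close(fds[1]);                  /* child keeps only the read end, so HUP can arrive */
        child_loop(fds[0], simulate_crash);
        _exit(3);                       /* not reached */
    }
    close(fds[0]);
    const char msg[] = "ping";          /* constructed sample message */
    if (write(fds[1], msg, sizeof msg) < 0)
        perror("write");                /* not fatal for the demonstration */
    close(fds[1]);                      /* this is "the IPC pipe goes down" */

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return CHILD_ERROR;
    if (WIFEXITED(status)) {
        *code = WEXITSTATUS(status);
        return CHILD_EXITED;
    }
    if (WIFSIGNALED(status)) {
        *code = WTERMSIG(status);
        return CHILD_SIGNALED;
    }
    return CHILD_ERROR;
}

int main(void) {
    int code = 0;
    child_outcome o = run_and_classify(0, &code);
    printf("fast-close path : %s, code %d\n",
           o == CHILD_EXITED ? "exited normally" : "died by signal", code);
    o = run_and_classify(1, &code);
    printf("simulated crash : %s, code %d\n",
           o == CHILD_SIGNALED ? "died by signal" : "exited", code);
    return 0;
}
```

The point for triage is in the wait status: the fast-close child reports WIFEXITED with status 0, exactly what gdb printed as "exited normally", whereas a crash reports WIFSIGNALED with the signal number. A supervisor that logs "has died" for either case, as ActivityManager does here, cannot distinguish them, so the log line alone is not evidence of memory corruption.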
Oct 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rsesek@chromium.org, Jul 20 2016
Labels: -OS-Linux OS-Android