Read access violation in ppapi process and renderer process
Reported by wadih.ma...@gmail.com, Aug 2 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:
1. open http://localhost/attackmanager.html
2. click on start
3. click on start attack
4. here we can either wait and the ppapi process will crash, or open devtools (f12) and both ppapi and renderer processes will crash

What is the expected behavior?
No crashes

What went wrong?
The renderer process crash looks like:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll -
eax=00000358 ebx=4027b4b0 ecx=00000000 edx=00000000 esi=29615118 edi=05e5cbd8
eip=5aef8fed esp=0025c5f8 ebp=0025c668 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!GetHandleVerifier+0x5caf3d:
5aef8fed 8b00            mov     eax,dword ptr [eax]  ds:002b:00000358=????????

The ppapi process crash looks like one of these:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\ass\AppData\Local\Google\Chrome\User Data\PepperFlash\22.0.0.209\pepflashplayer.dll -
eax=0237a410 ebx=00000000 ecx=b5bd8375 edx=02350048 esi=023b8050 edi=0055cce4
eip=60bc2523 esp=0055cccc ebp=0055cd64 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
pepflashplayer!PPP_ShutdownBroker+0x11330:
60bc2523 8b7004          mov     esi,dword ptr [eax+4] ds:002b:0237a414=????????

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll -
eax=ec8b5500 ebx=001bd774 ecx=002faacc edx=3377cfe7 esi=002faacc edi=001bd714
eip=5c187e26 esp=001bd698 ebp=001bd69c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
chrome_child!ChromeMain+0x7aae78:
5c187e26 ff4004          inc     dword ptr [eax+4]    ds:002b:ec8b5504=????????

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll -
eax=0033d930 ebx=0033d8c4 ecx=0033d8c4 edx=0404e008 esi=00000000 edi=0033d864
eip=5c18828a esp=0033d7f8 ebp=0033d818 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
chrome_child!ChromeMain+0x7ab2dc:
5c18828a ffb6e4000000    push    dword ptr [esi+0E4h] ds:002b:000000e4=????????

Did this work before? N/A

Chrome version: 51.0.2704.106
Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 22.0 r0

- attackmanager.html uses a trick to be able to close the attack page automatically: the script doing the closing is hosted in another process (otherwise it won't execute) and is able to close the attack page if it comes back on the same domain as attackmanager.html.
- one of the ppapi process crashes may be exploitable.
Aug 3 2016
2 of the ppapi process stack traces:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\22.0.0.209\pepflashplayer.dll -
eax=0227fea8 ebx=00000000 ecx=5a886d84 edx=02250048 esi=0229eb20 edi=0023d144
eip=5fe92523 esp=0023d12c ebp=0023d1c4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
pepflashplayer!PPP_ShutdownBroker+0x11330:
5fe92523 8b7004          mov     esi,dword ptr [eax+4] ds:002b:0227feac=????????
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0023d1c4 6005cfd7 0452b958 0023d2ec 00000000 pepflashplayer!PPP_ShutdownBroker+0x11330
0023d244 5ffbe92f 005c6120 0023d268 3b5c6126 pepflashplayer!PPP_ShutdownBroker+0x1dbde4
0023d2cc 5ff9a8c8 0258d6f8 0023d2fc 00000083 pepflashplayer!PPP_ShutdownBroker+0x13d73c
00000000 00000000 00000000 00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x1196d5

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll -
eax=ec8b5500 ebx=0059dba4 ecx=011c7efc edx=050e0a08 esi=011c7efc edi=0059db44
eip=68b87e26 esp=0059dac8 ebp=0059dacc iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
chrome_child!ChromeMain+0x7aae78:
68b87e26 ff4004          inc     dword ptr [eax+4]    ds:002b:ec8b5504=????????
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0059dacc 68b8829a ec8b5500 0059db54 0059db24 chrome_child!ChromeMain+0x7aae78
0059daf8 68bac076 68461a9f 0059db44 00000000 chrome_child!ChromeMain+0x7ab2ec
0059db58 68babbe3 03b073e8 00000000 02a2fa10 chrome_child!ChromeMain+0x7cf0c8
0059dbac 68bab945 0059dc24 68babfd4 00000000 chrome_child!ChromeMain+0x7cec35
0059dc18 68babfb7 01243be8 071403e0 071403e0 chrome_child!ChromeMain+0x7ce997
0059dc6c 68b8cbab 01243be8 01243be8 00000000 chrome_child!ChromeMain+0x7cf009
0059dc80 68b9a68a 01243be8 01243be8 011634c0 chrome_child!ChromeMain+0x7afbfd
0059dd08 684642c7 01243be8 011a0350 011634c0 chrome_child!ChromeMain+0x7bd6dc
0059dd1c 68461a33 01243be8 00000000 011634c0 chrome_child!ChromeMain+0x87319
0059dd50 68461a75 011634c0 684622bc 00000000 chrome_child!ChromeMain+0x84a85
0059dd7c 684620d1 011634c0 00000000 403c5c40 chrome_child!ChromeMain+0x84ac7
0059ddb8 68b9a90e 403c5c40 69e827fb 0059de04 chrome_child!ChromeMain+0x85123
0059ddc8 68b9a800 403c5c40 011c8764 403c5c40 chrome_child!ChromeMain+0x7bd960
0059de04 68ba2290 403c5c40 0059de74 0059df5c chrome_child!ChromeMain+0x7bd852
0059de54 69270d55 0059df60 e92bdb4d 00000005 chrome_child!ChromeMain+0x7c52e2
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\22.0.0.209\pepflashplayer.dll -
0059df74 033157b0 0059dfa8 e92bdb4d 00000005 chrome_child!IsSandboxedProcess+0x694dcb
0059dff0 02bb4a7e 0059e058 00000000 040bb000 pepflashplayer!IAEModule_IAEKernel_UnloadModule+0xb42ed
0059e098 02f0ccbe 06249358 3fc24400 040e3020 pepflashplayer!PPP_ShutdownBroker+0x388b
0059e0cc 02daeb93 40a70880 40a80fb8 34f4f018 pepflashplayer!PPP_ShutdownBroker+0x35bacb
0059e1c8 02c6bad8 41a062f8 00000001 0059e210 pepflashplayer!PPP_ShutdownBroker+0x1fd9a0
0059e1f0 02c6bd00 00000001 0059e210 40b02a88 pepflashplayer!PPP_ShutdownBroker+0xba8e5
0059e23c 02c8b2a2 41a062f8 40a70881 354a7fc8 pepflashplayer!PPP_ShutdownBroker+0xbab0d
0059e25c 02c5daba 40a70881 0059e388 34f4df4f pepflashplayer!PPP_ShutdownBroker+0xda0af
0059e2d8 02c8476d 41a06250 00000001 0059e388 pepflashplayer!PPP_ShutdownBroker+0xac8c7
0059e2f8 02c8b418 41a06250 00000001 0059e388 pepflashplayer!PPP_ShutdownBroker+0xd357a
0059e3dc 02e62277 ffffffff ffffffff 56433230 pepflashplayer!PPP_ShutdownBroker+0xda225
0059e424 02e61dfc 40a70998 040e3020 00000000 pepflashplayer!PPP_ShutdownBroker+0x2b1084
0059e460 02e61d44 40a70998 0059e4a8 0059e52c pepflashplayer!PPP_ShutdownBroker+0x2b0c09
0059e470 02e61c5d 40a70998 0059e4a8 0059e4c3 pepflashplayer!PPP_ShutdownBroker+0x2b0b51
0059e52c 02df0692 41a10060 3f19c1d8 34f4e323 pepflashplayer!PPP_ShutdownBroker+0x2b0a6a
0059e5f8 02c8476d 41a06190 00000000 0059e64c pepflashplayer!PPP_ShutdownBroker+0x23f49f
0059e60c 02c84757 41a06190 00000000 0059e6a8 pepflashplayer!PPP_ShutdownBroker+0xd357a
0059e61c 02c8b418 41a06190 00000000 0059e64c pepflashplayer!PPP_ShutdownBroker+0xd3564
0059e6a8 02f456e5 41a10060 02e9c5b0 06702ff8 pepflashplayer!PPP_ShutdownBroker+0xda225
0059e6e8 02e9c943 06245060 00005fd5 00000001 pepflashplayer!PPP_ShutdownBroker+0x3944f2
0059e744 02d1bfe0 e57f3a70 040bb000 02ce7a62 pepflashplayer!PPP_ShutdownBroker+0x2eb750
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\WINMM.dll -
0059e79c 70cb270c 0effc9e9 00000000 00002710 pepflashplayer!PPP_ShutdownBroker+0x16aded
0059e7b8 02ce8e54 00005f00 00005ff7 0059e8d4 WINMM!timeGetTime+0x2c
0059e8ac 02bbbe90 040bb000 0059e8dc 0000003a pepflashplayer!PPP_ShutdownBroker+0x137c61
0059e8c0 02bbbbe9 03dc2ac0 03dc2ab8 69e82701 pepflashplayer!PPP_ShutdownBroker+0xac9d
0059e954 02bc3852 03dc2a01 0059e9e0 1fccb708 pepflashplayer!PPP_ShutdownBroker+0xa9f6
0059e988 68bae879 0059e9d4 00000000 0059e9cc pepflashplayer!PPP_ShutdownBroker+0x1265f
0059e998 68b9d5a8 68896d45 0059e9c4 0059e9e0 chrome_child!ChromeMain+0x7d18cb
0059e9cc 68b9d6ae 02bcf390 1fccb708 00000000 chrome_child!ChromeMain+0x7c05fa
0059e9ec 68896c04 01203770 0716b110 00000000 chrome_child!ChromeMain+0x7c0700
0059ea00 692f89d8 129d9ab0 00000000 129d9ab0 chrome_child!ChromeMain+0x4b9c56
0059ea14 67367e3f 0716b110 69e827f0 011b2ac0 chrome_child!IsSandboxedProcess+0x71ca4e
0059ea78 6732fd2d 69b3cd38 0059f608 ffffffff chrome_child!GetHandleVerifier+0x39d8f
0059f5e4 67330802 0059f608 01198b98 01198b88 chrome_child!GetHandleVerifier+0x1c7d
0059f6f0 67369516 0059f758 0059f780 011a27b0 chrome_child!GetHandleVerifier+0x2752
0059f71c 67369109 0059f780 0119c3d8 00000000 chrome_child!GetHandleVerifier+0x3b466
0059f748 6732f313 69494360 00000000 0059f780 chrome_child!GetHandleVerifier+0x3b059
0059f770 68e0ac74 69493d4c 00000000 69b3cd88 chrome_child!GetHandleVerifier+0x1263
0059f8e0 6844565e 0059f918 011a0998 00000000 chrome_child!IsSandboxedProcess+0x22ecea
0059f8f4 684455cc 0059f92c 0059f918 0059f970 chrome_child!ChromeMain+0x686b0
0059f948 68442fb6 00000000 0118ab48 0059f99c chrome_child!ChromeMain+0x6861e
0059f958 683dd00f 0059f98c 00352ecd 011881b8 chrome_child!ChromeMain+0x66008
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\chrome.exe -
0059f99c 0034fcd7 00320000 0059f9b8 00320000 chrome_child!ChromeMain+0x61
0059fa34 0034f3b7 00320000 00000000 003de418 chrome!GetUploadedReportsImpl+0xad8
0059fb6c 0037a424 00320000 00000000 01161fd0 chrome!GetUploadedReportsImpl+0x1b8
0059fbb8 75fc338a fffde000 0059fc04 77049902 chrome!IsSandboxedProcess+0x22061
0059fbc4 77049902 fffde000 628bdc21 00000000 kernel32!BaseThreadInitThunk+0x12
0059fc04 770498d5 0037a49d fffde000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
0059fc1c 00000000 0037a49d fffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36

The stack trace of the renderer process:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll -
eax=00000358 ebx=588ece38 ecx=00000000 edx=00000000 esi=32816498 edi=04620b18
eip=678f8fed esp=002dc2c8 ebp=002dc338 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!GetHandleVerifier+0x5caf3d:
678f8fed 8b00            mov     eax,dword ptr [eax]  ds:002b:00000358=????????
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002dc338 678f91ee 002dc35c 32816498 588ece38 chrome_child!GetHandleVerifier+0x5caf3d
002dc3d4 678f973b 002dc3e4 588ece38 0000000c chrome_child!GetHandleVerifier+0x5cb13e
002dc474 678f8527 002dc488 588e1ad0 04620b48 chrome_child!GetHandleVerifier+0x5cb68b
002dc48c 690a763b 002dc4b8 002dc4b4 05cd2fd0 chrome_child!GetHandleVerifier+0x5ca477
002dc4bc 690aca6c 00000001 00000004 04620ba8 chrome_child!IsSandboxedProcess+0x4cb6b1
002dc530 6874126b 00000001 3291cc78 588e2ea8 chrome_child!IsSandboxedProcess+0x4d0ae2
002dc54c 687412c5 00000001 3281c5a0 588e2ea8 chrome_child!ChromeMain+0x3642bd
002dc564 6893e7d2 00000001 002dc594 07c30ce8 chrome_child!ChromeMain+0x364317
002dc598 6893e27c 00000001 002dc5c8 03e00240 chrome_child!ChromeMain+0x561824
002dc5e8 6893e94c 07c30ce8 03e00240 03e00240 chrome_child!ChromeMain+0x5612ce
002dc63c 6890ff0c 07c30ce8 07c30ce8 07c30ce8 chrome_child!ChromeMain+0x56199e
002dc740 68e30a6a 07c30ce8 00867038 002dc75c chrome_child!ChromeMain+0x532f5e
002dc750 68e30a36 07c30ce8 002dc7a0 688c4823 chrome_child!IsSandboxedProcess+0x254ae0
002dc75c 688c4823 07c30ce8 07c30ce8 008672d8 chrome_child!IsSandboxedProcess+0x254aac
002dc7a0 684642c7 07c30ce8 002dc868 684642aa chrome_child!ChromeMain+0x4e7875
002dc7b4 6846455a 07c30ce8 00000047 002dc82c chrome_child!ChromeMain+0x87319
002dc7c4 67367e3f 07c30cd8 00847cd8 0083b568 chrome_child!ChromeMain+0x875ac
002dc82c 692f2dd1 69abc1a8 002dc868 00847cd8 chrome_child!GetHandleVerifier+0x39d8f
002dc8dc 692f280a 00847eb0 002dc9b8 0081ee58 chrome_child!IsSandboxedProcess+0x716e47
002dca08 692f1df8 00000000 00000000 00000000 chrome_child!IsSandboxedProcess+0x716880
002dca1c 692f2ffb 692f26e4 0083b578 00847cd8 chrome_child!IsSandboxedProcess+0x715e6e
002dca44 67367e3f 0081ee38 69e827f0 008d0530 chrome_child!IsSandboxedProcess+0x717071
002dcaa8 6732fd2d 69b3cd38 002dd638 ffffffff chrome_child!GetHandleVerifier+0x39d8f
002dd614 67330802 002dd638 00851950 00851940 chrome_child!GetHandleVerifier+0x1c7d
002dd720 67369516 002dd788 00847c08 00000001 chrome_child!GetHandleVerifier+0x2752
002dd74c 67369109 00847c08 695903a0 0611c120 chrome_child!GetHandleVerifier+0x3b466
002dd778 6732f313 588e1ad0 00000000 00847c08 chrome_child!GetHandleVerifier+0x3b059
002dd7a0 689ef8f0 695903a0 00000a6a 00847c08 chrome_child!GetHandleVerifier+0x1263
002dd7b8 68b9dd82 002dd7f0 00000000 69e82801 chrome_child!ChromeMain+0x612942
002dd7f8 68b9d941 002dd828 0611fe70 0440d3e8 chrome_child!ChromeMain+0x7c0dd4
002dd830 68b9dbde 067098f0 0440d3e8 00000000 chrome_child!ChromeMain+0x7c0993
002dd880 68b8cbab 067098f0 00866a48 00000000 chrome_child!ChromeMain+0x7c0c30
002dd894 68b8a596 067098f0 067098f0 03e2d840 chrome_child!ChromeMain+0x7afbfd
002dd8f4 684642c7 017098f0 0085bd48 03e2d840 chrome_child!ChromeMain+0x7ad5e8
002dd908 68461a33 067098f0 00000000 03e2d840 chrome_child!ChromeMain+0x87319
002dd93c 68461a75 03e2d840 684622bc 00000000 chrome_child!ChromeMain+0x84a85
002dd968 684620d1 03e2d840 00000000 69e82835 chrome_child!ChromeMain+0x84ac7
002dd9a4 68b8a7a2 06470a38 06470a38 066b2178 chrome_child!ChromeMain+0x85123
002dd9fc 68bab03d 06470a38 002dda88 002ddb98 chrome_child!ChromeMain+0x7ad7f4
002dda68 68972056 002ddb50 066b2178 00000005 chrome_child!ChromeMain+0x7ce08f
002ddbdc 68eefc3d 0696e438 002ddc3c 002ddc18 chrome_child!ChromeMain+0x5950a8
002ddbec 689727a9 68971f25 00000000 05ccbfd0 chrome_child!IsSandboxedProcess+0x313cb3
002ddc18 6894206a 0696e428 002ddc28 002ddc3c chrome_child!ChromeMain+0x5957fb
002ddc2c 68959eb5 0696e428 68972779 0087f328 chrome_child!ChromeMain+0x5650bc
002ddc5c 67f83424 002ddc9c 002ddde4 68959e51 chrome_child!ChromeMain+0x57cf07
002ddcb0 67e9de6f 002ddd38 68959e51 0087f328 chrome_child!GetHandleVerifier+0xc55374
002ddd50 67e97ca0 00000002 002dddec 0087f328 chrome_child!GetHandleVerifier+0xb6fdbf
002ddd78 67e97c31 00000002 002dddec 00000002 chrome_child!GetHandleVerifier+0xb69bf0
002dde8c 6802124a 0900818d 0ae2935d 17255325 chrome_child!GetHandleVerifier+0xb69b81
002ddee0 68021452 00000000 008cdd74 008cdd9c chrome_child!GetHandleVerifier+0xcf319a
002ddf20 6756b49d 008cdd74 008cdd9c 00000000 chrome_child!GetHandleVerifier+0xcf33a2
002ddf88 67bd5b21 002ddfc4 008cdd94 56921948 chrome_child!GetHandleVerifier+0x23d3ed
002ddff0 67bbc9f5 008cdd74 45902a70 56921948 chrome_child!GetHandleVerifier+0x8a7a71
002de094 67bbd99c 002de0bc 008cdd44 002de11c chrome_child!GetHandleVerifier+0x88e945
002de0e4 67bbd8a5 002de2b8 002de11c 00000000 chrome_child!GetHandleVerifier+0x88f8ec
002de100 687286c5 002de2b8 002de11c 00000001 chrome_child!GetHandleVerifier+0x88f7f5
002de1d8 6891dc6c 002de2b8 329dc048 002de314 chrome_child!ChromeMain+0x34b717
002de2f4 68ba30d8 002de344 ab31fd5d 00000005 chrome_child!ChromeMain+0x540cbe
002de368 68ba16fd ab31fd5d 002de3e0 002de3ec chrome_child!ChromeMain+0x7c612a
002de3a0 68ba0a9a 002de3fc 68ba3043 00000000 chrome_child!ChromeMain+0x7c474f
002de3f0 68ba41bd 078636f0 0436afc0 0436afc0 chrome_child!ChromeMain+0x7c3aec
002de448 68b8cbab 078636f0 00866a48 00000000 chrome_child!ChromeMain+0x7c720f
002de45c 68b8a596 078636f0 078636f0 03e2d840 chrome_child!ChromeMain+0x7afbfd
002de4bc 684642c7 008636f0 0085bd48 03e2d840 chrome_child!ChromeMain+0x7ad5e8
002de4d0 68461a33 078636f0 00000000 03e2d840 chrome_child!ChromeMain+0x87319
002de504 68461a75 03e2d840 684622bc 00000000 chrome_child!ChromeMain+0x84a85
002de530 684620d1 03e2d840 00000000 69e82835 chrome_child!ChromeMain+0x84ac7
002de56c 68b8a7a2 065db688 0465e040 065db688 chrome_child!ChromeMain+0x85123
002de5c4 68baf7d9 065db688 00000000 00000000 chrome_child!ChromeMain+0x7ad7f4
002de5d8 68bae85d 6cf42899 002de5f4 692591cd chrome_child!ChromeMain+0x7d282b
002de5e4 692591cd 68baf79a 002de5fc 002de638 chrome_child!ChromeMain+0x7d18af
002de5f4 6891d727 6cf42899 002de65c 0465e008 chrome_child!IsSandboxedProcess+0x67d243
002de638 68950a44 25ae823c 25ae8220 00000000 chrome_child!ChromeMain+0x540779
002de660 6874315d 25ae8220 3261cf20 00000000 chrome_child!ChromeMain+0x573a96
002de678 676cb857 56927188 588ece38 459fc8c8 chrome_child!ChromeMain+0x3661af
002de6b8 675fae3f 459fc8c8 588ece38 459029f0 chrome_child!GetHandleVerifier+0x39d7a7
002de71c 677463a2 002de740 3acee644 3acee7d0 chrome_child!GetHandleVerifier+0x2ccd8f
002de754 67741099 00000000 588e1b48 00000000 chrome_child!GetHandleVerifier+0x4182f2
002de778 677a8abe 588e1b48 588edf78 530743e8 chrome_child!GetHandleVerifier+0x412fe9
002de7a8 677a8c8f 000000d7 588edf78 05e70000 chrome_child!GetHandleVerifier+0x47aa0e
002de7c8 678885da 588edf78 588edf78 002de800 chrome_child!GetHandleVerifier+0x47abdf
002de7d8 67888447 05e70000 000000d7 000000d7 chrome_child!GetHandleVerifier+0x55a52a
002de800 6780c9da 588ee5f0 05e70000 000000d7 chrome_child!GetHandleVerifier+0x55a397
002de834 6790ddb2 05e70000 000000d7 05e70000 chrome_child!GetHandleVerifier+0x4de92a
002de850 692dcb66 06a45078 05e70000 000000d7 chrome_child!GetHandleVerifier+0x5dfd02
002de878 692dcbb3 04407e98 002de8e8 688d1a9a chrome_child!IsSandboxedProcess+0x700bdc
002de884 688d1a9a 00000000 00869618 69e82801 chrome_child!IsSandboxedProcess+0x700c29
002de8e8 688d04a9 00000067 00000000 05e70000 chrome_child!ChromeMain+0x4f4aec
002de92c 688d1620 0789ea1c 00869618 00869618 chrome_child!ChromeMain+0x4f34fb
002de978 688d1934 0789ea1c 0789ea10 07bec170 chrome_child!ChromeMain+0x4f4672
002de9a0 688d91a8 00000067 002dea70 07bec170 chrome_child!ChromeMain+0x4f4986
002de9b8 692f89d8 0789ea10 00000000 0789ea10 chrome_child!ChromeMain+0x4fc1fa
002de9cc 67367e3f 07bec170 00847cd8 0083b568 chrome_child!IsSandboxedProcess+0x71ca4e
002dea34 692f2dd1 69abc1a8 002dea70 00847cd8 chrome_child!GetHandleVerifier+0x39d8f
002deae4 692f280a 03df6ce0 002debc0 0081ee58 chrome_child!IsSandboxedProcess+0x716e47
002dec10 692f1df8 00000000 00000000 00000000 chrome_child!IsSandboxedProcess+0x716880
002dec24 692f2ffb 692f26e4 0083b578 00847cd8 chrome_child!IsSandboxedProcess+0x715e6e
002dec4c 67367e3f 0081ee38 69e827f0 008d0530 chrome_child!IsSandboxedProcess+0x717071
002decb0 6732fd2d 69b3cd38 002df840 ffffffff chrome_child!GetHandleVerifier+0x39d8f
002df81c 67330802 002df840 00851950 00851940 chrome_child!GetHandleVerifier+0x1c7d
002df928 67369516 002df990 00847c08 69b3ccfc chrome_child!GetHandleVerifier+0x2752
002df954 67369109 00847c08 00000000 6951f408 chrome_child!GetHandleVerifier+0x3b466
002df980 6732f313 69b3ccfc 00000000 00847c08 chrome_child!GetHandleVerifier+0x3b059
002df9ac 68923d32 0081e6d8 00000003 00837d60 chrome_child!GetHandleVerifier+0x1263
002dfaa4 6844565e 002dfadc 0084fa78 00000000 chrome_child!ChromeMain+0x546d84
002dfab8 684455cc 002dfaf0 002dfadc 002dfb34 chrome_child!ChromeMain+0x686b0
002dfb0c 68442fb6 00000000 00829738 002dfb60 chrome_child!ChromeMain+0x6861e
002dfb1c 683dd00f 002dfb50 00352ecd 0081c190 chrome_child!ChromeMain+0x66008
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\chrome.exe -
002dfb60 0034fcd7 00320000 002dfb7c 00320000 chrome_child!ChromeMain+0x61
002dfbf8 0034f3b7 00320000 00000000 003de418 chrome!GetUploadedReportsImpl+0xad8
002dfd30 0037a424 00320000 00000000 007f1fd0 chrome!GetUploadedReportsImpl+0x1b8
002dfd7c 75fc338a fffde000 002dfdc8 77049902 chrome!IsSandboxedProcess+0x22061
002dfd88 77049902 fffde000 62f5b48c 00000000 kernel32!BaseThreadInitThunk+0x12
002dfdc8 770498d5 0037a49d fffde000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
002dfde0 00000000 0037a49d fffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
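The faulting-instruction lines in the dumps above (module!symbol+offset, the instruction, and the ds:seg:address=???????? cell) are what a triager reads first to separate a NULL-plus-field-offset dereference from a wild pointer, and a load from a store. The script below is an added example, not code from the reporter or from the Chromium project: it parses those lines and buckets each access violation by access kind, by the region the faulting address falls in (32-bit user-mode layout, as in this report) and by a coarse severity. Four of the sample lines are copied from the dumps in this thread; the fifth, with the constructed names example_mod!ExampleFunc and the address 0x41414140, is made up to exercise the store branch.

```python
"""Triage helper for the WinDbg "first chance" access-violation lines quoted in this report.

Added example, not code from the reporter or from the Chromium project. It parses the
faulting-instruction line WinDbg prints ("module!symbol+offset: eip opcode mnemonic
operands ds:seg:address=????????") and classifies each crash by the kind of memory
access and by where the faulting address lies. Assumes 32-bit user-mode dumps.
"""
import re
from collections import Counter
from dataclasses import dataclass

FAULT_LINE = re.compile(
    r"^(?P<module>\w+)!(?P<symbol>\w+)\+0x(?P<offset>[0-9a-fA-F]+):\s+"
    r"(?P<eip>[0-9a-fA-F]{8})\s+(?P<opcode>[0-9a-fA-F]+)\s+"
    r"(?P<mnemonic>[a-z]+)\s+(?P<operands>.*?)\s+"
    r"ds:[0-9a-fA-F]+:(?P<addr>[0-9a-fA-F]{8})=\?+$"
)

# Arithmetic/logic instructions with a memory destination both read and write it.
RMW_MNEMONICS = {"inc", "dec", "add", "sub", "and", "or", "xor", "neg", "not", "adc", "sbb"}

# Faults below this address are almost always NULL-plus-field-offset dereferences.
NEAR_NULL_LIMIT = 0x10000
# Default user-mode ceiling of a 32-bit Windows process (no /3GB, not large-address-aware).
USER_RANGE_LIMIT = 0x80000000


@dataclass
class Fault:
    location: str      # module!symbol+offset, as WinDbg printed it
    mnemonic: str
    operands: str
    addr: int          # faulting data address
    access: str        # "read", "write" or "read-modify-write"
    region: str        # "near-null", "user-mode" or "above-user-range"
    severity: str      # coarse triage bucket, see severity_of()


def access_kind(mnemonic: str, operands: str) -> str:
    if mnemonic in RMW_MNEMONICS:
        return "read-modify-write"
    if mnemonic.startswith("mov"):
        # Intel syntax: the destination is the first operand; a bracketed destination is a store.
        dest = operands.split(",", 1)[0]
        return "write" if "[" in dest else "read"
    # push, cmp, test, call and friends only read their memory operand.
    return "read"


def region_of(addr: int) -> str:
    if addr < NEAR_NULL_LIMIT:
        return "near-null"
    if addr >= USER_RANGE_LIMIT:
        return "above-user-range"
    return "user-mode"


def severity_of(access: str, region: str) -> str:
    """A store through a non-null pointer is the case worth escalating; a load at
    NULL+small offset is the classic non-exploitable crash; a load from an unmapped
    non-null address cannot be rated without a root cause."""
    if access == "read":
        return "low" if region == "near-null" else "unknown"
    return "medium" if region == "near-null" else "high"


def parse_fault(line: str):
    """Parse one WinDbg faulting-instruction line; return None for any other line."""
    m = FAULT_LINE.match(line.strip())
    if not m:
        return None
    addr = int(m["addr"], 16)
    access = access_kind(m["mnemonic"], m["operands"])
    region = region_of(addr)
    return Fault(
        location=f"{m['module']}!{m['symbol']}+0x{m['offset']}",
        mnemonic=m["mnemonic"], operands=m["operands"], addr=addr,
        access=access, region=region, severity=severity_of(access, region),
    )


def triage(text: str) -> list:
    """Return a Fault for every faulting-instruction line found in a WinDbg log."""
    return [f for f in (parse_fault(l) for l in text.splitlines()) if f is not None]


def summary(faults) -> dict:
    """Count faults per severity bucket."""
    return dict(Counter(f.severity for f in faults))


# Sample input: the first four lines are the faulting-instruction lines copied from the
# dumps in this report; the fifth is a constructed store fault (made-up module and address).
SAMPLE = """\
chrome_child!GetHandleVerifier+0x5caf3d: 5aef8fed 8b00 mov eax,dword ptr [eax] ds:002b:00000358=????????
pepflashplayer!PPP_ShutdownBroker+0x11330: 60bc2523 8b7004 mov esi,dword ptr [eax+4] ds:002b:0237a414=????????
chrome_child!ChromeMain+0x7aae78: 5c187e26 ff4004 inc dword ptr [eax+4] ds:002b:ec8b5504=????????
chrome_child!ChromeMain+0x7ab2dc: 5c18828a ffb6e4000000 push dword ptr [esi+0E4h] ds:002b:000000e4=????????
example_mod!ExampleFunc+0x10: 00401000 8908 mov dword ptr [eax],ecx ds:002b:41414140=????????
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.location:45} {f.access:18} {f.region:17} 0x{f.addr:08x} -> {f.severity}")
    print(summary(triage(SAMPLE)))
```

Run as-is it reports the two NULL+offset loads (0x358 and 0xe4) as low, the load at 0x0237a414 as unknown, and the inc through 0xec8b5504 as high because it both reads and writes through a pointer outside the default user range. The buckets are only a first pass: a full rating still needs the root cause, which is exactly what the thread below was unable to establish without a crash report.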
Aug 3 2016
Those stacks don't look very useful. Are you able to give crash IDs for some of the crashes (see about:crashes)? It looks like the crash may be in flash code.
Aug 3 2016
about:crashes indicates 0 errors. I sent the feedback from the crashed renderer process.
In attackmanager.html changing the timeout of "setTimeout(function(){ w.close(); }, 10000);" might make the poc more reliable.
If attack.html redirected to "attackfailed.html" before it was closed, try setting the limit of the loop "for (var n = 0; n < 100; n++)" in attack.html to a higher value.
Aug 3 2016

Aug 3 2016
Aug 16 2016
I tested the poc on chrome 52.0.2743.116 m; it works.
Aug 16 2016
Hi, sorry I still am unable to reproduce this. If you can create a variant of this that runs automatically (without user interaction) we can upload it to our fuzzer to run in a bunch of configurations. I would add that this relies on allocating a lot of memory (in the gigabytes range) so I wouldn't be surprised if something is crashing because it's failing to allocate memory. If we can't reproduce this or obtain a crash report then there isn't much action we can take.
Aug 17 2016
Some hints, when put together, seem to show that it's not just a memory problem.
- when the crash happens, it happens just after the execution of w.close(); in attackmanager.html.
- trying to read inside unauthorized memory range in some crashes seems to indicate that something is wrong before hitting any memory limit problem.
My guess is that the ppapi process doesn't expect the renderer process to close or to crash during the execution of the l() function, and crashes. The first poc was designed to give you time and to be able to press f12 (open the dev tools) during the execution of the attack. Here is another version of the poc: it restarts the attack automatically until it does a read access violation in the ppapi process.
Aug 22 2016
Thanks for the poc. A few additional requests to make this:
1) Can you name the initial file that should run: run.html (it's not currently clear which file to run).
2) Is it possible to reproduce this by running from local disk rather than a webserver (e.g. opening the file directly as a file: URL)? If so please modify the case to work like this. Otherwise please modify the case to run the content from localhost:8000 (port 8000 as opposed to 80).
Thanks!
Aug 22 2016
For the poc to work, the attacker needs to control 2 domains. In the poc, I used localhost and 127.0.1.1. How would you like to replace them? To answer your first question, attackmanager.html should be renamed to run.html. Also attackmanager.html needs a button click to start the attack (to bypass the popup blocker). Do you want the attack to start automatically?
Aug 23 2016
Ahh I understand now - I wasn't running the poc correctly because I didn't realize it needs 2 webservers running, is that correct? Please setup the poc with the following configuration:
- The first file to run is run.html, and it should start automatically if possible, without user input
- The first webserver is serving the content from localhost:8000, such that to start the poc we navigate to localhost:8000.
- The second webserver is serving the content from localhost:8080
Is this ok? Thanks for your patience.
Aug 23 2016
I made the changes. If Chrome recognizes localhost:8000 and localhost:8080 as 2 different domains, it should work.
Aug 24 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5352786898452480
Aug 29 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5742170076348416
Aug 30 2016
Hi there, sorry I wasn't able to reproduce this and it wouldn't reproduce on our bots either. Another way forward would be if we could trigger a crash report from this crash, if you could help pinpoint the issue in the code, or if you could provide a URL which more reliably triggers the crash. Thanks for reporting this. I will close this as WontFix for now.
Aug 31 2016
Hi, I can get the same crashes of the ppapi process and a renderer process crash like this:
1- open http://localhost/devtoolscrash.html (attached file)
2- press "start" then open the dev tools (f12)
What results do you get? Does the "/attackfailed" url open? Do the dev tools open?
Sep 1 2016
dev tools opens and I see the attackfailed URL
Sep 1 2016
For me, the attack page stays about 10 seconds before navigating to the "attackfailed" URL. During those 10 seconds, if I open the dev tools, the renderer process crashes. I tried it on kali and windows 7 on 2 different machines.
Sep 5 2016
Re: #20 - you were also able to reproduce this on linux?
Sep 5 2016
Re: #21 - Yes
Dec 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by raymes@chromium.org, Aug 3 2016
Labels: Needs-Feedback
Owner: raymes@chromium.org
Status: Assigned (was: Unconfirmed)