Security: Full browser crash when trying to open missing 'downloaded' resource file.
Reported by
greencar...@hotmail.com,
Aug 2 2016
Issue description

VULNERABILITY DETAILS
Complete browser crash might lead to an exploitable crash. My knowledge here is limited but as far as I can tell this crash looks nasty. View attached log for the full exception details.

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
1. Go to data:text/html,<a href="chrome://resources/q" download="q">Click</a>
2. Attempt to download, it will fail.
3. Go to the downloads manager (clicking show all downloads)
4. Click on the failed downloaded file
5. Full browser crash will occur

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser
Crash State:
0894f6d0 0431eb50 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x48
0894f714 0431ce65 0894f724 05009cd8 04e16f20 chrome_2e10000!_CxxThrowException+0x65
0894f730 02e37311 04a747f0 00000000 0894f7cc chrome_2e10000!std::_Xout_of_range+0x1f
0894f748 02ee11d8 0894f79c 00000001 ffffffff chrome_2e10000!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x10d
0894f760 03ff42f7 0894f7cc 00000001 ffffffff chrome_2e10000!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::substr+0x26
0894f7e8 032bcbb5 0894f85c 0894f874 20268320 chrome_2e10000!content::SharedResourcesDataSource::GetMimeType+0x8b
0894f890 032bc971 07cb1a38 20354ac0 0894f8c4 chrome_2e10000!content::URLDataManagerBackend::StartRequest+0x20b
0894f8ac 032bc92b 00000001 0894f8dc 032bc8d5 chrome_2e10000!content::URLRequestChromeJob::StartAsync+0x23
0894f8b8 032bc8d5 032bc94e 0f952d28 20354ac0 chrome_2e10000!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >::MakeItSo<base::WeakPtr<disk_cache::Eviction>,bool const &>+0x31
0894f8dc 02e91742 20268310 0894fbe0 07ba9470 chrome_2e10000!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)>,void __cdecl(disk_cache::Eviction *,bool),base::WeakPtr<disk_cache::Eviction>,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >,void __cdecl(void)>::Run+0x2a
0894f940 02e914ff 00000000 0894fbe0 ffffffff chrome_2e10000!base::debug::TaskAnnotator::RunTask+0x16b
0894fbbc 02e90ee9 0894fbe0 750c26e0 013d5898 chrome_2e10000!base::MessageLoop::RunTask+0x20f
0894fcc8 02e90a0c 00000000 013d5898 00000000 chrome_2e10000!base::MessageLoop::DoWork+0x42e
0894fdb0 02e90934 0894fe18 07ba9470 07ba9470 chrome_2e10000!base::MessagePumpForIO::DoRunLoop+0xcd
0894fddc 02e90753 07ba9470 07ba9470 07ba9290 chrome_2e10000!base::MessagePumpWin::Run+0x55
0894fe08 02e90647 00000000 00000000 07ba9470 chrome_2e10000!base::RunLoop::Run+0x94
0894fe34 02f75462 07ba9470 07ba9290 00000000 chrome_2e10000!base::Thread::Run+0x23
0894ff04 02f39d83 07ba9470 07ba929c 00000000 chrome_2e10000!content::BrowserThreadImpl::IOThreadRun+0x22
0894ff1c 02e8f118 07ba9470 07ad5a68 750c18e0 chrome_2e10000!content::BrowserThreadImpl::Run+0x93
0894ff58 02e8ee60 02e8edd5 02e8edd5 07ad5a68 chrome_2e10000!base::Thread::ThreadMain+0x1db
0894ff7c 750c7c04 07ad5a68 750c7be0 0b82a71e chrome_2e10000!base::`anonymous namespace'::ThreadFunc+0x8b
0894ff90 774eab8f 07ad5a68 09c0e265 00000000 KERNEL32!BaseThreadInitThunk+0x24
0894ffd8 774eab5a ffffffff 774cffd1 00000000 ntdll!__RtlUserThreadStart+0x2f
0894ffe8 00000000 02e8edd5 07ad5a68 00000000 ntdll!_RtlUserThreadStart+0x1b

Client ID (if relevant): Crash reporting is disabled, will enable and reproduce then reply soon.
,
Aug 2 2016
Crash ID 137eed7e00000000 (7ac97242-a896-407b-b987-d67d79b1fab1)
,
Aug 2 2016
Using the following seems to result in a different crash signature:
data:text/html,<a href="chrome://resources/qqqq/../../../../../../../../../../../../../../../../secret/secret.dat" download="q">Click</a>
Note: C:/secret/secret.dat exists. Not sure if that's even relevant.

Crash ID 889ee8c200000000 (612cfaec-142d-4452-b989-86929f6223ba)

STACK_TEXT:
07f4f00c 035543be 0c146770 22ebc868 00000000 chrome_2370000!base::debug::BreakDebugger+0x9
07f4f088 0281cbb5 07f4f0fc 07f4f114 22c712c8 chrome_2370000!content::SharedResourcesDataSource::GetMimeType+0x152
07f4f130 0281c971 22eae870 22ebc868 07f4f164 chrome_2370000!content::URLDataManagerBackend::StartRequest+0x20b
07f4f14c 0281c92b 00000001 07f4f17c 0281c8d5 chrome_2370000!content::URLRequestChromeJob::StartAsync+0x23
07f4f158 0281c8d5 0281c94e 22b07e58 22ebc868 chrome_2370000!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >::MakeItSo<base::WeakPtr<disk_cache::Eviction>,bool const &>+0x31
07f4f17c 023f1742 22c712b8 07f4f480 0719d428 chrome_2370000!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)>,void __cdecl(disk_cache::Eviction *,bool),base::WeakPtr<disk_cache::Eviction>,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >,void __cdecl(void)>::Run+0x2a
07f4f1e0 023f14ff 00000000 07f4f480 ffffffff chrome_2370000!base::debug::TaskAnnotator::RunTask+0x16b
07f4f45c 023f0ee9 07f4f480 750c26e0 071bf750 chrome_2370000!base::MessageLoop::RunTask+0x20f
07f4f568 023f0a0c 00000000 071bf750 00000000 chrome_2370000!base::MessageLoop::DoWork+0x42e
07f4f658 023f0934 07f4f6c0 0719d428 0719d428 chrome_2370000!base::MessagePumpForIO::DoRunLoop+0xcd
07f4f684 023f0753 0719d428 0719d428 0719d1f8 chrome_2370000!base::MessagePumpWin::Run+0x55
07f4f6b0 023f0647 00000000 00000000 0719d428 chrome_2370000!base::RunLoop::Run+0x94
07f4f6dc 024d5462 0719d428 0719d1f8 00000000 chrome_2370000!base::Thread::Run+0x23
07f4f7ac 02499d83 0719d428 0719d204 00000000 chrome_2370000!content::BrowserThreadImpl::IOThreadRun+0x22
07f4f7c4 023ef118 0719d428 071c59a0 750c18e0 chrome_2370000!content::BrowserThreadImpl::Run+0x93
07f4f800 023eee60 023eedd5 023eedd5 071c59a0 chrome_2370000!base::Thread::ThreadMain+0x1db
07f4f824 750c7c04 071c59a0 750c7be0 9ab26cbb chrome_2370000!base::`anonymous namespace'::ThreadFunc+0x8b
07f4f838 774eab8f 071c59a0 98f02bdf 00000000 KERNEL32!BaseThreadInitThunk+0x24
07f4f880 774eab5a ffffffff 774cfffe 00000000 ntdll!__RtlUserThreadStart+0x2f
07f4f890 00000000 023eedd5 071c59a0 00000000 ntdll!_RtlUserThreadStart+0x1b
,
Aug 2 2016
Thanks for the report. I can reproduce the crash on M52 Linux. It looks like dbeam@ may have made changes to SharedResourcesDataSource recently. In terms of severity, this looks like an out of bounds access in the browser process. However, a website can't trigger it directly, and clicking the download through the downloads bar isn't enough. It must be clicked through about:downloads. Due to this we may want medium severity, but leaving as high for the moment.
,
Aug 2 2016
Thank you for the quick response. I also found a non-crash related issue with the following which I hope can be fixed along with this bug:
data:text/html,<a href="%00:%00" download="q">Click</a>
Downloading that will break about:downloads where all other downloads are missing (also some JavaScript errors occur):
crisper.js:1174 Uncaught Error: Assertion failed
I'll be happy to file another bug for this if needed.
,
Aug 2 2016
Is hitting a NOTREACHED() Security_Severity-High? https://cs.chromium.org/chromium/src/content/browser/webui/shared_resources_data_source.cc?q=SharedResourcesDataSource::GetMimeType&sq=package:chromium&dr=CSs&l=145
,
Aug 2 2016
dbeam: I was looking at the stack trace from the original report, which is similar to the stack trace that I was able to reproduce. See the crash report from my release build: go/crash/b740037e00000000 Does that make sense? Maybe I'm missing something.
,
Aug 2 2016
Actually it looks like the standard library is catching this and it's part of the API to throw an exception: http://www.cplusplus.com/reference/string/string/substr/ pos: "If this is greater than the string length, it throws out_of_range."
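As an added illustration of the point in this comment (example code written for this page, not Chromium's own GetMimeType, whose body is only linked above), the unchecked substr() pattern that ends in std::out_of_range, beside a bounds-checked version that returns a default type for paths that do not have the expected shape. The "<dir>/<name>.<ext>" layout, kPrefixLen, the extension table and the default MIME type are all assumptions constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical extension -> MIME table, constructed for this example.
static const std::map<std::string, std::string> kMimeByExtension = {
    {"js", "application/javascript"},
    {"css", "text/css"},
    {"html", "text/html"},
    {"png", "image/png"},
};

// Assumed request-path layout "<dir>/<name>.<ext>"; kPrefixLen is the length
// of "<dir>/". (Hypothetical: the page does not show how the real code
// derives its offsets.)
static const std::string::size_type kPrefixLen = 4;
static const std::string kDefaultMime = "application/octet-stream";

// Unchecked version, mirroring the failure mode in the first stack trace:
// std::string::substr(pos) throws std::out_of_range when pos > size(), so a
// request path shorter than the assumed prefix (e.g. "q") throws on the
// browser-process IO thread. Nothing catches it, hence the
// _CxxThrowException -> RaiseException frames and the whole-browser crash.
std::string NaiveGetMimeType(const std::string& path) {
  std::string rest = path.substr(kPrefixLen);          // throws for short paths
  std::string ext = rest.substr(rest.rfind('.') + 1);  // npos + 1 wraps to 0: no throw, but wrong
  auto it = kMimeByExtension.find(ext);
  return it == kMimeByExtension.end() ? kDefaultMime : it->second;
}

// Bounds-checked version: every index is validated before substr() is called,
// and a path that does not match the expected shape gets the default type
// instead of an exception or a NOTREACHED(). Parent-directory segments are
// refused as well, so the "../.." path from comment 2 also takes the default
// branch rather than a code path that assumed a well-formed resource name.
std::string SafeGetMimeType(const std::string& path) {
  if (path.size() <= kPrefixLen) return kDefaultMime;            // no room for prefix + name
  if (path.find("..") != std::string::npos) return kDefaultMime;  // refuse traversal segments
  std::string rest = path.substr(kPrefixLen);                     // safe: kPrefixLen < size()
  std::string::size_type dot = rest.rfind('.');
  if (dot == std::string::npos || dot + 1 >= rest.size()) return kDefaultMime;  // no extension
  auto it = kMimeByExtension.find(rest.substr(dot + 1));          // safe: dot + 1 < size()
  return it == kMimeByExtension.end() ? kDefaultMime : it->second;
}

// Does the unchecked version throw on this input? Used to compare the two.
bool NaiveThrows(const std::string& path) {
  try {
    NaiveGetMimeType(path);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

int main() {
  // Constructed sample paths: the one-character name from the report, a
  // well-formed name, a name without an extension, and a traversal-style path.
  const char* samples[] = {"q", "dir/app.css", "dir/a", "qqqq/../../secret/secret.dat"};
  for (const char* p : samples) {
    std::cout << p << " -> naive throws: " << (NaiveThrows(p) ? "yes" : "no")
              << ", safe: " << SafeGetMimeType(p) << '\n';
  }
  return 0;
}
```

The design point is that the request path comes from the URL, so its length and shape are attacker-controlled; the hardened function never passes an unvalidated offset to substr(), and the default branch replaces both the exception and the debug-only NOTREACHED().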
,
Aug 2 2016
,
Aug 3 2016
raymes@: yeah, there might be versions of the stack where they throw from empty_string[0] access, but I'm pretty sure that got fixed here: https://codereview.chromium.org/2020393002/diff/20001/content/browser/webui/shared_resources_data_source.cc
,
Aug 3 2016
,
Aug 3 2016
Hello, since this turned out to be low severity, is it safe to assume it's not eligible for a bounty? Thank you.
,
Aug 4 2016
Probably not - there are probably no security implications to this bug. But thank you for finding and filing it with us!
,
Aug 4 2016
beta has the fix, btw, to only crash in debug mode. I'd say this might be worth "WontFix"ing.
,
Aug 5 2016
Will the behavior in Comment 5 be considered for a fix? Do I need to report it separately as a normal bug?
,
Aug 5 2016
Please file a separate issue for that. Thanks!
dbeam: you might be interested in #5
,
Aug 6 2016
Done! Filed Bug 635220 for the stuff described in Comment #5
,
Aug 11 2016
,
Aug 12 2016
,
Nov 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot