
Issue 633687 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 3
Type: Bug-Security




Security: Full browser crash when trying to open missing 'downloaded' resource file.

Reported by greencar...@hotmail.com, Aug 2 2016

Issue description

VULNERABILITY DETAILS
Complete browser crash might lead to an exploitable crash. My knowledge here is limited but as far as I can tell this crash looks nasty.
View attached log for the full exception details.

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
1- Go to data:text/html,<a href="chrome://resources/q" download="q">Click</a>
2- Attempt to download, it will fail.
3- Go to the downloads manager (clicking show all downloads)
4- Click on the failed downloaded file
5- Full browser crash will occur

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser
Crash State: 
0894f6d0 0431eb50 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x48
0894f714 0431ce65 0894f724 05009cd8 04e16f20 chrome_2e10000!_CxxThrowException+0x65
0894f730 02e37311 04a747f0 00000000 0894f7cc chrome_2e10000!std::_Xout_of_range+0x1f
0894f748 02ee11d8 0894f79c 00000001 ffffffff chrome_2e10000!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x10d
0894f760 03ff42f7 0894f7cc 00000001 ffffffff chrome_2e10000!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::substr+0x26
0894f7e8 032bcbb5 0894f85c 0894f874 20268320 chrome_2e10000!content::SharedResourcesDataSource::GetMimeType+0x8b
0894f890 032bc971 07cb1a38 20354ac0 0894f8c4 chrome_2e10000!content::URLDataManagerBackend::StartRequest+0x20b
0894f8ac 032bc92b 00000001 0894f8dc 032bc8d5 chrome_2e10000!content::URLRequestChromeJob::StartAsync+0x23
0894f8b8 032bc8d5 032bc94e 0f952d28 20354ac0 chrome_2e10000!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >::MakeItSo<base::WeakPtr<disk_cache::Eviction>,bool const &>+0x31
0894f8dc 02e91742 20268310 0894fbe0 07ba9470 chrome_2e10000!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)>,void __cdecl(disk_cache::Eviction *,bool),base::WeakPtr<disk_cache::Eviction>,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >,void __cdecl(void)>::Run+0x2a
0894f940 02e914ff 00000000 0894fbe0 ffffffff chrome_2e10000!base::debug::TaskAnnotator::RunTask+0x16b
0894fbbc 02e90ee9 0894fbe0 750c26e0 013d5898 chrome_2e10000!base::MessageLoop::RunTask+0x20f
0894fcc8 02e90a0c 00000000 013d5898 00000000 chrome_2e10000!base::MessageLoop::DoWork+0x42e
0894fdb0 02e90934 0894fe18 07ba9470 07ba9470 chrome_2e10000!base::MessagePumpForIO::DoRunLoop+0xcd
0894fddc 02e90753 07ba9470 07ba9470 07ba9290 chrome_2e10000!base::MessagePumpWin::Run+0x55
0894fe08 02e90647 00000000 00000000 07ba9470 chrome_2e10000!base::RunLoop::Run+0x94
0894fe34 02f75462 07ba9470 07ba9290 00000000 chrome_2e10000!base::Thread::Run+0x23
0894ff04 02f39d83 07ba9470 07ba929c 00000000 chrome_2e10000!content::BrowserThreadImpl::IOThreadRun+0x22
0894ff1c 02e8f118 07ba9470 07ad5a68 750c18e0 chrome_2e10000!content::BrowserThreadImpl::Run+0x93
0894ff58 02e8ee60 02e8edd5 02e8edd5 07ad5a68 chrome_2e10000!base::Thread::ThreadMain+0x1db
0894ff7c 750c7c04 07ad5a68 750c7be0 0b82a71e chrome_2e10000!base::`anonymous namespace'::ThreadFunc+0x8b
0894ff90 774eab8f 07ad5a68 09c0e265 00000000 KERNEL32!BaseThreadInitThunk+0x24
0894ffd8 774eab5a ffffffff 774cffd1 00000000 ntdll!__RtlUserThreadStart+0x2f
0894ffe8 00000000 02e8edd5 07ad5a68 00000000 ntdll!_RtlUserThreadStart+0x1b

Client ID (if relevant): Crash reporting is disabled, will enable and reproduce then reply soon.

Attachment: ChromeCrash.log (8.1 KB)
Whoops, forgot about the OS details:
VERSION
Chrome Version: Version 52.0.2743.82 m + stable (32-bit)
Operating System: Windows 8.1 64-bit
Crash ID 137eed7e00000000 (7ac97242-a896-407b-b987-d67d79b1fab1)
Using the following seems to result in a different crash signature:
data:text/html,<a href="chrome://resources/qqqq/../../../../../../../../../../../../../../../../secret/secret.dat" download="q">Click</a>

Note: C:/secret/secret.dat exists. Not sure if that's even relevant.

Crash ID 889ee8c200000000 (612cfaec-142d-4452-b989-86929f6223ba)

STACK_TEXT:
07f4f00c 035543be 0c146770 22ebc868 00000000 chrome_2370000!base::debug::BreakDebugger+0x9
07f4f088 0281cbb5 07f4f0fc 07f4f114 22c712c8 chrome_2370000!content::SharedResourcesDataSource::GetMimeType+0x152
07f4f130 0281c971 22eae870 22ebc868 07f4f164 chrome_2370000!content::URLDataManagerBackend::StartRequest+0x20b
07f4f14c 0281c92b 00000001 07f4f17c 0281c8d5 chrome_2370000!content::URLRequestChromeJob::StartAsync+0x23
07f4f158 0281c8d5 0281c94e 22b07e58 22ebc868 chrome_2370000!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >::MakeItSo<base::WeakPtr<disk_cache::Eviction>,bool const &>+0x31
07f4f17c 023f1742 22c712b8 07f4f480 0719d428 chrome_2370000!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)>,void __cdecl(disk_cache::Eviction *,bool),base::WeakPtr<disk_cache::Eviction>,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::Eviction::*)(bool)> >,void __cdecl(void)>::Run+0x2a
07f4f1e0 023f14ff 00000000 07f4f480 ffffffff chrome_2370000!base::debug::TaskAnnotator::RunTask+0x16b
07f4f45c 023f0ee9 07f4f480 750c26e0 071bf750 chrome_2370000!base::MessageLoop::RunTask+0x20f
07f4f568 023f0a0c 00000000 071bf750 00000000 chrome_2370000!base::MessageLoop::DoWork+0x42e
07f4f658 023f0934 07f4f6c0 0719d428 0719d428 chrome_2370000!base::MessagePumpForIO::DoRunLoop+0xcd
07f4f684 023f0753 0719d428 0719d428 0719d1f8 chrome_2370000!base::MessagePumpWin::Run+0x55
07f4f6b0 023f0647 00000000 00000000 0719d428 chrome_2370000!base::RunLoop::Run+0x94
07f4f6dc 024d5462 0719d428 0719d1f8 00000000 chrome_2370000!base::Thread::Run+0x23
07f4f7ac 02499d83 0719d428 0719d204 00000000 chrome_2370000!content::BrowserThreadImpl::IOThreadRun+0x22
07f4f7c4 023ef118 0719d428 071c59a0 750c18e0 chrome_2370000!content::BrowserThreadImpl::Run+0x93
07f4f800 023eee60 023eedd5 023eedd5 071c59a0 chrome_2370000!base::Thread::ThreadMain+0x1db
07f4f824 750c7c04 071c59a0 750c7be0 9ab26cbb chrome_2370000!base::`anonymous namespace'::ThreadFunc+0x8b
07f4f838 774eab8f 071c59a0 98f02bdf 00000000 KERNEL32!BaseThreadInitThunk+0x24
07f4f880 774eab5a ffffffff 774cfffe 00000000 ntdll!__RtlUserThreadStart+0x2f
07f4f890 00000000 023eedd5 071c59a0 00000000 ntdll!_RtlUserThreadStart+0x1b
Components: UI>Browser>WebUI
Labels: Security_Severity-High Security_Impact-Stable OS-Linux OS-Windows Pri-1
Owner: dbeam@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report. I can reproduce the crash on M52 linux. It looks like dbeam@ may have made changes to SharedResourcesDataSource recently. 

In terms of severity, this looks like an out of bounds access in the browser process. However a website can't trigger it directly, and clicking the download through the downloads bar isn't enough. It must be clicked through about:downloads. Due to this we may want medium severity, but leaving as high for the moment.
Thank you for the quick response.

I also found a non-crash related issue with the following which I hope can be fixed along this bug:

data:text/html,<a href="%00:%00" download="q">Click</a>

Downloading that will break about:downloads where all other downloads are missing (also some javascript errors occur):

crisper.js:1174 Uncaught Error: Assertion failed

I'll be happy to file another bug for this if needed.
dbeam: I was looking at the stack trace from the original report, which is similar to the stack trace that I was able to reproduce. See the crash report from my release build: go/crash/b740037e00000000

Does that make sense? Maybe I'm missing something.
Labels: -Security_Severity-High Security_severity-None
Actually it looks like the standard library is catching this and it's part of the API to throw an exception: http://www.cplusplus.com/reference/string/string/substr/
pos: "If this is greater than the string length, it throws out_of_range."
Labels: -Security_severity-None Security_Severity-Low
raymes@: yeah, there might be versions of the stack where they throw from empty_string[0] access, but I'm pretty sure that got fixed here:
https://codereview.chromium.org/2020393002/diff/20001/content/browser/webui/shared_resources_data_source.cc
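The two stack traces above show the same failure mode from the defender's side: std::string::substr() is called with a position past the end of the string, throws std::out_of_range, nothing on the I/O thread catches it, and the browser process terminates. The snippet below is an added illustration, not Chromium's SharedResourcesDataSource code: a hypothetical extension-to-MIME lookup written the unchecked way beside a variant that validates the position before calling substr(), plus a path check that rejects ".." segments like the ones in the second reproduction case so that a malformed path fails closed instead of hitting a debug assertion. The resource paths and the MIME table are constructed for the example.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// Hypothetical helpers, not Chromium code. They mirror the pattern visible in
// the stack traces: GetMimeType -> substr -> std::out_of_range -> crash.

// Unchecked: rfind('.') returns npos for a path with no extension ("q"),
// and substr(npos) throws std::out_of_range because npos > size().
// With no handler on the stack, the process aborts, which is the reported crash.
std::string GetMimeTypeUnchecked(const std::string& path) {
  size_t dot = path.rfind('.');
  std::string ext = path.substr(dot);  // throws when dot == npos
  ext.erase(0, 1);                     // drop the leading '.'
  if (ext == "js") return "application/javascript";
  if (ext == "css") return "text/css";
  if (ext == "html") return "text/html";
  if (ext == "png") return "image/png";
  return "text/plain";
}

// Checked: validate the position first. Returns "" for "no extension" so the
// caller can decline the request instead of relying on an exception.
std::string GetMimeTypeChecked(const std::string& path) {
  size_t dot = path.rfind('.');
  size_t slash = path.rfind('/');
  if (dot == std::string::npos) return "";            // "q" has no extension
  if (slash != std::string::npos && dot < slash) return "";  // '.' in a directory name
  if (dot + 1 >= path.size()) return "";              // trailing '.' only
  std::string ext = path.substr(dot + 1);             // safe: dot + 1 <= size()
  if (ext == "js") return "application/javascript";
  if (ext == "css") return "text/css";
  if (ext == "html") return "text/html";
  if (ext == "png") return "image/png";
  return "text/plain";
}

// Rejects empty paths, absolute paths and any ".." segment, so a path such as
// "qqqq/../../secret/secret.dat" never reaches the lookup. Constructed policy
// for this example; a real data source would canonicalise against its root.
bool IsSafeResourcePath(const std::string& path) {
  if (path.empty() || path[0] == '/') return false;
  size_t start = 0;
  for (;;) {
    size_t end = path.find('/', start);
    if (end == std::string::npos) end = path.size();
    if (path.compare(start, end - start, "..") == 0) return false;
    if (end == path.size()) return true;
    start = end + 1;
  }
}

// True when the unchecked variant throws for this path (the crash condition).
bool UncheckedThrows(const std::string& path) {
  try {
    GetMimeTypeUnchecked(path);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

int main() {
  const char* samples[] = {"q", "q.js", "css/chrome_shared.css",
                           "qqqq/../../secret/secret.dat"};
  for (const char* p : samples) {
    std::printf("%-32s safe=%d unchecked_throws=%d checked_mime=\"%s\"\n", p,
                IsSafeResourcePath(p), UncheckedThrows(p),
                GetMimeTypeChecked(p).c_str());
  }
  return 0;
}
```

The checked variant treats "no extension" as an explicit failure result rather than letting the standard library raise; combined with the path check it turns both reproduction cases into a refused request instead of a process crash.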
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 3 2016

Labels: -Pri-1 Pri-2
Hello,

Since this turned out to be low severity, is it safe to assume it's not eligible for a bounty?

Thank you
Probably not - there are probably no security implications to this bug. But thank you for finding and filing it with us!
Labels: -Pri-2 Pri-3
beta has the fix, btw, to only crash in debug mode.

I'd say this might be worth "WontFix"ing.
Will the behavior in Comment 5 be considered for a fix? Do I need to report it separately as a normal bug?
Please file a separate issue for that. Thanks!

dbeam: you might be interested in #5
Done!

Filed Bug 635220 for the stuff described in Comment #5

Comment 18 by dbeam@chromium.org, Aug 11 2016

Status: Fixed (was: Assigned)
Project Member

Comment 19 by sheriffbot@chromium.org, Aug 12 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 20 Deleted

Project Member

Comment 21 by sheriffbot@chromium.org, Nov 18 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot