Issue metadata
Security: memory_corruption_large_exploitable_c0000005_memory_corruption
Reported by
romi0...@gmail.com,
Aug 16 2016
Issue description

VULNERABILITY DETAILS
Chrome crashes with memory corruption. After this crash, installing and opening Chrome results only in a crash.

CONTEXT:  000000000012e980 -- (.cxr 0x12e980)
rax=000007feeef330f0 rbx=0000000000000000 rcx=000007feeef330f0
rdx=ffffffffffffffff rsi=0000000001e6e290 rdi=000007fffffdd000
rip=000000007793bdbf rsp=000000000012f098 rbp=0000000000000000
 r8=000000000012f190  r9=0000000000000000 r10=0000000000130000
r11=0000000000000016 r12=000000000012f190 r13=00000000000000ac
r14=0000000000000000 r15=0000000020000000
iopl=0         nv up ei ng nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
ntdll!NtMapViewOfSection+0xf:
00000000`7793bdbf 004c8bd1        add     byte ptr [rbx+rcx*4-2Fh],cl ds:00001ffb`bbccc391=??
Resetting default scope

FAULTING_IP:
ntdll!NtMapViewOfSection+f
00000000`7793bdbf 004c8bd1        add     byte ptr [rbx+rcx*4-2Fh],cl

EXCEPTION_RECORD:  000000000012ee70 -- (.exr 0x12ee70)
ExceptionAddress: 000000007793bdbf (ntdll!NtMapViewOfSection+0x000000000000000f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00001ffbbbccc391
Attempt to write to address 00001ffbbbccc391

PROCESS_NAME:  chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  00001ffbbbccc391
WRITE_ADDRESS:  00001ffbbbccc391

FOLLOWUP_IP:
ntdll!NtMapViewOfSection+f
00000000`7793bdbf 004c8bd1        add     byte ptr [rbx+rcx*4-2Fh],cl

WATSON_BKT_PROCSTAMP:  57a12717
WATSON_BKT_PROCVER:  52.0.2743.116
PROCESS_VER_PRODUCT:  Google Chrome
WATSON_BKT_MODULE:  ntdll.dll
WATSON_BKT_MODSTAMP:  5708a857
WATSON_BKT_MODOFFSET:  4bdbf
WATSON_BKT_MODVER:  6.1.7601.23418
MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System
BUILD_VERSION_STRING:  6.1.7601.23418 (win7sp1_ldr.160408-2045)
MODLIST_WITH_TSCHKSUM_HASH:  7f17673c51cd05e9eeaeb307f9edc9171aa9b100
MODLIST_SHA1_HASH:  84294c5c82862de506e94508892114fc99d75804
NTGLOBALFLAG:  e0
APPLICATION_VERIFIER_FLAGS:  0

VERSION
Chrome Version: 52.0.2743.116
Operating System: Windows

REPRODUCTION CASE

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Browser
Crash State: [see link above: stack trace, registers, exception record]
Aug 16 2016

Hi, thanks for the reply. I used drmemory for initiating the crash. After crashing, it asked to debug the application; when checked with WinDbg, the analysis gives "User mode write access violations that are not near NULL are exploptable. MEMORY_CORRUPTION_LARGE_EXPLOITABLE" as the result. It generates an additional dump file at C:\Users\AppData\Local\Google\Chrome\User Data\Crashpad\reports. After this I am able to execute the setup, but Chrome doesn't open.
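The exception record in the description and the !exploitable rule quoted in the comment above (a user-mode write AV that is not near NULL is rated exploitable) can be checked mechanically. The script below is an added example, not part of the report and not Chromium or Dr. Memory tooling. It parses the relevant !analyze fields (the sample is transcribed from the report, not a fresh capture), applies the near-NULL rule with an assumed 64 KiB threshold, and then does the two checks a triager wants before trusting the rating: it recomputes [rbx+rcx*4-2Fh] from the saved registers, which does come out to the reported fault address 00001ffbbbccc391, and it notes that the faulting bytes 00 4c 8b d1 contain 4c 8b d1 (mov r10, rcx, the first instruction of every x64 ntdll syscall stub) at offset 1, so RIP was not on an instruction boundary. All function and constant names are the example's own.

```python
import re

# Constructed sample: the WinDbg !analyze fields from the report above,
# transcribed (not a fresh capture) so the script runs offline.
SAMPLE_ANALYZE_OUTPUT = """\
CONTEXT:  000000000012e980 -- (.cxr 0x12e980)
rax=000007feeef330f0 rbx=0000000000000000 rcx=000007feeef330f0
rdx=ffffffffffffffff rsi=0000000001e6e290 rdi=000007fffffdd000
rip=000000007793bdbf rsp=000000000012f098 rbp=0000000000000000
FAULTING_IP:
ntdll!NtMapViewOfSection+f
00000000`7793bdbf 004c8bd1        add     byte ptr [rbx+rcx*4-2Fh],cl
EXCEPTION_RECORD:  000000000012ee70 -- (.exr 0x12ee70)
ExceptionAddress: 000000007793bdbf (ntdll!NtMapViewOfSection+0x000000000000000f)
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00001ffbbbccc391
PROCESS_NAME:  chrome.exe
"""

# Assumption: "near NULL" means the lowest 64 KiB, the no-access region
# Windows reserves at the bottom of every user-mode address space.
NEAR_NULL_LIMIT = 0x10000
# mov r10, rcx: the first instruction of every x64 ntdll Nt*/Zw* syscall stub.
SYSCALL_STUB_PROLOGUE = bytes.fromhex("4c8bd1")
MASK64 = (1 << 64) - 1

REG_RE = re.compile(r"\b(r(?:ax|bx|cx|dx|si|di|ip|sp|bp|8|9|1[0-5]))=([0-9a-fA-F]{16})")
FAULT_RE = re.compile(r"FAULTING_IP:\s*\n(\S+)\n\S+\s+([0-9a-fA-F]+)\s+(\S+)\s+(.+)")
CODE_RE = re.compile(r"ExceptionCode:\s*([0-9a-fA-F]{8})")
PARAM_RE = re.compile(r"Parameter\[(\d+)\]:\s*([0-9a-fA-F]{16})")
# Only the [base+index*scale+/-disp] form used by this crash is supported.
MEM_RE = re.compile(r"\[(\w+)\+(\w+)\*(\d)([+-])([0-9A-Fa-f]+)h?\]")


def parse_analyze(text):
    """Extract registers, faulting instruction and exception record from
    !analyze -v style output into plain Python values."""
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no FAULTING_IP block found")
    symbol, hexbytes, mnemonic, operands = m.groups()
    module, _, function = symbol.partition("!")
    params = {int(i): int(v, 16) for i, v in PARAM_RE.findall(text)}
    return {
        "regs": {r: int(v, 16) for r, v in REG_RE.findall(text)},
        "module": module,
        "function": function,
        "bytes": bytes.fromhex(hexbytes),
        "mnemonic": mnemonic,
        "operands": operands.strip(),
        "exception_code": int(CODE_RE.search(text).group(1), 16),
        "params": [params[i] for i in sorted(params)],
    }


def classify_av(info):
    """Rate an access violation the way the report's !exploitable output did:
    a user-mode write AV not near NULL is EXPLOITABLE. The other rows are
    this script's simplification, not !exploitable's full rule table."""
    if info["exception_code"] != 0xC0000005:
        return "UNKNOWN"
    access = {0: "read", 1: "write", 8: "execute"}.get(info["params"][0], "unknown")
    near_null = info["params"][1] < NEAR_NULL_LIMIT
    if access == "write" and not near_null:
        return "EXPLOITABLE"
    if access == "execute":
        return "EXPLOITABLE"
    if access == "read" and near_null:
        return "PROBABLY_NOT_EXPLOITABLE"
    return "UNKNOWN"


def effective_address(info):
    """Recompute the memory operand from the saved registers. If it equals the
    reported fault address, the disassembly WinDbg printed really executed."""
    m = MEM_RE.search(info["operands"])
    if m is None:
        raise ValueError("unsupported operand form: " + info["operands"])
    base, index, scale, sign, disp = m.groups()
    ea = info["regs"][base] + info["regs"][index] * int(scale)
    ea += int(disp, 16) if sign == "+" else -int(disp, 16)
    return ea & MASK64


def looks_misdecoded(info):
    """True when the faulting bytes in ntdll contain the syscall-stub prologue
    at a non-zero offset: RIP sat one byte before an instruction boundary, so
    the 'instruction' shown is a stray byte decoded together with the next
    stub's bytes, not code ntdll was meant to run."""
    return info["module"].lower() == "ntdll" and info["bytes"].find(SYSCALL_STUB_PROLOGUE) > 0


def triage(text):
    info = parse_analyze(text)
    ea = effective_address(info)
    return {
        "rating": classify_av(info),
        "faulting_symbol": info["module"] + "!" + info["function"],
        "effective_address": ea,
        "ea_matches_fault": ea == info["params"][1],
        "misdecoded_syscall_stub": looks_misdecoded(info),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE_OUTPUT).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

For this report the script rates the fault EXPLOITABLE exactly as !exploitable did, confirms the effective address matches, and flags the mid-instruction RIP in ntdll. A write AV at an address that the registers account for, at an instruction pointer that is not on a boundary of ntdll's own code, says control flow was already wrong before this instruction; that is consistent with the later comment placing the fault in the instrumentation layer rather than in Chrome, and it is why the !exploitable rating on its own does not establish a Chrome bug.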
Aug 16 2016

This can be considered the command line, as one of the test cases:

drmemory.exe "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "c:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\52.0.2743.116.manifest"
Aug 16 2016
More digging... This crash seems to happen in drmemory instead of chrome. I found a couple of similar crashes in drmemory issues. https://github.com/DynamoRIO/drmemory/search?q=NtMapViewOfSection&type=Issues&utf8=%E2%9C%93
Aug 16 2016

Yes. The attached crash happened in Chrome; for the same issues, the generated crashes crash Chrome:

FAILURE_IMAGE_NAME: chrome_child.dll
User Mode Write AV near NULL starting at chrome_child!ChromeMain+0x0000000000e6aac3 (Hash=0x4a0f3d1e.0x205c0201)
Aug 18 2016

Attached are the files in Crashed.zip which cause the crash. Enable AppVerifier for chrome.exe (all tests) and start fuzzing with MiniFuzz. Dump and DebugDiag results are also shared. Interesting summary:

1. In 276bd086-2c0c-4da1-8a26-5723bb5e6336.dmp the assembly instruction at chrome_7fed2000000!base::debug::BreakDebugger+d in C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome.dll from Google Inc. has caused a breakpoint exception (0x80000003) on thread 0. Please follow up with the vendor Google Inc. for C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome.dll. Detected a serious critical section related problem in 276bd086-2c0c-4da1-8a26-5723bb5e6336.dmp: Lock at 0x01a41d80 is Uninitialized. Impact analysis: 3.57% of threads blocked.

2. Stack:
ntdll!ZwWaitForSingleObject+a
ntdll!RtlpWaitOnCriticalSection+e8
ntdll!RtlEnterCriticalSection+d1
verifier!AVrfDebugPageHeapAllocate+12e
ntdll!RtlDebugAllocateHeap+31
ntdll!RtlpAllocateHeap+114
ntdll!RtlAllocateHeap+16c
vrfcore!VfCoreRtlAllocateHeap+36
vfbasics!AVrfpRtlAllocateHeap+108
chrome_7fed2000000!malloc+2f
chrome_7fed2000000!utext_setup_56+52
chrome_7fed2000000!utext_openUChars_56+4b
chrome_7fed2000000!icu_56::RuleBasedBreakIterator::init+24
chrome_7fed2000000!icu_56::RuleBasedBreakIterator::RuleBasedBreakIterator+2f
chrome_7fed2000000!icu_56::BreakIterator::buildInstance+1fd
chrome_7fed2000000!icu_56::BreakIterator::makeInstance+236
chrome_7fed2000000!icu_56::BreakIterator::createInstance+dd
chrome_7fed2000000!ubrk_open_56+111
chrome_7fed2000000!base::i18n::BreakIterator::Init+a2
chrome_7fed2000000!query_parser::QueryParser::ParseQueryImpl+71
chrome_7fed2000000!query_parser::QueryParser::ParseQueryWords+2e
chrome_7fed2000000!bookmarks::BookmarkIndex::ExtractQueryWords+9f
chrome_7fed2000000!bookmarks::BookmarkIndex::Add+cd
chrome_7fed2000000!bookmarks::`anonymous namespace'::AddBookmarksToIndex+33
chrome_7fed2000000!bookmarks::`anonymous namespace'::AddBookmarksToIndex+58
chrome_7fed2000000!bookmarks::`anonymous namespace'::LoadCallback+278
chrome_7fed2000000!base::internal::Invoker<base::IndexSequence<0,1,2,3>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(base::FilePath const & __ptr64,base::WeakPtr<bookmarks::BookmarkStorage> const & __ptr64,std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >,base::SequencedTaskRunner * __ptr64)>,void __cdecl(base::FilePath const & __ptr64,base::WeakPtr<bookmarks::BookmarkStorage> const & __ptr64,std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >,base::SequencedTaskRunner * __ptr64),base::FilePath const & __ptr64,base::WeakPtr<bookmarks::BookmarkStorage>,base::internal::PassedWrapper<std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> > >,base::internal::RetainedRefWrapper<base::SequencedTaskRunner> >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(base::FilePath const & __ptr64,base::WeakPtr<bookmarks::BookmarkStorage> const & __ptr64,std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >,base::SequencedTaskRunner * __ptr64)> >,void __cdecl(void)>::Run+42
chrome_7fed2000000!base::SequencedWorkerPool::Inner::ThreadLoop+593
chrome_7fed2000000!base::SequencedWorkerPool::Worker::Run+44
chrome_7fed2000000!base::SimpleThread::ThreadMain+91
chrome_7fed2000000!base::`anonymous namespace'::ThreadFunc+160
vfbasics!AVrfpStandardThreadFunction+4d
KERNEL32!BaseThreadInitThunk+d
ntdll!RtlUserThreadStart+1d
Aug 18 2016

The command line used for fuzzing:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" C:\Users\310222344\Desktop\minifuzz\temp\all_6c-bds4ngdayzjro0-4.html
Aug 23 2016
Please provide the reproducible testcase to reproduce this. Will reopen if you can provide one.
Nov 30 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Aug 16 2016
Labels: Needs-Feedback