
Issue 638334 link

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Faulting Address controls Code Flow

Reported by romi0...@gmail.com, Aug 16 2016

Issue description


NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Data from Faulting Address controls Code Flow starting at chrome_7fed4560000!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0x000000000140081f (Hash=0x49276361.0x44625774)
EXPLANATION: The data from the faulting address is later used as the target for a branch.

Short Description: TaintedDataControlsCodeFlow


Chrome Version: 52.0.2743.116 
Operating System: Windows 7 
REPRODUCTION CASE

Attachment: f910453f-e871-4ab8-b3dc-70df365114ee.dmp (10.8 MB)

Comment 2 by romi0...@gmail.com, Aug 16 2016

Don't have access to the link.

I found the crash with the App Verifier tool and opening it with a debugger.

Thanks
Labels: Needs-Feedback
Could you provide more detailed repro cases? Without specific repro cases, there is little we can do.

Comment 4 by romi0...@gmail.com, Aug 16 2016

I used a mix of tools like Dr. Memory, AppVerifier, Global Flags and WinDbg.

1. Tried to instrument chrome.exe with Dr. Memory, which resulted in a crash.
2. Once Chrome crashed completely, opening Chrome resulted in dead tabs only.
3. Then I used AppVerifier with all tests enabled and found this bug.
4. It's true Dr. Memory, but it helps tracing the real leaks also in some cases.

Error #1: UNADDRESSABLE ACCESS: writing 0x0000000000000000-0x0000000000000004 4 byte(s)
# 0 chrome.dll!GetHandleVerifier         +0x9dcd74 (0x000007fed8173ab4 <chrome.dll+0xa43ab4>)
# 1 chrome.dll!GetHandleVerifier         +0x9dcdb2 (0x000007fed8173af3 <chrome.dll+0xa43af3>)
# 2 ntdll.dll!RtlIsDosDeviceName_U       +0x267d   (0x000000007794616e <ntdll.dll+0x5616e>)
# 3 CRYPTBASE.dll!?                      +0x0      (0x000007fefd4d1081 <CRYPTBASE.dll+0x1081>)
# 4 ntdll.dll!LdrShutdownProcess         +0x1d0    (0x00000000779129b1 <ntdll.dll+0x229b1>)
# 5 ntdll.dll!LdrShutdownProcess         +0x1b8    (0x0000000077912999 <ntdll.dll+0x22999>)
# 6 ntdll.dll!RtlExitUserProcess         +0x8f     (0x00000000779127c0 <ntdll.dll+0x227c0>)
# 7 KERNEL32.dll!GetNumberOfConsoleFonts +0xce     (0x000000007781133f <KERNEL32.dll+0x4133f>)
# 8 KERNEL32.dll!CtrlRoutine             +0x1d2    (0x0000000077824c53 <KERNEL32.dll+0x54c53>)
# 9 KERNEL32.dll!BaseThreadInitThunk     +0xc      (0x00000000777e59bd <KERNEL32.dll+0x159bd>)


and 

Error #1: LEAK 256 direct bytes 0x0000000001dd4e60-0x0000000001dd4f60 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 IsSandboxedProcess                   +0x4410b  (0x000000013f510370 <chrome.exe+0x90370>)
# 2 IsSandboxedProcess                   +0x44144  (0x000000013f5103a9 <chrome.exe+0x903a9>)
# 3 IsSandboxedProcess                   +0x49226  (0x000000013f51548b <chrome.exe+0x9548b>)
# 4 IsSandboxedProcess                   +0x47758  (0x000000013f5139bd <chrome.exe+0x939bd>)
# 5 IsSandboxedProcess                   +0x51a05  (0x000000013f51dc6a <chrome.exe+0x9dc6a>)
# 6 IsSandboxedProcess                   +0x474fc  (0x000000013f513761 <chrome.exe+0x93761>)
# 7 IsSandboxedProcess                   +0x4795d  (0x000000013f513bc2 <chrome.exe+0x93bc2>)
# 8 IsSandboxedProcess                   +0x36110  (0x000000013f502375 <chrome.exe+0x82375>)
# 9 IsSandboxedProcess                   +0x3613c  (0x000000013f5023a1 <chrome.exe+0x823a1>)
#10 IsSandboxedProcess                   +0x36259  (0x000000013f5024be <chrome.exe+0x824be>)
#11 IsSandboxedProcess                   +0x47cb8  (0x000000013f513f1d <chrome.exe+0x93f1d>)

Error #2: POSSIBLE LEAK 88 direct bytes 0x0000000001dfb7e0-0x0000000001dfb838 + 1 indirect bytes
# 0 replace_RtlAllocateHeap                     [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ntdll.dll!RtlGetOwnerSecurityDescriptor    +0x255    (0x00000000778f87c6 <ntdll.dll+0x87c6>)
# 2 ntdll.dll!RtlGetOwnerSecurityDescriptor    +0x14c    (0x00000000778f86bd <ntdll.dll+0x86bd>)
# 3 ntdll.dll!RtlUserThreadStart               +0x9e     (0x000000007791a35f <ntdll.dll+0x2a35f>)



As in the above example, which helps finding the crash point with offset.
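What a triager usually wants from output like the Dr. Memory report above is each error's type and address range plus every frame in a form that survives ASLR (module+offset, or file:line for Dr. Memory's own replacement frames), so the frames can be symbolized against the matching Chrome build. The Python below is an added example written for this page; it is not part of the original report, of Chromium, or of Dr. Memory's tooling. It parses a constructed, trimmed copy of the report lines quoted above, groups frames under their error, and flags unaddressable accesses that fall in the lowest 64 KiB of the address space, which Windows never maps for user code, so such a report points at a null-pointer dereference rather than at memory an attacker controls. The names `parse_drmemory`, `first_frame_in` and `touches_null_page` are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the same line shapes as the Dr. Memory output quoted
# in the comment above, trimmed to a few frames per error.
SAMPLE_REPORT = r"""
Error #1: UNADDRESSABLE ACCESS: writing 0x0000000000000000-0x0000000000000004 4 byte(s)
# 0 chrome.dll!GetHandleVerifier         +0x9dcd74 (0x000007fed8173ab4 <chrome.dll+0xa43ab4>)
# 1 chrome.dll!GetHandleVerifier         +0x9dcdb2 (0x000007fed8173af3 <chrome.dll+0xa43af3>)
# 2 ntdll.dll!RtlIsDosDeviceName_U       +0x267d   (0x000000007794616e <ntdll.dll+0x5616e>)
# 3 CRYPTBASE.dll!?                      +0x0      (0x000007fefd4d1081 <CRYPTBASE.dll+0x1081>)

Error #2: LEAK 256 direct bytes 0x0000000001dd4e60-0x0000000001dd4f60 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 IsSandboxedProcess                   +0x4410b  (0x000000013f510370 <chrome.exe+0x90370>)
#10 IsSandboxedProcess                   +0x36259  (0x000000013f5024be <chrome.exe+0x824be>)

Error #3: POSSIBLE LEAK 88 direct bytes 0x0000000001dfb7e0-0x0000000001dfb838 + 1 indirect bytes
# 0 replace_RtlAllocateHeap                     [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ntdll.dll!RtlGetOwnerSecurityDescriptor    +0x255    (0x00000000778f87c6 <ntdll.dll+0x87c6>)
"""

# "Error #N: KIND rest": KIND is the run of upper-case words before ':' or a number.
ERROR_RE = re.compile(r"^Error #(\d+): ([A-Z][A-Z ]*[A-Z])(?=:| \d|$)(.*)$")
RANGE_RE = re.compile(r"0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)")
# "# i symbol [+0xoff] (0xaddr <module+0xoff>)"  or  "# i symbol [file:line]"
FRAME_RE = re.compile(
    r"^#\s*(\d+)\s+(\S+)"
    r"(?:\s+\+0x([0-9a-fA-F]+))?"
    r"\s+(?:\(0x([0-9a-fA-F]+)\s+<([^+>]+)\+0x([0-9a-fA-F]+)>\)|\[([^\]]+)\])\s*$"
)


@dataclass
class Frame:
    index: int
    symbol: str                    # nearest exported symbol as Dr. Memory printed it
    symbol_offset: Optional[int]   # bytes past that symbol, when given
    address: Optional[int]         # absolute address in the traced process
    module: Optional[str]          # module containing the address
    module_offset: Optional[int]   # offset from the module base: stable across ASLR runs
    source: Optional[str]          # file:line for Dr. Memory's own replace_* frames

    def location(self) -> str:
        """Position in a form usable for symbolization: module+offset or file:line."""
        if self.module is not None:
            return f"{self.module}+0x{self.module_offset:x}"
        return self.source or self.symbol


@dataclass
class DrMemoryError:
    number: int
    kind: str
    lo: Optional[int]              # start of the reported address range
    hi: Optional[int]              # end of the reported address range (exclusive)
    frames: List[Frame] = field(default_factory=list)

    @property
    def size(self) -> Optional[int]:
        return None if self.lo is None else self.hi - self.lo


def parse_drmemory(text: str) -> List[DrMemoryError]:
    """Group Dr. Memory error headers with the frame lines that follow them."""
    errors: List[DrMemoryError] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ERROR_RE.match(line)
        if m:
            r = RANGE_RE.search(m.group(3))
            lo, hi = (int(r.group(1), 16), int(r.group(2), 16)) if r else (None, None)
            errors.append(DrMemoryError(int(m.group(1)), m.group(2), lo, hi))
            continue
        f = FRAME_RE.match(line)
        if f and errors:  # frame lines always belong to the most recent error header
            idx, sym, soff, addr, mod, moff, src = f.groups()
            errors[-1].frames.append(Frame(
                index=int(idx), symbol=sym,
                symbol_offset=int(soff, 16) if soff else None,
                address=int(addr, 16) if addr else None,
                module=mod, module_offset=int(moff, 16) if moff else None,
                source=src))
    return errors


def first_frame_in(err: DrMemoryError, module: str) -> Optional[Frame]:
    """Topmost frame inside the given module: where to start reading after symbolizing."""
    for fr in err.frames:
        if fr.module and fr.module.lower() == module.lower():
            return fr
    return None


def touches_null_page(err: DrMemoryError, lowest_user_addr: int = 0x10000) -> bool:
    """True for an unaddressable access below the lowest mappable user address on Windows."""
    return err.kind == "UNADDRESSABLE ACCESS" and err.lo is not None and err.hi <= lowest_user_addr


if __name__ == "__main__":
    for err in parse_drmemory(SAMPLE_REPORT):
        top = err.frames[0].location() if err.frames else "?"
        flag = " (null page)" if touches_null_page(err) else ""
        print(f"#{err.number} {err.kind} size={err.size} top={top}{flag}")
```

Run against a full Dr. Memory `results.txt`, the `module+offset` from `Frame.location()` is what you feed to a symbol server for the exact build, since the absolute addresses change from run to run.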

Comment 5 by romi0...@gmail.com, Aug 16 2016

With AppVerifier it crashed with:

APPLICATION_VERIFIER_LUAPRIV_FAILED_API_CALL (332e)
The application called an API that failed unexpectedly, possibly due to bad parameters.
The application called the listed API, which failed with an access error suggesting a potential LUA issue. 

Status: WontFix (was: Unconfirmed)
Without a concrete repro (for example a start-up command line argument, or a webpage/script that causes crashing), there is very little I can use to reproduce this issue.

We'll keep on monitoring crashes caused by RelaunchChromeBrowserWithNewCommandLineIfNeeded. But for now I'll close this bug.

Comment 7 by sheriffbot@chromium.org (Project Member), Nov 23 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
