
Issue 638697 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: _chrome.dll!gfx::win::directmanipulationhelper::initialize

Reported by romi0...@gmail.com, Aug 17 2016

Issue description
VULNERABILITY DETAILS
Chrome crash detected with Application Verifier.

VERIFIER STOP 0000000000000013: pid 0x1938: First chance access violation for current stack trace. 

	0000000000000000 : Invalid address causing the exception.
	000007FEDE744363 : Code address executing the invalid access.
	00000000002BCA70 : Exception record.
	00000000002BC580 : Context record.

Access violation - code c0000005 (!!! second chance !!!)
chrome_7fedc890000!gfx::win::DirectManipulationHelper::Initialize+0x83:
000007fe`de744363 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????
0:000> g 
(1938.17e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_7fedc890000!gfx::win::DirectManipulationHelper::Initialize+0x83:
000007fe`de744363 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????
0:000> gn 
(1938.17e8): Access violation - code c0000005 (!!! second chance !!!)
chrome_7fedc890000!gfx::win::DirectManipulationHelper::Initialize+0x83:
000007fe`de744363 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????

VERSION
Chrome Version: 52.0.2743.116 stable
Operating System: Windows 7
REPRODUCTION CASE

Download Application Verifier for Windows:

https://msdn.microsoft.com/en-us/library/windows/desktop/dd371695(v=vs.85).aspx

Open Application Verifier and add Chrome as an application.

Enable all tests via right-click, including low resource simulation.

Open the Windows debugger WinDbg and open the Chrome executable.

Start debugging until Chrome dies with a crash.

Open Application Verifier again and uncheck low resource simulation.

Restart WinDbg, attach to chrome.exe again and start debugging.

Download the required symbols.

After this it will be possible to reproduce with !analyze -v:

status_breakpoint_avrf_80000003_chrome.dll!gfx::win::directmanipulationhelper::initialize


Running the Debug Diag tool on the dump gives the following result:

In chrome.exe.8224.dmp the assembly instruction at chrome_7fedca10000!gfx::win::DirectManipulationHelper::Initialize+83 in C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome.dll from Google Inc. has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000 on thread 0

Please follow up with the vendor Google Inc. for C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\chrome.dll

I have attached the crash dump for the same.

CrashDumps.zip
693 KB Download

Comment 1 by romi0...@gmail.com, Aug 17 2016

Attaching Debug Diag logs.
chrome.exe.8224_CrashHangAnalysis.mht
656 KB Download

Comment 2 by romi0...@gmail.com, Aug 17 2016

The same .dmp file generated by Chrome for the crash,

with null_pointer_read_probablyexploitable_avrf_c0000005_chrome.dll!gfx::win::directmanipulationhelper::initialize

d354a1e8-d2ed-4dbf-b548-013f7696135d.dmp
11.0 MB Download
Cc: och...@chromium.org
ochang@, need your suggestion on how to deal with this type of repro?  

Comment 4 by och...@chromium.org, Aug 18 2016

Status: WontFix (was: Unconfirmed)
Did you run Chrome with "--no-sandbox" as per https://www.chromium.org/developers/how-tos/debugging-on-windows ?

Either way, null ptr derefs are not security vulnerabilities.
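The triage rule stated in the comment above (a fault on the null page is a reliability crash, not a security bug) can be applied mechanically to a WinDbg/Application Verifier trace. The following Python is an added example written for this page; it is not code from the report, from Chromium or from Application Verifier. It parses a constructed trace modelled on the one quoted in the report, cross-checks the address in the VERIFIER STOP block against the one in the faulting-instruction line, works out whether the access was a read or a write from the operand order, and classifies the fault by whether it lies in the low 64 KiB of the address space that Windows keeps unmapped for null-pointer detection. The sample trace, the `Verdict` field names and the 64 KiB threshold are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Application Verifier / WinDbg output
# quoted in the report (not a copy of the attached dump). Embedded so the
# script runs offline.
SAMPLE_TRACE = """\
VERIFIER STOP 0000000000000013: pid 0x1938: First chance access violation for current stack trace.

    0000000000000000 : Invalid address causing the exception.
    000007FEDE744363 : Code address executing the invalid access.

Access violation - code c0000005 (!!! second chance !!!)
chrome_7fedc890000!gfx::win::DirectManipulationHelper::Initialize+0x83:
000007fe`de744363 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????
"""

# Windows never maps the lowest 64 KiB of a user-mode process, so a fault
# below this line is a null (or null-plus-small-offset) dereference that no
# attacker-controlled data can satisfy. The exact threshold is an assumption
# chosen for this example.
NULL_PAGE_LIMIT = 0x10000

INVALID_ADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{16}) : Invalid address causing the exception", re.M)
FAULT_IP_RE = re.compile(r"^\s*([0-9A-Fa-f]{16}) : Code address executing the invalid access", re.M)
SYMBOL_RE = re.compile(r"^(\S+!\S+\+0x[0-9A-Fa-f]+):", re.M)
# WinDbg's faulting-instruction line:
#   <ip> <bytes> <mnemonic> <operands> ds:<addr>=<value>
INSN_RE = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.+?)\s+"
    r"ds:(?P<addr>[0-9a-f]{8}`[0-9a-f]{8})=",
    re.M,
)


@dataclass
class Verdict:
    symbol: str
    fault_ip: int
    address: int
    access: str                  # "read" or "write"
    category: str                # "null-deref", "near-null" or "other"
    needs_security_triage: bool  # False when the fault cannot be attacker-influenced
    note: str


def _hex(s: str) -> int:
    """Parse a WinDbg hex address, tolerating the 8`8 digit separator."""
    return int(s.replace("`", ""), 16)


def classify_av(trace: str) -> Verdict:
    """Triage a WinDbg/Application Verifier access-violation trace."""
    sym = SYMBOL_RE.search(trace)
    insn = INSN_RE.search(trace)
    inv = INVALID_ADDR_RE.search(trace)
    ip = FAULT_IP_RE.search(trace)
    if not (insn and inv):
        raise ValueError("trace lacks a faulting instruction or an 'Invalid address' line")

    addr = _hex(insn.group("addr"))
    reported = _hex(inv.group(1))
    if addr != reported:
        # The verifier stop and the disassembly disagree: do not guess, ask for the dump.
        raise ValueError(f"address mismatch: verifier says {reported:#x}, instruction says {addr:#x}")

    # Operand order gives the direction: a memory operand left of the comma
    # is the destination ("mov [rcx],rax" writes), on the right it is read.
    dst = insn.group("ops").split(",", 1)[0]
    access = "write" if "[" in dst else "read"

    if addr == 0:
        category, triage = "null-deref", False
        note = "exact null pointer; file as a reliability crash"
    elif addr < NULL_PAGE_LIMIT:
        category, triage = "near-null", False
        note = f"null pointer plus field offset 0x{addr:x}; still inside the unmapped null page"
    else:
        category, triage = "other", True
        note = "non-null invalid address; could be a stale or uninitialised pointer, needs full triage"

    return Verdict(
        symbol=sym.group(1) if sym else "?",
        fault_ip=_hex(ip.group(1)) if ip else 0,
        address=addr,
        access=access,
        category=category,
        needs_security_triage=triage,
        note=note,
    )


if __name__ == "__main__":
    v = classify_av(SAMPLE_TRACE)
    print(f"{v.symbol}: {v.access} at {v.address:#x} -> {v.category} ({v.note})")
```

A mismatch between the VERIFIER STOP address and the disassembly is treated as an error rather than silently resolved, because that is exactly the case where the triager should open the dump instead of trusting a text excerpt.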

Comment 5 by sheriffbot@chromium.org, Nov 24 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
