Issue metadata
Data from Faulting Address controls Branch Selection
Reported by
romi0...@gmail.com,
Sep 13 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Steps to reproduce the problem:
1. Attach Chrome with App Verifier and enable low resource simulation, with --no-sandbox.
2. Run chrome.exe --no-sandbox and attach the process in WinDbg.
3. Chrome will crash with:

Faulting Instruction: 00007ff6`3fe08a64 cmp byte ptr [rax+rdi],0
Basic Block:
00007ff6`3fe08a64 cmp byte ptr [rax+rdi],0
    Tainted Input operands: 'rax','rdi'
00007ff6`3fe08a68 jne chrome!__std_exception_copy+0x2d (00007ff6`3fe08a61)
    Tainted Input operands: 'ZeroFlag'
What is the expected behavior?
Chrome should handle the exception properly.
What went wrong?
1. Trace of the following:
0:000> ~* kp
. 0 Id: 2344.10fc Suspend: 1 Teb: 0000000e`9ae53000 Unfrozen
# Child-SP RetAddr Call Site
00 0000000e`9b0fee58 00007ff6`3fe040c3 chrome!__std_exception_copy(struct __std_exception_data * from = 0x0000000e`9b0feea8, struct __std_exception_data * to = 0x0000000e`9b0feef0)+0x30 [f:\dd\vctools\crt\vcruntime\src\eh\std_exception.cpp @ 27]
01 (Inline Function) --------`-------- chrome!std::exception::{ctor}+0x2e
02 (Inline Function) --------`-------- chrome!std::logic_error::{ctor}+0x2e
03 0000000e`9b0fee88 00007ff6`3fe041d5 chrome!std::length_error::length_error(char * _Message = <Value unavailable error>)+0x37 [f:\dd\vctools\crt\crtw32\stdhpp\stdexcept @ 112]
04 0000000e`9b0feec8 00007ff6`3fd70000 chrome!std::_Xlength_error(char * _Message = <Value unavailable error>)+0x11 [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 20]
05 0000000e`9b0fef18 00000000`00000030 chrome!__acrt_signal_action_table_size
06 0000000e`9b0fef20 00000000`00000000 0x30
Source File: f:\dd\vctools\crt\vcruntime\src\eh\std_exception.cpp
Source Line: 27
0:000> dx -r1 (*((chrome!__std_exception_data *)0xe9b0feea8))
(*((chrome!__std_exception_data *)0xe9b0feea8)) [Type: __std_exception_data]
[+0x000] _What : 0xad50f1b9aaeb0000 : "--- memory read error at address 0xad50f1b9`aaeb0000 ---" [Type: char *]
[+0x008] _DoFree : true [Type: bool]
0:000> dx -r1 (*((chrome!char *)0xad50f1b9aaeb0000))
Error: Unable to read memory at Address 0xad50f1b9aaeb0000
0:000> dx Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[2].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[2].SwitchTo()
0:000> dx Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[3].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[3].SwitchTo()
@rbx class std::length_error * this = 0x0000000e`9b0feee8
<unavailable> char * _Message = <value unavailable>
0:000> dx -r1 (*((chrome!std::length_error *)0xe9b0feee8))
(*((chrome!std::length_error *)0xe9b0feee8)) [Type: std::length_error]
[+0x008] _Ptr : 0x0 [Type: char *]
Did this work before? N/A
Chrome version: <Copy from: 'about:version'> Channel: n/a
OS Version: 10.0
Flash Version: VLC media player Web Plugin
Sep 14 2016
Please stop reporting App Verifier issues without reproduction cases. If you can reproduce without running App Verifier then please raise a new issue.
Comment 1 by romi0...@gmail.com, Sep 13 2016