Chrome Crash with Winafl
Reported by
romi0...@gmail.com,
Sep 28 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce the problem:
1. Use WinAFL for fuzzing.
2. Use the command line: afl-fuzz.exe -i in -o chrome -D c:\winafl-master\dyno\bin64 -t 30000+ -m 15000 -- -coverage_module chrome_elf.dll -coverage_module chrome.exe -coverage_module ntdll.dll -target_module chrome.exe -target_offset 0x2680 -fuzz_iterations 10000 -nargs 4 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@
3. Crashes will be generated in the crash folder.

What is the expected behavior?
Chrome should not crash with main function fuzzing.

What went wrong?
Chrome failed with the attached test cases.

Did this work before? N/A

Chrome version: 53.0.2785.116 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0
Sep 28 2016
A final dump which gives a sign of possible stack corruption, and test cases with WinAFL:

!exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_SMALL_DUMP
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x7fece810606
EXCEPTION_CODE:0x80000003
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_BREAKPOINT
FAULTING_INSTRUCTION:000007fe`ce810606 int 3
BASIC_BLOCK_INSTRUCTION_COUNT:1
BASIC_BLOCK_INSTRUCTION:000007fe`ce810606 int 3
MAJOR_HASH:0x18ff2d8e
MINOR_HASH:0xa10b39d1
STACK_DEPTH:54
STACK_FRAME:chrome_7fece1f0000!gfx::PlatformFontWin::CreateHFontRef+0x3e
STACK_FRAME:chrome_7fece1f0000!gfx::PlatformFontWin::DeriveFont+0xcd
STACK_FRAME:chrome_7fece1f0000!gfx::FontList::Derive+0x6e
STACK_FRAME:chrome_7fece1f0000!gfx::FontList::DeriveWithWeight+0x44
STACK_FRAME:chrome_7fece1f0000!views::LabelButton::LabelButton+0x272
STACK_FRAME:chrome_7fece1f0000!`anonymous namespace'::BookmarkButtonBase::BookmarkButtonBase+0x1d
STACK_FRAME:chrome_7fece1f0000!BookmarkBarView::CreateBookmarkButton+0x5c
STACK_FRAME:chrome_7fece1f0000!BookmarkBarView::Layout+0x30f
STACK_FRAME:chrome_7fece1f0000!views::View::BoundsChanged+0x1e2
STACK_FRAME:chrome_7fece1f0000!views::View::SetBoundsRect+0xd6
STACK_FRAME:chrome_7fece1f0000!views::View::SetBounds+0x47
STACK_FRAME:chrome_7fece1f0000!BrowserViewLayout::LayoutBookmarkBar+0x96
STACK_FRAME:chrome_7fece1f0000!BrowserViewLayout::Layout+0x256
STACK_FRAME:chrome_7fece1f0000!views::View::Layout+0x38
STACK_FRAME:chrome_7fece1f0000!BrowserView::Layout+0x2b
STACK_FRAME:chrome_7fece1f0000!BrowserView::ToolbarSizeChanged+0x66
STACK_FRAME:chrome_7fece1f0000!infobars::InfoBarContainer::ChangeInfoBarManager+0x107
STACK_FRAME:chrome_7fece1f0000!BrowserView::OnActiveTabChanged+0xc1
STACK_FRAME:chrome_7fece1f0000!Browser::ActiveTabChanged+0x79
STACK_FRAME:chrome_7fece1f0000!TabStripModel::NotifyIfActiveTabChanged+0x97
STACK_FRAME:chrome_7fece1f0000!TabStripModel::SetSelection+0x82
STACK_FRAME:chrome_7fece1f0000!TabStripModel::InsertWebContentsAt+0x265
STACK_FRAME:chrome_7fece1f0000!TabStripModel::AddWebContents+0x110
STACK_FRAME:chrome_7fece1f0000!chrome::Navigate+0x44d
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreatorImpl::OpenTabsInBrowser+0x366
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreatorImpl::ProcessLaunchURLs+0x1b4
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreatorImpl::Launch+0x311
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreator::LaunchBrowser+0x188
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreator::ProcessCmdLineImpl+0x835
STACK_FRAME:chrome_7fece1f0000!StartupBrowserCreator::ProcessCommandLineAlreadyRunning+0x1e1
STACK_FRAME:chrome_7fece1f0000!`anonymous namespace'::ProcessSingletonNotificationCallback+0x2c4
STACK_FRAME:chrome_7fece1f0000!ProcessSingletonStartupLock::NotificationCallbackImpl+0xdf
STACK_FRAME:chrome_7fece1f0000!`anonymous namespace'::ProcessLaunchNotification+0x8a
STACK_FRAME:chrome_7fece1f0000!base::win::MessageWindow::WindowProc+0xec
STACK_FRAME:chrome_7fece1f0000!base::win::WrappedWindowProc<&base::win::MessageWindow::WindowProc>+0x12
STACK_FRAME:USER32!UserCallWinProcCheckWow+0x1ad
STACK_FRAME:USER32!DispatchClientMessage+0xc3
STACK_FRAME:USER32!_fnCOPYDATA+0x4b
STACK_FRAME:ntdll!KiUserCallbackDispatcherContinue+0x0
STACK_FRAME:Unknown
STACK_FRAME:USER32!PeekMessageW+0x105
STACK_FRAME:chrome_7fece1f0000!base::MessagePumpForUI::DoRunLoop+0x51
STACK_FRAME:chrome_7fece1f0000!base::MessagePumpWin::Run+0x54
STACK_FRAME:chrome_7fece1f0000!base::RunLoop::Run+0x90
STACK_FRAME:chrome_7fece1f0000!ChromeBrowserMainParts::MainMessageLoopRun+0xef
STACK_FRAME:chrome_7fece1f0000!content::BrowserMainRunnerImpl::Run+0x71
STACK_FRAME:chrome_7fece1f0000!content::BrowserMain+0x161
STACK_FRAME:chrome_7fece1f0000!content::ContentMainRunnerImpl::Run+0x1ff
STACK_FRAME:chrome_7fece1f0000!ChromeMain+0x226
STACK_FRAME:chrome!MainDllLoader::Launch+0x3c3
STACK_FRAME:chrome!wWinMain+0x4dc
STACK_FRAME:chrome!__scrt_common_main_seh+0x11e
STACK_FRAME:kernel32!BaseThreadInitThunk+0xd
STACK_FRAME:ntdll!RtlUserThreadStart+0x1d
INSTRUCTION_ADDRESS:0x000007fece810606
INVOKING_STACK_FRAME:0
SOURCE_FILE:c:\b\build\slave\win64-pgo\build\src\ui\gfx\platform_font_win.cc
SOURCE_LINE:463
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at chrome_7fece1f0000!gfx::PlatformFontWin::CreateHFontRef+0x000000000000003e (Hash=0x18ff2d8e.0xa10b39d1)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
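The !exploitable -m output above is one KEY:VALUE record, and a fuzzing campaign produces many of them. The Python below is an added example (not part of the report, of WinAFL or of Chromium) that parses that format, buckets crashes by the (MAJOR_HASH, MINOR_HASH) pair !exploitable itself uses for deduplication, and surfaces two things a triager checks before calling a crash a vulnerability. First, EXCEPTION_CODE 0x80000003 means the faulting instruction is int 3; the Oct 4 comment below shows it is reached through base::debug::BreakDebugger, Chromium's deliberate-crash primitive, so this is a CHECK-style failure rather than a memory-safety fault. Second, the "Possible Stack Corruption" description with CLASSIFICATION:UNKNOWN is produced by the single STACK_FRAME:Unknown entry, which here sits between ntdll!KiUserCallbackDispatcherContinue and USER32!PeekMessageW, a kernel-to-user callback transition where the unwinder routinely loses a frame. The embedded record is a constructed, condensed copy of the output above (most frames omitted).

```python
"""Triage helpers for the machine-readable output of the WinDbg !exploitable
extension ("!exploitable -m"). Added example for this page; not part of the
bug report, WinAFL or Chromium."""
import re
from collections import defaultdict

# Fields look like KEY:VALUE separated by whitespace, but values may contain
# spaces ("int 3", "Possible Stack Corruption"), so split only where the next
# UPPER_CASE key begins instead of on every space.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Z][A-Z_]*:)")
_FIELD = re.compile(r"^([A-Z][A-Z_]*):(.*)$", re.S)

STATUS_BREAKPOINT = 0x80000003  # int 3; in Chromium: base::debug::BreakDebugger

# Constructed sample: a condensed copy of the record pasted above.
SAMPLE = (
    "!exploitable -m VERSION:1.6.0.0 IDENTITY:HostMachine\\HostUser PROCESSOR:X64 "
    "CLASS:USER QUALIFIER:USER_SMALL_DUMP EVENT:DEBUG_EVENT_EXCEPTION "
    "EXCEPTION_FAULTING_ADDRESS:0x7fece810606 EXCEPTION_CODE:0x80000003 "
    "EXCEPTION_LEVEL:SECOND_CHANCE EXCEPTION_TYPE:STATUS_BREAKPOINT "
    "FAULTING_INSTRUCTION:000007fe`ce810606 int 3 "
    "MAJOR_HASH:0x18ff2d8e MINOR_HASH:0xa10b39d1 STACK_DEPTH:54 "
    "STACK_FRAME:chrome_7fece1f0000!gfx::PlatformFontWin::CreateHFontRef+0x3e "
    "STACK_FRAME:chrome_7fece1f0000!gfx::PlatformFontWin::DeriveFont+0xcd "
    "STACK_FRAME:ntdll!KiUserCallbackDispatcherContinue+0x0 "
    "STACK_FRAME:Unknown "
    "STACK_FRAME:USER32!PeekMessageW+0x105 "
    "SOURCE_FILE:c:\\b\\build\\slave\\win64-pgo\\build\\src\\ui\\gfx\\platform_font_win.cc "
    "SOURCE_LINE:463 DESCRIPTION:Possible Stack Corruption "
    "SHORT_DESCRIPTION:PossibleStackCorruption CLASSIFICATION:UNKNOWN "
    "BUG_TITLE:Possible Stack Corruption starting at "
    "chrome_7fece1f0000!gfx::PlatformFontWin::CreateHFontRef+0x000000000000003e "
    "(Hash=0x18ff2d8e.0xa10b39d1) "
    "EXPLANATION:The stack trace contains one or more locations for which no "
    "symbol or module could be found. This may be a sign of stack corruption."
)


def parse_exploitable(text):
    """Return {'fields': {KEY: VALUE}, 'frames': [STACK_FRAME values, top first]}."""
    fields, frames = {}, []
    for chunk in _FIELD_SPLIT.split(text.strip()):
        m = _FIELD.match(chunk)
        if not m:
            continue  # e.g. the "!exploitable -m" prompt echoed before the record
        key, value = m.group(1), m.group(2).strip()
        if key == "STACK_FRAME":
            frames.append(value)
        else:
            fields[key] = value
    return {"fields": fields, "frames": frames}


def crash_bucket(rec):
    """!exploitable's own dedup key: the (MAJOR_HASH, MINOR_HASH) pair."""
    f = rec["fields"]
    return (f.get("MAJOR_HASH"), f.get("MINOR_HASH"))


def is_breakpoint(rec):
    """True when the exception is STATUS_BREAKPOINT (the faulting instruction is int 3)."""
    return int(rec["fields"].get("EXCEPTION_CODE", "0"), 16) == STATUS_BREAKPOINT


def unresolved_frames(rec):
    """(index, caller-side frame, callee-side frame) for each 'Unknown' frame.
    One such frame is all it takes for !exploitable to say 'Possible Stack
    Corruption' with CLASSIFICATION:UNKNOWN, so look at its neighbours."""
    frames = rec["frames"]
    return [(i, frames[i - 1] if i else None, frames[i + 1] if i + 1 < len(frames) else None)
            for i, fr in enumerate(frames) if fr == "Unknown"]


def verdict(rec):
    """Human-readable triage verdict for one record."""
    if is_breakpoint(rec):
        return "breakpoint: int 3, likely a deliberate CHECK failure, not memory corruption"
    return rec["fields"].get("CLASSIFICATION", "UNKNOWN")


def triage(records):
    """Collapse many records into one summary per hash bucket."""
    buckets = defaultdict(lambda: {"count": 0, "top": None, "verdict": None})
    for rec in records:
        b = buckets[crash_bucket(rec)]
        b["count"] += 1
        b["top"] = rec["frames"][0] if rec["frames"] else None
        b["verdict"] = verdict(rec)
    return dict(buckets)


if __name__ == "__main__":
    rec = parse_exploitable(SAMPLE)
    print(crash_bucket(rec), verdict(rec))
    print("unresolved:", unresolved_frames(rec))
```

Feed each dump's `!exploitable -m` text through `parse_exploitable` and pass the list to `triage`; two dumps with the same hash pair are the same crash, and a bucket whose verdict is "breakpoint" needs a source-level look (here platform_font_win.cc line 463) rather than exploitability analysis.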
Sep 28 2016
Thanks for the report. Raw fuzzer output is difficult to work with on our side (we use fuzzers extensively, but their output is managed by tools). Are you able to produce straightforward reproduction cases from that, such as an HTML file that can be used to crash Chrome in a way that indicates a potential vulnerability?
Sep 29 2016
Thanks for the reply. I am not able to convert the file as it is in Windows; I don't exactly have an approach like afl-analyze and afl-tmin for Windows, but I can definitely try any suggestions for Windows for the same.
Oct 4 2016
After a bit of triaging with the command line and attaching a debugger to the fuzzed Chrome process,
I got a debug break after a few loops of WinAFL, which resulted in a crash in Chrome on a break instruction:
(36e4.2fd0): Break instruction exception - code 80000003 (first chance)
chrome_7fed2740000!base::debug::BreakDebugger+0xc [inlined in chrome_7fed2740000!`anonymous namespace'::FindDirectWriteFontForLOGFONT+0xcd]:
000007fe`d2d5fb25 cc
On a bit more investigation:
00000000`001ec910 000007fe`d60e01ad chrome_7fed5ac0000!gfx::PlatformFontWin::CreateHFontRef(struct HFONT__ * font = 0x00000000`010a43fc)+0x3e [c:\b\build\slave\win64-pgo\build\src\ui\gfx\platform_font_win.cc @ 463]
The font parameter in question expects an expression,
and rsi:
@rsi struct HFONT__ * font = 0x00000000`310a2eba
00000000`002fcb68 struct tagTEXTMETRICW font_metrics = struct tagTEXTMETRICW
class base::win::ScopedGetDC screen_dc = class base::win::ScopedGetDC
<unavailable> class gfx::ScopedSetMapMode mode = <value unavailable>
0:000> dx -r1 (*((!HFONT__ *)0x310a2eba))
Error: Expected expression at ')0x310a2eba))'
0:000> dx -r1 (*((!tagTEXTMETRICW *)0x2fcb68))
Error: Expected expression at ')0x2fcb68))'
The code for this:

// Excerpt from ui/gfx/platform_font_win.cc (link below); the dump's
// SOURCE_LINE:463 is inside CreateHFontRef.
PlatformFontWin::HFontRef* PlatformFontWin::CreateHFontRef(HFONT font) {
  TEXTMETRIC font_metrics;
  {
    base::win::ScopedGetDC screen_dc(NULL);
    ScopedSetMapMode mode(screen_dc, MM_TEXT);
    GetTextMetricsForFont(screen_dc, font, &font_metrics);
  }
https://chromium.googlesource.com/chromium/src.git/+/lkcr/ui/gfx/platform_font_win.cc
After the second-chance exception, investigating the dump:
01 00000000`002fb970 00000001`3ffbcba0 KERNELBASE!SleepEx+0xab
02 00000000`002fba10 00000001`3ff9ad73 chrome!`anonymous namespace'::UnhandledExceptionHandler(struct _EXCEPTION_POINTERS * exception_pointers = 0x00000000`002fbcf0)+0x64 [c:\b\build\slave\win64-pgo\build\src\third_party\crashpad\crashpad\client\crashpad_client_win.cc @ 110]
03 (Inline Function) --------`-------- chrome!crashpad::CrashpadClient::DumpAndCrash+0x5d [c:\b\build\slave\win64-pgo\build\src\third_party\crashpad\crashpad\client\crashpad_client_win.cc @ 488]
04 00000000`002fbb50 000007fe`d826d2b5 chrome!CrashForException(struct _EXCEPTION_POINTERS * info = 0x00000000`002fbcf0)+0xc3 [c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad_win.cc @ 193]
05 (Inline Function) --------`-------- chrome_7fed5ac0000!base::win::CallExceptionFilter+0x14 [c:\b\build\slave\win64-pgo\build\src\base\win\wrapped_window_proc.cc @ 42]
06 00000000`002fbc90 000007fe`d8231b14 chrome_7fed5ac0000!`base::win::WrappedWindowProc<&base::MessagePumpForUI::WndProcThunk>'::`1'::filt$0+0x25 [c:\b\build\slave\win64-pgo\build\src\base\win\wrapped_window_proc.h @ 77]
07 00000000`002fbcc0 00000000`77c67e8d chrome_7fed5ac0000!__C_specific_handler(struct _EXCEPTION_RECORD * ExceptionRecord = 0x00000000`002fc930, void * EstablisherFrame = 0x00000000`002febc0, struct _CONTEXT * ContextRecord = <Value unavailable error>, struct _DISPATCHER_CONTEXT * DispatcherContext = 0x00000000`002fbdf0)+0xa0
08 00000000`002fbd30 00000000`77c584cf ntdll!RtlpExecuteHandlerForException+0xd
09 00000000`002fbd60 00000000`77c8bac8 ntdll!RtlDispatchException+0x45a
0a 00000000`002fc440 000007fe`d60e0606 ntdll!KiUserExceptionDispatch+0x2e
gives the same exception:
dx -r1 (*((!_EXCEPTION_RECORD *)0x2fc930))
Error: Expected expression at ')0x2fc930))'
which refers to the create-font symbol.
Attached are the dump file and the crash cases of WinAFL with the command line.
Oct 5 2016
Just for an update, I tried the test cases in the crash folder with the non-coverage fuzzer MiniFuzz by Microsoft.
1. Given the test cases from the crash folder, with MiniFuzz Chrome encountered several crashes after 30 minutes of plain fuzzing without any code coverage. It was reproduced on a different machine with the same test cases, which resulted in crashes with a different unhandled address exception.
2. On giving the command line --no-sandbox in the MiniFuzz UI with the same test cases from crashes, it resulted in a sudden crash of Chrome with many crashes.
Attached are the crash test cases and a snapshot of MiniFuzz with a few sample dumps.
Oct 5 2016
ifratric - is there a way to extract a reproducible test case from the filer's attachments?
Oct 6 2016
crashes.zip seems to contain WinAFL output directory. The test cases that are detected as crashes are stored in the crashes/ directory. There is a single file there that I attached but I can't reproduce the problem with my version of chrome.
Oct 6 2016
romi007r, can you try to isolate the desired test case by re-running your tests and trying the results as found in your crashes/ directory? thanks.
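The request in the comments above (one file from crashes/ that crashes Chrome on its own, every time) can be checked mechanically before anything is attached to a bug. The Python below is an added example, neither the reporter's script nor part of WinAFL: it re-runs every file in a WinAFL crashes/ directory through the target command line (with @@ substituted the way afl-fuzz does) several times and sorts the inputs into reproducible, flaky, hang and no-repro. It detects a crash from the exit code: Windows reports an unhandled exception as an NTSTATUS with the severity bits set (0xC0000005 for an access violation, 0x80000003 for int 3), which is why anything at or above 0x80000000 counts. The chrome.exe command line, the file names and the DemoRunner stand-in for subprocess.run are constructed so the script runs offline; against a real target, keep the default runner.

```python
"""Re-run WinAFL crash inputs against the target and sort them by how reliably
they reproduce. Added example for this page; not the reporter's script and not
part of WinAFL or Chromium."""
import os
import subprocess
from collections import Counter

# Assumed target command line, written the way afl-fuzz sees it: '@@' is
# replaced with the test case path for each run.
DEMO_TEMPLATE = [r"c:\progra~2\Google\Chrome\Application\chrome.exe", "@@"]

# Constructed file names standing in for a WinAFL crashes/ directory.
DEMO_CASES = [
    "crashes/id_000000_access_violation",
    "crashes/id_000001_flaky",
    "crashes/id_000002_clean",
    "crashes/id_000003_hang",
]


def is_crash_exit(returncode):
    """True when the exit code is really an unhandled-exception NTSTATUS
    (0x8... warning such as STATUS_BREAKPOINT 0x80000003, 0xC... error such as
    STATUS_ACCESS_VIOLATION 0xC0000005). Python may hand the DWORD back as an
    unsigned or a signed 32-bit value, hence the mask; a negative code on POSIX
    means the process died from a signal, which also counts."""
    return returncode < 0 or (returncode & 0xFFFFFFFF) >= 0x80000000


def build_command(template, testcase):
    """Substitute the test case path for '@@', exactly as afl-fuzz does."""
    return [testcase if arg == "@@" else arg for arg in template]


def run_once(template, testcase, timeout, runner=subprocess.run):
    """One execution of the target on one input: 'crash', 'hang' or 'ok'."""
    cmd = build_command(template, testcase)
    try:
        proc = runner(cmd, timeout=timeout,
                      stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "hang"
    return "crash" if is_crash_exit(proc.returncode) else "ok"


def classify(outcomes, repeats):
    """Verdict from the outcome counts of `repeats` runs of one input."""
    if outcomes["crash"] == repeats:
        return "reproducible"
    if outcomes["crash"]:
        return "flaky"
    if outcomes["hang"]:
        return "hang"
    return "no-repro"


def triage_files(paths, template, repeats=3, timeout=30, runner=subprocess.run):
    """Map each test case (by file name) to (verdict, outcome counts)."""
    results = {}
    for path in paths:
        outcomes = Counter(run_once(template, path, timeout, runner)
                           for _ in range(repeats))
        results[os.path.basename(path)] = (classify(outcomes, repeats), dict(outcomes))
    return results


def triage_dir(crash_dir, template, **kwargs):
    """Same, over a real WinAFL crashes/ directory (skipping the README.txt
    afl-fuzz may write there)."""
    paths = [os.path.join(crash_dir, n) for n in sorted(os.listdir(crash_dir))
             if n != "README.txt" and os.path.isfile(os.path.join(crash_dir, n))]
    return triage_files(paths, template, **kwargs)


class DemoRunner:
    """Constructed stand-in for subprocess.run so the script runs offline: the
    outcome is chosen from the test case file name. Not a real target."""

    def __init__(self):
        self.calls = Counter()

    def __call__(self, cmd, timeout=None, **kwargs):
        name = os.path.basename(cmd[-1])
        self.calls[name] += 1
        if "hang" in name:
            raise subprocess.TimeoutExpired(cmd, timeout)
        if "access_violation" in name:
            code = 0xC0000005
        elif "flaky" in name and self.calls[name] % 2:
            code = 0xC0000005  # crashes on odd runs only
        else:
            code = 0
        return subprocess.CompletedProcess(cmd, code)


if __name__ == "__main__":
    demo = triage_files(DEMO_CASES, DEMO_TEMPLATE, timeout=1, runner=DemoRunner())
    for name, (verdict, counts) in demo.items():
        print(f"{name}: {verdict} {counts}")
```

One caveat specific to this report: the stack in the first comment passes through ProcessSingletonNotificationCallback and USER32!_fnCOPYDATA, i.e. the crash happened in an already-running browser that was handed the new command line, while the freshly launched chrome.exe hands off and exits normally. For the exit code to belong to the process that crashed, each run must start with no other Chrome instance using the same profile (for example by pointing --user-data-dir at a scratch directory).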
Oct 11 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5891268762927104
Oct 11 2016
Since we do not have a reproducible testcase, I have to close it. Please feel free to re-open it once you manage to generate the reproducer.
Nov 23 2016
Hi @ifratric, can you please validate, as I am able to get the crashes with:

afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x3184 -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

and

afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x332c -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

The functions at the target offsets are:

000007fe`dace3184 chrome_elf!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy (unsigned int64, unsigned int64)
000007fe`dace332c chrome_elf!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Copy (unsigned int64, unsigned int64)

It seems interesting because both offsets have the same functions and the same crashes, but again only a hang ID with a dirty test case which is not reproducible. Thanks
Nov 24 2016
afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome.exe -target_module chrome.exe -target_offset 0x337c -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

and

afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome.exe -target_module chrome.exe -target_offset 0x31d4 -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

for the chrome.exe module produce the same crashes.
Jan 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot