
Issue 661317

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security

Corrupted document manipulation

Reported by wadih.ma...@gmail.com, Nov 1 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Steps to reproduce the problem:
1. Open http://localhost/poc_document_corruption.html
2. Wait for a crash

What is the expected behavior?
JavaScript inside the window.onunload event executes before the JavaScript called from Flash via navigateToURL.
No crashes should occur.

What went wrong?
This PoC shows that it is possible to execute JavaScript after the execution of the JavaScript inside window.onunload.

Multiple crashes can occur from this PoC:

In itself it doesn't prove the exploitability of the bugs, but the second crash seems to show that a manipulation of an already detached document took place.

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=0591f328 edi=057478b9
eip=5e3fc042 esp=0045db80 ebp=0045db90 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!`anonymous namespace'::GetPrintWebViewHelper+0x27:
5e3fc042 8b10            mov     edx,dword ptr [eax]  ds:002b:00000000=????????

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=294e4068 ecx=294e4068 edx=5ec2ea28 esi=00000000 edi=47aee268
eip=5ce79271 esp=0021c048 ebp=0021c08c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_child!blink::Document::detachLayoutTree+0x5f [inlined in chrome_child!blink::Document::detachLayoutTree+0x5f]:
5ce79271 ff86fc000000    inc     dword ptr [esi+0FCh] ds:002b:000000fc=????????

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001dea04 ebx=00000000 ecx=00000000 edx=04bf635c esi=04bb4dd8 edi=06ac5c10
eip=5e4924f3 esp=001de8f4 ebp=001dea74 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!content::HostDispatcherWrapper::AddInstance+0x107:
5e4924f3 8b03            mov     eax,dword ptr [ebx]  ds:002b:00000000=????????

Did this work before? N/A 

Chrome version: 54.0.2840.59  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0

Note: Document::detachLayoutTree has been changed to Document::shutdown.

Attachment: poc.zip (4.4 KB)
Comment 1 by ClusterFuzz (Project Member), Nov 1 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5606476463996928

ClusterFuzz is unable to repro this case. Is there any special config that's required?

No special config is required; only the presence of the Flash plugin is required. I tested it successfully on multiple Windows 7 machines.

The PoC is designed to restart itself until the onunload event is executed before the navigateToURL and a renderer crash occurs (one of the listed crashes; the second one is the most frequent).

Maybe the URL in iframe.html's navigate() loads too fast in your tests? Maybe you should replace that URL with another that is slower to load?

Comment 4 by ClusterFuzz (Project Member), Nov 4 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4792010323263488
Comment 5 by ClusterFuzz (Project Member), Nov 4 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5642551773364224

Status: WontFix (was: Unconfirmed)
I replaced it with a slower-loading URL (latimes.com) on several different bots; no crash. Please refile if you have a more reliable repro. Thanks.

I just tested the PoC on 2 different Windows 8 machines with Chrome 54.0.2840.87 32-bit and 54.0.2840.71 64-bit, and it works every time.

I am intrigued by why you cannot repro the crash. Maybe creating 100 flashprint.swf iframes (in iframe.html) is not enough when testing on powerful machines? Maybe the Shockwave Flash version is different?

Attachments: crash windows 8 32 bits.txt (18.0 KB), crash windows 8 64 bits.txt (296 bytes)

Comment 8 by sheriffbot@chromium.org (Project Member), Feb 14 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot