New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 672847 link

Starred by 5 users
Status: Fixed
Owner:
kenrb@chromium.org
Closed: Mar 2017
Cc:
kenrb@chromium.org
dtapu...@chromium.org
creis@chromium.org
dcheng@chromium.org
nasko@chromium.org
mgiuca@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security
Team-Security-UX



Sign in to add a comment

Security: Address spoofing when switching away from tab and back

Reported by gnehs...@gmail.com, Dec 9 2016 

DESCRIPTION:
Address spoofing in Omnibox

VERSION
Chrome Version: Version 55.0.2883.75 (64-bit) stable
Operating System: Ubuntu 16.04.1 LTS

Chrome Version: Version 54.0.2840.85 stable
Operating System: Android 6.0.1

POC:

http://192.243.113.21/spoof/chrome/url1.html
Screenshot from 2016-12-09 22-59-39.png
22.6 KB View Download

Comment 1 by elawrence@chromium.org, Dec 9 2016

Components: UI>Browser>Navigation UI>Browser>Omnibox>SecurityIndicators
Status: Untriaged (was: Unconfirmed)
Thanks for reporting!

This looks like some sort of race condition in navigation. It's reproducible in the current Canary 57.2945. I end up with a few random other tabs open, but the markup shown in the screenshot does appear. I can't get script to run if I put it in the injected HTML (when I try, Amazon actually loads), but if I query the document's location via devtools, it thinks it's on Amazon. The markup appears to be inactive (I can't select the fake text, for instance).
Spoofing.png
19.3 KB View Download

Comment 2 by wrengr@chromium.org, Dec 12 2016

Labels: Security_Severity-Medium M-54 Security_Impact-Stable Pri-1
Status: Available (was: Untriaged)

Comment 3 by nasko@chromium.org, Dec 12 2016

Cc: kenrb@chromium.org creis@chromium.org nasko@chromium.org

Comment 4 by creis@chromium.org, Dec 12 2016

Cc: dcheng@chromium.org
Components: UI>Security>UrlFormatting
Owner: creis@chromium.org
Status: Assigned (was: Available)
Yes, looks like a real bug.  I can also repro in 57.0.2949.0 on Windows.  Source of the attack page is attached.

There's something strange going on in the renderer, since DevTools says document.body is null.  And yes, no way to select the text or interact with the spoofed page.

That said, there's no heavy CPU use after the spoof is visible, and the omnibox doesn't reset after switch tabs and back or hitting escape in the omnibox.  This will be worth looking at in a debugger.
spoof.html
1.2 KB View Download

Comment 5 by dcheng@chromium.org, Dec 13 2016 

I'm not able to repro, but there are various ways to end up with a null document.body: it's possible to do something like document.documentElement.removeChild(document.body).
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 13 2016

Labels: -M-54 M-55

Comment 7 by mbarbe...@chromium.org, Dec 15 2016

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows

Comment 8 by creis@chromium.org, Dec 16 2016

Cc: dtapu...@chromium.org
Owner: kenrb@chromium.org
Ok, I've narrowed this down to a simpler repro case, which is attached.  The bug is that switching away from a tab and coming back seems to break Ken's unresponsiveness timer from  issue 497588  (or rather, it somehow breaks the blank paint that happens after the timer fires).  Ken, can you take a look?

In more depth:

The attack page opens a popup and puts some content into it.  It starts navigating to amazon.com, but it interrupts that load immediately after it commits and (usually) before the first paint.  (It interrupts by navigating to URL with a 204 response: https://www.google.com/csi.)  Because amazon.com has already committed, we leave that in the address bar, but because there was no paint, the attacker's content is still there.

If you take out all the alerts, you can see Ken's unresponsiveness timer kick in after 4 seconds and paint the entire page white.  However, switching to another tab and back (which the alerts accomplish) makes the attacker's content visible again.

I strongly suspect this is also related to what's happening in  issue 648117 , but I haven't verified that yet.

I'm also CC'ing dtapuska@, because this reliably shows an unresponsiveness dialog after 30 seconds when visited in a Linux debug build, despite the fact that the other tab in the same process is responsive.  I suspect this is one way to get to issue 615090, where the renderer is killed for being unresponsive when it isn't, perhaps due to a missing ack somewhere.  (Note that I'm not seeing that dialog on Windows Canary.)
spoof-simplified.html
1.1 KB View Download
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 24 2016 

kenrb: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by creis@chromium.org, Jan 3 2017

Status: Started (was: Assigned)
Summary: Security: Address spoofing when switching away from tab and back (was: Security: Address spoofing in Omnibox)
Ken has started looking.  We're wondering if something is holding onto the old image after EvictDelegatedFrame is called, but he hasn't found anything yet.  So far, it's unclear how the old image comes back after we clear it in the unresponsiveness timer.

He said there's no new compositor frame coming up from the renderer, so perhaps there's something in the Surfaces code that keeps it around.  We'll keep looking.
Project Member

Comment 11 by sheriffbot@chromium.org, Jan 26 2017

Labels: -M-55 M-56
Project Member

Comment 12 by bugdroid1@chromium.org, Mar 3 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/efd1189a0b3febada2bceb4c037fff1718306a3a

commit efd1189a0b3febada2bceb4c037fff1718306a3a
Author: kenrb <kenrb@chromium.org>
Date: Fri Mar 03 14:44:13 2017

Discard compositor frames from unloaded web content

After a navigation commits, it is still possible for the compositor to
resend a frame that draws the previous (now unloaded) page. In some
situations this works against the browser process' new content
rendering timer that attempts to clear a page after 4 seconds if a
navigation has committed but not yet painted in that time.

This CL adds a counter called content_source_id to that increments on
every non-same-page navigation commit under a given top-level
RenderWidget. It tags the CompositorFrameMetadata with this identifier,
and also sends it to the browser process with the
DidCommitProvisionaLoad IPC message. This enables the browser to
recognize compositor frames with stale IDs, corresponding to unloaded
pages.

BUG= 672847 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2707243005
Cr-Commit-Position: refs/heads/master@{#454578}

[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/ipc/compositor_frame_metadata.mojom
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/ipc/compositor_frame_metadata_struct_traits.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/ipc/compositor_frame_metadata_struct_traits.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/ipc/struct_traits_unittest.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/output/compositor_frame_metadata.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_host.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_host.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_impl.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/cc/trees/layer_tree_impl.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/common/frame_messages.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/renderer/gpu/render_widget_compositor.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/renderer/gpu/render_widget_compositor.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/renderer/render_widget.cc
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/renderer/render_widget.h
[modify] https://crrev.com/efd1189a0b3febada2bceb4c037fff1718306a3a/content/test/test_render_view_host.h

Comment 13 by kenrb@chromium.org, Mar 3 2017

Status: Fixed (was: Started)
Project Member

Comment 14 by bugdroid1@chromium.org, Mar 4 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cee456faba216e014f2ce2ded37e2cde5fc19cfd

commit cee456faba216e014f2ce2ded37e2cde5fc19cfd
Author: sclittle <sclittle@chromium.org>
Date: Sat Mar 04 00:57:08 2017

Revert of Discard compositor frames from unloaded web content (patchset #11 id:200001 of https://codereview.chromium.org/2707243005/ )

Reason for revert:
It looks like this broke the MSAN bot:

https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20MSAN

https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20MSAN/builds/731

Original issue's description:
> Discard compositor frames from unloaded web content
>
> After a navigation commits, it is still possible for the compositor to
> resend a frame that draws the previous (now unloaded) page. In some
> situations this works against the browser process' new content
> rendering timer that attempts to clear a page after 4 seconds if a
> navigation has committed but not yet painted in that time.
>
> This CL adds a counter called content_source_id to that increments on
> every non-same-page navigation commit under a given top-level
> RenderWidget. It tags the CompositorFrameMetadata with this identifier,
> and also sends it to the browser process with the
> DidCommitProvisionaLoad IPC message. This enables the browser to
> recognize compositor frames with stale IDs, corresponding to unloaded
> pages.
>
> BUG= 672847 
> CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_site_isolation
>
> Review-Url: https://codereview.chromium.org/2707243005
> Cr-Commit-Position: refs/heads/master@{#454578}
> Committed: https://chromium.googlesource.com/chromium/src/+/efd1189a0b3febada2bceb4c037fff1718306a3a

TBR=enne@chromium.org,creis@chromium.org,danakj@chromium.org,kenrb@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 672847 

Review-Url: https://codereview.chromium.org/2730203002
Cr-Commit-Position: refs/heads/master@{#454732}

[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/ipc/compositor_frame_metadata.mojom
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/ipc/compositor_frame_metadata_struct_traits.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/ipc/compositor_frame_metadata_struct_traits.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/ipc/struct_traits_unittest.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/output/compositor_frame_metadata.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_host.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_host.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_impl.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/cc/trees/layer_tree_impl.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/common/frame_messages.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/renderer/gpu/render_widget_compositor.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/renderer/gpu/render_widget_compositor.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/renderer/render_widget.cc
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/renderer/render_widget.h
[modify] https://crrev.com/cee456faba216e014f2ce2ded37e2cde5fc19cfd/content/test/test_render_view_host.h
Project Member

Comment 15 by sheriffbot@chromium.org, Mar 4 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by awhalley@chromium.org, Mar 5 2017

Labels: -M-56 reward-topanel Merge-Request-58 M-58
Project Member

Comment 17 by sheriffbot@chromium.org, Mar 5 2017

Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by kenrb@chromium.org, Mar 6 2017

Labels: -Restrict-View-SecurityNotify -Merge-Review-58 Restrict-View-SecurityTeam
Status: Started (was: Fixed)
Project Member

Comment 19 by bugdroid1@chromium.org, Mar 6 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34

commit 5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34
Author: kenrb <kenrb@chromium.org>
Date: Mon Mar 06 21:06:01 2017

(Reland) Discard compositor frames from unloaded web content

This is a reland of https://codereview.chromium.org/2707243005/ with a
small change to fix an uninitialized memory error that fails on MSAN
bots.

BUG= 672847 
TBR=danakj@chromium.org, creis@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2731283003
Cr-Commit-Position: refs/heads/master@{#454954}

[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/ipc/compositor_frame_metadata.mojom
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/ipc/compositor_frame_metadata_struct_traits.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/ipc/compositor_frame_metadata_struct_traits.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/ipc/struct_traits_unittest.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/output/compositor_frame_metadata.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_host.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_host.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_impl.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/cc/trees/layer_tree_impl.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/common/frame_messages.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/renderer/gpu/render_widget_compositor.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/renderer/gpu/render_widget_compositor.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/renderer/render_widget.cc
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/renderer/render_widget.h
[modify] https://crrev.com/5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34/content/test/test_render_view_host.h
Project Member

Comment 20 by sheriffbot@chromium.org, Mar 7 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by kenrb@chromium.org, Mar 8 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 22 by awhalley@chromium.org, Mar 13 2017

Labels: -Hotlist-Merge-Review

Comment 23 by awhalley@chromium.org, Mar 13 2017

Labels: -reward-topanel reward-unpaid reward-2000

Comment 24 by awhalley@chromium.org, Mar 13 2017 

Nice one!  The VRP panel decided to award $2,000 for this bug.

Comment 25 by awhalley@chromium.org, Mar 15 2017

Labels: -reward-unpaid reward-inprocess

Comment 26 by kenrb@chromium.org, Apr 3 2017 

I had cleared merge labels for this, perhaps in error. A merge has been approved anyway on  bug 648117 , which happens to be also fixed by this CL, so it is going into the M58 branch anyway.
Project Member

Comment 27 by bugdroid1@chromium.org, Apr 3 2017

Labels: merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728

commit 5aa9a4a70f65068dcc5d8b84ca42cb05fb380728
Author: Ken Buchanan <kenrb@chromium.org>
Date: Mon Apr 03 15:21:16 2017

(Reland) Discard compositor frames from unloaded web content

This is a reland of https://codereview.chromium.org/2707243005/ with a
small change to fix an uninitialized memory error that fails on MSAN
bots.

BUG= 672847 , 648117 
TBR=danakj@chromium.org, creis@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2731283003
Cr-Commit-Position: refs/heads/master@{#454954}
(cherry picked from commit 5d78b84d39bd34bc9fce9d01c0dcd5a22a330d34)

Review-Url: https://codereview.chromium.org/2793013002 .
Cr-Commit-Position: refs/branch-heads/3029@{#547}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/cc_param_traits_macros.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata.mojom
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata_struct_traits.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/compositor_frame_metadata_struct_traits.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/ipc/struct_traits_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/output/compositor_frame_metadata.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/cc/trees/layer_tree_impl.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/common/frame_messages.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/gpu/render_widget_compositor.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/gpu/render_widget_compositor.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_widget.cc
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/renderer/render_widget.h
[modify] https://crrev.com/5aa9a4a70f65068dcc5d8b84ca42cb05fb380728/content/test/test_render_view_host.h

Comment 28 by awhalley@google.com, Apr 18 2017

Labels: Release-0-M58

Comment 29 by awhalley@chromium.org, Apr 19 2017

Labels: CVE-2017-5061

Comment 30 by kenrb@chromium.org, Apr 21 2017 

 Issue 712024  has been merged into this issue.
Project Member

Comment 31 by sheriffbot@chromium.org, Jun 14 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment