
Issue 675581


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: null pointer in last Chromium version

Reported by vvva...@gmail.com, Dec 19 2016

Issue description


VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 55.0.2883.75  
Operating System: Windows

REPRODUCTION CASE
This vulnerability is very strange, to me.
To begin, open Gmail and press the New Message button.
Write this text: Hi, AAAA. Then this text needs to be changed to bold, italic and underlined (gmail message.png)
The original HTML has this form. (gmail.png)
Open Word, write AAAA and apply the same transformation. (word.png)
After this, copy it and replace Gmail's AAAA text.

```
0:000> g
(2a34.25e4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=30ae9eb8 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=548ab374 esp=0046da4c ebp=0046da60 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!ovly_debug_event+0x1e374:
548ab374 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
```
See the video (google chrome.mp4).




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: chrome_child!ovly_debug_event+0x1e374:
             548ab374 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????

Attachments:
gmail message.png (10.9 KB)
word.png (3.0 KB)
gmail.png (89.5 KB)
google chrome.mp4 (1.2 MB)
9f2a571b-33c9-47e6-a029-49cfb1219d41.dmp (575 KB)
7a34c5ba-9264-43b0-a0ea-177a2c430c4b.dmp (621 KB)

Comment 1 by vvva...@gmail.com, Dec 19 2016

Attachment: PoC.docx (11.6 KB)

Comment 2 Deleted

Comment 3 by vvva...@gmail.com, Dec 19 2016

stack
```
0039D5DC  0FE0A876  sub_FE0A862+14
0039D5E0  3966E65C  debug1421:3966E65C
0039D5E4  3966E5A0  debug1421:3966E5A0
```

Comment 4 by vvva...@gmail.com, Dec 19 2016

```
.text:0FE0B374 sub_FE0B374 proc near                   ; CODE XREF: sub_FE0A115+15p
.text:0FE0B374                                         ; sub_FE0A209+3Dp ...
.text:0FE0B374 mov     eax, [ecx] //ecx = 00000000
.text:0FE0B376 call    dword ptr [eax+78h]
.text:0FE0B379 neg     eax
.text:0FE0B37B sbb     eax, eax
.text:0FE0B37D neg     eax
.text:0FE0B37F retn
.text:0FE0B37F sub_FE0B374 endp
```

Comment 5 by vvva...@gmail.com, Dec 19 2016

Is it not a use-after-free?

```
BOOL __thiscall sub_FD31C51(void *this)
{
  return (*(int (**)(void))(*(_DWORD *)this + 120))() != 0;
}
```
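As an added triage example (not part of this issue and not Chromium tooling), the Python script below parses a WinDbg-style access-violation dump like the one in the description, evaluates the effective address of the faulting memory operand from the register dump, and classifies the fault as a null-pointer dereference when that address falls in the reserved low 64 KiB of the Windows user address space, which is exactly what `mov eax,dword ptr [ecx]` with `ecx=00000000` shows. It also extracts the vtable slot from the following `call dword ptr [eax+78h]` in Comment 4 (0x78 / 4 = slot 30 with 32-bit pointers); read together with the decompilation in Comment 5, where `neg / sbb / neg` is the `!= 0` normalization, the sequence is a virtual call whose object pointer is null rather than a pointer into freed memory, which is the distinction behind the question above. The register values in `SAMPLE_CRASH` are copied from the report; `SAMPLE_WILD`, `NULL_PAGE` and all function names are this example's own constructions.

```python
import re

# Constructed sample input, modelled on the WinDbg output quoted in the report
# (register values copied from it; not a new capture).
SAMPLE_CRASH = """\
(2a34.25e4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=30ae9eb8 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=548ab374 esp=0046da4c ebp=0046da60 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_child!ovly_debug_event+0x1e374:
548ab374 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
"""

# Second constructed sample: a non-null wild pointer read, for contrast.
SAMPLE_WILD = """\
(1234.5678): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=30ae9eb8 ecx=41414140 edx=00000000 esi=00000000 edi=00000000
eip=548ab374 esp=0046da4c ebp=0046da60 iopl=0         nv up ei pl zr na pe nc
548ab374 8b01            mov     eax,dword ptr [ecx]  ds:002b:41414140=????????
"""

# 32-bit general registers as WinDbg prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p|ip))=([0-9a-f]{8})\b")
# Faulting instruction line: address, opcode bytes, mnemonic, operands,
# optionally followed by the debugger's own "ds:002b:<target>=<value>" annotation.
INSN_RE = re.compile(
    r"^(?P<ip>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
    r"(?:\s+[a-z]s:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=\S+)?\s*$",
    re.M,
)
MEM_RE = re.compile(r"\[([^\]]+)\]")
# Windows never maps the lowest 64 KiB of user space; a fault there is a null
# pointer (plus a small field offset), not a wild or dangling pointer.
NULL_PAGE = 0x10000


def parse_registers(text):
    """Return {name: value} for the general registers found in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def effective_address(operand, regs):
    """Evaluate a MASM-style operand such as 'ecx' or 'eax+78h' (base[+index*scale][+disp])."""
    total = 0
    for term in operand.replace(" ", "").split("+"):
        m = re.fullmatch(r"(e(?:[abcd]x|[sd]i|[bs]p))(?:\*([1248]))?", term)
        if m:
            total += regs[m.group(1)] * int(m.group(2) or 1)
        else:
            total += int(term.rstrip("hH"), 16)  # hex displacement, MASM 'h' suffix
    return total & 0xFFFFFFFF


def triage(dump):
    """Classify the faulting memory access described by a WinDbg dump."""
    regs = parse_registers(dump)
    insn = INSN_RE.search(dump)
    if not insn:
        raise ValueError("no faulting instruction line found")
    mem = MEM_RE.search(insn.group("ops"))
    if not mem:
        raise ValueError("faulting instruction has no memory operand")
    ea = effective_address(mem.group(1), regs)
    # Cross-check against the address the debugger itself reports, when present.
    if insn.group("target") and int(insn.group("target"), 16) != ea:
        raise ValueError("computed address disagrees with the debugger annotation")
    kind = "null-pointer dereference" if ea < NULL_PAGE else "invalid pointer access"
    return {
        "eip": int(insn.group("ip"), 16),
        "mnemonic": insn.group("mnem"),
        "operand": mem.group(1),
        "address": ea,
        "kind": kind,
    }


def vtable_slot_of_call(insn, ptr_size=4):
    """For 'call dword ptr [eax+78h]' return the vtable slot index (0x78 / 4 = 30), else None."""
    m = re.search(r"call\s+dword\s+ptr\s+\[\w+\+([0-9a-fA-F]+)h?\]", insn)
    return int(m.group(1), 16) // ptr_size if m else None


if __name__ == "__main__":
    for label, dump in (("report", SAMPLE_CRASH), ("wild", SAMPLE_WILD)):
        r = triage(dump)
        print(f"{label}: {r['kind']} at 0x{r['address']:08x} via [{r['operand']}] in {r['mnemonic']}")
    print("vtable slot called next:", vtable_slot_of_call("call    dword ptr [eax+78h]"))
```

The null-page check is the same heuristic a crash triager applies by eye: a read at an address below 0x10000 means the base pointer was zero and the code dereferenced it (here at offset 0, the vtable pointer), which is a reliability bug but does not give an attacker control over what is read, unlike a pointer into reused heap memory.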

Comment 6 by vvva...@gmail.com, Dec 19 2016

Now I am trying to compile Chrome on Linux to get more information about the crash.

Cc: mbarbe...@chromium.org
Status: WontFix (was: Unconfirmed)
Due to the amount of specific user interaction involved, it's unlikely we'd treat this as a security bug. I'm also having quite a bit of trouble reproducing this.

If you're able to provide a crash report id (from chrome://crashes if you have crash reporting enabled) or a simpler reproduction case, I can take another look.

Comment 8 by vvva...@gmail.com, Dec 19 2016

Yes, now I'm trying to write another reproduction case.

Comment 9 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
