Issue metadata
Security: Possible stack-based buffer overflow in Chrome version 55.00.2883.87
Reported by tristan....@gmail.com, Jan 1 2017
Issue description
Dear Security Team,
Please find below a bug report regarding a possible stack-based buffer overflow in Google Chrome.
[0x01] Problem
Possible stack-based buffer overflow in Google Chrome version 55.00.2883.87
>> Error: Unhandled exception at 0x00007FFC9E1B455C (chrome.dll) in chrome.exe:
>> Stack cookie instrumentation code detected a stack-based buffer overrun.
Note: I just had this crash and I did not check if the bug is exploitable.
[0x02] PC configuration
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.14393 N/A Build 14393
System Type: x64-based PC
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB3176936
[02]: KB3199209
[03]: KB3199986
[04]: KB3209498
[05]: KB3206632
[0x03] Chrome configuration
>> Version: 55.00.2883.87
>> DLL: C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome.dll
>> Process: chrome.exe
>> RIP at crash (chrome.dll): 0x00007FFC9E1B455C
Note: Adblock was the only installed plugin and the crash may be related to this plugin, but this issue has crashed the main (Chrome) thread.
[0x04] Debugging
Debugger's Output:
../..
The thread 0x3094 has exited with code 0 (0x0).
Unhandled exception at 0x00007FFC9E1B455C (chrome.dll) in chrome.exe: Stack cookie instrumentation code detected a stack-based buffer overrun.
All registers at crash time:
RAX = 0000000000000001
RBX = 0000000000000000
RCX = 0000000000000002
RDX = 0000000000000000
RSI = 000000E35159A200
RDI = 0000000000000000
R8 = 00007FFC9E962C1C
R9 = 000000E35159A920
R10 = 000000E35159A920
R11 = 0000000000000AF0
R12 = 000000E35159A6F0
R13 = 00007FFC9B780000
R14 = 000000E35159A920
R15 = 00007FFC9CFA5A64
RIP = 00007FFC9E1B455C
RSP = 000000E351599A60
RBP = 000000E351599C00
EFL = 00000302
[0x05] Additional files
Please find herein:
- Disassembly output
- Memory dump
- Screenshots
I have taken a complete dump of the process if you need additional information.
Please keep me posted. Thanks.
Kind regards,
Tristan Madani
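The debugger message quoted in the report ("Stack cookie instrumentation code detected a stack-based buffer overrun") is the MSVC /GS check firing: the compiler stores a per-process random cookie between a function's local buffers and its saved return address, and the epilogue compares it against the expected value before returning. The following C program is an added illustration of that mechanism and is not code from the report or from Chromium; the struct layout, the fixed cookie value and the 'A'-filled input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not Chromium code) of a /GS-protected stack frame:
 * a local buffer followed immediately by the security cookie. */
#define BUF_SIZE 16
#define COOKIE 0x2B992DDFA232ULL  /* constructed; a real cookie is random per process */

struct frame {
    unsigned char buf[BUF_SIZE];
    uint64_t cookie;              /* sits between the locals and the return address */
};

/* Copy `len` bytes into the buffer with no bounds check: the class of defect the
 * cookie is designed to catch. The write is clamped to the struct object itself
 * so the demo never touches memory outside `f`. */
static void copy_unchecked(struct frame *f, const unsigned char *src, size_t len) {
    size_t cap = sizeof(*f) - offsetof(struct frame, buf);
    if (len > cap) len = cap;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, len);
}

/* Hardened variant: the copy can never exceed the buffer. */
static void copy_checked(struct frame *f, const unsigned char *src, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(f->buf, src, len);
}

/* Epilogue check, as the compiler-inserted __security_check_cookie would do:
 * returns 1 when the cookie no longer matches, i.e. an overrun was detected. */
static int cookie_check_failed(const struct frame *f) {
    return f->cookie != COOKIE;
}

/* Run one copy of `input_len` constructed bytes through the unchecked (checked=0)
 * or checked (checked=1) routine and report whether the cookie check fires. */
int overrun_detected(size_t input_len, int checked) {
    unsigned char input[64];
    memset(input, 'A', sizeof input);          /* constructed input, not attacker data */
    if (input_len > sizeof input) input_len = sizeof input;

    struct frame f;
    f.cookie = COOKIE;                         /* prologue: store the cookie */
    if (checked) copy_checked(&f, input, input_len);
    else         copy_unchecked(&f, input, input_len);
    return cookie_check_failed(&f);            /* epilogue: verify it */
}

int main(void) {
    printf("16 bytes, unchecked copy: detected=%d\n", overrun_detected(16, 0)); /* 0: fits */
    printf("17 bytes, unchecked copy: detected=%d\n", overrun_detected(17, 0)); /* 1: one byte into the cookie */
    printf("24 bytes, unchecked copy: detected=%d\n", overrun_detected(24, 0)); /* 1: cookie fully overwritten */
    printf("24 bytes, checked copy:   detected=%d\n", overrun_detected(24, 1)); /* 0: clamped at the buffer */
    return 0;
}
```

The point for triage is in the last two lines of output: the cookie check reports the overrun only after the bad write has already happened, which is why a /GS failure is treated as a crash to be root-caused rather than proof that the defect was contained. Without an input that reproduces the write, as the thread below notes, there is little to act on.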
Jan 2 2017
Thanks for your report. Do you have an input reproducing the crash?
Jan 2 2017
Sorry, I did not reproduce the issue. Maybe we could try with targeted fuzzing?
Jan 9 2017
Thank you for providing more feedback. Adding requester "mmoroz@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 10 2017
Jan 11 2017
Sadly, there's not much we can do without a way to reproduce the issue. If you're able to find a way to do so or have any other insight into what might be causing it, please file a new bug.
Comment 1 by tristan....@gmail.com, Jan 1 2017: five attachments (11.6 KB, 11.3 KB, 10.7 KB, 10.7 KB, 10.7 KB)