Security: Heap-use-after-free in autofill::SaveCardBubbleViews::WindowClosing
Reported by chromium...@gmail.com, Jan 7 2017
Issue description

Chrome Version: 57.0.2973.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Launch two tabs
2. In the first tab visit https://dump-truck.appspot.com/usecase-address_and_cc_on_same_page/address_and_cc.html
3. Click on "Fill with default values", then click five times or... on "Submit" and close the page.
4. The autofill prompt displays again after navigation to another origin
5. Click on "Save" or "No thanks" >> Crash!

rax=000000003f800062 rbx=000000001e467700 rcx=0000000018995e40
rdx=0000000020921400 rsi=0000000018e6bf40 rdi=00000000166ced40
rip=000007fee1868477 rsp=000000000019de80 rbp=000000000019df80
 r8=0000000000000000  r9=000007fedeef0000 r10=0000000020921400
r11=000000000019dea0 r12=000000000019e000 r13=0000000000000000
r14=0000000018f673c0 r15=0000000000000001
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fedeef0000!autofill::SaveCardBubbleViews::WindowClosing+0x13:
000007fe`e1868477 ff5038          call    qword ptr [rax+38h] ds:00000000`3f80009a=????????????????

0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0019de80 000007fe`e135ef4c chrome_7fedeef0000!autofill::SaveCardBubbleViews::WindowClosing+0x13 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\views\autofill\save_card_bubble_views.cc @ 139]
00000000`0019deb0 000007fe`e137b260 chrome_7fedeef0000!views::DesktopWindowTreeHostWin::HandleDestroying+0x44 [c:\b\build\slave\win64-pgo\build\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc @ 766]
00000000`0019dee0 000007fe`e13786be chrome_7fedeef0000!views::HWNDMessageHandler::OnDestroy+0x5c [c:\b\build\slave\win64-pgo\build\src\ui\views\win\hwnd_message_handler.cc @ 1382]
00000000`0019df10 000007fe`e1379fa3 chrome_7fedeef0000!views::HWNDMessageHandler::_ProcessWindowMessage+0x5fa [c:\b\build\slave\win64-pgo\build\src\ui\views\win\hwnd_message_handler.h @ 400]
00000000`0019dfc0 000007fe`e035e3aa chrome_7fedeef0000!views::HWNDMessageHandler::OnWndProc+0xc7 [c:\b\build\slave\win64-pgo\build\src\ui\views\win\hwnd_message_handler.cc @ 914]
00000000`0019e060 000007fe`e035e3d3 chrome_7fedeef0000!gfx::WindowImpl::WndProc+0x92 [c:\b\build\slave\win64-pgo\build\src\ui\gfx\win\window_impl.cc @ 303]
*** WARNING: Unable to verify checksum for USER32.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for USER32.dll -
00000000`0019e0a0 00000000`772ac3c1 chrome_7fedeef0000!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0xf [c:\b\build\slave\win64-pgo\build\src\base\win\wrapped_window_proc.h @ 76]
00000000`0019e0f0 00000000`772aa01b USER32!GetSystemMetrics+0x2b1
00000000`0019e1b0 00000000`772aa061 USER32!IsDialogMessageW+0x19b
00000000`0019e210 00000000`773dfdf5 USER32!IsDialogMessageW+0x1e1
00000000`0019e270 00000000`7729f5ba ntdll!KiUserCallbackDispatcher+0x1f
00000000`0019e2f8 000007fe`e13795f9 USER32!DestroyWindow+0xa
00000000`0019e300 000007fe`df07c4be chrome_7fedeef0000!views::HWNDMessageHandler::CloseNow+0x25 [c:\b\build\slave\win64-pgo\build\src\ui\views\win\hwnd_message_handler.cc @ 444]
00000000`0019e330 000007fe`df9d014c chrome_7fedeef0000!base::internal::Invoker<base::internal::BindState<void (__cdecl gpu::CommandBufferProxyImpl::*)(void) __ptr64,base::WeakPtr<gpu::CommandBufferProxyImpl> >,void __cdecl(void)>::Run+0x4a [c:\b\build\slave\win64-pgo\build\src\base\bind_internal.h @ 343]
00000000`0019e370 000007fe`dffc97c2 chrome_7fedeef0000!base::internal::RunMixin<base::Callback<void __cdecl(void),0,0> >::Run+0x24 [c:\b\build\slave\win64-pgo\build\src\base\callback.h @ 68]
00000000`0019e3a0 000007fe`dff75c74 chrome_7fedeef0000!base::debug::TaskAnnotator::RunTask+0x1c2 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 54]
00000000`0019e4c0 000007fe`dff768bd chrome_7fedeef0000!base::MessageLoop::RunTask+0x294 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 422]
00000000`0019f3a0 000007fe`dffc9dc1 chrome_7fedeef0000!base::MessageLoop::DoWork+0x42d [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 523]
00000000`0019f540 000007fe`dffc99f4 chrome_7fedeef0000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0019f5b0 000007fe`dff9fff4 chrome_7fedeef0000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
Jan 9 2017

The same as for issue 679245: Doesn't crash for me on 57.0.2972.0. Could you please provide a testcase that works without user interaction? It should be easy to automate button-clicking. Thanks!
Jan 9 2017

I can't provide a testcase that works without user interaction. Sorry :(
Jan 9 2017

Similar to Issue 677936?
Jan 11 2017

I'm actually not able to reproduce this, even after following the steps in the video. The dialog doesn't seem to persist for me after changing tabs. This may still give some helpful insight into issue 677936, so I'm going to mark it as a duplicate, but I think it's best to treat this as a crash bug rather than a security vulnerability. I find it hard to believe that this could be used in a controlled way in an exploit with the amount of interaction involved.
Comment 1 by chromium...@gmail.com, Jan 7 2017

Attachment: 355 KB