Security: crash use-after-free with credit cards permission request
Reported by
jackwill...@gmail.com,
Jan 18 2017
Issue description

Chromium 57.0.2986.0 - Windows 7

1. Open the testcase.html
2. Multi clicks on "submit" button to get multi bubbles requested as in 1.png
3. Open another tab and close the previous tab "testcase.html" (you will note the bubbles stay open after navigation to another origin as in 2.png).
4. Click on "No Thanks"
,
Jan 18 2017
Do you have the Server ID of the Crash, as seen on chrome://crashes?
,
Jan 18 2017
I can't reproduce the crash on Linux, M55, FWIW. I do see that the bubble(s) stay open after navigation to a different site, though.
,
Jan 18 2017
Crash ID: 6e79baeb-7223-4684-a6c1-66bece689fb2
,
Jan 18 2017
palmer@, when you tried to repro the crash did you close the testcase.html? Now I don't have a machine with Linux to see if this crash repros on Linux. :(
,
Jan 19 2017
To be clear, we need the ServerID field from chrome://crashes; the client GUID is not useful as far as I know. This is the second report of this repro with these steps; I can't seem to find the other reported in the last few weeks.
,
Jan 19 2017
Ah, Issue 679125 is the one I was thinking of. It sounds similar, but isn't identical.
,
Jan 23 2017
I cannot get the serverID from chrome://crashes.
,
Jan 23 2017
Can you explain further? Have you enabled upload of crash reports by ticking the "Automatically send usage statistics and crash reports" box inside chrome://settings/search#crash ? Thanks!
,
Jan 23 2017
Double check on "Automatically send usage statistics and crash reports" (enabled).
,
Jan 23 2017
As you can see on the video above I can reproduce the crash easily.
,
Jan 23 2017
Have you clicked the "Envoyer maintenant" link on the crash reporting page? This /should/ trigger the upload process and (possibly after a short delay) a refresh of the page should provide the crash report ID.
,
Jan 23 2017
I've tried many times but I couldn't get any ServerID :(
,
Jan 30 2017
I am able to consistently repro a similar-but-not-identical crash on Mac (58.0.2996.0) as follows:

1.) Open a tab to any page.
2.) Open a second tab and navigate to the testcase.html file attached to the report.
3.) Submit the form to trigger the save credit card bubble.
4.) Press Cmd+w to close the tab. Browser crashes.

My crash report is at crash/de04d16680000000.

I also see a couple of SaveCardBubbleControllerImpl crash reports and bugs:
- issue 649840
- issue 665907
- Also see crash link: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%20LIKE%20%27autofill%3A%3ASaveCardBubbleControllerImpl%25%27&ignore_case=false&enable_rewrite=false&omit_field_name=&omit_field_value=&omit_field_opt=

mathp, can you take a look or help triage? SaveCardBubbleControllerImpl might have some lifetime issues that are causing multiple crashes.

(Tentatively assigning low severity. Without a stack trace, it's not clear if it's exploitable, but if it is, the user interaction involved probably makes it low or medium severity at highest.)
,
Feb 1 2017
Thanks Emily. Over to Roger. Agree that it looks like bad cleanup.
,
Mar 11 2017
Bump, this needs to be addressed.
,
Apr 11 2017
I don't repro this anymore!
,
Sep 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot