Email Subject: ZDI-CAN-4429: New Vulnerability Report
Reported by
zdi-disc...@hp.com,
Jan 24 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce the problem:

ZDI-CAN-4429: Google Chrome List Item Marker Type Confusion Remote Code Execution Vulnerability

-- CVSS -----------------------------------------
6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Google Chrome

-- VULNERABILITY DETAILS ------------------------
* Version Tested: Chrome 55.0.2883.87 m (64-bit) and Chromium (commit fd58ca0775c71238123c04453aca6b711e8ed6d8)
* Platform Tested: Windows 10 Enterprise 14393.447 (64-bit)

Type confusion in Blink. An object of type blink::LayoutListMarker is treated as an object of type blink::LayoutText. As a result, a pointer at offset +0x90 from the start of the blink::LayoutListMarker is dereferenced and an integer at the resulting address is incremented. The data at offset +0x90 can be effectively controlled from a malicious webpage by setting the dimensions of an element.

Debug log, for release version of Chrome 55.0.2883.87 m (64-bit):
```
(1208.1494): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll - 
chrome_child!ovly_debug_event+0x3c27a1:
00007ffb`93950a61 ff03            inc     dword ptr [rbx] ds:0000dead`0000beef=????????
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`937ad686 : 000001e7`00000000 000002cf`86068000 00000158`af6e2518 00000000`00000006 : chrome_child!ovly_debug_event+0x3c27a1
01 00007ffb`935be3b1 : 00000000`00000000 00000380`15c04000 0000000b`bd35cf40 0000000b`bd35cd00 : chrome_child!ovly_debug_event+0x21f3c6
02 00007ffb`9394fb75 : 0000000b`00000000 0000000b`bd35cf40 00000158`af6e34b8 00000158`af6e34b8 : chrome_child!ovly_debug_event+0x300f1
03 00007ffb`9394f561 : 00000158`af6e34b8 0000000b`bd35cf00 00007ffb`00000000 0000000b`bd35cf40 : chrome_child!ovly_debug_event+0x3c18b5
04 00007ffb`93952797 : 00000158`af6e26c0 0000000b`bd35cfe0 00000000`00000000 00000000`00000000 : chrome_child!ovly_debug_event+0x3c12a1
05 00007ffb`93de98d7 : 00000158`00000000 00000158`af6e34b8 0000000b`bd35d0d0 00007ffb`93a0d0d1 : chrome_child!ovly_debug_event+0x3c44d7
06 00007ffb`93de982d : 000001e7`00000000 000001e7`b56d4fb0 00000000`0000c350 000001e7`b7b4a558 : chrome_child!ChromeMain+0x2b450b
07 00007ffb`936969fe : 0000000b`bd35d218 00007ffb`96c5af5e 000001e7`00000001 00000000`00000000 : chrome_child!ChromeMain+0x2b4461
08 00007ffb`936967fa : 000001e7`b7b4a538 000002f7`4bba6bc9 000001e7`b56d4fb0 0000011e`63a82351 : chrome_child!ovly_debug_event+0x10873e
09 00007ffb`938b6180 : 0000000b`bd35d3b0 000001e7`b56d4fb0 000001e7`b7b4a538 000001e7`b56d5018 : chrome_child!ovly_debug_event+0x10853a
0a 00007ffb`9369634b : 00000000`00000000 00000000`00000000 00000000`00000000 000001e7`b7b4a538 : chrome_child!ovly_debug_event+0x327ec0
0b 00007ffb`935cc4d3 : 00000000`00000001 000001e7`b7b4a530 0000000b`bd35d6a0 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x10808b
0c 00007ffb`9369645b : 00000000`00000001 00000000`00000001 0000000b`bd35d9b0 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x3e213
0d 00007ffb`93695ca6 : 00007ffb`93695b88 0000000b`bd35d9b8 0000000b`bd35d9b8 0000000b`bd35d9b0 : chrome_child!ovly_debug_event+0x10819b
0e 0000034b`e34843ab : 00007ffb`93695b88 00000386`6d4fe191 0000011e`63a841f9 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x1079e6
0f 00007ffb`93695b87 : 00000386`6d4fe191 0000011e`63a841f9 000001e7`b56d4fb0 0000034b`e358875b : 0x0000034b`e34843ab
10 0000000b`bd35d9d0 : 0000034b`e3599b35 00000013`e3b889d9 0000001a`00000000 00000386`6d4b5479 : chrome_child!ovly_debug_event+0x1078c7
11 0000034b`e3599b35 : 00000013`e3b889d9 0000001a`00000000 00000386`6d4b5479 000002f7`4bba6bc9 : 0x0000000b`bd35d9d0
12 00000013`e3b889d9 : 0000001a`00000000 00000386`6d4b5479 000002f7`4bba6bc9 00000013`e3b860e1 : 0x0000034b`e3599b35
13 0000001a`00000000 : 00000386`6d4b5479 000002f7`4bba6bc9 00000013`e3b860e1 00000386`6d4fe191 : 0x00000013`e3b889d9
14 00000386`6d4b5479 : 000002f7`4bba6bc9 00000013`e3b860e1 00000386`6d4fe191 0000000b`bd35da00 : 0x0000001a`00000000
15 000002f7`4bba6bc9 : 00000013`e3b860e1 00000386`6d4fe191 0000000b`bd35da00 0000034b`e3485d15 : 0x00000386`6d4b5479
16 00000013`e3b860e1 : 00000386`6d4fe191 0000000b`bd35da00 0000034b`e3485d15 000002f7`4bba23a1 : 0x000002f7`4bba6bc9
17 00000386`6d4fe191 : 0000000b`bd35da00 0000034b`e3485d15 000002f7`4bba23a1 00000001`00000000 : 0x00000013`e3b860e1
18 0000000b`bd35da00 : 0000034b`e3485d15 000002f7`4bba23a1 00000001`00000000 00000013`e3b860e1 : 0x00000386`6d4fe191
19 0000034b`e3485d15 : 000002f7`4bba23a1 00000001`00000000 00000013`e3b860e1 0000000e`00000000 : 0x0000000b`bd35da00
1a 000002f7`4bba23a1 : 00000001`00000000 00000013`e3b860e1 0000000e`00000000 0000000b`bd35da38 : 0x0000034b`e3485d15
1b 00000001`00000000 : 00000013`e3b860e1 0000000e`00000000 0000000b`bd35da38 0000034b`e34d40c4 : 0x000002f7`4bba23a1
1c 00000013`e3b860e1 : 0000000e`00000000 0000000b`bd35da38 0000034b`e34d40c4 000002f7`4bba65f9 : 0x00000001`00000000
1d 0000000e`00000000 : 0000000b`bd35da38 0000034b`e34d40c4 000002f7`4bba65f9 000002f7`4bba23a1 : 0x00000013`e3b860e1
1e 0000000b`bd35da38 : 0000034b`e34d40c4 000002f7`4bba65f9 000002f7`4bba23a1 00000013`e3b860e1 : 0x0000000e`00000000
1f 0000034b`e34d40c4 : 000002f7`4bba65f9 000002f7`4bba23a1 00000013`e3b860e1 0000034b`e34d3fe1 : 0x0000000b`bd35da38
20 000002f7`4bba65f9 : 000002f7`4bba23a1 00000013`e3b860e1 0000034b`e34d3fe1 0000000c`00000000 : 0x0000034b`e34d40c4
21 000002f7`4bba23a1 : 00000013`e3b860e1 0000034b`e34d3fe1 0000000c`00000000 0000000b`bd35db50 : 0x000002f7`4bba65f9
22 00000013`e3b860e1 : 0000034b`e34d3fe1 0000000c`00000000 0000000b`bd35db50 0000034b`e34ad495 : 0x000002f7`4bba23a1
23 0000034b`e34d3fe1 : 0000000c`00000000 0000000b`bd35db50 0000034b`e34ad495 00000000`00000000 : 0x00000013`e3b860e1
24 0000000c`00000000 : 0000000b`bd35db50 0000034b`e34ad495 00000000`00000000 00000000`00000000 : 0x0000034b`e34d3fe1
25 0000000b`bd35db50 : 0000034b`e34ad495 00000000`00000000 00000000`00000000 00000001`00000000 : 0x0000000c`00000000
26 0000034b`e34ad495 : 00000000`00000000 00000000`00000000 00000001`00000000 00000000`00000000 : 0x0000000b`bd35db50
27 00000000`00000000 : 00000000`00000000 00000001`00000000 00000000`00000000 00000000`00000000 : 0x0000034b`e34ad495
0:000> lmvm chrome
Browse full module list
start             end                 module name
00007ff6`ac550000 00007ff6`ac665000   chrome     (deferred)
    Image path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Image name: chrome.exe
    Browse all global symbols  functions  data
    Timestamp:        Wed Dec 07 22:02:34 2016 (5848DB5A)
    CheckSum:         00117A43
    ImageSize:        00115000
    File version:     55.0.2883.87
    Product version:  55.0.2883.87
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_exe
    OriginalFilename: chrome.exe
    ProductVersion:   55.0.2883.87
    FileVersion:      55.0.2883.87
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2016 Google Inc. All rights reserved.
0:000> !gflag
Current NtGlobalFlag contents: 0x00000000
0:000> vertarget
Windows 10 Version 14393 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernelbase.dll version: 10.0.14393.321 (rs1_release_inmarket.161004-2338)
Machine Name:
Debug session time: Fri Dec 23 10:48:12.346 2016 (UTC - 6:00)
System Uptime: 0 days 8:08:12.463
Process Uptime: 0 days 0:00:50.639
  Kernel time: 0 days 0:00:00.015
  User time: 0 days 0:00:00.234
```
See Debug log 2.txt for a more detailed log on a debug build.

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
SkyLined working with Trend Micro's Zero Day Initiative

-- FURTHER DETAILS ------------------------------
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch.

Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code.
Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Please contact us for further details or refer to:
http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

What is the expected behavior?

What went wrong?
ZDI-CAN-4429: Google Chrome List Item Marker Type Confusion Remote Code Execution Vulnerability (see the report above)

Did this work before? N/A

Chrome version: 55.0.2883.87 m (release), 56.0.2899.0 canary
Channel: stable
OS Version: Windows 10 Enterprise 14393.447 (64-bit)
Flash Version:
Jan 25 2017
Thanks for the report. +eae - can you triage this please?
Jan 25 2017
This is bad. Do you have cycles to tackle this kojii?
Jan 25 2017
The crash doesn't reproduce for me nor for clusterfuzz. Can someone advise what to do in such a case? Change the bug to a non-security, normal bug? I'll look into this anyway, details below, but advice is appreciated from the bug process point of view.

We're doing something wrong here anyway; if I click, we hit a DCHECK() in VisibleUnits, saying the layout tree for the first letter is constructed unexpectedly. And the test case looks familiar to me, probably the same root cause as issue 675117. I'm discussing with rune@ and cbiesinger@ in crrev.com/2650583003.
Jan 25 2017
If you're sure the bug is fixed in HEAD, then we can unrestrict the bug. However, it's still a security bug up until we verify that there is a fix. Otherwise, if you determine it's the same cause as issue 675117 we can merge this into that one. :)
Jan 25 2017
Ah, wait, I can reproduce now. I was using content-shell, but this needs Chromium to reproduce.
Jan 25 2017
Or add:
<script>
  if (window.testRunner)
    testRunner.dumpAsText();
</script>
and run content-shell with "--run-layout-test" option.
Jan 25 2017
Issue 675117 is creating a bad layout tree for ::first-letter. Editing code assumes the first child of ::first-letter is LayoutText. This bug is a combination of the two. Talked with yosin@, I think we should add a release assertion to the editing code first to turn this issue into a normal crash.
Jan 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e29607bd33d91db8c58127eb6469fca2ad22c16a

commit e29607bd33d91db8c58127eb6469fca2ad22c16a
Author: kojii <kojii@chromium.org>
Date: Wed Jan 25 09:26:53 2017

Check isText() when editing traverses layout tree for ::first-letter

This patch checks isText() before toLayoutText() when editing traverses layout trees for ::first-letter pseudo elements.

Normally, the first child of ::first-letter pseudo element is LayoutText. This patch checks if the assumption stands.

BUG= 684684
Review-Url: https://codereview.chromium.org/2650953004
Cr-Commit-Position: refs/heads/master@{#445986}

[modify] https://crrev.com/e29607bd33d91db8c58127eb6469fca2ad22c16a/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
[modify] https://crrev.com/e29607bd33d91db8c58127eb6469fca2ad22c16a/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp
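An added illustration of the pattern the commit above changes; this is a constructed model, not Chromium's code, and LayoutObject, LayoutText and LayoutListMarker here are simplified stand-ins for the Blink classes. The editing traversal assumed the first child of ::first-letter is a LayoutText and cast to it without a runtime check; the fix tests isText() first. Blink's fix fails a release CHECK() on the bad tree, whereas this model returns nullptr at that point so the outcome can be observed.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for blink::LayoutObject with the isText() predicate.
struct LayoutObject {
  std::vector<std::unique_ptr<LayoutObject>> children;
  virtual ~LayoutObject() = default;
  virtual bool isText() const { return false; }
  LayoutObject* firstChild() const {
    return children.empty() ? nullptr : children.front().get();
  }
  void appendChild(std::unique_ptr<LayoutObject> child) {
    children.push_back(std::move(child));
  }
};

// Stand-in for blink::LayoutText: the object the editing code expects to
// find as the first child of a ::first-letter pseudo element.
struct LayoutText : LayoutObject {
  std::string text;
  explicit LayoutText(std::string t) : text(std::move(t)) {}
  bool isText() const override { return true; }
};

// Stand-in for blink::LayoutListMarker. Its fields differ from LayoutText's,
// so reading it through a LayoutText* reads unrelated data (in the report, a
// pointer at +0x90 that a page could steer by sizing an element).
struct LayoutListMarker : LayoutObject {
  int64_t markerWidth = 0;
  int64_t markerHeight = 0;
};

// Pre-fix pattern: toLayoutText() with no runtime type check. Correct only
// while the caller's assumption holds; on the confused tree below it is
// undefined behaviour, so main() never calls it on that tree.
const LayoutText* firstLetterTextUnchecked(const LayoutObject* pseudo) {
  return static_cast<const LayoutText*>(pseudo->firstChild());
}

// Post-fix pattern: test isText() before the cast. Blink's fix fails a
// release CHECK() here; this model returns nullptr instead.
const LayoutText* firstLetterTextChecked(const LayoutObject* pseudo) {
  const LayoutObject* child = pseudo->firstChild();
  if (!child || !child->isText())
    return nullptr;
  return static_cast<const LayoutText*>(child);
}

// Text of the first-letter child, or "" when the checked lookup rejects it.
std::string firstLetterString(const LayoutObject* pseudo) {
  const LayoutText* text = firstLetterTextChecked(pseudo);
  return text ? text->text : std::string();
}

// ::first-letter wrapping a LayoutText: the tree the editing code assumes.
std::unique_ptr<LayoutObject> buildNormalFirstLetter() {
  auto pseudo = std::make_unique<LayoutObject>();
  pseudo->appendChild(std::make_unique<LayoutText>("H"));
  return pseudo;
}

// The shape this bug produced: a list marker as the first child of
// ::first-letter (constructed to model the report, not produced by layout).
std::unique_ptr<LayoutObject> buildConfusedFirstLetter() {
  auto pseudo = std::make_unique<LayoutObject>();
  pseudo->appendChild(std::make_unique<LayoutListMarker>());
  return pseudo;
}

int main() {
  auto normal = buildNormalFirstLetter();
  auto confused = buildConfusedFirstLetter();
  bool ok = firstLetterTextUnchecked(normal.get())->text == "H" &&
            firstLetterString(normal.get()) == "H" &&
            firstLetterTextChecked(confused.get()) == nullptr;
  return ok ? 0 : 1;
}
```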
Jan 26 2017
Please correct me if my way to handle this bug is not good -- I'm just not familiar, asked around.

With the fix in #9:
* This bug has turned into a normal crash bug.
* Locally reproduced and confirmed the fix.
* Clusterfuzz says the original report is not reproducible.
* The root cause (that leads to the crash) isn't fixed yet.

The process I'm thinking I should take is:
1. I'm marking this as Fixed.
2. I will add Merge-Request labels a few days after the Canary release, up to M55.
3. When all merges are done and releases are updated, file a regular bug to fix the root cause.

Please let me know if there were any.
Jan 27 2017
The analysis of the root cause.

1. The root cause of this bug is that editing code traverses ::first-letter by itself, without doing enough type checks or using existing functions in FirstLetterPseudoElement. This is filed as issue 685520.

2. CSS building an incorrect layout tree is also a problem. This is triggered by:
   ::first-line { display: flex; }
   ::first-letter { float: left }
   While this looks similar to issue 675117, this is a different case because the fix for issue 675117 uses style(firstLine=false) to check the block container, so it will not fix this.

2.1. We could fix this by using style(firstLine=true), but the spec says the 'display' property does not apply to ::first-line. So I think ::first-line { display: flex; } causing a different layout tree is problematic here. Filed issue 685925.

2.2. Logically speaking, when ::first-letter checks its style, it should use style(firstLine=true), but given we do so to check the 'display' property, and given the spec saying so, I guess this change is not necessary. Issue not filed for this.
Mar 17 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 20 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 21 2017
This fix seems to have landed before the branch:
$ git-find-releases e29607bd33d91db8c58127eb6469fca2ad22c16a
commit e29607bd33d91db8c58127eb6469fca2ad22c16a was:
  initially in 58.0.2993.0
Mar 22 2017
Externally reported high severity bug impacting Stable. Bake time in Dev: 47 days. Bake time in Beta: 6 days. Requesting inclusion in 57 stable update.
Mar 22 2017
This bug was reported on M55. Can this wait until M58? Side note: M58 was branched at #3029 and per comment #19, the change landed before M58 branch. So removing "Merge-Approved-58" label.
Mar 22 2017
Merge approved for M57 branch 2987 assuming the added CHECK() will never fire unless we have an unacceptable security issue present in executing code.
Mar 22 2017
Rescinding merge request after conversation with amineer@.
May 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 24 2017