Starred by 2 users
Status: Fixed
Closed: Jan 2017
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security



Email Subject: ZDI-CAN-4429: New Vulnerability Report
Reported by zdi-disc...@hp.com, Jan 24 2017
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce the problem:
ZDI-CAN-4429: Google Chrome List Item Marker Type Confusion Remote Code Execution Vulnerability

-- CVSS -----------------------------------------

6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:

  Google Chrome

-- VULNERABILITY DETAILS ------------------------

* Version Tested: Chrome 55.0.2883.87 m (64-bit) and Chromium (commit fd58ca0775c71238123c04453aca6b711e8ed6d8)
* Platform Tested: Windows 10 Enterprise 14393.447 (64-bit)

Type confusion in Blink. An object of type blink::LayoutListMarker is treated as an object of type blink::LayoutText. As a result, a pointer at offset +0x90 from the start of the blink::LayoutListMarker is dereferenced and an integer at the resulting address is incremented. The data at offset +0x90 can be effectively controlled from a malicious webpage by setting the dimensions of an element.

Debug log, for release version of Chrome 55.0.2883.87 m (64-bit):

```
(1208.1494): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll - 
chrome_child!ovly_debug_event+0x3c27a1:
00007ffb`93950a61 ff03            inc     dword ptr [rbx] ds:0000dead`0000beef=????????
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffb`937ad686 : 000001e7`00000000 000002cf`86068000 00000158`af6e2518 00000000`00000006 : chrome_child!ovly_debug_event+0x3c27a1
01 00007ffb`935be3b1 : 00000000`00000000 00000380`15c04000 0000000b`bd35cf40 0000000b`bd35cd00 : chrome_child!ovly_debug_event+0x21f3c6
02 00007ffb`9394fb75 : 0000000b`00000000 0000000b`bd35cf40 00000158`af6e34b8 00000158`af6e34b8 : chrome_child!ovly_debug_event+0x300f1
03 00007ffb`9394f561 : 00000158`af6e34b8 0000000b`bd35cf00 00007ffb`00000000 0000000b`bd35cf40 : chrome_child!ovly_debug_event+0x3c18b5
04 00007ffb`93952797 : 00000158`af6e26c0 0000000b`bd35cfe0 00000000`00000000 00000000`00000000 : chrome_child!ovly_debug_event+0x3c12a1
05 00007ffb`93de98d7 : 00000158`00000000 00000158`af6e34b8 0000000b`bd35d0d0 00007ffb`93a0d0d1 : chrome_child!ovly_debug_event+0x3c44d7
06 00007ffb`93de982d : 000001e7`00000000 000001e7`b56d4fb0 00000000`0000c350 000001e7`b7b4a558 : chrome_child!ChromeMain+0x2b450b
07 00007ffb`936969fe : 0000000b`bd35d218 00007ffb`96c5af5e 000001e7`00000001 00000000`00000000 : chrome_child!ChromeMain+0x2b4461
08 00007ffb`936967fa : 000001e7`b7b4a538 000002f7`4bba6bc9 000001e7`b56d4fb0 0000011e`63a82351 : chrome_child!ovly_debug_event+0x10873e
09 00007ffb`938b6180 : 0000000b`bd35d3b0 000001e7`b56d4fb0 000001e7`b7b4a538 000001e7`b56d5018 : chrome_child!ovly_debug_event+0x10853a
0a 00007ffb`9369634b : 00000000`00000000 00000000`00000000 00000000`00000000 000001e7`b7b4a538 : chrome_child!ovly_debug_event+0x327ec0
0b 00007ffb`935cc4d3 : 00000000`00000001 000001e7`b7b4a530 0000000b`bd35d6a0 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x10808b
0c 00007ffb`9369645b : 00000000`00000001 00000000`00000001 0000000b`bd35d9b0 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x3e213
0d 00007ffb`93695ca6 : 00007ffb`93695b88 0000000b`bd35d9b8 0000000b`bd35d9b8 0000000b`bd35d9b0 : chrome_child!ovly_debug_event+0x10819b
0e 0000034b`e34843ab : 00007ffb`93695b88 00000386`6d4fe191 0000011e`63a841f9 000001e7`b56d4fb0 : chrome_child!ovly_debug_event+0x1079e6
0f 00007ffb`93695b87 : 00000386`6d4fe191 0000011e`63a841f9 000001e7`b56d4fb0 0000034b`e358875b : 0x0000034b`e34843ab
10 0000000b`bd35d9d0 : 0000034b`e3599b35 00000013`e3b889d9 0000001a`00000000 00000386`6d4b5479 : chrome_child!ovly_debug_event+0x1078c7
11 0000034b`e3599b35 : 00000013`e3b889d9 0000001a`00000000 00000386`6d4b5479 000002f7`4bba6bc9 : 0x0000000b`bd35d9d0
12 00000013`e3b889d9 : 0000001a`00000000 00000386`6d4b5479 000002f7`4bba6bc9 00000013`e3b860e1 : 0x0000034b`e3599b35
13 0000001a`00000000 : 00000386`6d4b5479 000002f7`4bba6bc9 00000013`e3b860e1 00000386`6d4fe191 : 0x00000013`e3b889d9
14 00000386`6d4b5479 : 000002f7`4bba6bc9 00000013`e3b860e1 00000386`6d4fe191 0000000b`bd35da00 : 0x0000001a`00000000
15 000002f7`4bba6bc9 : 00000013`e3b860e1 00000386`6d4fe191 0000000b`bd35da00 0000034b`e3485d15 : 0x00000386`6d4b5479
16 00000013`e3b860e1 : 00000386`6d4fe191 0000000b`bd35da00 0000034b`e3485d15 000002f7`4bba23a1 : 0x000002f7`4bba6bc9
17 00000386`6d4fe191 : 0000000b`bd35da00 0000034b`e3485d15 000002f7`4bba23a1 00000001`00000000 : 0x00000013`e3b860e1
18 0000000b`bd35da00 : 0000034b`e3485d15 000002f7`4bba23a1 00000001`00000000 00000013`e3b860e1 : 0x00000386`6d4fe191
19 0000034b`e3485d15 : 000002f7`4bba23a1 00000001`00000000 00000013`e3b860e1 0000000e`00000000 : 0x0000000b`bd35da00
1a 000002f7`4bba23a1 : 00000001`00000000 00000013`e3b860e1 0000000e`00000000 0000000b`bd35da38 : 0x0000034b`e3485d15
1b 00000001`00000000 : 00000013`e3b860e1 0000000e`00000000 0000000b`bd35da38 0000034b`e34d40c4 : 0x000002f7`4bba23a1
1c 00000013`e3b860e1 : 0000000e`00000000 0000000b`bd35da38 0000034b`e34d40c4 000002f7`4bba65f9 : 0x00000001`00000000
1d 0000000e`00000000 : 0000000b`bd35da38 0000034b`e34d40c4 000002f7`4bba65f9 000002f7`4bba23a1 : 0x00000013`e3b860e1
1e 0000000b`bd35da38 : 0000034b`e34d40c4 000002f7`4bba65f9 000002f7`4bba23a1 00000013`e3b860e1 : 0x0000000e`00000000
1f 0000034b`e34d40c4 : 000002f7`4bba65f9 000002f7`4bba23a1 00000013`e3b860e1 0000034b`e34d3fe1 : 0x0000000b`bd35da38
20 000002f7`4bba65f9 : 000002f7`4bba23a1 00000013`e3b860e1 0000034b`e34d3fe1 0000000c`00000000 : 0x0000034b`e34d40c4
21 000002f7`4bba23a1 : 00000013`e3b860e1 0000034b`e34d3fe1 0000000c`00000000 0000000b`bd35db50 : 0x000002f7`4bba65f9
22 00000013`e3b860e1 : 0000034b`e34d3fe1 0000000c`00000000 0000000b`bd35db50 0000034b`e34ad495 : 0x000002f7`4bba23a1
23 0000034b`e34d3fe1 : 0000000c`00000000 0000000b`bd35db50 0000034b`e34ad495 00000000`00000000 : 0x00000013`e3b860e1
24 0000000c`00000000 : 0000000b`bd35db50 0000034b`e34ad495 00000000`00000000 00000000`00000000 : 0x0000034b`e34d3fe1
25 0000000b`bd35db50 : 0000034b`e34ad495 00000000`00000000 00000000`00000000 00000001`00000000 : 0x0000000c`00000000
26 0000034b`e34ad495 : 00000000`00000000 00000000`00000000 00000001`00000000 00000000`00000000 : 0x0000000b`bd35db50
27 00000000`00000000 : 00000000`00000000 00000001`00000000 00000000`00000000 00000000`00000000 : 0x0000034b`e34ad495
0:000> lmvm chrome
Browse full module list
start             end                 module name
00007ff6`ac550000 00007ff6`ac665000   chrome     (deferred)             
    Image path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Image name: chrome.exe
    Browse all global symbols  functions  data
    Timestamp:        Wed Dec 07 22:02:34 2016 (5848DB5A)
    CheckSum:         00117A43
    ImageSize:        00115000
    File version:     55.0.2883.87
    Product version:  55.0.2883.87
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_exe
    OriginalFilename: chrome.exe
    ProductVersion:   55.0.2883.87
    FileVersion:      55.0.2883.87
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2016 Google Inc. All rights reserved.
0:000> !gflag
Current NtGlobalFlag contents: 0x00000000
0:000> vertarget
Windows 10 Version 14393 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernelbase.dll version: 10.0.14393.321 (rs1_release_inmarket.161004-2338)
Machine Name:
Debug session time: Fri Dec 23 10:48:12.346 2016 (UTC - 6:00)
System Uptime: 0 days 8:08:12.463
Process Uptime: 0 days 0:00:50.639
  Kernel time: 0 days 0:00:00.015
  User time: 0 days 0:00:00.234
```

See Debug log 2.txt for a more detailed log on a debug build.

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   SkyLined working with Trend Micro's Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were included with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Did this work before? N/A 

Chrome version: 55.0.2883.87 m (release), 56.0.2899.0 canary
Channel: stable
OS Version: Windows 10 Enterprise 14393.447 (64-bit)
Flash Version:
 
Attachment: ZDI-CAN-4429.zip (6.9 KB)
Project Member Comment 1 by clusterf...@chromium.org, Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5169777179099136
Components: Blink>Layout
Labels: Security_Impact-Stable Security_Severity-High OS-Android OS-Chrome OS-Linux OS-Mac
Owner: e...@chromium.org
Status: Assigned
Thanks for the report.

+eae - can you triage this please?
Comment 3 by e...@chromium.org, Jan 25 2017
Cc: e...@chromium.org
Labels: -Pri-2 Pri-1
Owner: kojii@chromium.org
This is bad. Do you have cycles to tackle this kojii?

Comment 4 by kojii@chromium.org, Jan 25 2017
Cc: cbiesin...@chromium.org r...@opera.com
The crash doesn't reproduce for me nor for clusterfuzz. Can someone advise what to do in such a case? Change the bug to a non-security, normal bug? I'll look into this anyway, details below, but advice is appreciated from the bug process point of view.

We're doing something wrong here anyway: if I click, we hit a DCHECK() in VisibleUnits, saying the layout tree for the first letter is constructed unexpectedly.

And the test case looks familiar to me, probably the same root cause as issue 675117. I'm discussing with rune@ and cbiesinger@ in crrev.com/2650583003.
If you're sure the bug is fixed in HEAD, then we can unrestrict the bug. However, it's still a security bug up until we verify that there is a fix.

Otherwise, if you determine it's the same cause as issue 675117 we can merge this into that one. :)
Comment 6 by kojii@chromium.org, Jan 25 2017
Ah, wait, I can reproduce now. I was using content-shell, but this needs Chromium to reproduce.
Comment 7 by kojii@chromium.org, Jan 25 2017
Or add:
```html
<script>
  if (window.testRunner)
    testRunner.dumpAsText();
</script>
```
and run content-shell with the "--run-layout-test" option.
Comment 8 by kojii@chromium.org, Jan 25 2017
Cc: yosin@chromium.org
Components: Blink>Editing
Issue 675117 is creating a bad layout tree for ::first-letter. Editing code assumes the first child of ::first-letter is LayoutText. This bug is a combination of the two.

Talked with yosin@, I think we should add a release assertion to the editing code first to turn this issue to a normal crash.
Project Member Comment 9 by bugdroid1@chromium.org, Jan 25 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e29607bd33d91db8c58127eb6469fca2ad22c16a

commit e29607bd33d91db8c58127eb6469fca2ad22c16a
Author: kojii <kojii@chromium.org>
Date: Wed Jan 25 09:26:53 2017

Check isText() when editing traverses layout tree for ::first-letter

This patch checks isText() before toLayoutText() when editing traverses
layout trees for ::first-letter pseudo elements.

Normally, the first child of ::first-letter pseudo element is
LayoutText. This patch checks if the assumption stands.

BUG=684684

Review-Url: https://codereview.chromium.org/2650953004
Cr-Commit-Position: refs/heads/master@{#445986}

[modify] https://crrev.com/e29607bd33d91db8c58127eb6469fca2ad22c16a/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
[modify] https://crrev.com/e29607bd33d91db8c58127eb6469fca2ad22c16a/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp
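
The pattern that commit hardens, as an added stand-alone illustration that is not Blink's code: a simplified stand-in for the layout-object hierarchy (the class names LayoutObject, LayoutText and LayoutListMarker and the isText() check mirror the ones named in this thread; the tree shapes, member names and helper functions are constructed for the example), showing the unchecked toLayoutText()-style downcast beside the checked version from the fix.

```cpp
// Added example (not Blink's code): a stand-alone model of the layout-tree
// traversal that the fix in comment 9 hardens. Class names mirror the ones
// named in this thread; everything else here is a constructed simplification.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for Blink's LayoutObject: a node with children and a
// cheap type predicate, as used by isText()/toLayoutText() in Blink.
class LayoutObject {
 public:
  virtual ~LayoutObject() = default;
  virtual bool isText() const { return false; }
  LayoutObject* firstChild() const {
    return children_.empty() ? nullptr : children_.front().get();
  }
  void appendChild(std::unique_ptr<LayoutObject> child) {
    children_.push_back(std::move(child));
  }
 private:
  std::vector<std::unique_ptr<LayoutObject>> children_;
};

// The type the editing code expected as the first child of a ::first-letter box.
class LayoutText : public LayoutObject {
 public:
  explicit LayoutText(std::string text) : text_(std::move(text)) {}
  bool isText() const override { return true; }
  int textLength() const { return static_cast<int>(text_.size()); }
 private:
  std::string text_;
};

// The type that actually showed up in the bad tree from the report. It holds
// layout-controlled fields instead of a text payload, which is why reading it
// through a LayoutText view dereferences page-influenced data.
class LayoutListMarker : public LayoutObject {
 public:
  int markerWidth = 0;  // constructed field; stands in for element dimensions
};

// Pre-fix shape of the traversal: toLayoutText() without an isText() check.
// Only valid when the assumption holds; calling it on a LayoutListMarker child
// is the type confusion (undefined behaviour), so the demo never does that.
int firstLetterLengthUnchecked(const LayoutObject* firstLetterBox) {
  const LayoutText* text =
      static_cast<const LayoutText*>(firstLetterBox->firstChild());
  return text->textLength();
}

// Post-fix shape, following the commit message: check isText() before the
// cast. Blink turns a failed check into a release CHECK() crash; this model
// returns -1 so the caller can observe the bail-out.
int firstLetterLengthChecked(const LayoutObject* firstLetterBox) {
  const LayoutObject* child = firstLetterBox->firstChild();
  if (!child || !child->isText())
    return -1;  // assumption violated: refuse to reinterpret the object
  return static_cast<const LayoutText*>(child)->textLength();
}

// Constructs the two tree shapes: the normal one (LayoutText child) and the
// malformed one this bug produced (LayoutListMarker child).
std::unique_ptr<LayoutObject> makeFirstLetterBox(bool wellFormed) {
  auto box = std::make_unique<LayoutObject>();
  if (wellFormed)
    box->appendChild(std::make_unique<LayoutText>("A"));
  else
    box->appendChild(std::make_unique<LayoutListMarker>());
  return box;
}

int main() {
  auto good = makeFirstLetterBox(true);
  auto bad = makeFirstLetterBox(false);
  std::printf("well-formed, unchecked: %d\n", firstLetterLengthUnchecked(good.get()));
  std::printf("well-formed, checked:   %d\n", firstLetterLengthChecked(good.get()));
  std::printf("malformed, checked:     %d\n", firstLetterLengthChecked(bad.get()));
  return 0;
}
```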

Project Member Comment 10 by sheriffbot@chromium.org, Jan 25 2017
Labels: M-55
Comment 11 by kojii@chromium.org, Jan 26 2017
Status: Fixed
Please correct me if my way to handle this bug is not good -- I'm just not familiar, asked around.

With the fix in #9:
* This bug has turned to a normal crash bug.
* Locally reproduced and confirmed the fix.
* Clusterfuzz says the original report is not reproducible.
* The root cause (to lead to the crash) isn't fixed yet.

The process I'm thinking I should take is:
1. I'm marking this as Fixed.
2. I will add Merge-Request labels a few days after the Canary release, up to M55.
3. When all merges are done and releases are updated, file a regular bug to fix the root cause.

Please let me know if there were any.
Project Member Comment 12 by sheriffbot@chromium.org, Jan 26 2017
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 13 by kojii@chromium.org, Jan 27 2017
The analysis of the root cause.

1. The root cause of this bug is that editing code traverses ::first-letter by itself, without doing enough type checks or using the existing functions in FirstLetterPseudoElement. This is filed as issue 685520.

2. CSS building an incorrect layout tree is also a problem. This is triggered by:
```css
::first-line { display: flex; }
::first-letter { float: left }
```
While this looks similar to issue 675117, this is a different case because the fix for issue 675117 uses style(firstLine=false) to check the block container, so it will not fix this.

2.1. We could fix this by using style(firstLine=true), but the spec says the 'display' property does not apply to ::first-line. So I think:
```css
::first-line { display: flex; }
```
causing a different layout tree is problematic here. Filed issue 685925.

2.2. Logically speaking, when ::first-letter checks its style, it should use style(firstLine=true), but given we do so to check the 'display' property, and given the spec says so, I guess this change is not necessary. Issue not filed for this.
Labels: reward-ineligible
Labels: -M-55 M-58
Project Member Comment 16 by sheriffbot@chromium.org, Mar 17 2017
Labels: Merge-Request-58
Project Member Comment 17 by sheriffbot@chromium.org, Mar 17 2017
Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 18 by sheriffbot@chromium.org, Mar 20 2017
Cc: keta...@chromium.org ketakid@google.com vsu...@chromium.org bhthompson@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 19 by kojii@chromium.org, Mar 21 2017
This fix seems to have landed before the branch:
```
$ git-find-releases e29607bd33d91db8c58127eb6469fca2ad22c16a
commit e29607bd33d91db8c58127eb6469fca2ad22c16a was:
  initially in 58.0.2993.0
```
Cc: gov...@chromium.org
Labels: Merge-Request-57
Externally reported high severity bug impacting Stable. Bake time in Dev: 47 days. Bake time in Beta: 6 days. Requesting inclusion in 57 stable update.
Cc: amineer@chromium.org
Labels: -Merge-Approved-58
This bug was reported on M55. Can this wait until M58?

Side note: M58 was branched at #3029 and per comment #19, the change landed before M58 branch. So removing "Merge-Approved-58" label.
Merge approved for M57 branch 2987 assuming the added CHECK() will never fire unless we have an unacceptable security issue present in executing code.
Labels: -Hotlist-Merge-Approved -Merge-Request-57
Rescinding merge request after conversation with amineer@.  
Labels: Release-0-M58
Labels: CVE-2017-5059
Project Member Comment 26 by sheriffbot@chromium.org, May 4
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot