Issue 694382 Security: Heap-use-after-free in PrintPreviewHandler::HandleGetPreview
Reported by chromium...@gmail.com, Feb 21
Status: Fixed
Closed: Mar 17
OS: Windows
Pri: 2
Type: Bug-Security
VERSION
Chrome Version: 58.0.3018.0 (Official Build) canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Visit http://localhost/testcase.html
2. Observe an alert is being displayed at the same time try to visit https://example.com
3. Crash!

Crash/1e71b6b580000000


rax=00000000101e7df0 rbx=0000000011202b90 rcx=000000000c264fc0
rdx=01fd00010001ffff rsi=0000000000000000 rdi=00000000101e7df0
rip=000007fee0bc6e84 rsp=000000000027bfb0 rbp=000000000027c0b0
 r8=00000000101e7de0  r9=00000000101e7df0 r10=000007fee1a99210
r11=000000000027bf50 r12=000000000c264fc0 r13=0000000000000000
r14=000000000fb9a3a0 r15=000000000027c330
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fedf160000!PrintPreviewHandler::HandleGetPreview+0x534:
000007fe`e0bc6e84 ff5230          call    qword ptr [rdx+30h] ds:01fd0001`0002002f=????????????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0027bfb0 000007fe`df7a9cf2 chrome_7fedf160000!PrintPreviewHandler::HandleGetPreview+0x534 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\webui\print_preview\print_preview_handler.cc @ 821]
00000000`0027c200 000007fe`df7a9493 chrome_7fedf160000!content::WebUIImpl::ProcessWebUIMessage+0xa2 [c:\b\build\slave\win64-pgo\build\src\content\browser\webui\web_ui_impl.cc @ 252]
00000000`0027c240 000007fe`df7aa1d0 chrome_7fedf160000!content::WebUIImpl::OnWebUISend+0x93 [c:\b\build\slave\win64-pgo\build\src\content\browser\webui\web_ui_impl.cc @ 112]
00000000`0027c280 000007fe`df7a939f chrome_7fedf160000!IPC::MessageT<ViewHostMsg_WebUISend_Meta,std::tuple<GURL,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::ListValue>,void>::Dispatch<content::WebUIImpl,content::WebUIImpl,void,void (__cdecl content::WebUIImpl::*)(GURL const & __ptr64,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const & __ptr64,base::ListValue const & __ptr64) __ptr64>+0x154 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0027c430 000007fe`df787752 chrome_7fedf160000!content::WebUIImpl::OnMessageReceived+0xdf [c:\b\build\slave\win64-pgo\build\src\content\browser\webui\web_ui_impl.cc @ 94]
00000000`0027c540 000007fe`df6cbe47 chrome_7fedf160000!content::WebContentsImpl::OnMessageReceived+0x62 [c:\b\build\slave\win64-pgo\build\src\content\browser\web_contents\web_contents_impl.cc @ 695]
00000000`0027ce20 000007fe`df6cfd62 chrome_7fedf160000!content::RenderViewHostImpl::OnMessageReceived+0x117 [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_view_host_impl.cc @ 732]
00000000`0027d6b0 000007fe`df6bef47 chrome_7fedf160000!content::RenderWidgetHostImpl::OnMessageReceived+0x152 [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_widget_host_impl.cc @ 517]
00000000`0027e670 000007fe`dfebb728 chrome_7fedf160000!content::RenderProcessHostImpl::OnMessageReceived+0x5f7 [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 2076]
00000000`0027eaf0 000007fe`df531b14 chrome_7fedf160000!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_channel_proxy.cc @ 330]
00000000`0027eb20 000007fe`dfb48d83 chrome_7fedf160000!base::internal::RunMixin<base::Callback<void __cdecl(void),0,0> >::Run+0x24 [c:\b\build\slave\win64-pgo\build\src\base\callback.h @ 68]
00000000`0027eb50 000007fe`dfaf7887 chrome_7fedf160000!base::debug::TaskAnnotator::RunTask+0x183 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 61]
00000000`0027ece0 000007fe`dfaf843a chrome_7fedf160000!base::MessageLoop::RunTask+0x217 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
00000000`0027ee50 000007fe`dfb492f1 chrome_7fedf160000!base::MessageLoop::DoWork+0x48a [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
00000000`0027f050 000007fe`dfb48f44 chrome_7fedf160000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0027f0c0 000007fe`dfb1f630 chrome_7fedf160000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
00000000`0027f110 000007fe`dfa261f8 chrome_7fedf160000!base::RunLoop::Run+0xc0 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
00000000`0027f1c0 000007fe`df4be7ec chrome_7fedf160000!ChromeBrowserMainParts::MainMessageLoopRun+0x138 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\chrome_browser_main.cc @ 2005]
00000000`0027f240 000007fe`df4b6679 chrome_7fedf160000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_runner.cc @ 140]
00000000`0027f290 000007fe`df9d7b13 chrome_7fedf160000!content::BrowserMain+0x169 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main.cc @ 46]

Attachments: testcase.html (87 bytes), Rec.mp4 (617 KB)
Able to repro this on Dev (58.0.3013.3).
Labels: Needs-Feedback
Thanks for the report. I could not reproduce this on canary. Can you give it a quick try on canary and confirm if you are using an ASAN build or not, plus the canary version you reproduced this with? Thank you.
On my machine I have the latest version of canary (58.0.3023.0).

- Able to reproduce this crash on Canary/Dev.
- Unable to reproduce this crash on Stable/Beta/ASan build.

Sometimes this crash can take several tries to repro. 

What happens is that PrintPreviewHandler::HandleGetPreview was called after the render_view_host_ had been destroyed by navigation to another origin.
Attachment: Recording.mp4 (471 KB)
Cc: rbpotter@chromium.org
Components: UI>Browser>PrintPreview
Owner: skau@chromium.org
I was able to repro this. See: crash/0671d73300000000

skau@ -- if you are not the right owner, please help identify the right owner. Thanks.
Project Member Comment 7 by clusterf...@chromium.org, Mar 1
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4960837371691008
Project Member Comment 8 by sheriffbot@chromium.org, Mar 1
Cc: kerrnel@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: OS-Windows
Status: Assigned
FWIW: I can't repro this on Chrome Dev on Linux.
Status: Started
Yes.  I'm the right owner. I'm looking into it.
Owner: thestig@chromium.org
I edited that file recently but I didn't touch that section.  Looks like it was last edited by thestig@ in this commit https://chromium.googlesource.com/chromium/src/+/cb959ce66a9a8%5E%21/#F11

Message handling must not be sequenced with whatever cleans up the RenderFrame.  Reassigning as I'm not sure how to mitigate this.
Project Member Comment 13 by clusterf...@chromium.org, Mar 1
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5615695061843968
Labels: Security_Severity-Low Security_Impact-Head
Setting the severity as Low since it requires too many user gestures.
Project Member Comment 15 by sheriffbot@chromium.org, Mar 2
Labels: Pri-2
 Bug 698622  may be the same issue, but without user gestures. It's weird that skau@ assigned it to me but left it in with Started status. I guess I should start looking at this...
I guess print preview needs to listen for RFH deletion and null out print_preview_rfh() if needed.
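As an added illustration of the lifetime problem described in the two comments above (this is example code written for this page, not Chromium code and not taken from the fix CL): a manager keeps a raw pointer to the frame host that started print preview, a cross-origin navigation destroys that frame host, and a WebUI message that arrives afterwards is dispatched against freed memory. The "fixed" shape follows the suggestion above, observing frame deletion and nulling out the pointer. FrameHost, FrameObserver, Browser and the two manager classes are hypothetical stand-ins, not the real content::RenderFrameHost or PrintViewManager API.

```cpp
// Added example, not Chromium code. Toy model of the print preview lifetime
// bug: a raw frame pointer outlives the frame it points at. All class names
// here are stand-ins for the real RenderFrameHost / PrintViewManager types.
#include <cassert>
#include <memory>
#include <set>
#include <vector>

class FrameObserver;

// Stand-in for a RenderFrameHost: tells its observers when it is destroyed.
class FrameHost {
 public:
  void AddObserver(FrameObserver* observer) { observers_.push_back(observer); }
  ~FrameHost();

 private:
  std::vector<FrameObserver*> observers_;
};

class FrameObserver {
 public:
  virtual ~FrameObserver() = default;
  virtual void RenderFrameDeleted(FrameHost* host) = 0;
};

FrameHost::~FrameHost() {
  for (FrameObserver* observer : observers_) observer->RenderFrameDeleted(this);
}

// Stand-in for the browser's frame bookkeeping. It records which FrameHost
// addresses are live so the example can classify a stale pointer as dangling
// without ever dereferencing freed memory.
class Browser {
 public:
  // Simulates a cross-origin navigation: a new frame host replaces the old one.
  // The new frame is allocated before the old one is freed, so the two never
  // share an address and a stale pointer cannot accidentally look live.
  FrameHost* Navigate() {
    auto next = std::make_unique<FrameHost>();
    live_.insert(next.get());
    if (current_) live_.erase(current_.get());
    current_ = std::move(next);  // old FrameHost destroyed here
    return current_.get();
  }
  bool IsLive(const FrameHost* host) const { return live_.count(host) != 0; }

 private:
  std::unique_ptr<FrameHost> current_;
  std::set<const FrameHost*> live_;
};

// Buggy shape: stores the frame pointer and never learns that the frame died.
class BuggyPrintManager {
 public:
  void StartPreview(FrameHost* host) { print_preview_rfh_ = host; }
  FrameHost* print_preview_rfh() const { return print_preview_rfh_; }

 private:
  FrameHost* print_preview_rfh_ = nullptr;
};

// Fixed shape: observes the frame and clears the pointer on deletion, so a
// late message sees nullptr and can be dropped instead of dereferenced.
class FixedPrintManager : public FrameObserver {
 public:
  void StartPreview(FrameHost* host) {
    print_preview_rfh_ = host;
    host->AddObserver(this);
  }
  void RenderFrameDeleted(FrameHost* host) override {
    if (host == print_preview_rfh_) print_preview_rfh_ = nullptr;
  }
  FrameHost* print_preview_rfh() const { return print_preview_rfh_; }

 private:
  FrameHost* print_preview_rfh_ = nullptr;
};

// What a late HandleGetPreview() would be about to dereference.
enum class Target { kLive, kDangling, kNull };

// Starts a preview on the current frame, optionally navigates away, then
// delivers the late "getPreview" WebUI message and classifies its target.
template <typename Manager>
Target LateGetPreviewTarget(bool navigate_before_message) {
  Manager manager;  // declared first so it outlives the Browser and its frames
  Browser browser;
  manager.StartPreview(browser.Navigate());
  if (navigate_before_message) browser.Navigate();
  FrameHost* target = manager.print_preview_rfh();
  if (!target) return Target::kNull;
  return browser.IsLive(target) ? Target::kLive : Target::kDangling;
}

int main() {
  // Without a navigation both managers dispatch to the live frame.
  assert(LateGetPreviewTarget<BuggyPrintManager>(false) == Target::kLive);
  assert(LateGetPreviewTarget<FixedPrintManager>(false) == Target::kLive);
  // After the navigation the buggy manager hands out a freed pointer (the
  // use-after-free); the fixed one reports nullptr and the handler bails out.
  assert(LateGetPreviewTarget<BuggyPrintManager>(true) == Target::kDangling);
  assert(LateGetPreviewTarget<FixedPrintManager>(true) == Target::kNull);
  return 0;
}
```

The point of the Browser::IsLive() check is only to make the dangling case observable in a test; in the real browser process nothing prevents the dereference, which is why the report shows a call through a garbage vtable pointer (`call qword ptr [rdx+30h]`) rather than a clean failure.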
https://codereview.chromium.org/2742853003 should be backported to M58 and M57, as it fixes a nasty bug with printing and extensions described in  issue 702085 .
Labels: Merge-Request-58
Yes, I'll do M58 today and M57 early next week assuming there's no issues.
Project Member Comment 21 by sheriffbot@chromium.org, Mar 17
Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Mar 17
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 23 by sheriffbot@chromium.org, Mar 18
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
I've found a way to reduce the number of user gestures needed for this crash. I tested on stable 57.0.2987.110 (64-bit).

1- Open http://localhost/UAF.html.
2- click "click here" then "then here" buttons.
3- click "OK" in the alert box.
4- Wait 4 seconds >> Crash.

Note: there are two different crashes "render/browser" (I'm talking about the browser crash).

In this case, does this report qualify for "Severity-Medium" at least?
Attachments: Recording.mp4 (467 KB), PoC.rar (972 bytes)
Project Member Comment 25 by sheriffbot@chromium.org, Mar 20
Cc: keta...@chromium.org ketakid@google.com vsu...@chromium.org bhthompson@google.com
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Security_Severity-Low Security_Severity-Medium
Medium per c24.
Labels: -Hotlist-Merge-Approved -Merge-Approved-58 merge-merged-3029 M-57 M-58
M58 merge from last week: https://chromium.googlesource.com/chromium/src/+/23107311dcb2bc1ecfa1c0fbe63f5f210c154049
Cc: -kerrnel@chromium.org
Labels: reward-topanel
Project Member Comment 30 by bugdroid1@chromium.org, Mar 27
Labels: merge-merged-2987
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8839f8f3d22dc169ede6edad06d75735dbf3c34a

commit 8839f8f3d22dc169ede6edad06d75735dbf3c34a
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Mar 27 03:40:04 2017

M57: Properly clean up in PrintViewManager::RenderFrameCreated().

BUG= 694382 , 698622 

Review-Url: https://codereview.chromium.org/2742853003
Cr-Commit-Position: refs/heads/master@{#457363}
(cherry picked from commit 746da1cc6b2fbc2f725934542eedc49b41e5f17b)

Review-Url: https://codereview.chromium.org/2775133002 .
Cr-Commit-Position: refs/branch-heads/2987@{#881}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/browser/printing/print_view_manager.cc
[add] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/browser/printing/print_view_manager_unittest.cc
[modify] https://crrev.com/8839f8f3d22dc169ede6edad06d75735dbf3c34a/chrome/test/BUILD.gn

Labels: CVE-2017-5053 Release-1-M57
Cc: pbomm...@chromium.org ranjitkan@chromium.org durga.behera@chromium.org brajkumar@chromium.org
Labels: TE-NeedsTriageFromMTV
Was unable to reproduce the crash on Win 7 and Win 10 using reported version 58.0.3018.0 and 57.0.2987.98/110 using steps from comment #24. After allowing the plugin no alert is seen or it says the plugin is not supported.

And using steps from Original report(comment #1), was unable to click on Back/Forward buttons of the browser and not able to enter text on Omnibox until the Ok button is clicked.

Requesting MTV team to take a look into this.
Attachment: 694382_Mar_28.mp4 (1.4 MB)
Project Member Comment 34 by sheriffbot@chromium.org, Mar 28
Labels: -release-1-m57
This bug is a regression and does not impact stable. Removing incorrectly added Release- labels.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -CVE-2017-5053
Thanks sheriffbot!
I just reproduced this on stable 57.0.2987.110. This crash needs several attempts.
Attachment: Recording #6.mp4 (689 KB)
It does take several attempts to crash. I sometimes see renderer crashes too. I'll look some more.
I'm testing with 57.0.2987.130 here. I got one browser crash earlier as mentioned, but the crash server never processed that crash so I don't know what happened. I kept trying, and the browser process hasn't crashed since. The renderer crash has been filed as bug 706103. I keep hitting it all the time using PoC.rar.
Attaching minimized testcase. (Only browser crash)
Attachment: UAF.html (348 bytes)
I tried the test case in comment 40 but I haven't been able to reproduce a browser crash with it. If it's racy, I could just be having bad (good rather?) luck.

If you have crash report IDs, that may be helpful.
Oh, and if this is on 57.x, we will hopefully have a new build out this week with the merge in comment 30. Maybe try that once released?
C#41 - Unable to get a server crash ID; anyway, I got the same stack traces from WinDbg.

C#42 - Okay, but the release- labels were removed!
Are you testing 57.0.2987.110? Is the problem present on Canary?

I'm not sure about the release- labels. If the concern is about which 57.x builds have the potential fix in comment 30, the answer is 57.0.2987.130 and newer.
The crash has been fixed in Canary; the reason I attached the minimized testcase in comment 40 is to prove that it reproduces on Stable (57.0.2987.110), contrary to comment 34.
Labels: -Security_Severity-Medium -Security_Impact-Head Security_Impact-Stable Security_Severity-High
Verified on stable 57.0.2987.133. Thanks for the fix :)
Glad to hear it. Thank you for looking into this and coming up with more test cases.
Note - Actually it was very easy to reproduce the crash with the minimized test case below instead of all the test cases (in comments 1/24/40).

<script>
  // Kick off a cross-origin navigation, then call print() from the unload
  // handler of the page that is being torn down.
  document.location = "https://www.google.com";
  window.onunload = function () {
    print();
  };
</script>
Attachments: testcase.html (112 bytes), Recording #7.mp4 (555 KB)
Labels: -reward-topanel reward-unpaid reward-2000
Good news! The panel decided to award $2,000 for this bug.  There was another report of this bug from an external researcher that came in after yours, but with a much better PoC that required no user interaction and is what triggered us to make the fix. For future reference the reward would have been much higher had this report had a better PoC.  Thanks!
Andrew, what do you think about comment 51?
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M58
Labels: CVE-2017-5058
Project Member Comment 58 by sheriffbot@chromium.org, Jun 23
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot