
Issue 705827

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Unknown crash in ui::LayerOwner::RecreateLayer

Reported by jackwill...@gmail.com, Mar 28 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 59.0.3053.0 (Official Build) canary (64-bit)
Operating System: Win7

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Crash State: Browser


0:000> .ecxr
rax=000007fedef2b2c0 rbx=000000000f8a4b00 rcx=000000000f8a4b00
rdx=000007fedf040128 rsi=000000000f8a4b00 rdi=000007fedf040128
rip=000007fedcd1811e rsp=000000000017bce0 rbp=000000000017be09
 r8=000000000b4e44f0  r9=000000000b4e4130 r10=000000000b7cc798
r11=00000000063e9901 r12=000000000ff1c580 r13=0000000000000000
r14=000007fedf040128 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fedc420000!ui::LayerOwner::RecreateLayer+0x2e:
000007fe`dcd1811e 4c89b840010000  mov     qword ptr [rax+140h],r15 ds:000007fe`def2b400={chrome_7fedc420000!logging::LogMessageVoidify::operator& (000007fe`dc4b5e80)}
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0017bce0 000007fe`de1cc275 chrome_7fedc420000!ui::LayerOwner::RecreateLayer+0x2e [c:\b\build\slave\win64-pgo\build\src\ui\compositor\layer_owner.cc @ 34]
00000000`0017bd50 000007fe`ddd3c2e9 chrome_7fedc420000!views::View::RecreateLayer+0x15 [c:\b\build\slave\win64-pgo\build\src\ui\views\view.cc @ 575]
00000000`0017bd80 000007fe`dc8b9460 chrome_7fedc420000!ConstrainedWebDialogUI::RenderFrameCreated+0x109 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\webui\constrained_web_dialog_ui.cc @ 78]
00000000`0017be70 000007fe`dc8b60f0 chrome_7fedc420000!content::RenderFrameHostManager::UpdatePendingWebUIOnCurrentFrameHost+0x104 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_manager.cc @ 2471]
00000000`0017bf30 000007fe`dc88ae90 chrome_7fedc420000!content::RenderFrameHostManager::GetFrameHostForNavigation+0x198 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_manager.cc @ 779]
00000000`0017bfb0 000007fe`dc89f0c5 chrome_7fedc420000!content::FrameTreeNode::CreatedNavigationRequest+0xa4 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\frame_tree_node.cc @ 396]
00000000`0017bff0 000007fe`dc8a7890 chrome_7fedc420000!content::NavigatorImpl::OnBeginNavigation+0x105 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\navigator_impl.cc @ 1013]
00000000`0017c050 000007fe`dc8b045a chrome_7fedc420000!content::RenderFrameHostImpl::OnBeginNavigation+0x150 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 2043]
00000000`0017c520 000007fe`dc8a39b1 chrome_7fedc420000!IPC::MessageT<FrameHostMsg_BeginNavigation_Meta,std::tuple<content::CommonNavigationParams,content::BeginNavigationParams>,void>::Dispatch<content::RenderFrameHostImpl,content::RenderFrameHostImpl,void,void (__cdecl content::RenderFrameHostImpl::*)(content::CommonNavigationParams const & __ptr64,content::BeginNavigationParams const & __ptr64) __ptr64>+0xe6 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0017ca30 000007fe`dc9dddca chrome_7fedc420000!content::RenderFrameHostImpl::OnMessageReceived+0x18f1 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 785]
00000000`0017eb00 000007fe`dd1dc548 chrome_7fedc420000!content::RenderProcessHostImpl::OnMessageReceived+0x55a [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 2079]
00000000`0017ef50 000007fe`dce737df chrome_7fedc420000!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_channel_proxy.cc @ 330]
00000000`0017ef80 000007fe`dce28ca6 chrome_7fedc420000!base::debug::TaskAnnotator::RunTask+0x1af [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 59]
00000000`0017f130 000007fe`dce2985a chrome_7fedc420000!base::MessageLoop::RunTask+0x1f6 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
00000000`0017f290 000007fe`dce73d81 chrome_7fedc420000!base::MessageLoop::DoWork+0x48a [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
00000000`0017f490 000007fe`dce739d4 chrome_7fedc420000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0017f500 000007fe`dce4ced0 chrome_7fedc420000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
00000000`0017f550 000007fe`dcd4eb78 chrome_7fedc420000!base::RunLoop::Run+0xc0 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
00000000`0017f600 000007fe`dc7d951c chrome_7fedc420000!ChromeBrowserMainParts::MainMessageLoopRun+0x138 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\chrome_browser_main.cc @ 1971]
00000000`0017f680 000007fe`dc7d19a9 chrome_7fedc420000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_runner.cc @ 140]
0:000> kl
Attachment: f3e8036d-919a-4a1d-a227-2bd3d5304e38.dmp (5.2 MB)
This is a random crash.

Comment 2 by ta...@google.com, Mar 30 2017

Labels: Needs-Feedback
Could you explain how to reproduce it? Thank you.
Unable to reproduce this on 59.0.3055.0 canary; seems like it's fixed.

Comment 4 by sheriffbot@chromium.org, Mar 30 2017

Cc: ta...@google.com
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "tanin@google.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by ta...@google.com, Mar 30 2017

Status: WontFix (was: Unconfirmed)
Thank you. I'll close this issue. Please re-open if you can reproduce it.

Comment 6 by sheriffbot@chromium.org, Jul 6 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
