Security: UNKNOWN crash in content::WebContentsImpl::RemoveObserver
Reported by chromium...@gmail.com, Apr 1 2017
Issue description
Chrome Version: canary 59.0.3057.0
Operating System: Windows 7

REPRODUCTION CASE
I don't have specific steps to repro this crash, but this crash happens when I try to open a new tab. Still trying to figure it out.

Here is a crash ID: 411c0d1640000000

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser

rax=5073747365446f6e rbx=0000000015719650 rcx=9000004d2f36ea7f
rdx=0000000012ee7e50 rsi=000000001568eea0 rdi=0000000015beef70
rip=000007fee875c5b9 rsp=000000000028b990 rbp=000000000028ba79
 r8=00000000156e00a0  r9=00000000156de4e0 r10=00000000157cf038
r11=00000000159f8001 r12=0000000013ca7d50 r13=0000000000000000
r14=0000000000000001 r15=000000000028bc00
iopl=0 ov up ei pl nz na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010a06
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fee80d0000!content::WebContentsImpl::RemoveObserver+0x19:
000007fe`e875c5b9 483911 cmp qword ptr [rcx],rdx ds:9000004d`2f36ea7f=????????????????

0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0028b990 000007fe`ea37117a chrome_7fee80d0000!content::WebContentsImpl::RemoveObserver+0x19 [c:\b\build\slave\win64-pgo\build\src\content\browser\web_contents\web_contents_impl.cc @ 1687]
00000000`0028b9c0 000007fe`e9aa83f7 chrome_7fee80d0000!dom_distiller::WebContentsMainFrameObserver::RenderProcessGone+0x1a [c:\b\build\slave\win64-pgo\build\src\components\dom_distiller\content\browser\web_contents_main_frame_observer.cc @ 48]
00000000`0028b9f0 000007fe`e8570854 chrome_7fee80d0000!ConstrainedWebDialogUI::RenderFrameCreated+0x107 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\webui\constrained_web_dialog_ui.cc @ 78]
00000000`0028bae0 000007fe`e856d350 chrome_7fee80d0000!content::RenderFrameHostManager::UpdatePendingWebUIOnCurrentFrameHost+0x104 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_manager.cc @ 2492]
00000000`0028bba0 000007fe`e8541694 chrome_7fee80d0000!content::RenderFrameHostManager::GetFrameHostForNavigation+0x198 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_manager.cc @ 779]
00000000`0028bc20 000007fe`e8555ff5 chrome_7fee80d0000!content::FrameTreeNode::CreatedNavigationRequest+0xa4 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\frame_tree_node.cc @ 399]
00000000`0028bc60 000007fe`e855e940 chrome_7fee80d0000!content::NavigatorImpl::OnBeginNavigation+0x105 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\navigator_impl.cc @ 1012]
00000000`0028bcc0 000007fe`e856782e chrome_7fee80d0000!content::RenderFrameHostImpl::OnBeginNavigation+0x150 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 2055]
00000000`0028c190 000007fe`e855a9da chrome_7fee80d0000!IPC::MessageT<FrameHostMsg_BeginNavigation_Meta,std::tuple<content::CommonNavigationParams,content::BeginNavigationParams>,void>::Dispatch<content::RenderFrameHostImpl,content::RenderFrameHostImpl,void,void (__cdecl content::RenderFrameHostImpl::*)(content::CommonNavigationParams const & __ptr64,content::BeginNavigationParams const & __ptr64) __ptr64>+0xe6 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0028c6a0 000007fe`e869370a chrome_7fee80d0000!content::RenderFrameHostImpl::OnMessageReceived+0x1a4a [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 792]
00000000`0028e8d0 000007fe`e8e936b8 chrome_7fee80d0000!content::RenderProcessHostImpl::OnMessageReceived+0x55a [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 2079]
00000000`0028ed20 000007fe`e8b2c470 chrome_7fee80d0000!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_channel_proxy.cc @ 330]
00000000`0028ed50 000007fe`e8ae1416 chrome_7fee80d0000!base::debug::TaskAnnotator::RunTask+0x1b0 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 59]
00000000`0028ef00 000007fe`e8ae1fc7 chrome_7fee80d0000!base::MessageLoop::RunTask+0x1f6 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
00000000`0028f060 000007fe`e8b2ca01 chrome_7fee80d0000!base::MessageLoop::DoWork+0x487 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
00000000`0028f260 000007fe`e8b2c664 chrome_7fee80d0000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0028f2d0 000007fe`e8b05aa0 chrome_7fee80d0000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
00000000`0028f320 000007fe`e8a07e58 chrome_7fee80d0000!base::RunLoop::Run+0xc0 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
00000000`0028f3d0 000007fe`e8490c4c chrome_7fee80d0000!ChromeBrowserMainParts::MainMessageLoopRun+0x138 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\chrome_browser_main.cc @ 1972]
00000000`0028f450 000007fe`e8489259 chrome_7fee80d0000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_runner.cc @ 140]
,
Apr 2 2017
Note: I can repro this crash only on Canary and Dev.
,
Apr 3 2017
Interesting, that stack trace in the crash report isn't that illuminating, and the code path this is going through is reasonably stable. I think it must be to do with PlzNavigate, which is now active in Canary (and dev?) +navigation, dom distiller folks to take a look.
,
Apr 3 2017
,
Apr 3 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 3 2017
,
Apr 3 2017
By default, dom-distiller is not enabled on desktop; this will only happen if --enable-dom-distiller is set. The thing that seems to make WebContentsMainFrameObserver unique is that it tries to manually clean itself up. I'll take a closer look to see if this is really necessary.
,
Apr 4 2017
We think this is a PlzNavigate issue that exposed a UAF in the WebUI dialog code. I don't think this is related to the DOM distiller, as we have other similar crash traces that only happen with PlzNavigate.
,
Apr 10 2017
Is there any progress here in identifying the UAF?
,
Apr 10 2017
+arthursonzogni: can you check this is a duplicate of the other WebUI crash?
,
Apr 10 2017
,
Apr 10 2017
This stack trace is weird. This issue looks very close to this one: https://bugs.chromium.org/p/chromium/issues/detail?id=704327 I have a CL for this: https://codereview.chromium.org/2798583002/ It prevents the WebContents from holding an invalid pointer to a ConstrainedWebDialogBase. It also prevents the ConstrainedWebDialogBase from deleting a WebContents that is already deleted. This is probably a duplicate. I am not 100% sure because the two bugs aren't reproducible on Linux and I don't have any way to test it on Windows. +Cc thestig: What do you think of it? Can you please check that the CL fixes this bug too?
,
Apr 11 2017
This seems to be fixed per https://codereview.chromium.org/2798583002.
,
Apr 11 2017
The stack trace is wonky above ConstrainedWebDialogUI::RenderFrameCreated(). Given comment 16, it's most likely bug 704327.
,
Apr 14 2017
,
Jul 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot