Issue 707603
Issue metadata

Status: Duplicate
Closed: Apr 2017
OS: Windows
Pri: 1
Type: Bug-Security

Security: Crash in ChromeDevToolsManagerDelegate::GetTargetTitle

Reported by chromium...@gmail.com, Apr 3 2017

Issue description

Chrome Version: 59.0.3060.0 Canary
Operating System: Windows 7

REPRODUCTION CASE
Actually, this crash happened three times when opening the DevTools.

Type of crash: browser

0:000> .ecxr
rax=00007f4eeea7451f rbx=000000000032a730 rcx=8d8c8c8c0a0a0a0a
rdx=000000000032a730 rsi=00000000126336e8 rdi=0000000012413d60
rip=000007fee997380d rsp=000000000032a6a0 rbp=000000000032a6f0
 r8=0000000012413d60  r9=0000000000000000 r10=0000000014449fb0
r11=00000000144498b0 r12=00000000126336c8 r13=00000000126336c0
r14=0000000000000000 r15=000000000032a960
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fee80d0000!ChromeDevToolsManagerDelegate::GetTargetTitle+0x3d:
000007fe`e997380d 488b01          mov     rax,qword ptr [rcx] ds:8d8c8c8c`0a0a0a0a=????????????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0032a6a0 000007fe`e84efc90 chrome_7fee80d0000!ChromeDevToolsManagerDelegate::GetTargetTitle+0x3d [c:\b\build\slave\win64-pgo\build\src\chrome\browser\devtools\chrome_devtools_manager_delegate.cc @ 134]
00000000`0032a710 000007fe`e84e4877 chrome_7fee80d0000!content::RenderFrameDevToolsAgentHost::GetTitle+0x50 [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 1021]
00000000`0032a7f0 000007fe`e84e705f chrome_7fee80d0000!content::protocol::`anonymous namespace'::CreateInfo+0xbf [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\protocol\target_handler.cc @ 86]
00000000`0032a940 000007fe`e84c48b9 chrome_7fee80d0000!content::protocol::TargetHandler::DevToolsAgentHostCreated+0xbf [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\protocol\target_handler.cc @ 417]
00000000`0032a9d0 000007fe`e84e5b6e chrome_7fee80d0000!content::DevToolsAgentHost::AddObserver+0x145 [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\devtools_agent_host_impl.cc @ 295]
00000000`0032aa20 000007fe`e83f8890 chrome_7fee80d0000!content::protocol::TargetHandler::SetDiscoverTargets+0x5e [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\protocol\target_handler.cc @ 247]
00000000`0032aa90 000007fe`e83d4f90 chrome_7fee80d0000!content::protocol::Target::DispatcherImpl::setDiscoverTargets+0x220 [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\content\browser\devtools\protocol\target.cc @ 419]
00000000`0032aba0 000007fe`e83ed435 chrome_7fee80d0000!content::protocol::DOM::DispatcherImpl::dispatch+0x160 [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\content\browser\devtools\protocol\dom.cc @ 120]
00000000`0032ac80 000007fe`e84ce207 chrome_7fee80d0000!content::protocol::UberDispatcher::dispatch+0x581 [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\content\browser\devtools\protocol\protocol.cc @ 837]
00000000`0032ada0 000007fe`e84ee9f4 chrome_7fee80d0000!content::DevToolsSession::Dispatch+0x18f [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\devtools_session.cc @ 81]
00000000`0032ae50 000007fe`e9989acd chrome_7fee80d0000!content::RenderFrameDevToolsAgentHost::DispatchProtocolMessage+0x54 [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 558]
00000000`0032af50 000007fe`e9990de0 chrome_7fee80d0000!DevToolsUIBindings::DispatchProtocolMessageFromDevToolsFrontend+0x1d [c:\b\build\slave\win64-pgo\build\src\chrome\browser\devtools\devtools_ui_bindings.cc @ 1049]
00000000`0032af80 000007fe`e998f553 chrome_7fee80d0000!`anonymous namespace'::ParseAndHandle<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const & __ptr64>+0x70 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\devtools\devtools_embedder_message_dispatcher.cc @ 91]
00000000`0032afe0 000007fe`e9986ff4 chrome_7fee80d0000!DispatcherImpl::Dispatch+0x83 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\devtools\devtools_embedder_message_dispatcher.cc @ 124]
00000000`0032b030 000007fe`e87b64bc chrome_7fee80d0000!DevToolsUIBindings::HandleMessageFromDevToolsFrontend+0x254 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\devtools\devtools_ui_bindings.cc @ 609]
00000000`0032b2d0 000007fe`e87b6307 chrome_7fee80d0000!IPC::MessageT<DevToolsHostMsg_DispatchOnEmbedder_Meta,std::tuple<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,void>::Dispatch<content::DevToolsFrontendHostImpl,content::DevToolsFrontendHostImpl,void,void (__cdecl content::DevToolsFrontendHostImpl::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const & __ptr64) __ptr64>+0x154 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 121]
00000000`0032b3f0 000007fe`e8758860 chrome_7fee80d0000!content::DevToolsFrontendHostImpl::OnMessageReceived+0xe7 [c:\b\build\slave\win64-pgo\build\src\content\browser\devtools\devtools_frontend_host_impl.cc @ 74]
00000000`0032b4f0 000007fe`e85590a8 chrome_7fee80d0000!content::WebContentsImpl::OnMessageReceived+0x80 [c:\b\build\slave\win64-pgo\build\src\content\browser\web_contents\web_contents_impl.cc @ 738]
00000000`0032c540 000007fe`e869370a chrome_7fee80d0000!content::RenderFrameHostImpl::OnMessageReceived+0x118 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 726]
00000000`0032e770 000007fe`e8e936b8 chrome_7fee80d0000!content::RenderProcessHostImpl::OnMessageReceived+0x55a [c:\b\build\slave\win64-pgo\build\src\content\browser\renderer_host\render_process_host_impl.cc @ 2079]

Components: Platform>DevTools
Labels: Security_Severity-High Security_Impact-Head OS-Windows Pri-1
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
Do you have a crash ID? More detailed information on how to trigger the crash?

dgozman, can you take a look at this one?

Comment 2 by sheriffbot@chromium.org, Apr 3 2017

Labels: M-59

Comment 3 by sheriffbot@chromium.org, Apr 3 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: caseq@chromium.org
@caseq: mind taking a look?

Comment 5 Deleted

Here is a Crash ID: crash/a102739c10000000.

Comment 7 by caseq@chromium.org, Apr 4 2017

Mergedinto: 704346
Status: Duplicate (was: Assigned)

Comment 8 by sheriffbot@chromium.org, Jul 12 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
