Malformed UI Latency message from renderer crashes browser
Reported by zhouat2...@gmail.com, Jun 15 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36

Steps to reproduce the problem:
1. Hook the render process.
2. Fuzz the payload of an IPC message.
3. Then send the message to the browser.
4. The whole of Chrome crashes.

What is the expected behavior?

What went wrong?
Just one visit crashes the whole of Chrome. Someone can construct a malicious IPC message which carries a bad payload, then put the whole thing on his home page. Once another user visits his home page's URL, the visitor's whole browser crashes, because of the check in the source file; see here: https://cs.chromium.org/chromium/src/ui/latency/latency_info.cc?l=226

Did this work before? N/A

Chrome version: 59.0.3071.86
Channel: stable
OS Version: Ubuntu 14.04.5 LTS \n \l
Flash Version:

In the PoC video, I use `Chromium 51.0.2684.0 (Developer Build) (32-bit)`, which is the newest version I can get from the URL below. It is not stripped, so I can locate the IPC send easily; the IPC message is the second argument. But it can affect all versions of Chrome, and needs some more work to construct the message by hand.
https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux/
Jun 15 2017

Jun 16 2017
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 16 2017
Thanks for the additional info. Is the crash from poc_zhouat.png the same as shown in the video, i.e. "Check failed" in latency_info.cc?

Jun 16 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6255979154112512

Jun 16 2017
Thank you for providing more feedback. Adding requester "estark@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 16 2017
Thanks. I'm removing security labels because the crash hits a CHECK, which is designed to crash the browser to prevent security problems. It would be better if it were not so easy to crash the browser, but we don't classify such problems as security bugs.

Jun 16 2017
Re comment #10: yes I agree Chrome should handle this case better which is why I'm leaving the bug open to be triaged as a functional bug. See https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs- for our FAQ about DoS as security bugs.
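The design point in the two comments above, a CHECK on data supplied by a less-trusted renderer takes the whole browser process down, whereas a validate-and-reject parser lets the handler drop only the offending message and its sender, shown as an added C++ illustration that is not Chromium's code. The byte layout, the `kMaxComponents` bound and the function names are constructed stand-ins, not the real LatencyInfo wire format or API.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed stand-in format, not Chromium's real LatencyInfo wire format:
// [count:u8] then count records of [component_id:u8][time_us:u32 little-endian].
constexpr size_t kRecordSize = 5;
constexpr size_t kMaxComponents = 16;  // assumed bound a parser should enforce

struct LatencyComponent {
  uint8_t id;
  uint32_t time_us;
};

// Browser-side parse of bytes that arrived from a less-trusted renderer.
// Every malformed case returns nullopt. A CHECK here would instead abort the
// browser process, turning any single bad renderer message into a full DoS.
std::optional<std::vector<LatencyComponent>> ParseLatencyPayload(
    const std::vector<uint8_t>& bytes) {
  if (bytes.empty()) return std::nullopt;
  const size_t count = bytes[0];
  if (count > kMaxComponents) return std::nullopt;                  // absurd count
  if (bytes.size() != 1 + count * kRecordSize) return std::nullopt; // length lie
  std::vector<LatencyComponent> out;
  for (size_t i = 0; i < count; ++i) {
    const uint8_t* p = &bytes[1 + i * kRecordSize];
    for (const auto& c : out)
      if (c.id == p[0]) return std::nullopt;                        // duplicate id
    const uint32_t t = uint32_t(p[1]) | (uint32_t(p[2]) << 8) |
                       (uint32_t(p[3]) << 16) | (uint32_t(p[4]) << 24);
    out.push_back({p[0], t});
  }
  return out;
}

enum class Verdict { kAccepted, kRejectSender };

// The handler's policy for untrusted input: drop the message and flag the
// sending renderer for termination; never take the browser down with it.
Verdict HandleLatencyMessage(const std::vector<uint8_t>& bytes) {
  return ParseLatencyPayload(bytes) ? Verdict::kAccepted
                                    : Verdict::kRejectSender;
}
```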
Jun 21 2017

Feb 14 2018
Changing type to Bug since this bug doesn't seem to have security implications. Re #14, we don't give CVE numbers to non-security bugs.

Jul 30
Testcase 6255979154112512 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6255979154112512.

Jul 30

Nov 8
Mass UI Triage.
Comment 1 by elawrence@chromium.org, Jun 15 2017
Components: UI
Labels: Stability-Crash
Summary: Malformed UI Latency message from renderer crashes browser (was: Malicious payload of ipc message in render process, crash the whole chrome.)