Issue 765650 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Owner:	dgozman@chromium.org
Closed:	Sep 2017
Components:	Platform>DevTools
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	----
Type:	Bug-Security
allpublic

Security: Browser crash - UaF in content::RenderFrameDevToolsAgentHost::RevokePolicy

Reported by chromium...@gmail.com, Sep 15 2017

Issue description

Chrome Version: Canary 63.0.3216.0
Operating System: Windows 7 

REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
2. Open the Devtools
3. Navigate to the link below in chrome-dev.txt (on the same tab)
4. Click to go back to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html >> Crash.

rax=0000016b0000ffff rbx=000000001e62ae60 rcx=000000001e3b00c0
rdx=000000001e3b00c0 rsi=0000000000000000 rdi=000000001e3b00c0
rip=000007feeef4a6c0 rsp=000000000040e820 rbp=000000001e5da4c0
 r8=000000004f59a62e  r9=000000000040e6d0 r10=00000002f2f1de0f
r11=000000000040e880 r12=000000000040ec80 r13=0000000000000000
r14=000000001e5da4c0 r15=000000001e5da4c0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010246
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::RevokePolicy+0x38:
000007fe`eef4a6c0 ff5050          call    qword ptr [rax+50h] ds:0000016b`0001004f=????????????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0040e820 000007fe`eef4a398 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::RevokePolicy+0x38 [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 788]
00000000`0040e8a0 000007fe`eef49e59 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::UpdateFrameHost+0x64 [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 739]
00000000`0040e8d0 000007fe`ef1e8ca7 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::ReadyToCommitNavigation+0x4d [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 670]
00000000`0040e900 000007fe`eefb6680 chrome_7feeea50000!content::WebContentsImpl::ReadyToCommitNavigation+0x6f [c:\b\c\b\win64_pgo\src\content\browser\web_contents\web_contents_impl.cc @ 3737]
00000000`0040e970 000007fe`eefb637a chrome_7feeea50000!content::NavigationHandleImpl::ReadyToCommitNavigation+0x264 [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_handle_impl.cc @ 746]
00000000`0040ea70 000007fe`eefba8f5 chrome_7feeea50000!content::NavigationHandleImpl::WillProcessResponse+0x186 [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_handle_impl.cc @ 715]
00000000`0040eb20 000007fe`ef05a532 chrome_7feeea50000!content::NavigationRequest::OnResponseStarted+0x47d [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_request.cc @ 736]
00000000`0040ec30 000007fe`ef05b3cf chrome_7feeea50000!content::NavigationURLLoaderImpl::NotifyResponseStarted+0x92 [c:\b\c\b\win64_pgo\src\content\browser\loader\navigation_url_loader_impl.cc @ 110]
00000000`0040ecd0 000007fe`ef633c02 chrome_7feeea50000!base::internal::Invoker<base::internal::BindState<void (__cdecl content::NavigationURLLoaderImpl::*)(scoped_refptr<content::ResourceResponse> const & __ptr64,std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> >,content::SSLStatus const & __ptr64,std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >,content::GlobalRequestID const & __ptr64,bool,bool) __ptr64,base::WeakPtr<content::NavigationURLLoaderImpl>,scoped_refptr<content::ResourceResponse>,base::internal::PassedWrapper<std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> > >,content::SSLStatus,base::internal::PassedWrapper<std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> > >,content::GlobalRequestID,bool,bool>,void __cdecl(void)>::RunOnce+0xbf [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 318]
00000000`0040ed20 000007fe`ef5cc8ea chrome_7feeea50000!base::debug::TaskAnnotator::RunTask+0x132 [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 61]
00000000`0040ee90 000007fe`ef5cd263 chrome_7feeea50000!base::MessageLoop::RunTask+0x1fa [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 407]
00000000`0040eff0 000007fe`ef627db1 chrome_7feeea50000!base::MessageLoop::DoWork+0x453 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 524]
00000000`0040f1b0 000007fe`ef627a34 chrome_7feeea50000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0040f220 000007fe`ef5ecba9 chrome_7feeea50000!base::MessagePumpWin::Run+0x54 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_win.cc @ 58]
00000000`0040f270 000007fe`ef537a30 chrome_7feeea50000!base::RunLoop::Run+0x69 [c:\b\c\b\win64_pgo\src\base\run_loop.cc @ 124]
00000000`0040f320 000007fe`eeed4ffc chrome_7feeea50000!ChromeBrowserMainParts::MainMessageLoopRun+0x1a8 [c:\b\c\b\win64_pgo\src\chrome\browser\chrome_browser_main.cc @ 1914]
00000000`0040f3e0 000007fe`eeece055 chrome_7feeea50000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\c\b\win64_pgo\src\content\browser\browser_main_runner.cc @ 148]
00000000`0040f430 000007fe`ef48a6f7 chrome_7feeea50000!content::BrowserMain+0xb5 [c:\b\c\b\win64_pgo\src\content\browser\browser_main.cc @ 46]
00000000`0040f480 000007fe`ef4a6642 chrome_7feeea50000!content::ContentMainRunnerImpl::Run+0x24b [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 703]
00000000`0040f630 000007fe`ef48a038 chrome_7feeea50000!service_manager::Main+0x2d2 [c:\b\c\b\win64_pgo\src\services\service_manager\embedder\main.cc @ 469]

chrome-dev.txt
1.7 KB View Download

Comment 1 Deleted

Comment 2 Deleted

Comment 3 by elawrence@chromium.org, Sep 15 2017

 Issue 765060 , Issue 756120, and Issue 742955 all appear to be similar.

Comment 4 by mea...@chromium.org, Sep 15 2017

Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)

dgozman: Can you please take a look? Issue 742955 indeed looks like a duplicate.

Comment 5 Deleted

Comment 6 by chromium...@gmail.com, Sep 16 2017

Also, I was able to repro this on Mac, but I couldn't repro on Linux.

Comment 7 by chromium...@gmail.com, Sep 18 2017

I have another way to repro this crash with the below steps: 

1. Open index.html
2. Click on "Start" button
3. Now on crash.html open the devtools and click on the toggle device toolbar.
4. Then tap on "Crash" button

PoC.rar
330 bytes Download

	323432.mp4 364 KB View Download

Comment 8 by palmer@chromium.org, Sep 19 2017

Components: Platform>DevTools
Mergedinto: 742955
Status: Duplicate (was: Assigned)

This looks like a duplicate of Issue 742955 to me. CC'd this bug's reporter on that bug.

Project Member

Comment 9 by sheriffbot@chromium.org, Dec 27 2017

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 765650 link

Issue metadata

Security: Browser crash - UaF in content::RenderFrameDevToolsAgentHost::RevokePolicy

Issue description

Comment 1 Deleted

Comment 2 Deleted

Comment 3 by elawrence@chromium.org, Sep 15 2017

Comment 3 Deleted

Comment 4 by mea...@chromium.org, Sep 15 2017

Comment 4 Deleted

Comment 5 Deleted

Comment 6 by chromium...@gmail.com, Sep 16 2017

Comment 6 Deleted

Comment 7 by chromium...@gmail.com, Sep 18 2017

Comment 7 Deleted

Comment 8 by palmer@chromium.org, Sep 19 2017

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Dec 27 2017

Comment 9 Deleted

Sign in to add a comment