Security: Browser crash - UaF in content::RenderFrameDevToolsAgentHost::RevokePolicy
Reported by
chromium...@gmail.com,
Sep 15 2017
Issue description
Chrome Version: Canary 63.0.3216.0
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
2. Open the Devtools
3. Navigate to the link below in chrome-dev.txt (on the same tab)
4. Click to go back to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
>> Crash.

rax=0000016b0000ffff rbx=000000001e62ae60 rcx=000000001e3b00c0
rdx=000000001e3b00c0 rsi=0000000000000000 rdi=000000001e3b00c0
rip=000007feeef4a6c0 rsp=000000000040e820 rbp=000000001e5da4c0
 r8=000000004f59a62e  r9=000000000040e6d0 r10=00000002f2f1de0f
r11=000000000040e880 r12=000000000040ec80 r13=0000000000000000
r14=000000001e5da4c0 r15=000000001e5da4c0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010246
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::RevokePolicy+0x38:
000007fe`eef4a6c0 ff5050 call qword ptr [rax+50h] ds:0000016b`0001004f=????????????????
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0040e820 000007fe`eef4a398 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::RevokePolicy+0x38 [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 788]
00000000`0040e8a0 000007fe`eef49e59 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::UpdateFrameHost+0x64 [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 739]
00000000`0040e8d0 000007fe`ef1e8ca7 chrome_7feeea50000!content::RenderFrameDevToolsAgentHost::ReadyToCommitNavigation+0x4d [c:\b\c\b\win64_pgo\src\content\browser\devtools\render_frame_devtools_agent_host.cc @ 670]
00000000`0040e900 000007fe`eefb6680 chrome_7feeea50000!content::WebContentsImpl::ReadyToCommitNavigation+0x6f [c:\b\c\b\win64_pgo\src\content\browser\web_contents\web_contents_impl.cc @ 3737]
00000000`0040e970 000007fe`eefb637a chrome_7feeea50000!content::NavigationHandleImpl::ReadyToCommitNavigation+0x264 [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_handle_impl.cc @ 746]
00000000`0040ea70 000007fe`eefba8f5 chrome_7feeea50000!content::NavigationHandleImpl::WillProcessResponse+0x186 [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_handle_impl.cc @ 715]
00000000`0040eb20 000007fe`ef05a532 chrome_7feeea50000!content::NavigationRequest::OnResponseStarted+0x47d [c:\b\c\b\win64_pgo\src\content\browser\frame_host\navigation_request.cc @ 736]
00000000`0040ec30 000007fe`ef05b3cf chrome_7feeea50000!content::NavigationURLLoaderImpl::NotifyResponseStarted+0x92 [c:\b\c\b\win64_pgo\src\content\browser\loader\navigation_url_loader_impl.cc @ 110]
00000000`0040ecd0 000007fe`ef633c02 chrome_7feeea50000!base::internal::Invoker<base::internal::BindState<void (__cdecl content::NavigationURLLoaderImpl::*)(scoped_refptr<content::ResourceResponse> const & __ptr64,std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> >,content::SSLStatus const & __ptr64,std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >,content::GlobalRequestID const & __ptr64,bool,bool) __ptr64,base::WeakPtr<content::NavigationURLLoaderImpl>,scoped_refptr<content::ResourceResponse>,base::internal::PassedWrapper<std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> > >,content::SSLStatus,base::internal::PassedWrapper<std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> > >,content::GlobalRequestID,bool,bool>,void __cdecl(void)>::RunOnce+0xbf [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 318]
00000000`0040ed20 000007fe`ef5cc8ea chrome_7feeea50000!base::debug::TaskAnnotator::RunTask+0x132 [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 61]
00000000`0040ee90 000007fe`ef5cd263 chrome_7feeea50000!base::MessageLoop::RunTask+0x1fa [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 407]
00000000`0040eff0 000007fe`ef627db1 chrome_7feeea50000!base::MessageLoop::DoWork+0x453 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 524]
00000000`0040f1b0 000007fe`ef627a34 chrome_7feeea50000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_win.cc @ 174]
00000000`0040f220 000007fe`ef5ecba9 chrome_7feeea50000!base::MessagePumpWin::Run+0x54 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_win.cc @ 58]
00000000`0040f270 000007fe`ef537a30 chrome_7feeea50000!base::RunLoop::Run+0x69 [c:\b\c\b\win64_pgo\src\base\run_loop.cc @ 124]
00000000`0040f320 000007fe`eeed4ffc chrome_7feeea50000!ChromeBrowserMainParts::MainMessageLoopRun+0x1a8 [c:\b\c\b\win64_pgo\src\chrome\browser\chrome_browser_main.cc @ 1914]
00000000`0040f3e0 000007fe`eeece055 chrome_7feeea50000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\c\b\win64_pgo\src\content\browser\browser_main_runner.cc @ 148]
00000000`0040f430 000007fe`ef48a6f7 chrome_7feeea50000!content::BrowserMain+0xb5 [c:\b\c\b\win64_pgo\src\content\browser\browser_main.cc @ 46]
00000000`0040f480 000007fe`ef4a6642 chrome_7feeea50000!content::ContentMainRunnerImpl::Run+0x24b [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 703]
00000000`0040f630 000007fe`ef48a038 chrome_7feeea50000!service_manager::Main+0x2d2 [c:\b\c\b\win64_pgo\src\services\service_manager\embedder\main.cc @ 469]
Sep 15 2017
Issue 765060, Issue 756120, and Issue 742955 all appear to be similar.
Sep 15 2017
dgozman: Can you please take a look? Issue 742955 indeed looks like a duplicate.
Sep 16 2017
Also, I was able to repro this on Mac, but I couldn't repro on Linux.
Sep 18 2017
I have another way to repro this crash with the below steps:
1. Open index.html
2. Click on "Start" button
3. Now on crash.html open the devtools and click on the toggle device toolbar.
4. Then tap on "Crash" button
Sep 19 2017
This looks like a duplicate of Issue 742955 to me. CC'd this bug's reporter on that bug.
Dec 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot