
Issue 768295

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Access Violation in chrome_child

Reported by ma7h1a...@gmail.com, Sep 25 2017

Issue description

FAULTING_IP: 
chrome_child+16295bb
031e95bb 8b4304          mov     eax,dword ptr [ebx+4]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 031e95bb (chrome_child+0x016295bb)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

PROCESS_NAME:  chrome.exe

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 765b0000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  59ba2cbc

MODULE_NAME: chrome_child

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000004

READ_ADDRESS:  00000004 

FOLLOWUP_IP: 
chrome_child+16295bb
031e95bb 8b4304          mov     eax,dword ptr [ebx+4]
 
Attachment: poc.html (51 bytes)

Comment 1 by ma7h1a...@gmail.com, Sep 25 2017

Uploaded crash report ID: 5ec93a3158f6dd46 (local crash ID: ac17a946-7e41-4aa2-8f1a-4b412467a7ca)

Reported by the crash report on Monday, September 25, 2017, at 3:47:52 pm on Wednesday, September 25, 2017, at 3:47:54

The first time that I found this was September 18; this time I minimized the POC.html.
Attachment: crash.jpg (20.2 KB)

Comment 2 by ma7h1a...@gmail.com, Sep 25 2017

Oh, I'm sorry that I copied the wrong report.
This bug is caused by a Break instruction exception, not an Access violation.

FAULTING_IP: 
chrome_child!GetHandleVerifier+15a20e
01b65f85 cc              int     3

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01b65f85 (chrome_child!GetHandleVerifier+0x0015a20e)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000

PROCESS_NAME:  chrome.exe

Comment 3 by ClusterFuzz (Project Member), Sep 25 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6097105684004864.

Comment 4 by palmer@chromium.org, Sep 25 2017

Labels: Needs-Feedback
The stack trace from 5ec93a3158f6dd46 seems unrelated. I can't reproduce the crash with the poc.html on Windows or Linux. Do you have any additional information?

Comment 5 by ma7h1a...@gmail.com, Sep 25 2017

I could reproduce it using the stable version of Chrome on Windows 7.
I'm sorry, but it is midnight here now; I'll give feedback tomorrow.

Comment 6 by sheriffbot@chromium.org (Project Member), Sep 25 2017

Cc: palmer@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "palmer@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by ma7h1a...@gmail.com, Sep 26 2017

Oh, here I got the key point:
you must put the HTML file on a local HTTP server
instead of opening it directly.

Comment 8 by ma7h1a...@gmail.com, Sep 26 2017

Please put it on a local HTTP server or it will not crash.
Crash ID: 5a569c1a0de8aecb
It could crash in the following environment:
System: Windows 7
Browser: 61.0.3163.100 / 62.0.3202.29 (Official Build) beta
Attachment: crash.gif (1.3 MB)

Comment 9 by ma7h1a...@gmail.com, Sep 26 2017

So here I've got an online demo for you:
https://www.math1as.com/chrome/poc.html

Comment 10 by ClusterFuzz (Project Member), Sep 26 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6369979049181184.

Status: WontFix (was: Unconfirmed)
Does not reproduce on either Linux or Windows, even when loading the testcase from an HTTP server.

Comment 12 by sheriffbot@chromium.org (Project Member), Jan 3 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
