Security: Heap-use-after-free in content::protocol::NetworkHandler::SetNetworkConditions
Reported by chromium...@gmail.com, Nov 2 2017
Issue description

VERSION
Chrome Version: 64.0.3255.3
Operating System: Windows 7, Mac

REPRODUCTION CASE
rax=000000000000ffff rbx=0000000018dd82f8 rcx=000000001d140d50
rdx=00000000003ad008 rsi=00000000003ad008 rdi=0000000018dd82d0
rip=000007fee7f1f96c rsp=00000000003acf90 rbp=00000000003ad4c0
r8=0002f59e05e4000b r9=0002f59f06fe000c r10=000007fee9d45af8
r11=00000000003ad020 r12=00000000003ad0d8 r13=00000000188d1db0
r14=00000000003ad0d0 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010206
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fee7690000!content::protocol::NetworkHandler::SetNetworkConditions+0x24:
000007fe`e7f1f96c ff9088000000 call qword ptr [rax+88h] ds:00000000`00010087=00e6d71e5dd31500
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`003acf90 000007fe`e7f1f914 chrome_7fee7690000!content::protocol::NetworkHandler::SetNetworkConditions+0x24 [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 1263]
00000000`003acfe0 000007fe`e7f0f34f chrome_7fee7690000!content::protocol::NetworkHandler::Disable+0xda [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 698]
00000000`003ad0a0 000007fe`e7f0eda2 chrome_7fee7690000!content::DevToolsSession::~DevToolsSession+0x67 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_session.cc @ 32]
00000000`003ad140 000007fe`e808e98c chrome_7fee7690000!content::DevToolsSession::~DevToolsSession+0x10 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_session.cc @ 29]
00000000`003ad180 000007fe`e7f05799 chrome_7fee7690000!std::vector<std::pair<viz::FrameSinkId,std::unique_ptr<content::OffscreenCanvasSurfaceImpl,std::default_delete<content::OffscreenCanvasSurfaceImpl> > >,std::allocator<std::pair<viz::FrameSinkId,std::unique_ptr<content::OffscreenCanvasSurfaceImpl,std::default_delete<content::OffscreenCanvasSurfaceImpl> > > > >::erase+0x84 [c:\b\c\win_toolchain\vs_files\88c3b62e1eb0893b8cd57e3f4859c3af27907f64\vc\tools\msvc\14.11.25503\include\vector @ 1642]
00000000`003ad1e0 000007fe`e7f05616 chrome_7fee7690000!base::internal::flat_tree<content::DevToolsAgentHostClient *,std::pair<content::DevToolsAgentHostClient *,std::unique_ptr<content::DevToolsSession,std::default_delete<content::DevToolsSession> > >,base::internal::GetKeyFromValuePairFirst<content::DevToolsAgentHostClient *,std::unique_ptr<content::DevToolsSession,std::default_delete<content::DevToolsSession> > >,std::less<void> >::erase<content::DevToolsAgentHostClient *>+0x55 [C:\b\c\b\win64_clang\src\base\containers\flat_tree.h @ 815]
00000000`003ad230 000007fe`e7f0555e chrome_7fee7690000!content::DevToolsAgentHostImpl::InnerDetachClient+0x7c [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_agent_host_impl.cc @ 211]
00000000`003ad290 000007fe`e9106b5f chrome_7fee7690000!content::DevToolsAgentHostImpl::DetachClient+0x50 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_agent_host_impl.cc @ 182]
00000000`003ad2f0 000007fe`e929ce9c chrome_7fee7690000!DevToolsUIBindings::~DevToolsUIBindings+0xb5 [C:\b\c\b\win64_clang\src\chrome\browser\devtools\devtools_ui_bindings.cc @ 584]
00000000`003ad350 000007fe`e813c14f chrome_7fee7690000!DevToolsUI::~DevToolsUI+0x1e [C:\b\c\b\win64_clang\src\chrome\browser\ui\webui\devtools_ui.cc @ 361]
00000000`003ad390 000007fe`e813c0a0 chrome_7fee7690000!content::WebUIImpl::~WebUIImpl+0x37 [C:\b\c\b\win64_clang\src\content\browser\webui\web_ui_impl.cc @ 89]
00000000`003ad3d0 000007fe`e7fa9b4d chrome_7fee7690000!content::WebUIImpl::~WebUIImpl+0x10 [C:\b\c\b\win64_clang\src\content\browser\webui\web_ui_impl.cc @ 89]
00000000`003ad410 000007fe`e8130cf1 chrome_7fee7690000!content::RenderFrameHostManager::ClearWebUIInstances+0x11 [C:\b\c\b\win64_clang\src\content\browser\frame_host\render_frame_host_manager.cc @ 678]
00000000`003ad440 000007fe`e812fe4e chrome_7fee7690000!content::WebContentsImpl::~WebContentsImpl+0x1bd [C:\b\c\b\win64_clang\src\content\browser\web_contents\web_contents_impl.cc @ 598]
00000000`003ad560 000007fe`e92b199e chrome_7fee7690000!content::WebContentsImpl::~WebContentsImpl+0x10 [C:\b\c\b\win64_clang\src\content\browser\web_contents\web_contents_impl.cc @ 573]
00000000`003ad5a0 000007fe`e92afdca chrome_7fee7690000!TabStripModelImpl::InternalCloseTab+0xce [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 1262]
00000000`003ad650 000007fe`e92af8b6 chrome_7fee7690000!TabStripModelImpl::InternalCloseTabs+0x4f8 [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 1237]
00000000`003ad760 000007fe`e932a9ca chrome_7fee7690000!TabStripModelImpl::CloseAllTabs+0x76 [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 544]
00000000`003ad7d0 000007fe`e839f88c chrome_7fee7690000!BrowserView::CanClose+0xa2 [C:\b\c\b\win64_clang\src\chrome\browser\ui\views\frame\browser_view.cc @ 1915]
00000000`003ad810 000007fe`e788b7e0 chrome_7fee7690000!views::Widget::Close+0x36 [C:\b\c\b\win64_clang\src\ui\views\widget\widget.cc @ 582]

Nov 8 2017
Hi Andrew - This crash occurs when I start navigating to different sites with DevTools open; then sometimes I can see another DevTools window being opened randomly, as in the attached screenshot. In that case, if I close the original page first and then the DevTools window (the one that was opened randomly), Chrome will crash.

Nov 8 2017
dgozman, do you mind taking a look? Looks like the crash might originate in the devtools detachment.

Nov 8 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 8 2017
Khalil, could you please provide a bit more detail on how to reproduce this? I suppose the page you navigate to or from has popups and you've got "Auto-open DevTools for popups" enabled in DevTools settings; is that the case? Also, could you provide an example URL where this happens?

Nov 9 2017
Well, now I'm able to get Auto-open DevTools with the attached testcase.
1. Open a new tab with DevTools.
2. Launch the test case, then click Back.
As you can see in the video, I've got a new DevTools window.

Nov 16 2017
caseq@, is c#8 helpful, or do we need more feedback?

Nov 20 2017
Crash ID is 965e5add401e5ae6.

Nov 23 2017
caseq: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 23 2017
Caseq, any update?

Dec 4 2017
Adding Internals>Sandbox>SiteIsolation due to content/browser/frame_host/OWNERS. The top of the crash stack is:

0x000000010cd4876d (Google Chrome Framework -Frame.h:141 ) blink::WebRemoteFrameImpl::DidStopLoading()
0x000000010dac5a95 (Google Chrome Framework -tuple.h:52 ) bool IPC::MessageT<FrameMsg_DidStopLoading_Meta, std::__1::tuple<>, void>::Dispatch<content::RenderFrameProxy, content::RenderFrameProxy, void, void (content::RenderFrameProxy::*)()>(IPC::Message const*, content::RenderFrameProxy*, content::RenderFrameProxy*, void*, void (content::RenderFrameProxy::*)())
0x000000010dac4cec (Google Chrome Framework -render_frame_proxy.cc:345 ) content::RenderFrameProxy::OnMessageReceived(IPC::Message const&)
0x0000000109f0477a (Google Chrome Framework -ipc_channel_proxy.cc:321 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
0x0000000109bbd27b (Google Chrome Framework -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00000001096c66a1 (Google Chrome Framework -task_queue_manager.cc:535 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0x00000001096c4601 (Google Chrome Framework -task_queue_manager.cc:323 ) blink::scheduler::TaskQueueManager::DoWork(bool)
0x0000000109bbd27b (Google Chrome Framework -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)

This could potentially affect all platforms except iOS, right? At least Desktop? The reporter cites at least macOS in addition to Windows. It'd be good to make progress on this, since we promise to resolve High severity issues in under 60 days. Thanks!

Dec 5 2017
palmer@ does #13 refer to a different bug? This is a browser crash and the stack in #13 is from the renderer.

Dec 19 2017
caseq: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 1 2018
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 11 2018
Just a reminder: we're less than 2 weeks away from M64 stable promotion, and this is marked as a blocker.

Jan 20 2018
palmer -- question for you on #14.

Jan 22 2018
re #14: I'm not sure; I was going on the stack trace given in the crash ID given in #10. It might indeed be for a different bug.

Jan 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3c8e4852477d5b1e2da877808c998dc57db9460f

commit 3c8e4852477d5b1e2da877808c998dc57db9460f
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Jan 23 05:20:27 2018

DevTools: speculative fix for crash in NetworkHandler::Disable

This keeps BrowserContext* and StoragePartition* instead of RenderProcessHost* in an attempt to resolve UAF of RenderProcessHost upon closure of DevTools front-end.

Bug: 801117, 783067, 780694
Change-Id: I6c2cca60cc0c29f0949d189cf918769059f80c1b
Reviewed-on: https://chromium-review.googlesource.com/876657
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531157}

[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/devtools_session.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/devtools_session.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/devtools_domain_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/devtools_domain_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/dom_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/dom_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/emulation_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/emulation_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/input_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/input_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/inspector_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/inspector_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/io_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/io_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/network_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/network_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/page_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/page_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/security_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/security_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/service_worker_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/service_worker_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/storage_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/storage_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/target_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/target_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/service_worker_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/shared_worker_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/shared_worker_devtools_agent_host.h
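The lifetime hazard the commit message above describes, as an added illustration that is not Chromium's code and not part of this bug thread. The reporter's stack shows Disable() being called from the DevToolsSession destructor and faulting inside SetNetworkConditions on an indirect call through [rax+88h] with rax=0xffff, i.e. a virtual call on an object that is no longer valid. The pattern behind that is a protocol handler caching a raw pointer to a per-process object (RenderProcessHost in the commit message) whose lifetime is shorter than the session's. The stand-in classes below (ProcessHost, BrowserContextLike, RawPointerHandler, ContextHandler and the "renderer-1" key are all invented for the example) show the vulnerable shape next to the hardened one the commit message describes: hold the longer-lived owner plus a stable key and re-resolve the process on every call, treating "already gone" as a no-op.

```cpp
// Added illustration of the lifetime hazard named in the commit message.
// Stand-in classes only; none of this is Chromium code.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a per-renderer-process object whose lifetime is shorter than
// the DevTools session's (it can go away on navigation, crash or tab close).
struct ProcessHost {
  std::string id;
  bool throttled = false;
  explicit ProcessHost(std::string i) : id(std::move(i)) {}
};

// Stand-in for the longer-lived owner (BrowserContext/StoragePartition in the
// commit message). It owns the hosts and can answer "does this one still exist?".
class BrowserContextLike {
 public:
  ProcessHost* Add(const std::string& id) {
    hosts_.push_back(std::make_unique<ProcessHost>(id));
    return hosts_.back().get();
  }
  ProcessHost* Find(const std::string& id) {
    for (auto& h : hosts_)
      if (h->id == id) return h.get();
    return nullptr;
  }
  void Remove(const std::string& id) {  // the renderer process is torn down
    hosts_.erase(std::remove_if(hosts_.begin(), hosts_.end(),
                                [&](const std::unique_ptr<ProcessHost>& h) {
                                  return h->id == id;
                                }),
                 hosts_.end());
  }
 private:
  std::vector<std::unique_ptr<ProcessHost>> hosts_;
};

// Vulnerable shape: cache a raw ProcessHost* at construction and dereference it
// again in Disable(). Disable() runs from the session destructor, so once the
// host died first this is a heap-use-after-free (ASan flags the Disable() line).
class RawPointerHandler {
 public:
  explicit RawPointerHandler(ProcessHost* host) : host_(host) {}
  void Enable() { host_->throttled = true; }
  void Disable() { host_->throttled = false; }  // the UAF site
  // Diagnostic only: cached pointer is non-null but its owner no longer has it.
  bool HoldsDangling(BrowserContextLike& ctx, const std::string& id) const {
    return host_ != nullptr && ctx.Find(id) == nullptr;
  }
 private:
  ProcessHost* host_;
};

// Hardened shape: keep the long-lived context and a stable key, re-resolve the
// process on every call, and treat "already gone" as nothing to do.
class ContextHandler {
 public:
  ContextHandler(BrowserContextLike* ctx, std::string id)
      : ctx_(ctx), id_(std::move(id)) {}
  bool Enable() {
    ProcessHost* h = ctx_->Find(id_);
    if (!h) return false;
    h->throttled = true;
    return true;
  }
  bool Disable() {
    ProcessHost* h = ctx_->Find(id_);
    if (!h) return false;  // process already torn down: no dereference
    h->throttled = false;
    return true;
  }
 private:
  BrowserContextLike* ctx_;
  std::string id_;
};

// Ordering from the report: enable, lose the renderer process, then tear the
// session down (which calls Disable()). True when teardown never touches a
// freed host.
bool SafeTeardownAfterProcessGone() {
  BrowserContextLike ctx;
  ctx.Add("renderer-1");
  ContextHandler handler(&ctx, "renderer-1");
  if (!handler.Enable()) return false;
  ctx.Remove("renderer-1");
  return handler.Disable() == false;
}

// Same ordering with the raw-pointer handler. The stale pointer is reported
// rather than used; calling Disable() here would be the use-after-free.
bool RawHandlerDanglesAfterProcessGone() {
  BrowserContextLike ctx;
  ProcessHost* host = ctx.Add("renderer-1");
  RawPointerHandler handler(host);
  handler.Enable();
  ctx.Remove("renderer-1");
  return handler.HoldsDangling(ctx, "renderer-1");
}

// Normal ordering (process outlives the session): the hardened handler still
// resets the state it set.
bool NormalEnableDisableResetsThrottle() {
  BrowserContextLike ctx;
  ProcessHost* host = ctx.Add("renderer-1");
  ContextHandler handler(&ctx, "renderer-1");
  handler.Enable();
  bool was_on = host->throttled;
  handler.Disable();
  return was_on && !host->throttled;
}
```

The caveat a reviewer of this shape should raise: the hardened handler is only safe if the context it holds genuinely outlives every session attached to it, so the fix moves the lifetime question rather than removing it, and a build with AddressSanitizer is the check that the destructor chain in the report (DevToolsSession -> NetworkHandler::Disable -> SetNetworkConditions) no longer touches freed memory.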

Jan 23 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 23 2018
Verified in 66.0.3330.0.

Jan 23 2018
caseq: Thanks for the fix. If there is no further action needed, can this bug be closed now?

Jan 31 2018
I don't feel comfortable taking #22 for M64. This is RB-Stable for M64; however, I'd like to push this to M65 instead. Awhalley@ any issues?

Feb 1 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feb 1 2018
Shouldn't this be marked as fixed?

Feb 1 2018
I also don't feel comfortable taking this merge to M65. +awhalley@, is this really needed for M65?

Feb 1 2018
I'd like to take this if the fix isn't too risky. It seems big in terms of number of lines of change rather than being a major change. caseq@ - seem reasonable to take it in 65?

Feb 2 2018
Changing back to "Merge-Request-65" per comments #32 and #33.

Feb 2 2018
I think this _may_ possibly be merged, we've had the change live for quite some time without any issues. Yet on the other hand, we don't know the exact reproduction scenario and the original number of crashes was quite small, so I'm not sure if the severity is really high enough to justify the merge. So I would defer this to the TPMs, but given #32, perhaps we shouldn't?

Feb 2 2018
Rejecting merge to M65 branch based on comments #33 and #35. awhalley@, please let me know if there is any concern here. Thank you.

Feb 7 2018
This is fixed; merge needs to be tracked by merge flags.

Feb 19 2018
I'm afraid the Chrome VRP panel decided not to award this report :-(

May 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot