Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security
Security: Heap-use-after-free in content::protocol::NetworkHandler::SetNetworkConditions

Reported by chromium...@gmail.com, Nov 2 2017

Issue description

VERSION
Chrome Version: 64.0.3255.3
Operating System: Windows 7, Mac

REPRODUCTION CASE
rax=000000000000ffff rbx=0000000018dd82f8 rcx=000000001d140d50
rdx=00000000003ad008 rsi=00000000003ad008 rdi=0000000018dd82d0
rip=000007fee7f1f96c rsp=00000000003acf90 rbp=00000000003ad4c0
 r8=0002f59e05e4000b  r9=0002f59f06fe000c r10=000007fee9d45af8
r11=00000000003ad020 r12=00000000003ad0d8 r13=00000000188d1db0
r14=00000000003ad0d0 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome.dll
chrome_7fee7690000!content::protocol::NetworkHandler::SetNetworkConditions+0x24:
000007fe`e7f1f96c ff9088000000    call    qword ptr [rax+88h] ds:00000000`00010087=00e6d71e5dd31500
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`003acf90 000007fe`e7f1f914 chrome_7fee7690000!content::protocol::NetworkHandler::SetNetworkConditions+0x24 [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 1263]
00000000`003acfe0 000007fe`e7f0f34f chrome_7fee7690000!content::protocol::NetworkHandler::Disable+0xda [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 698]
00000000`003ad0a0 000007fe`e7f0eda2 chrome_7fee7690000!content::DevToolsSession::~DevToolsSession+0x67 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_session.cc @ 32]
00000000`003ad140 000007fe`e808e98c chrome_7fee7690000!content::DevToolsSession::~DevToolsSession+0x10 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_session.cc @ 29]
00000000`003ad180 000007fe`e7f05799 chrome_7fee7690000!std::vector<std::pair<viz::FrameSinkId,std::unique_ptr<content::OffscreenCanvasSurfaceImpl,std::default_delete<content::OffscreenCanvasSurfaceImpl> > >,std::allocator<std::pair<viz::FrameSinkId,std::unique_ptr<content::OffscreenCanvasSurfaceImpl,std::default_delete<content::OffscreenCanvasSurfaceImpl> > > > >::erase+0x84 [c:\b\c\win_toolchain\vs_files\88c3b62e1eb0893b8cd57e3f4859c3af27907f64\vc\tools\msvc\14.11.25503\include\vector @ 1642]
00000000`003ad1e0 000007fe`e7f05616 chrome_7fee7690000!base::internal::flat_tree<content::DevToolsAgentHostClient *,std::pair<content::DevToolsAgentHostClient *,std::unique_ptr<content::DevToolsSession,std::default_delete<content::DevToolsSession> > >,base::internal::GetKeyFromValuePairFirst<content::DevToolsAgentHostClient *,std::unique_ptr<content::DevToolsSession,std::default_delete<content::DevToolsSession> > >,std::less<void> >::erase<content::DevToolsAgentHostClient *>+0x55 [C:\b\c\b\win64_clang\src\base\containers\flat_tree.h @ 815]
00000000`003ad230 000007fe`e7f0555e chrome_7fee7690000!content::DevToolsAgentHostImpl::InnerDetachClient+0x7c [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_agent_host_impl.cc @ 211]
00000000`003ad290 000007fe`e9106b5f chrome_7fee7690000!content::DevToolsAgentHostImpl::DetachClient+0x50 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_agent_host_impl.cc @ 182]
00000000`003ad2f0 000007fe`e929ce9c chrome_7fee7690000!DevToolsUIBindings::~DevToolsUIBindings+0xb5 [C:\b\c\b\win64_clang\src\chrome\browser\devtools\devtools_ui_bindings.cc @ 584]
00000000`003ad350 000007fe`e813c14f chrome_7fee7690000!DevToolsUI::~DevToolsUI+0x1e [C:\b\c\b\win64_clang\src\chrome\browser\ui\webui\devtools_ui.cc @ 361]
00000000`003ad390 000007fe`e813c0a0 chrome_7fee7690000!content::WebUIImpl::~WebUIImpl+0x37 [C:\b\c\b\win64_clang\src\content\browser\webui\web_ui_impl.cc @ 89]
00000000`003ad3d0 000007fe`e7fa9b4d chrome_7fee7690000!content::WebUIImpl::~WebUIImpl+0x10 [C:\b\c\b\win64_clang\src\content\browser\webui\web_ui_impl.cc @ 89]
00000000`003ad410 000007fe`e8130cf1 chrome_7fee7690000!content::RenderFrameHostManager::ClearWebUIInstances+0x11 [C:\b\c\b\win64_clang\src\content\browser\frame_host\render_frame_host_manager.cc @ 678]
00000000`003ad440 000007fe`e812fe4e chrome_7fee7690000!content::WebContentsImpl::~WebContentsImpl+0x1bd [C:\b\c\b\win64_clang\src\content\browser\web_contents\web_contents_impl.cc @ 598]
00000000`003ad560 000007fe`e92b199e chrome_7fee7690000!content::WebContentsImpl::~WebContentsImpl+0x10 [C:\b\c\b\win64_clang\src\content\browser\web_contents\web_contents_impl.cc @ 573]
00000000`003ad5a0 000007fe`e92afdca chrome_7fee7690000!TabStripModelImpl::InternalCloseTab+0xce [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 1262]
00000000`003ad650 000007fe`e92af8b6 chrome_7fee7690000!TabStripModelImpl::InternalCloseTabs+0x4f8 [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 1237]
00000000`003ad760 000007fe`e932a9ca chrome_7fee7690000!TabStripModelImpl::CloseAllTabs+0x76 [C:\b\c\b\win64_clang\src\chrome\browser\ui\tabs\tab_strip_model_impl.cc @ 544]
00000000`003ad7d0 000007fe`e839f88c chrome_7fee7690000!BrowserView::CanClose+0xa2 [C:\b\c\b\win64_clang\src\chrome\browser\ui\views\frame\browser_view.cc @ 1915]
00000000`003ad810 000007fe`e788b7e0 chrome_7fee7690000!views::Widget::Close+0x36 [C:\b\c\b\win64_clang\src\ui\views\widget\widget.cc @ 582]

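The report above is a raw WinDbg `k` listing; the first thing a triager does with it is turn each frame back into a checkout-relative source path (the same mapping a later comment on this bug uses to route it via `content/browser/frame_host/OWNERS`). The parser below is an added example for doing that, not tooling from the report or from Chromium. It assumes the build paths contain a `src\` component (the ones in this report do) and that OWNERS lookup walks upward from the file's directory; the sample input reuses frames from the report, except the `std::vector` frame, which is a shortened version of frame 4 constructed to exercise the toolchain-path case.

```python
"""Parse WinDbg `k` output and map frames to checkout-relative paths.

Added example for triaging reports like this one; not Chromium tooling.
Assumes build paths contain a `src\\` component and that OWNERS files are
looked up from the deepest directory upward (assumption, see lead-in).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One `k` frame: Child-SP, RetAddr, module!symbol+0xoff, optional [path @ line].
# Symbols may contain spaces (templates), so the symbol group is non-greedy
# and the match is anchored on the trailing source location.
FRAME_RE = re.compile(
    r"^(?P<child_sp>[0-9a-f`]+)\s+(?P<ret_addr>[0-9a-f`]+)\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>.+?)\+0x(?P<offset>[0-9a-f]+)"
    r"(?:\s+\[(?P<path>.+?) @ (?P<line>\d+)\])?\s*$"
)


@dataclass
class Frame:
    index: int
    module: str
    symbol: str
    offset: int
    path: Optional[str]       # build-machine path as printed by the debugger
    line: Optional[int]
    rel_path: Optional[str]   # path relative to src/, None for toolchain frames


def to_src_relative(build_path: str) -> Optional[str]:
    """Strip the build-machine prefix up to and including `src\\`.

    Returns None for files outside the checkout, e.g. MSVC STL headers,
    which never own a bug and would only mislead OWNERS routing.
    """
    parts = build_path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if "src" not in lowered:
        return None
    return "/".join(parts[lowered.index("src") + 1:])


def parse_stack(text: str) -> List[Frame]:
    """Parse every frame line; headers and debugger notes are skipped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        frames.append(Frame(
            index=len(frames),
            module=m.group("module"),
            symbol=m.group("symbol"),
            offset=int(m.group("offset"), 16),
            path=path,
            line=int(m.group("line")) if m.group("line") else None,
            rel_path=to_src_relative(path) if path else None,
        ))
    return frames


def first_in_tree_frame(frames: List[Frame]) -> Optional[Frame]:
    """Top-most frame that lives in the checkout (toolchain frames skipped)."""
    return next((f for f in frames if f.rel_path is not None), None)


def owners_candidates(rel_path: str) -> List[str]:
    """OWNERS files to consult for rel_path, deepest directory first
    (assumes upward lookup, as described in the lead-in)."""
    parts = rel_path.split("/")[:-1]
    out = []
    while parts:
        out.append("/".join(parts) + "/OWNERS")
        parts.pop()
    out.append("OWNERS")
    return out


# Sample input: frames from this report, plus one constructed toolchain frame
# (a shortened form of the report's std::vector::erase frame).
SAMPLE_STACK = r"""
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`003acf90 000007fe`e7f1f914 chrome_7fee7690000!content::protocol::NetworkHandler::SetNetworkConditions+0x24 [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 1263]
00000000`003acfe0 000007fe`e7f0f34f chrome_7fee7690000!content::protocol::NetworkHandler::Disable+0xda [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\network_handler.cc @ 698]
00000000`003ad0a0 000007fe`e7f0eda2 chrome_7fee7690000!content::DevToolsSession::~DevToolsSession+0x67 [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_session.cc @ 32]
00000000`003ad180 000007fe`e7f05799 chrome_7fee7690000!std::vector<int,std::allocator<int> >::erase+0x84 [c:\b\c\win_toolchain\vs_files\88c3b62e1eb0893b8cd57e3f4859c3af27907f64\vc\tools\msvc\14.11.25503\include\vector @ 1642]
00000000`003ad230 000007fe`e7f0555e chrome_7fee7690000!content::DevToolsAgentHostImpl::InnerDetachClient+0x7c [C:\b\c\b\win64_clang\src\content\browser\devtools\devtools_agent_host_impl.cc @ 211]
"""

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    for f in stack:
        print(f"#{f.index} {f.symbol}+0x{f.offset:x}  {f.rel_path or '<toolchain>'}:{f.line}")
    top = first_in_tree_frame(stack)
    print("route via:", owners_candidates(top.rel_path)[0])
```

Run as-is it prints the five frames with their `src/`-relative paths and names `content/browser/devtools/protocol/OWNERS` as the first OWNERS file to consult for the crashing frame; frames whose file lives in the MSVC toolchain rather than the checkout come back with `rel_path` of `None` so they are never used for routing.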
Hi Khalil - any more details here? Any reproduction steps or test case?
Hi Andrew - This crash occurs when I start navigating to different sites with DevTools open; then sometimes I can see another DevTools being opened randomly, as in the attached screenshot. In that case, if I close the original page first and then the DevTools (the one that was opened randomly), Chrome will crash.
Attachment: Screen Shot 2017-11-08 at 03.27.34.png (1.5 MB)
Cc: pfeldman@chromium.org
Components: Platform>DevTools
Labels: Security_Severity-High Security_Impact-Head OS-Windows Pri-1
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
dgozman, do you mind taking a look? Looks like the crash might originate in the devtools detachment.
Comment 4 by sheriffbot@chromium.org, Nov 8 2017

Labels: M-64
Comment 5 by sheriffbot@chromium.org, Nov 8 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -pfeldman@chromium.org dgozman@chromium.org
Owner: caseq@chromium.org

Comment 7 by caseq@chromium.org, Nov 8 2017

Labels: Needs-Feedback
Khalil, could you please provide a bit more detail on how to reproduce this? I suppose the page you navigate to or from has popups and you've got "Auto-open DevTools for popups" enabled in DevTools settings, is that the case? Also, could you provide an example URL where this happens?
Well, now I'm able to get Auto-open DevTools with the attached test case.

1. Open a new tab with DevTools.
2. Launch the test case, then click back.

As you can see in the video, I've got a new DevTools.

Attachment: screen.mp4 (1.1 MB)
Attachment: testcase (2).html (87 bytes)

Comment 9 by mmoroz@chromium.org, Nov 16 2017

Labels: -Needs-Feedback
caseq@, is c#8 helpful, or do we need more feedback?
Crash ID is 965e5add401e5ae6.
Comment 11 by sheriffbot@chromium.org, Nov 23 2017

caseq: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Caseq, any update?
Cc: lukasza@chromium.org nasko@chromium.org
Components: Internals>Sandbox>SiteIsolation
Labels: OS-Chrome OS-Linux OS-Mac
Adding Internals>Sandbox>SiteIsolation due to content/browser/frame_host/OWNERS. The top of the crash stack is:

0x000000010cd4876d	(Google Chrome Framework -Frame.h:141 )	blink::WebRemoteFrameImpl::DidStopLoading()
0x000000010dac5a95	(Google Chrome Framework -tuple.h:52 )	bool IPC::MessageT<FrameMsg_DidStopLoading_Meta, std::__1::tuple<>, void>::Dispatch<content::RenderFrameProxy, content::RenderFrameProxy, void, void (content::RenderFrameProxy::*)()>(IPC::Message const*, content::RenderFrameProxy*, content::RenderFrameProxy*, void*, void (content::RenderFrameProxy::*)())
0x000000010dac4cec	(Google Chrome Framework -render_frame_proxy.cc:345 )	content::RenderFrameProxy::OnMessageReceived(IPC::Message const&)
0x0000000109f0477a	(Google Chrome Framework -ipc_channel_proxy.cc:321 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
0x0000000109bbd27b	(Google Chrome Framework -callback.h:65 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00000001096c66a1	(Google Chrome Framework -task_queue_manager.cc:535 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0x00000001096c4601	(Google Chrome Framework -task_queue_manager.cc:323 )	blink::scheduler::TaskQueueManager::DoWork(bool)
0x0000000109bbd27b	(Google Chrome Framework -callback.h:65 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)

This could potentially affect all platforms except iOS, right? At least Desktop? The reporter cites at least macOS in addition to Windows.

It'd be good to make progress on this, since we promise to resolve High severity issues in under 60 days. Thanks!
palmer@ does #13 refer to a different bug? This is a browser crash and the stack in #13 is from renderer.
Comment 15 by sheriffbot@chromium.org, Dec 7 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Comment 16 by sheriffbot@chromium.org, Dec 19 2017

caseq: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 17 by sheriffbot@chromium.org, Jan 1 2018

Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Target-64
Just a reminder: we're less than 2 weeks away from M64 stable promotion, and this is marked as a blocker. 
Cc: palmer@chromium.org
palmer -- question for you on #14.
re #14: I'm not sure; I was going on the stack trace given in the crash ID given in #10. It might indeed be for a different bug.
Labels: -ReleaseBlock-Stable
Comment 22 by bugdroid1@chromium.org, Jan 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3c8e4852477d5b1e2da877808c998dc57db9460f

commit 3c8e4852477d5b1e2da877808c998dc57db9460f
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Jan 23 05:20:27 2018

DevTools: speculative fix for crash in NetworkHandler::Disable

This keeps BrowserContext* and StoragePartition* instead of
RenderProcessHost* in an attempt to resolve UAF of RenderProcessHost
upon closure of DevTools front-end.

Bug: 801117, 783067, 780694
Change-Id: I6c2cca60cc0c29f0949d189cf918769059f80c1b
Reviewed-on: https://chromium-review.googlesource.com/876657
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531157}
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/devtools_session.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/devtools_session.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/devtools_domain_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/devtools_domain_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/dom_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/dom_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/emulation_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/emulation_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/input_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/input_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/inspector_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/inspector_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/io_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/io_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/network_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/network_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/page_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/page_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/security_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/security_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/service_worker_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/service_worker_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/storage_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/storage_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/target_handler.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/protocol/target_handler.h
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/service_worker_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/shared_worker_devtools_agent_host.cc
[modify] https://crrev.com/3c8e4852477d5b1e2da877808c998dc57db9460f/content/browser/devtools/shared_worker_devtools_agent_host.h

Comment 23 by sheriffbot@chromium.org, Jan 23 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Verified in 66.0.3330.0. 
caseq: Thanks for the fix. If there is no further action needed, can this bug be closed now?
Comment 26 by sheriffbot@chromium.org, Jan 25 2018

Labels: -Security_Impact-Beta Security_Impact-Stable
I don't feel comfortable taking #22 for M64. This is RB-Stable for M64; however, I'd like to push this to M65 instead. Awhalley@ any issues?
Labels: -M-64 M-65 Merge-Request-65
Comment 29 by sheriffbot@chromium.org, Feb 1 2018

Labels: -Merge-Request-65 Hotlist-Merge-Approved Merge-Approved-65
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Shouldn't this be marked as fixed?

Comment 31 Deleted

Cc: awhalley@chromium.org
I also don't feel comfortable taking this merge to M65. 
+awhalley@, is this really needed for M65? 
I'd like to take this if the fix isn't too risky. It seems big in terms of number of lines changed rather than being a major change. caseq@ - does it seem reasonable to take it in 65?
Labels: -Merge-Approved-65 Merge-Request-65
Changing back to "Merge-Request-65" per comments #32 and #33.
I think this _may_ possibly be merged; we've had the change live for quite some time without any issues. Yet on the other hand, we don't know the exact reproduction scenario and the original number of crashes was quite small, so I'm not sure if the severity is really high enough to justify the merge. So I would defer this to the TPMs, but given #32, perhaps we shouldn't?
Labels: -Merge-Request-65 Merge-Rejected-65
Rejecting merge to M65 branch based on comments #33 and #35. 
awhalley@, pls let me know if there is any concern here. Thank you.
Status: Fixed (was: Assigned)
This is fixed, merge needs to be tracked by merge flags.
Comment 38 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -ReleaseBlock-Stable
Labels: -reward-topanel -Security_Severity-High Security_Severity-Low reward-0
I'm afraid the Chrome VRP panel decided not to award this report :-(
Labels: -M-65 -Target-64 M-66 Target-66
Labels: Release-0-M66
Labels: CVE-2018-6111
Labels: CVE_description-missing
Comment 46 by sheriffbot@chromium.org, May 17

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 47 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-1 Pri-2