Patch: https://chromium-review.googlesource.com/c/chromium/src/+/844076

Verified with test:
1. Compile Chromium with the patch.
2. Follow the STR from the report and confirm that the renderer does not cause a crash by invalid memory access (the test will will still cause a renderer crash on debug builds, because NOTREACHED on debug build induces a crash).
3. (Test that chrome.send still functions as expected) Call chrome.send('whatever', []);
   This line triggers the code path (because of the array argument) and will be sent to the browser process, where it should trigger a NOTREACHED:
Check failed: false. Unhandled chrome.send("whatever")

This last line signals that the renderer did not crash and managed to pass the message to the browser, so the bug has been fixed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90585e657db48f93bd73bc45d4caa975323da41b

commit 90585e657db48f93bd73bc45d4caa975323da41b
Author: Rob Wu <rob@robwu.nl>
Date: Tue Dec 26 18:28:23 2017

Validate frame after conversion in chrome.send

BUG= 797511 
TEST=Manually, see  https://crbug.com/797511#c1 

Change-Id: Ib1a99db4d7648fb1325eb6d7af4ef111d6dda4cb
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526197}
[modify] https://crrev.com/90585e657db48f93bd73bc45d4caa975323da41b/content/renderer/web_ui_extension.cc

Verified fixed in Chromium 65.0.3322.0. To rule out other patches that might have patched part of the exploit chain, I am testing the specific vulnerability with the following steps:

1. Visit chrome://print
2. Run the following from the DevTools console, and confirm that the renderer does not crash (UAF).
        var f = document.createElement('iframe');
        f.src = location.href; // Some chrome:-URL with webui bindings.
        f.onload = function() {
            var arr = ['about:blank', '', 0, true, false, false, false];
            arr.__defineGetter__('1', function() {
                f.remove();
                return '';
            });
            f.contentWindow.chrome.send('navigateToUrl', arr);
        };
        document.documentElement.appendChild(f);

Requesting to merge of 90585e657db48f93bd73bc45d4caa975323da41b to M-64 to fix the UAF.

This bug requires manual review: We are only 8 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

abdulsyed@ - good for 64

Approving merge for M64. Branch:3282

given the user interaction I think this should have been triaged as Low.

#12 The user interaction is just for manual verification.
With just the ability to execute code in a web UI page, this vulnerability can be exploited automatically.

I have reported multiple vulnerabilities last month to satisfy this precondition. Do you want to see a proof of concept to raise the rating again?
E.g. bug 798184

@#12 User interaction is not a requirement. Here is a PoC that shows how one can automatically exploit this vulnerability (using gadgets from  bug 797497  and  bug797500 ).

To reproduce (e.g. in Chrome 63.0.3239.108):
1. Load the attached extension (e.g. via chrome://extensions, enable Developer Mode, "Load unpacked extension").

Result: UAF.

Deleted: webui-send-uaf-v2.zip 3.2 KB

webui-send-uaf-v2.zip 3.2 KB Download

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b51e548897bc30cd97d15048d4e32058a73323d2

commit b51e548897bc30cd97d15048d4e32058a73323d2
Author: Rob Wu <rob@robwu.nl>
Date: Thu Jan 18 21:37:27 2018

Validate frame after conversion in chrome.send

BUG= 797511 
TEST=Manually, see  https://crbug.com/797511#c1 
TBR=rob@robwu.nl

(cherry picked from commit 90585e657db48f93bd73bc45d4caa975323da41b)

Change-Id: Ib1a99db4d7648fb1325eb6d7af4ef111d6dda4cb
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#526197}
Reviewed-on: https://chromium-review.googlesource.com/874471
Reviewed-by: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/branch-heads/3282@{#541}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/b51e548897bc30cd97d15048d4e32058a73323d2/content/renderer/web_ui_extension.cc

I'm afraid the VRP panel declined to reward for this bug, but will be considering it along with  issue 797497 .

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot