
Issue 813562


Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: DoS - Memory exhaustion in Chrome

Reported by anin...@gmail.com, Feb 19 2018

Issue description

VULNERABILITY DETAILS
DoS - Memory exhaustion in Chrome

VERSION
Chrome Version: 64.0.3282.167 (Official Build) (64-bit)
Operating System: [Windows 10 Home]

REPRODUCTION CASE
1. Open the PoC page in Chrome.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Chrome page crash

Crash State: 

00007ffc`44f73800 cc              int     3
0:021> g

<--- Last few GCs --->

[18628:000002883F583060]    50357 ms: Mark-sweep 1914.8 (1974.9) -> 1914.8 (1943.9) MB, 3775.1 / 1.1 ms  last resort GC in old space requested
[18628:000002883F583060]    57278 ms: Mark-sweep 1914.8 (1943.9) -> 1914.8 (1943.9) MB, 6920.9 / 0.2 ms  last resort GC in old space requested


<--- JS stacktrace --->

==== JS stack trace =========================================

Security context: 000003E7F15C7D91 <Window map = 000001D1D5B88DD1>
    1: /* anonymous */ [file:///C:/Users/test/Desktop/test2.html:~4] [pc=000000F25A563838](this=000002C4A0604149 <JSGlobal Object>)

==== Details ================================================

[1]: /* anonymous */ [file:///C:/Users/test/Desktop/test2.html:~4] [pc=000000F25A563838](this=000002C4A0604149 <JSGlobal Object>) {
// optimized frame
--------- s o u r c e   c o ...

(48c4.2e5c): Unknown exception - code e0000008 (first chance)
ntdll!NtWaitForAlertByThreadId+0x14:
00007ffc`44f73724 c3              ret
0:017> k
 # Child-SP          RetAddr           Call Site
00 000000f2`fddffac8 00007ffc`44ee732a ntdll!NtWaitForAlertByThreadId+0x14
01 000000f2`fddffad0 00007ffc`41312da2 ntdll!RtlSleepConditionVariableSRW+0xfa
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\64.0.3282.167\chrome_child.dll - 
02 000000f2`fddffb40 00007ffb`da61d840 KERNELBASE!SleepConditionVariableSRW+0x32
03 000000f2`fddffb80 00007ffb`da61d630 chrome_child!ovly_debug_event+0xc8470
04 000000f2`fddffbe0 00007ffb`da61d57f chrome_child!ovly_debug_event+0xc8260
05 000000f2`fddffc30 00007ffb`db905ab2 chrome_child!ovly_debug_event+0xc81af
06 000000f2`fddffcd0 00007ffc`430a1fe4 chrome_child!GetHandleVerifier+0x15682
07 000000f2`fddffd50 00007ffc`44f3efb1 KERNEL32!BaseThreadInitThunk+0x14
08 000000f2`fddffd80 00000000`00000000 ntdll!RtlUserThreadStart+0x21

 
Attachment: test2.html (1.4 KB)
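As an added illustration, not part of the report or of Chromium's own tooling: a small parser for the V8 `<--- Last few GCs --->` lines quoted in the crash state above, with a heuristic (an assumption of this example, not a V8 rule) that distinguishes a heap pinned at its limit from a crash somewhere else. The `parseGcLine` and `classifyGcTrace` names and the "healthy" sample line are constructed for the example.

```javascript
// Added example, not from the report: parse V8 "Last few GCs" trace lines of
// the kind shown in the crash state and classify the pattern they show.
const GC_LINE = /^\[(\d+):([0-9A-Fa-f]+)\]\s+(\d+) ms: (Mark-sweep|Scavenge)\s+([\d.]+) \(([\d.]+)\) -> ([\d.]+) \(([\d.]+)\) MB, ([\d.]+) \/ ([\d.]+) ms\s+(.*)$/;

function parseGcLine(line) {
  const m = GC_LINE.exec(line.trim());
  if (!m) return null;               // not a GC trace line (e.g. the stack dump)
  return {
    pid: Number(m[1]),
    isolate: m[2],
    uptimeMs: Number(m[3]),
    kind: m[4],
    usedBeforeMb: Number(m[5]),      // live heap before the GC
    committedBeforeMb: Number(m[6]), // committed heap before the GC
    usedAfterMb: Number(m[7]),
    committedAfterMb: Number(m[8]),
    gcMs: Number(m[9]),
    externalMs: Number(m[10]),       // second timing figure as V8 prints it
    reason: m[11].trim(),
  };
}

// Heuristic (assumption, not a V8 rule): full GCs that reclaim less than
// `minReclaimMb` while V8 reports a "last resort GC" mean the page kept live
// data at the heap ceiling, so the renderer aborts by design. That is the
// memory-exhaustion signature, as opposed to a crash at a corrupted object.
function classifyGcTrace(lines, minReclaimMb = 1.0) {
  const events = lines.map(parseGcLine).filter(Boolean);
  if (events.length === 0) return { verdict: 'unknown', events: [] };
  const lastResort = events.filter(e => /last resort/i.test(e.reason)).length;
  const stuckFullGcs = events.filter(
    e => e.kind === 'Mark-sweep' && e.usedBeforeMb - e.usedAfterMb < minReclaimMb).length;
  const verdict = lastResort > 0 && stuckFullGcs === events.length
    ? 'heap-exhaustion' : 'inconclusive';
  return { verdict, events, lastResort, stuckFullGcs };
}

// Constructed sample: the two trace lines quoted in the report above.
const REPORT_TRACE = [
  '[18628:000002883F583060]    50357 ms: Mark-sweep 1914.8 (1974.9) -> 1914.8 (1943.9) MB, 3775.1 / 1.1 ms  last resort GC in old space requested',
  '[18628:000002883F583060]    57278 ms: Mark-sweep 1914.8 (1943.9) -> 1914.8 (1943.9) MB, 6920.9 / 0.2 ms  last resort GC in old space requested',
];
// Constructed healthy trace for contrast: a young-generation scavenge that frees memory.
const HEALTHY_TRACE = [
  '[4242:0000000000000001]      120 ms: Scavenge 12.5 (24.0) -> 4.1 (24.0) MB, 0.8 / 0.0 ms  allocation failure',
];
console.log(classifyGcTrace(REPORT_TRACE).verdict);  // heap-exhaustion
console.log(classifyGcTrace(HEALTHY_TRACE).verdict); // inconclusive
```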

Comment 1 by anin...@gmail.com, Feb 19 2018

The original code is from natashenka (Google Project Zero) and it is a DoS on Edge. I have changed the code a little so that it works on Chrome.
Status: WontFix (was: Unconfirmed)
Exhausting memory in a tab does not represent a security vulnerability.

https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Are-denial-of-service-issues-considered-security-bugs

Comment 3 by sheriffbot@chromium.org, May 29 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
