Issue metadata
Sign in to add a comment
|
TargetAutoAttacher::AutoAttachToFrame UaF (Sandbox Escape)
Reported by
wadih.ma...@gmail.com,
May 4 2018
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Steps to reproduce the problem: 1-open http://localhost/run.html in the poc 2-follow the instruction on the page What is the expected behavior? No crash What went wrong? DevToolsAgentHost* TargetAutoAttacher::AutoAttachToFrame( NavigationHandleImpl* navigation_handle) { ... auto it = auto_attached_hosts_.find(agent_host); ... auto_attached_hosts_.erase(it); ... } It seems that the objects agent_host is pointing to (like the object pointed by _First) can be already freed by the time erase() uses them. This this a crash stack: Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. chrome_7fed8fb0000!std::vector<scoped_refptr<content::DevToolsAgentHost>,std::allocator<scoped_refptr<content::DevToolsAgentHost> > >::erase+0x4e: 000007fe`d9aa5b84 ff90b8000000 call qword ptr [rax+0B8h] ds:00000000`220700b7=000086000000fe00 0:000> kp Child-SP RetAddr Call Site 00000000`0028de50 000007fe`d9aa3f77 chrome_7fed8fb0000!std::vector<scoped_refptr<content::DevToolsAgentHost>,std::allocator<scoped_refptr<content::DevToolsAgentHost> > >::erase(class std::_Vector_const_iterator<std::_Vector_val<std::_Simple_types<scoped_refptr<content::DevToolsAgentHost> > > > _Where = class std::_Vector_const_iterator<std::_Vector_val<std::_Simple_types<scoped_refptr<content::DevToolsAgentHost> > > >, class scoped_refptr<content::DevToolsAgentHost> * _First = 0x00000000`1ccb99f8, class scoped_refptr<content::DevToolsAgentHost> * _Last = 0x00000000`1ccb99f0, class scoped_refptr<content::DevToolsAgentHost> * _Dest = 0x00000000`1ccb99f0, class scoped_refptr<content::DevToolsAgentHost> r = <Value unavailable error>, class content::DevToolsAgentHost * ptr = <Value unavailable error>, class content::DevToolsAgentHost * x = <Value unavailable error>, class scoped_refptr<content::DevToolsAgentHost> * _Parg = <Value unavailable error>)+0x4e [c:\b\c\win_toolchain\vs_files\1180cb75833ea365097e279efb2d5d7a42dee4b0\vc\tools\msvc\14.11.25503\include\vector @ 1619] 00000000`0028dea0 000007fe`d9aa63de chrome_7fed8fb0000!content::protocol::TargetAutoAttacher::AutoAttachToFrame(class content::NavigationHandleImpl * navigation_handle = <Value unavailable error>, class scoped_refptr<content::DevToolsAgentHost> r = <Value unavailable error>, class content::DevToolsAgentHost ** _Right = <Value unavailable error>, class content::DevToolsAgentHost * ptr = <Value unavailable error>, class content::DevToolsAgentHost * x = <Value unavailable error>, class content::DevToolsAgentHost * args = <Value unavailable error>, class scoped_refptr<content::DevToolsAgentHost> * val = <Value unavailable error>, class scoped_refptr<content::DevToolsAgentHost> * key = <Value unavailable error>, class std::_Vector_iterator<std::_Vector_val<std::_Simple_types<scoped_refptr<content::DevToolsAgentHost> > > > position = class std::_Vector_iterator<std::_Vector_val<std::_Simple_types<scoped_refptr<content::DevToolsAgentHost> > > >)+0x12d [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\target_auto_attacher.cc @ 175] 00000000`0028df10 000007fe`d94185cd chrome_7fed8fb0000!content::protocol::TargetHandler::Throttle::WillProcessResponse(class content::DevToolsAgentHost ** _Keyval = <Value unavailable error>, class content::protocol::TargetHandler::Throttle * throttle = <Value unavailable error>)+0x54 [C:\b\c\b\win64_clang\src\content\browser\devtools\protocol\target_handler.cc @ 168] 00000000`0028df70 000007fe`d94180c6 chrome_7fed8fb0000!content::NavigationHandleImpl::CheckWillProcessResponse(int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * arg1_val = <Value unavailable error>, char * name = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, char * arg1_name = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * arg = <Value unavailable error>, unsigned char * type = <Value unavailable error>)+0x1d3 [C:\b\c\b\win64_clang\src\content\browser\frame_host\navigation_handle_impl.cc @ 1077] 00000000`0028e0e0 000007fe`d9417108 chrome_7fed8fb0000!content::NavigationHandleImpl::WillProcessResponse(class content::RenderFrameHostImpl * render_frame_host = <Value unavailable error>, class scoped_refptr<net::HttpResponseHeaders> * response_headers = 0x00000000`0028e330, net::HttpResponseInfo::ConnectionInfo connection_info = CONNECTION_INFO_HTTP1_1 (0n1), class net::HostPortPair * socket_address = 0x00000000`1d0cd328, class net::SSLInfo * ssl_info = 0x00000000`174f9390, struct content::GlobalRequestID * request_id = 0x00000000`21c0bc08, class base::RepeatingCallback<void (content::NavigationThrottle::ThrottleCheckResult)> * callback = 0x00000000`0028e3a8, class scoped_refptr<net::HttpResponseHeaders> * r = <Value unavailable error>, class net::HttpResponseHeaders * p = <Value unavailable error>, class net::HttpResponseHeaders * ptr = <Value unavailable error>, int increment = <Value unavailable error>, int _Value = <Value unavailable error>, std::memory_order _Order = <Value unavailable error>, struct std::_Atomic_int * _Atom = <Value unavailable error>, unsigned long * _Tgt = <Value unavailable error>, class net::HttpResponseHeaders ** _Left = <Value unavailable error>, class net::HttpResponseHeaders ** _Right = <Value unavailable error>, char * str = <Value unavailable error>, char * _First = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, char * arg1_name = <Value unavailable error>, char * arg = <Value unavailable error>, unsigned char * type = <Value unavailable error>)+0x154 [C:\b\c\b\win64_clang\src\content\browser\frame_host\navigation_handle_impl.cc @ 771] 00000000`0028e2a0 000007fe`d9b99bb9 chrome_7fed8fb0000!content::NavigationRequest::OnResponseStarted(class scoped_refptr<network::ResourceResponse> * response = <Value unavailable error>, class mojo::StructPtr<network::mojom::URLLoaderClientEndpoints> * url_loader_client_endpoints = 0x00000000`0028e4e0, class std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> > body = class std::unique_ptr<content::StreamHandle,std::default_delete<content::StreamHandle> >, class net::SSLInfo * ssl_info = 0x00000000`0028e530, class std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> > navigation_data = class std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >, struct content::GlobalRequestID * request_id = 0x00000000`21c0bc08, bool is_download = <Value unavailable error>, bool is_stream = <Value unavailable error>, class base::Optional<content::SubresourceLoaderParams> * subresource_loader_params = 0x00000000`0028e510, net::Error net_error_code = <Value unavailable error>, class content::NavigationData * _Ptr = <Value unavailable error>, class scoped_refptr<network::ResourceResponse> * r = <Value unavailable error>, struct network::ResourceResponse * p = <Value unavailable error>, struct network::ResourceResponse * ptr = <Value unavailable error>, int increment = <Value unavailable error>, int _Value = <Value unavailable error>, std::memory_order _Order = <Value unavailable error>, struct std::_Atomic_int * _Atom = <Value unavailable error>, unsigned long * _Tgt = <Value unavailable error>, struct network::ResourceResponse ** _Left = <Value unavailable error>, struct network::ResourceResponse ** _Right = <Value unavailable error>, class base::Optional<content::SubresourceLoaderParams> * other = <Value unavailable error>, <function> * invoke_func = <Value unavailable error>, class base::internal::BindStateBase * bind_state = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, char * arg1_name = <Value unavailable error>, char (*)[18] arg1_val = <Value unavailable error>, unsigned char * type = <Value unavailable error>)+0x576 [C:\b\c\b\win64_clang\src\content\browser\frame_host\navigation_request.cc @ 954] 00000000`0028e450 000007fe`d9b9c5e1 chrome_7fed8fb0000!content::NavigationURLLoaderNetworkService::OnReceiveResponse(class scoped_refptr<network::ResourceResponse> * response = 0x00000000`0028e688, class mojo::StructPtr<network::mojom::URLLoaderClientEndpoints> url_loader_client_endpoints = <Value unavailable error>, class base::Optional<net::SSLInfo> * maybe_ssl_info = <Value unavailable error>, class std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> > navigation_data = class std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >, struct content::GlobalRequestID * global_request_id = 0x00000000`21c0bc08, bool is_download = <Value unavailable error>, bool is_stream = false, class mojo::InterfacePtr<network::mojom::DownloadedTempFile> * downloaded_file = 0x00000000`0028e6a0, class base::Optional<content::SubresourceLoaderParams> * other = <Value unavailable error>, struct content::SubresourceLoaderParams * args = <Value unavailable error>, class content::NavigationData * _Ptr = <Value unavailable error>, class std::unique_ptr<network::mojom::URLLoaderClientEndpoints,std::default_delete<network::mojom::URLLoaderClientEndpoints> > * _Left = <Value unavailable error>, class network::mojom::URLLoaderClientEndpoints ** _Right = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, unsigned char * type = <Value unavailable error>)+0x163 [C:\b\c\b\win64_clang\src\content\browser\loader\navigation_url_loader_network_service.cc @ 1099] 00000000`0028e630 000007fe`d9b9c4e9 chrome_7fed8fb0000!base::internal::FunctorTraits<void (<function> * method = 0x000007fe`d9b99a56, class base::WeakPtr<content::NavigationURLLoaderNetworkService> * receiver_ptr = <Value unavailable error>, class scoped_refptr<network::ResourceResponse> * args = 0x00000000`21c0bcc8, class mojo::StructPtr<network::mojom::URLLoaderClientEndpoints> * other = 0x00000000`21c0bcc0, class std::unique_ptr<network::mojom::DownloadedTempFileProxy,std::default_delete<network::mojom::DownloadedTempFileProxy> > * _Left = <Value unavailable error>, class std::unique_ptr<network::mojom::DownloadedTempFileProxy,std::default_delete<network::mojom::DownloadedTempFileProxy> > * _Right = <Value unavailable error>, class content::NavigationData * _Ptr = <Value unavailable error>, class scoped_refptr<network::ResourceResponse> * r = 0x00000000`21c0bcc8)+0xed [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 447] 00000000`0028e720 000007fe`d8fd400f chrome_7fed8fb0000!base::internal::Invoker<base::internal::BindState<void (class base::internal::BindStateBase * base = 0x00000000`21c0bba0, class std::tuple<base::WeakPtr<content::NavigationURLLoaderNetworkService>,scoped_refptr<network::ResourceResponse>,mojo::StructPtr<network::mojom::URLLoaderClientEndpoints>,base::Optional<net::SSLInfo>,std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >,content::GlobalRequestID,bool,bool,mojo::InterfacePtr<network::mojom::DownloadedTempFile> > * bound = 0x00000000`2206ffff, class std::tuple<base::WeakPtr<content::NavigationURLLoaderNetworkService>,scoped_refptr<network::ResourceResponse>,mojo::StructPtr<network::mojom::URLLoaderClientEndpoints>,base::Optional<net::SSLInfo>,std::unique_ptr<content::NavigationData,std::default_delete<content::NavigationData> >,content::GlobalRequestID,bool,bool,mojo::InterfacePtr<network::mojom::DownloadedTempFile> > * _Tuple = <Value unavailable error>, class base::WeakPtr<content::NavigationURLLoaderNetworkService> * weak_ptr = 0x00000000`21c0bcd0, class scoped_refptr<network::ResourceResponse> * args = 0x00000000`1ccb99f0)+0x79 [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 576] 00000000`0028e7a0 000007fe`d8fd3afc chrome_7fed8fb0000!base::debug::TaskAnnotator::RunTask(char * queue_function = <Value unavailable error>, struct base::PendingTask * pending_task = 0x00000000`0028ea48, struct base::PendingTask * task = <Value unavailable error>, class std::_Array_iterator<const void *,4> _First = <Value unavailable error>, class std::_Array_iterator<const void *,7> _Dest = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * name = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, struct base::trace_event::TraceEventHandle event_handle = <Value unavailable error>)+0xdf [C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 61] 00000000`0028e8c0 000007fe`d8fd3558 chrome_7fed8fb0000!base::MessageLoop::RunTask(struct base::PendingTask * pending_task = 0x00000000`0028ea48, char * task_context = <Value unavailable error>, void * program_counter = <Value unavailable error>, class base::ObserverList<base::MessageLoop::TaskObserver,0,1>::Iter * other = <Value unavailable error>, unsigned int64 _Pos = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, unsigned char * type = <Value unavailable error>, char * name = <Value unavailable error>, struct base::trace_event::TraceEventHandle event_handle = <Value unavailable error>)+0x23c [C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 396] 00000000`0028ea20 000007fe`d90ddca9 chrome_7fed8fb0000!base::MessageLoop::DoWork(struct base::PendingTask * pending_task = 0x00000000`00000000)+0x198 [C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 451] 00000000`0028ec10 000007fe`d901f3b8 chrome_7fed8fb0000!base::MessagePumpForUI::DoRunLoop(void)+0xa9 [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 174] 00000000`0028ecc0 000007fe`d8fd2b25 chrome_7fed8fb0000!base::MessagePumpWin::Run(class base::MessagePump::Delegate * delegate = 0x00000000`00000001, int64 us = <Value unavailable error>)+0x68 [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 58] 00000000`0028ed20 000007fe`d93b0e93 chrome_7fed8fb0000!base::RunLoop::Run(void)+0x35 [C:\b\c\b\win64_clang\src\base\run_loop.cc @ 139] 00000000`0028ed50 000007fe`d93b0c84 chrome_7fed8fb0000!ChromeBrowserMainParts::MainMessageLoopRun(int * result_code = 0x00000000`024671c8, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * name = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>)+0x9f [C:\b\c\b\win64_clang\src\chrome\browser\chrome_browser_main.cc @ 2194] 00000000`0028ee40 000007fe`d93b0c2f chrome_7fed8fb0000!content::BrowserMainLoop::RunMainMessageLoopParts(int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, char * name = <Value unavailable error>, char * scope = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>)+0x48 [C:\b\c\b\win64_clang\src\content\browser\browser_main_loop.cc @ 1105] 00000000`0028ef00 000007fe`d8fcb06a chrome_7fed8fb0000!content::BrowserMainRunnerImpl::Run(void)+0x11 [C:\b\c\b\win64_clang\src\content\browser\browser_main_runner.cc @ 161] 00000000`0028ef30 000007fe`d8fcaf07 chrome_7fed8fb0000!content::BrowserMain(struct content::MainFunctionParams * parameters = <Value unavailable error>, int64 value = <Value unavailable error>, char phase = <Value unavailable error>, unsigned int64 id = <Value unavailable error>, unsigned int flags = <Value unavailable error>, unsigned int64 bind_id = <Value unavailable error>, int thread_id = <Value unavailable error>, class base::TimeTicks * timestamp = <Value unavailable error>, char * _Left = <Value unavailable error>, char * _Ptr = <Value unavailable error>)+0xc6 [C:\b\c\b\win64_clang\src\content\browser\browser_main.cc @ 46] 00000000`0028f010 000007fe`d8fcadb1 chrome_7fed8fb0000!content::RunNamedProcessTypeMain(class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * process_type = 0x00000000`0028f1b8, struct content::MainFunctionParams * main_function_params = 0x00000000`0028f190, class content::ContentMainDelegate * delegate = 0x00000000`0028f630, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Left = <Value unavailable error>, char * _Right = <Value unavailable error>)+0x11a [C:\b\c\b\win64_clang\src\content\app\content_main_runner.cc @ 423] 00000000`0028f170 000007fe`d8fb7955 chrome_7fed8fb0000!content::ContentMainRunnerImpl::Run(char * str = <Value unavailable error>, char * _First = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Left = <Value unavailable error>, char * _Right = <Value unavailable error>, class base::FieldTrialList * _Ptr = 0x00000000`00000000, class base::CommandLine * cl = <Value unavailable error>)+0x115 [C:\b\c\b\win64_clang\src\content\app\content_main_runner.cc @ 703] 00000000`0028f210 000007fe`d8fb7418 chrome_7fed8fb0000!service_manager::Main(struct service_manager::MainParams * params = <Value unavailable error>, char * str = <Value unavailable error>, char * _First = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Left = <Value unavailable error>, char * _Right = <Value unavailable error>, class base::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > * name = <Value unavailable error>, int64 value = <Value unavailable error>, class service_manager::MainDelegate * delegate = <Value unavailable error>, char * _Ptr = <Value unavailable error>, class scoped_refptr<base::SingleThreadTaskRunner> * r = <Value unavailable error>, class base::SingleThreadTaskRunner * p = <Value unavailable error>, class base::SingleThreadTaskRunner * ptr = <Value unavailable error>, int increment = <Value unavailable error>, int _Value = <Value unavailable error>, std::memory_order _Order = <Value unavailable error>, struct std::_Atomic_int * _Atom = <Value unavailable error>, unsigned long * _Tgt = <Value unavailable error>, class service_manager::MainDelegate * main_delegate = <Value unavailable error>, class std::basic_ostream<char,std::char_traits<char> > * _Ostr = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Str = <Value unavailable error>, <function> * invoke_func = <Value unavailable error>, class base::internal::BindStateBase * bind_state = <Value unavailable error>, base::debug::GlobalActivityTracker::ProcessPhase phase = <Value unavailable error>)+0x478 [C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 453] 00000000`0028f540 000007fe`d8fb38a5 chrome_7fed8fb0000!content::ContentMain(struct content::ContentMainParams * params = <Value unavailable error>)+0x41 [C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19] 00000000`0028f5d0 00000001`3ff7354c chrome_7fed8fb0000!ChromeMain(struct HINSTANCE__ * instance = 0x00000001`3ff70000, struct sandbox::SandboxInterfaceInfo * sandbox_info = 0x00000000`0028f700, int64 exe_entry_point_ticks = <Value unavailable error>, class content::ContentMainDelegate * delegate = <Value unavailable error>, <function> * invoke_func = <Value unavailable error>, class base::internal::BindStateBase * bind_state = <Value unavailable error>, class base::RepeatingCallback<void ()> other = <Value unavailable error>)+0x123 [C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 104] 00000000`0028f6a0 00000001`3ff7169c chrome!MainDllLoader::Launch(struct HINSTANCE__ * instance = 0x00000001`3ff70000, class base::TimeTicks exe_entry_point_ticks = class base::TimeTicks, char * str = <Value unavailable error>, char * _First = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Right = <Value unavailable error>, char * _Left = <Value unavailable error>)+0x26c [C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 199] 00000000`0028f790 00000001`4004c6a3 chrome!wWinMain(struct HINSTANCE__ * instance = 0x00000001`3ff70000, struct HINSTANCE__ * prev = <Value unavailable error>, char * str = <Value unavailable error>, char * _First = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * _Left = <Value unavailable error>, char * _Right = <Value unavailable error>, class base::CommandLine * cmd_line = <Value unavailable error>, wchar_t * _Ptr = <Value unavailable error>, class base::CommandLine * command_line = <Value unavailable error>, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * command_line_switch = <Value unavailable error>, class std::_Vector_iterator<std::_Vector_val<std::_Simple_types<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > > _Last = <Value unavailable error>, char (*)[40] file = <Value unavailable error>)+0x69c [C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 230] 00000000`0028fb70 00000000`775059cd chrome!__scrt_common_main_seh(void)+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283] 00000000`0028fbb0 00000000`7776383d kernel32!BaseThreadInitThunk+0xd 00000000`0028fbe0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d Did this work before? No Chrome version: 66.0.3359.139 Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version:
,
May 4 2018
Am I correct in understanding that this requires activating the devtools manually in order to work? Adjusting severity based on that limitation.
,
May 4 2018
,
May 7 2018
>>this requires activating the devtools manually in order to work? Yes this is correct. But sometimes, like on Windows, all it takes to open the DevTools is the victim to press f12. A bit of social engineering can do the trick, for example: "Press f12 to watch this video fullscreen".
,
May 7 2018
Thanks for filing! This seems to have the same cause as issue 836511.
,
May 7 2018
You are welcome. I don't have access to issue 836511, so i cannot say.
,
May 9 2018
From discussion on issue 836511, we're not sure that the root cause is the same, but the fix may apply to both issues. Tentatively un-duping.
,
May 10 2018
Re: #7, I'm guessing r555988 should be sufficient to fix this bug from a cursory glance, but I just wanted to make sure we confirm it apart from the simple repro steps on the other bug. dgozman@, let us know if you're confident the security aspects are resolved, and if so feel free to mark this fixed as well. Thanks! (Note that we're already moving toward M67 merge on issue 836511 for stability reasons.)
,
May 11 2018
Looking closer at the report here and the fix that landed in issue 836511, I think this one is resolved as well. Marking fixed.
,
May 12 2018
,
May 14 2018
,
May 21 2018
I'm afraid this was indeed a dupe of a previously reported bug, so the VRP panel decline to reward. Many thanks for the report, though!
,
May 21 2018
Hard luck! But from what i can see, the POC of the other bug report needed the flag --site-per-process to work. The POC of this report proved that the flag --site-per-process isn't needed, thus showing that this was a security bug (the other report was considered as a stability issue). This surely must count for something.
,
Aug 18
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by tsepez@chromium.org
, May 4 2018Components: Platform>DevTools
Labels: -Pri-2 Security_Severity-Critical M-66 Security_Impact-Stable Pri-1
Owner: caseq@chromium.org
Status: Assigned (was: Unconfirmed)