Security: Infinite console.log loop crashes or hangs
Reported by davidedlc97@gmail.com, May 11 2018
Issue description

VULNERABILITY DETAILS
Greetings Google Security Team,
While I was writing some JavaScript code in the console, I decided to test the efficiency of Chrome. The code that I used is in the "FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION" section below. There are two main cases:
1) The first one comes up when the console is docked to the left, bottom or right; you can't stop the execution of the script. I tested it on other browsers like Firefox or Microsoft Edge; they show the user a message that says "Continue script execution" or "Stop script execution". Chrome does not display a message to stop it; the script will continue its execution until the tab crashes. If the current tab does not respond, a message will be displayed, but it only allows you to wait until the script finishes its execution (if you click on wait the tab will crash in any case) or close the current tab. Also the temperature goes really high and there is high usage of memory and CPU. With a PC that is not quite powerful it can cause serious damage to the components, since the temperature should be really low, for example it should be under 50% if you are just using Chrome.
2) The second one comes up when the console is undocked into a separate window. Unlike the first one, it will not crash a single tab, but Chrome itself. For example if you launch the script with 8 tabs open, they will all be closed. This issue also brings the PC temperature far higher, and in some cases you can't even close Chrome or use other tabs.
These are the two main issues that I found. Thanks for your attention and I hope that you will consider my report. Best regards.

VERSION
Chrome Version: [66.0.3359.170] + [stable]
Operating System: [OS Windows 7 Home Premium, version 6.1, Service Pack Level 1]

REPRODUCTION CASE
You can check my Google Drive link where I put some screenshots showing the different issues and bugs that Chrome has shown to me.
https://docs.google.com/document/d/1KD8u-xH8bWholYrjCXTFah0lfLiCjqlqRcY6gLHYyIw/edit?usp=sharing

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser]
Crash ID First Case: 33e32a9b-26d5-47a3-a80e-047f62934176
Crash ID Second Case: 3a7f7577-8483-41ab-b8cb-842b9889cdbe
Crash State: stack trace

    var i;
    var j;
    for (i = 0; i < 1000000000000000000; i++) {
      console.log('this is a test'); // it will display hundreds of messages that make the tab or Chrome crash
    }
    if (i == 1000000000000000000) {
      // the script never reaches the "if" because the browser or the tab crashes, so the console terminates as well
      for (j = i; j > 0; j--) {
        console.log('test number 2');
      }
    }
May 11 2018
I understand what you mean, but even if it is a DoS the issue still remains. A person with evil intentions can create an HTML file, send the file to the victim and wait until the person opens it. With a very simple piece of code you can make the PC really slow; also, as I said in my primary comment, other web browsers like Firefox or Microsoft Edge do not have this issue. Also the memory does not go to a high level. I tried this test on two different computers: the first one was not powerful, in fact it lacked performance, while with the second one, unless you create a very simple HTML file, with the script that I used above you can slow down even a powerful PC. I already provided the Crash IDs of the first and second case from the Chrome page (chrome://crashes, as you said) that I found in the official documentation. But I can provide them again:
Crash ID First Case: 33e32a9b-26d5-47a3-a80e-047f62934176
Crash ID Second Case: 3a7f7577-8483-41ab-b8cb-842b9889cdbe
When you say "Any computer that is damaged under load has a design defect" it is half true. I continue to use Firefox and Microsoft Edge because even if you execute the script they do not slow down the PC too much, but the most important thing is that they show you a message where you can stop the script. Chrome does not do this, and this is a big issue because if there is a script executing and taking a great amount of the PC's memory, it could damage the computer in the worst way, with no way to stop it. Thank you for your comment; I appreciated it because it helps me to improve and get better. I hope I answered your question about the Crash ID. Best regards.
May 11 2018
Unfortunately, we need the "Uploaded Report ID" which should be a little bit earlier than the numbers you sent. In general, the mitigation against the scenario you've described (JavaScript runs forever) is that the user simply closes the tab. In some cases, it may take a few seconds for the close button to respond, but it should always work. The Chrome browser itself should not generally crash, although the *tab* may stop responding or crash (due to running out of memory).
May 11 2018
Since the documentation was not very clear, I did not understand very well which ID I had to send, so now I will provide the correct IDs that you reported to me.
Crash ID First Case: aec288b2a4368d21
Crash ID Second Case: 455433e9acf8ab23
I hope they are correct; the Italian version of Chrome is a little bit different. Let me know if they are correct now. Thanks again for the answer; if I find another DoS issue or a new bug I will be happy to share my discovery with you.
May 11 2018
The aec288 report is a hang in the expected place:
(chrome_child.dll -ipc_mojo_bootstrap.cc:605 ) IPC::`anonymous namespace'::ChannelAssociatedGroupController::SendMessageW
(chrome_child.dll -devtools_agent.mojom-blink.cc:547 ) blink::mojom::blink::DevToolsSessionHostProxy::DispatchProtocolNotification(WTF::String const &)
(chrome_child.dll -InspectorSession.cpp:196 ) blink::InspectorSession::flushProtocolNotifications()
(chrome_child.dll -v8-runtime-agent-impl.cc:691 ) v8_inspector::V8RuntimeAgentImpl::messageAdded(v8_inspector::V8ConsoleMessage *)
The 4554 report looks like pretty much the same thing, and the classifier points at Issue 826432. Both of these look like Denial-of-Service only.
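The frames above show the renderer hanging while it forwards each console message to the DevTools front end over the Mojo channel (messageAdded, then flushProtocolNotifications, then DispatchProtocolNotification, then SendMessage), so a loop pays that cost once per message. As an added example, which is my code and not Chromium's or the reporter's script, the wrapper below caps how many messages a page forwards to console.log and gives a loop an explicit iteration budget, so a runaway loop in the page's own code cannot flood that channel. The names makeBoundedLogger, runBoundedLoop and demo are illustrative assumptions; it assumes only a global console as in Node or a browser.

```javascript
// Added example (not Chromium code, not the reporter's script).
// Assumes a plain global `console` as in Node or a browser.

// A console.log wrapper that forwards at most `limit` messages and then
// silently counts what it drops. The `sink` parameter is only so the
// behaviour can be tested without writing to the real console.
function makeBoundedLogger(limit, sink = console.log) {
  const state = { forwarded: 0, dropped: 0, limit };
  function log(...args) {
    if (state.forwarded < state.limit) {
      state.forwarded += 1;
      sink(...args);
      if (state.forwarded === state.limit) {
        // One final notice so the reader knows output was cut, not finished.
        sink(`[bounded logger] limit of ${state.limit} messages reached; further output suppressed`);
      }
      return true; // message was forwarded
    }
    state.dropped += 1;
    return false; // message was suppressed
  }
  log.stats = () => ({ ...state });
  return log;
}

// Runs `body(i)` for i in [0, iterations) but never more than
// `maxIterations` times. Returns how many iterations actually ran, so a
// wrong loop bound (or a bound the counter can never reach) cannot spin
// unbounded.
function runBoundedLoop(iterations, body, maxIterations) {
  let i = 0;
  for (; i < iterations; i++) {
    if (i >= maxIterations) break;
    body(i);
  }
  return i;
}

// Same shape as the reported script (a huge upper bound and one
// console.log per iteration), but every message goes through the bounded
// logger and the loop has a hard budget. Returns counters for inspection.
function demo() {
  const sink = []; // constructed stand-in for the console
  const log = makeBoundedLogger(5, (m) => sink.push(m));
  const ran = runBoundedLoop(1e18, () => log('this is a test'), 1000);
  return { ran, ...log.stats(), sinkLength: sink.length };
}

// demo() returns { ran: 1000, forwarded: 5, dropped: 995, limit: 5, sinkLength: 6 }
```

One caveat worth knowing when reading the reported script: 1000000000000000000 (1e18) is far above Number.MAX_SAFE_INTEGER (2^53 - 1), and once i reaches 2^53 the expression i++ rounds back to 2^53, so the loop condition can never become false even on a machine with unlimited patience. A budget like runBoundedLoop's is independent of the counter, which is why it still terminates.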
May 14 2018
As noted in #1, we do not consider denial of service to be a security vulnerability. Chrome does not implement a "stop script" feature, but closing the tab will kill the process.
Aug 21
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 11 2018