
Issue 853536

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




HitmanPro Alert : Chrome Mitigation. Browser close.

Reported by levi...@gmail.com, Jun 17 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.25 Safari/537.36

Steps to reproduce the problem:
1. I don't know if it can be reproduced.
I had this security alert 3 times already.
URL : https://www.calcalist.co.il/home/0,7340,L-8,00.html (Israeli site, Hebrew)
2. 
3. 

What is the expected behavior?
Normal browsing

What went wrong?
HitmanPro Alert app alerted about a security problem in Chrome browser and closed Chrome (event ID 911).

General:
Mitigation   ROP

Platform     6.1.7601/x64 v739 06_2a
PID          8792
Application  C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe
Description  Google Chrome 68

Callee Type  AllocateVirtualMemory
             0x000002D884404000 (503808 bytes)

Branch Trace                              Opcode  To                                      
---------------------------------------- -------- ----------------------------------------
0x000007FED155D990 chrome_child.dll          RET  0x000007FED156E189 chrome_child.dll     

0x000007FED4EC6EC6 chrome_child.dll          RET  0x000007FED155D988 chrome_child.dll     

0x000007FED158F715 chrome_child.dll          RET  0x000007FED155D978 chrome_child.dll     

0x000007FED155D990 chrome_child.dll          RET  0x000007FED156E174 chrome_child.dll     

+0xc20f0                                     RET  +0x4cd11                                
0x000007FEFD0120F0 hmpalert.dll                   0x000007FEFCF9CD11 hmpalert.dll         

MsgWaitForMultipleObjects +0x24            ~ RET* 0x0000000140002F8F chrome.exe           
0x00000000771062E4 user32.dll                                                             
                    00ba651b0000             ADD          [RDX+0x1b65], BH
                    4889c1                   MOV          RCX, RAX
                    ff155a760e00             CALL         QWORD [RIP+0xe765a]
                    c644242f01               MOV          BYTE [RSP+0x2f], 0x1
                    e814f00200               CALL         0x140031fbc
                    84c0                     TEST         AL, AL
                    0f848c000000             JZ           0x14000303c
                    488d7c2430               LEA          RDI, [RSP+0x30]
                    4889f9                   MOV          RCX, RDI
                    e80bf00200               CALL         0x140031fc8
                    488d5c242f               LEA          RBX, [RSP+0x2f]
                    4889f9                   MOV          RCX, RDI
                    4889da                   MOV          RDX, RBX
                    e83ff20200               CALL         0x14003220c
                                         (FBC5282D0412E8B5)

MsgWaitForMultipleObjectsEx +0x32          ~ RET  MsgWaitForMultipleObjects +0x20         
0x00000000771062B6 user32.dll                     0x00000000771062E0 user32.dll           

GetScrollBarInfo +0x21a                    ~ RET  MsgWaitForMultipleObjectsEx +0x2e       
0x0000000077108FBA user32.dll                     0x00000000771062B2 user32.dll           

ClientThreadSetup +0x146                     RET  GetScrollBarInfo +0x1e9                 
0x000000007710A72A user32.dll                     0x0000000077108F89 user32.dll           

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  000007FEFD1A1945 KernelBase.dll           VirtualAlloc +0x45

2  000007FED2AF026D chrome_child.dll        
                    4885c0                   TEST         RAX, RAX
                    0f95c0                   SETNZ        AL
                    4883c428                 ADD          RSP, 0x28
                    c3                       RET         

3  000007FED156E22C chrome_child.dll        
4  000007FED156E14E chrome_child.dll        
5  000007FED1B6724F chrome_child.dll        
6  000007FED1B66DD0 chrome_child.dll        
7  000007FED1B65C26 chrome_child.dll        
8  000007FED1B5B7F4 chrome_child.dll        
9  000007FED1B587E1 chrome_child.dll        
10 000007FED1B57B5D chrome_child.dll        

Code Injection
0000000000060000-0000000000061000    4KB C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe [8384]
000000000007A000-000000000007B000    4KB
0000000077361000-0000000077362000    4KB
0000000077362000-0000000077363000    4KB
00000001400F8000-00000001400F9000    4KB
00000001400F5000-00000001400F6000    4KB
0000000000080000-0000000000081000    4KB
00000001400F1000-00000001400F2000    4KB
1  C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe [8384]
"C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe" --disable-accelerated-video-decode
2  C:\Windows\explorer.exe [2152]
3  C:\Windows\System32\userinit.exe [2076]
4  C:\Windows\System32\winlogon.exe [600]
winlogon.exe

Process Trace
1  C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe [8792]
"C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe" --type=renderer --disable-accelerated-video-decode --field-trial-handle=1200,17715590274891262602,10691171079327471071,131072 --service-pipe-token=D6326CF49818764F778143D67F3B7D7B --lang=en
2  C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe [8384]
"C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe" --disable-accelerated-video-decode
3  C:\Windows\explorer.exe [2152]
4  C:\Windows\System32\userinit.exe [2076]
5  C:\Windows\System32\winlogon.exe [600]
winlogon.exe

Thumbprint
0b0d4d7a4ad57b1f505ec4f86c8570dfbfb184adc6275cca7e601e30a4c07f46


Did this work before? N/A 

Chrome version: 68.0.3440.25  Channel: beta
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 30.0 r0
 

Comment 1 by wfh@chromium.org, Jun 18 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Stability-ThirdParty Type-Bug
Status: Untriaged (was: Unconfirmed)
Sounds like an incompatibility with HitmanPro and Chrome. Have you tried contacting HitmanPro?

Injection implies something else is injecting. Can you go to chrome://conflicts and paste the entire page here?

Windows sheriff will deal with this.

Comment 2 by levi...@gmail.com, Jun 18 2018


This page lists all modules loaded into the main process and modules registered to load at a later point.

Modules (122) - No conflicts detected

Software	Signed by	Version	Location
Bonjour Namespace Provider	Apple Inc.	3,1,0,1	%programfiles%\bonjour\mdnsnsp.dll
cplredirector	Microsoft Corporation	2.0.162.0	%programfiles%\microsoft mouse and keyboard center\cplredirector.dll (Shell Extension -- Not loaded yet)
ipcplact.dll	Microsoft Corporation	2.0.162.0	%programfiles%\microsoft mouse and keyboard center\ipcplact.dll (Shell Extension -- Not loaded yet)
TouchPad Control Panel Extensions	Microsoft Windows Hardware Compatibility Publisher	16.2.19.14	%programfiles%\synaptics\syntp\syntpcpl.dll (Shell Extension -- Not loaded yet)
%programfiles%\teracopy\teracopy.dll (Shell Extension -- Not loaded yet)
%programfiles%\teracopy\teracopy64.dll (Shell Extension -- Not loaded yet)
Code Sector		%programfiles%\teracopy\teracopyext.dll (Shell Extension -- Not loaded yet)
BTNCopy Module	Broadcom Corporation	6.5.1.4500	%programfiles%\thinkpad\bluetooth software\btncopy.dll (Shell Extension -- Not loaded yet)
Advanced Windows 32 Base API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\advapi32.dll
ApiSet Stub DLL	Microsoft Windows	10.0.10240.16390	%systemroot%\system32\api-ms-win-core-synch-l1-2-0.dll
Application Compatibility Client Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\apphelp.dll
Audio Session	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\audioses.dll
Windows Cryptographic Primitives Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\bcrypt.dll
Windows Cryptographic Primitives Library	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\bcryptprimitives.dll
Configuration Manager DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\cfgmgr32.dll
COM+ Configuration Catalog	Microsoft Windows	2001.12.8530.16385	%systemroot%\system32\clbcatq.dll
Credential Delegation Security Package	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\credssp.dll
Credential Manager User Interface	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\credui.dll
Crypto API32	Microsoft Windows	6.1.7601.18205	%systemroot%\system32\crypt32.dll
Base cryptographic API DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\cryptbase.dll
Crypto Network Related API	Microsoft Windows	6.1.7601.18205	%systemroot%\system32\cryptnet.dll
Cryptographic Service Provider API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\cryptsp.dll
Direct3D 11 Runtime	Microsoft Windows	6.2.9200.16570	%systemroot%\system32\d3d11.dll
Windows Image Helper	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\dbghelp.dll
Device Information Set DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\devobj.dll
DHCP Client Service	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\dhcpcsvc.dll
DHCPv6 Client	Microsoft Windows	6.1.7601.17970	%systemroot%\system32\dhcpcsvc6.dll
DNS Client API DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\dnsapi.dll
Windows DirectUI Engine	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\dui70.dll
Windows DirectUser Engine	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\duser.dll
Microsoft Desktop Window Manager API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\dwmapi.dll
Microsoft DirectX Typography Services	Microsoft Windows	6.2.9200.16492	%systemroot%\system32\dwrite.dll
DirectX Graphics Infrastructure	Microsoft Windows	6.2.9200.16492	%systemroot%\system32\dxgi.dll
ExplorerFrame	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\explorerframe.dll
Windows Firewall API	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\firewallapi.dll
FWP/IPsec User-Mode API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\fwpuclnt.dll
GDI Client DLL	Microsoft Windows	6.1.7601.18577	%systemroot%\system32\gdi32.dll
Group Policy Client API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\gpapi.dll
Hid User Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\hid.dll
HitmanPro.Alert 64-bit Support Library	SurfRight B.V.	3.7.6.739	%systemroot%\system32\hmpalert.dll
Microsoft Color Management Module (CMM)	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\icm32.dll
Multi-User Windows IMM32 API Client DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\imm32.dll
IP Helper API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\iphlpapi.dll
Windows NT BASE API Client DLL	Microsoft Windows	6.1.7601.18015	%systemroot%\system32\kernel32.dll
Windows NT BASE API Client DLL	Microsoft Windows	6.1.7601.18015	%systemroot%\system32\kernelbase.dll
Windows Volume Tracking	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\linkinfo.dll
Language Pack	Microsoft Windows	6.1.7601.18923	%systemroot%\system32\lpk.dll
Media Foundation DLL	Microsoft Windows	12.0.7600.16385	%systemroot%\system32\mf.dll (Shell Extension -- Not loaded yet)
MMDevice API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\mmdevapi.dll
ASN.1 Runtime APIs	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\msasn1.dll
Microsoft Color Matching System DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\mscms.dll
MSCTF Server DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\msctf.dll
DMO Runtime	Microsoft Windows	6.6.7601.17514	%systemroot%\system32\msdmo.dll
Windows Installer	Microsoft Windows	5.0.7601.18637	%systemroot%\system32\msi.dll
GDIEXT Client DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\msimg32.dll
Windows NT CRT DLL	Microsoft Windows	7.0.7601.17744	%systemroot%\system32\msvcrt.dll
Microsoft Windows Sockets 2.0 Service Provider	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\mswsock.dll
Windows cryptographic library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ncrypt.dll
Net Win32 API DLL	Microsoft Windows	6.1.7601.17887	%systemroot%\system32\netapi32.dll
Net Win32 API Helpers DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\netutils.dll
Network Location Awareness 2	Microsoft Windows	6.1.7601.17964	%systemroot%\system32\nlaapi.dll
NSI User-mode interface DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\nsi.dll
NT Layer DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ntdll.dll
Active Directory Domain Services API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ntdsapi.dll
Windows NT MARTA provider	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ntmarta.dll
Microsoft OLE for Windows	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ole32.dll
Active Accessibility Core Component	Microsoft Windows	7.0.0.0	%systemroot%\system32\oleacc.dll
Microsoft Windows	6.1.7601.18679	%systemroot%\system32\oleaut32.dll
User Profile Basic API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\profapi.dll
Microsoft Property System	Microsoft Windows	7.00.7600.16385	%systemroot%\system32\propsys.dll
Process Status Helper	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\psapi.dll
Remote Access AutoDial Helper	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\rasadhlp.dll
Remote Procedure Call Runtime	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\rpcrt4.dll
Remote RPC Extension	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\rpcrtremote.dll
Microsoft Enhanced Cryptographic Provider	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\rsaenh.dll
Security Accounts Manager Client DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\samcli.dll
SAM Library DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\samlib.dll
Host for SCM/SDDL/LSA Lookup APIs	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\sechost.dll
Security Support Provider Interface	Microsoft Windows	6.1.7601.18270	%systemroot%\system32\secur32.dll
Windows Setup API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\setupapi.dll
Shell Doc Object and Control Library	Microsoft Windows	6.1.7601.18222	%systemroot%\system32\shdocvw.dll (Shell Extension -- Not loaded yet)
Shell Doc Object and Control Library	Microsoft Windows	6.1.7601.18222	%systemroot%\system32\shdocvw.dll (Shell Extension -- Not loaded yet)
Windows Shell Common Dll	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\shell32.dll
Shell Light-weight Utility Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\shlwapi.dll
Server Service Client DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\srvcli.dll
Security Support Provider Interface	Microsoft Windows	6.1.7601.18270	%systemroot%\system32\sspicli.dll
Multi-User Windows USER API Client DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\user32.dll
Userenv	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\userenv.dll
Uniscribe Unicode script processor	Microsoft Windows	1.0626.7601.18454	%systemroot%\system32\usp10.dll
Microsoft UxTheme Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\uxtheme.dll
Version Checking and File Installation Libraries	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\version.dll
WMI	Microsoft Windows	6.2.9200.16398	%systemroot%\system32\wbemcomn2.dll
Web Site Monitor	Microsoft Windows	10.00.9200.16521	%systemroot%\system32\webcheck.dll (Shell Extension -- Not loaded yet)
Web Transfer Protocols API	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\webio.dll
Eventing Consumption and Configuration API	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wevtapi.dll
Windows HTTP Services	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\winhttp.dll
MCI API DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\winmm.dll
Network Store Information RPC interface	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\winnsi.dll
Winstation Library	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\winsta.dll
Microsoft Trust Verification APIs	Microsoft Windows	6.1.7601.18205	%systemroot%\system32\wintrust.dll
Windows USB Driver User Library	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\winusb.dll
Workstation Service Client DLL	Microsoft Windows	6.1.7601.17514	%systemroot%\system32\wkscli.dll
Windows WLAN AutoConfig Client Side API DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wlanapi.dll
Windows Wireless LAN 802.11 Utility DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wlanutil.dll
Win32 LDAP API DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wldap32.dll
WPC Settings Library	Microsoft Windows	1.0.0.1	%systemroot%\system32\wpc.dll
Windows Socket 2.0 32-Bit DLL	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\ws2_32.dll
Winsock2 Helper DLL (TL/IPv6)	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wship6.dll
Winsock2 Helper DLL (TL/IPv4)	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wshtcpip.dll
Windows Remote Desktop Session Host Server SDK APIs	Microsoft Windows	6.1.7600.16385	%systemroot%\system32\wtsapi32.dll
%systemroot%\system32\wuaucpl.cpl (Shell Extension -- Not loaded yet)
WMI Custom Marshaller	Microsoft Windows	6.2.9200.16398	%systemroot%\system32\wbem\fastprox.dll
WMI	Microsoft Windows	6.2.9200.16398	%systemroot%\system32\wbem\wbemprox.dll
WMI	Microsoft Windows	6.2.9200.16398	%systemroot%\system32\wbem\wbemsvc.dll
User Experience Controls Library	Microsoft Windows	6.10	%systemroot%\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
Acronis True Image Shell Extensions	Acronis International GmbH	17,0,0,3063	c:\program files (x86)\acronis\trueimagehome\tishell64.dll (Shell Extension -- Not loaded yet)
AMD Desktop Control Panel		6.14.10.2001	c:\program files (x86)\ati technologies\ati.ace\core-static\atiacm64.dll (Shell Extension -- Not loaded yet)
AMD Desktop Control Panel		6.14.10.2001	c:\program files (x86)\ati technologies\ati.ace\core-static\atiama64.dll (Shell Extension -- Not loaded yet)
Google Chrome	Google Inc	68.0.3440.25	c:\program files (x86)\google\chrome beta\application\68.0.3440.25\chrome.dll
Google Chrome	Google Inc	68.0.3440.25	c:\program files (x86)\google\chrome beta\application\68.0.3440.25\chrome_elf.dll
Shell Extension	Kaspersky Lab	18.0.0.704	c:\program files (x86)\kaspersky lab\kaspersky anti-virus 18.0.0\x64\shellex.dll (Shell Extension -- Not loaded yet)
d:\portable winrar x64 (64 bit) v5.10 final\rarext.dll (Shell Extension -- Not loaded yet)

Comment 3 by e.lo...@gmail.com, Jun 21 2018

I'm one of the developers of HitmanPro/Sophos Intercept X.

This issue is occurring since Chrome 67. Chrome 66 doesn't exhibit the problem.

The above report lists LBR Stack records from the Intel CPU.

What has specifically changed between Chrome 66 and 67?
Did Chrome change compiler? Or are there specific Spectre mitigations resulting in the above anomaly?

Can any of the Chrome developers chime in on this issue?

I can be contacted via erik(at)surfright.com.

Comment 4 by wfh@chromium.org, Jun 21 2018

Cc: thakis@chromium.org e...@surfright.com brucedaw...@chromium.org
I don't think there were any major toolchain changes in 67. We moved from VC to clang in 64. Maybe +thakis or +brucedawson can comment.

In general, you should not be relying on any internal structures, binary layout, or behavior of Chrome, as these can change between releases.

In addition, DLLs loaded into Chrome's memory space will soon be blocked as part of an initiative announced here:

https://blog.chromium.org/2017/11/reducing-chrome-crashes-caused-by-third.html

It looks like there is a module loaded "%systemroot%\system32\hmpalert.dll" that may not reliably load in future versions of Chrome.
According to "git log tools\clang\scripts\update.py" we update the version of the clang compiler that we build with a few times per month and it seems quite possible that some Spectre mitigations are now being used. +thakis might know more.

V8 may also be generating different code in order to mitigate against Spectre.

You can read more about our Spectre mitigations and thoughts here:
https://cs.chromium.org/chromium/src/docs/security/side-channel-threat-model.md

Comment 6 by thakis@chromium.org, Jun 21 2018

No, no major toolchain changes in 67. We switched from cl.exe to clang in 64, and will switch from link.exe to lld in 68. Neither should change in-memory struct layout in theory though, since we try to be abi compatible.

We don't have compiler level spectre mitigations. We do OOPIF (also launched to most people in 64 I think? Maybe that ramped up in 67 though), but that's just a different process model, and had changes in v8 and webkit for spectre, but nothing toolchainy.

Comment 7 by wfh@chromium.org, Jun 21 2018

Re: #3 if you wanted to diagnose what was wrong without having to grok all the revision logs, you could try a bisect while running your product. You can do that using the tools available here:

https://www.chromium.org/developers/bisect-builds-py

You would want to look at releases on omahaproxy [1] and then bisect between the base revision for the "good" vs "bad" release, looking up the releases on the "Version Information" on the same page.

e.g. 66.0.3359.181 -> 540276
67.0.3396.62 -> 550428

python bisect-builds.py -a win64 -g 540276 -b 550428

[1] https://omahaproxy.appspot.com/history?os=win&channel=stable
Does your tool tell you where the flagged behavior is occurring? You should be able to attach a debugger and disassemble the code at the flagged location and see what is going on. Chrome's symbol server together with source indexing then makes it easy to see what function, source file, etc. is the source of the machine code.

https://www.chromium.org/developers/how-tos/debugging-on-windows

Comment 9 by wfh@chromium.org, Jun 22 2018

Components: Blink>JavaScript
Searching for the assembly in #0 in chrome_child.dll from 68.0.3440.2 gives 52 hits of which only one is aligned at page + 26d

0:024> lmvm chrome_child
Browse full module list
start             end                 module name
00007ff9`01c70000 00007ff9`066ff000

0:024> s 00007ff9`01c70000 00007ff9`066ff000 48 85 c0 0f 95 c0 48 83 c4 28 c3

...
00007ff9`0327026d  48 85 c0 0f 95 c0 48 83-c4 28 c3 bb ff ff ff e9  H.....H..(......
...

so base address of chrome_child.dll in the report can thus be calculated as offsets:

0:024> .formats 000007FED2AF026D - (00007ff9`0327026d - 00007ff9`01c70000)
Evaluate expression:
  Hex:     000007fe`d14f0000

this means the stack in #0 can be symbolized by just manually loading chrome_child.dll symbols into the debugger at that address:

0:024> .reload chrome_child.dll=000007fe`d14f0000,04A8F000,5B209207

0:024> ln 000007FED2AF026D
C:\b\c\b\win64_clang\src\base\allocator\partition_allocator\page_allocator.cc(205)+0x59
SrcSrv Command: base64.b64decode(u.read()))"
(000007fe`d2af0210)   chrome_child!base::SetSystemPagesAccess+0x5d   |  (000007fe`d2af0290)   chrome_child!base::ReleaseReservation

https://chromium.googlesource.com/chromium/src/+/68.0.3440.25/base/allocator/partition_allocator/page_allocator.cc#205

this gives full stack as:

(000007fe`d2af0210)   chrome_child!base::SetSystemPagesAccess+0x5d (C:\b\c\b\win64_clang\src\base\allocator\partition_allocator\page_allocator.cc(205))
(000007fe`d156e1b0)   chrome_child!v8::internal::SetPermissions+0x7c (C:\b\c\b\win64_clang\src\v8\src\allocation.cc(189))
 ( https://chromium.googlesource.com/v8/v8.git/+/6.8.275.13/src/allocation.cc#189 )
(000007fe`d156e0a0)   chrome_child!v8::internal::MemoryChunk::SetReadAndExecutable+0xae (C:\b\c\b\win64_clang\src\v8\src\heap\spaces.cc(579))
(000007fe`d1b67120)   chrome_child!v8::internal::Heap::ProtectUnprotectedMemoryChunks+0x12f (C:\b\c\b\win64_clang\src\v8\src\heap\heap.cc(0))
(000007fe`d1b66b70)   chrome_child!v8::internal::Factory::NewCode+0x260 (C:\b\c\b\win64_clang\src\v8\src\heap\factory.cc(2546)+0x20)
(000007fe`d1b644c0)   chrome_child!v8::internal::RegExpMacroAssemblerX64::GetCode+0x1766 (C:\b\c\b\win64_clang\src\v8\src\regexp\x64\regexp-macro-assembler-x64.cc(1012))
(000007fe`d1b5b630)   chrome_child!v8::internal::RegExpCompiler::Assemble+0x1c4 (C:\b\c\b\win64_clang\src\v8\src\regexp\jsregexp.cc(1107))
(000007fe`d1b57ef0)   chrome_child!v8::internal::RegExpEngine::Compile+0x8f1 (C:\b\c\b\win64_clang\src\v8\src\regexp\jsregexp.cc(6798))
(000007fe`d1b57990)   chrome_child!v8::internal::RegExpImpl::CompileIrregexp+0x1cd (C:\b\c\b\win64_clang\src\v8\src\regexp\jsregexp.cc(354))

This code does call into VirtualAlloc via SetSystemPagesAccessInternal, but perhaps something changed in the v8 allocator in 67?

Either way, this code looks correct and it seems like this is WAI. I'll let the v8 folks comment if they want, but I'll be closing this as WontFix shortly.
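The rebasing step in the comment above (find the same code bytes in a reference build, subtract that RVA from the reported address to recover the module base, then symbolize the remaining frames) is mechanical enough to script. The following is an added example, not code from Chromium, V8 or HitmanPro. It takes the three addresses quoted in the comment, the "Stack Trace" block from the report, and a symbol table built only from the function start addresses the `ln` output above lists for chrome_child.dll 68.0.3440.25 (a real symbol file would supply these); the nearest-preceding-start lookup mimics what WinDbg's `ln` does.

```python
import re

# Numbers quoted on this page (constructed inputs for the example):
# frame #2 from the HitmanPro report, and the address where the same byte
# pattern was found in a reference WinDbg session plus that session's module base.
REPORT_FRAME_ADDR = 0x000007FED2AF026D
REF_PATTERN_ADDR = 0x00007FF90327026D
REF_MODULE_BASE = 0x00007FF901C70000

# The report's "Stack Trace" block, copied as constructed sample input.
REPORT_STACK = """\
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  000007FEFD1A1945 KernelBase.dll           VirtualAlloc +0x45
2  000007FED2AF026D chrome_child.dll
                    4885c0                   TEST         RAX, RAX
                    0f95c0                   SETNZ        AL
                    4883c428                 ADD          RSP, 0x28
                    c3                       RET
3  000007FED156E22C chrome_child.dll
4  000007FED156E14E chrome_child.dll
5  000007FED1B6724F chrome_child.dll
6  000007FED1B66DD0 chrome_child.dll
7  000007FED1B65C26 chrome_child.dll
8  000007FED1B5B7F4 chrome_child.dll
9  000007FED1B587E1 chrome_child.dll
10 000007FED1B57B5D chrome_child.dll
"""

# Function starts taken from the `ln` output in comment 9 (absolute addresses in the
# report's address space). A real run would read these from the PDB instead.
SYMBOLS = {
    0x000007FED2AF0210: "base::SetSystemPagesAccess",
    0x000007FED156E1B0: "v8::internal::SetPermissions",
    0x000007FED156E0A0: "v8::internal::MemoryChunk::SetReadAndExecutable",
    0x000007FED1B67120: "v8::internal::Heap::ProtectUnprotectedMemoryChunks",
    0x000007FED1B66B70: "v8::internal::Factory::NewCode",
    0x000007FED1B644C0: "v8::internal::RegExpMacroAssemblerX64::GetCode",
    0x000007FED1B5B630: "v8::internal::RegExpCompiler::Assemble",
    0x000007FED1B57EF0: "v8::internal::RegExpEngine::Compile",
    0x000007FED1B57990: "v8::internal::RegExpImpl::CompileIrregexp",
}

FRAME_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{16})\s+(\S+)(?:\s+(.*))?$")


def compute_module_base(report_addr, ref_addr, ref_base):
    """The same instruction sits at the same RVA in both sessions, so
    base_in_report = report_addr - (ref_addr - ref_base)."""
    rva = ref_addr - ref_base
    return report_addr - rva


def parse_stack(text):
    """Return (frame_no, address, module, location) tuples; the inline
    disassembly lines under frame 2 do not match the frame pattern and are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16),
                           m.group(3), (m.group(4) or "").strip()))
    return frames


def symbolize(addr, symbols):
    """Nearest preceding function start plus offset, as WinDbg's `ln` reports it."""
    starts = [s for s in symbols if s <= addr]
    if not starts:
        return None
    start = max(starts)
    return f"{symbols[start]}+0x{addr - start:x}"


def rebase_frames(frames, module, base, symbols):
    """Fill in the Location column for frames inside `module`; other frames keep
    whatever the report already resolved."""
    out = []
    for n, addr, mod, loc in frames:
        if mod.lower() == module.lower():
            loc = symbolize(addr, symbols) or f"{module}+0x{addr - base:x}"
        out.append((n, addr, mod, loc))
    return out


def symbolized_report():
    base = compute_module_base(REPORT_FRAME_ADDR, REF_PATTERN_ADDR, REF_MODULE_BASE)
    frames = rebase_frames(parse_stack(REPORT_STACK), "chrome_child.dll", base, SYMBOLS)
    return base, frames


if __name__ == "__main__":
    base, frames = symbolized_report()
    print(f"chrome_child.dll base in report: {base:#018x}")
    for n, addr, mod, loc in frames:
        print(f"{n:<2} {addr:016X} {mod:<24} {loc}")
```

Run stand-alone it prints the recovered base (000007fe`d14f0000, as in the comment) and the ten frames with the V8 regexp-compilation call chain filled in; the frames' offsets (+0x5d, +0x7c, ..., +0x1cd) match the `ln` output above, which is the sanity check that the base was computed correctly.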

Comment 10 by wfh@chromium.org, Jun 25 2018

Status: WontFix (was: Untriaged)
