
Issue 865324


Issue metadata

Status: Untriaged
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Large history.pushState call kills the renderer due to IPC kMaxMessageSize

Reported by ma7h1a...@gmail.com, Jul 19

Issue description

VERSION
Chrome Version: chrome stable
Operating System: windows 7 / android

REPRODUCTION CASE
http://www.infelphira.cn/static/chrome_crash.html

a.length() == 67108864

Comment 1 by ClusterFuzz, Jul 19

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6191118463795200.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Linux Type-Bug
Status: Untriaged (was: Unconfirmed)
I was able to reproduce the crash locally on M69 Linux. Here's the stacktrace:

[1:1:0719/091534.647049:FATAL:ipc_mojo_bootstrap.cc(666)] Check failed: message->data_num_bytes() <= Channel::kMaximumMessageSize (134218336 vs. 134217728)
#0 0x7f59ac367a5c base::debug::StackTrace::StackTrace()
#1 0x7f59ac2cb020 logging::LogMessage::~LogMessage()
#2 0x7f59aacdc917 IPC::(anonymous namespace)::ChannelAssociatedGroupController::SendMessage()
#3 0x7f59a9b6ad1f content::mojom::FrameHostProxy::DidCommitSameDocumentNavigation()
#4 0x7f59aa4ecedf content::RenderFrameImpl::DidFinishSameDocumentNavigation()
#5 0x7f59a592287e blink::LocalFrameClientImpl::DidFinishSameDocumentNavigation()
#6 0x7f59a5da9b48 blink::DocumentLoader::UpdateForSameDocumentNavigation()
#7 0x7f59a5dbc25e blink::FrameLoader::UpdateForSameDocumentNavigation()
#8 0x7f59a59b756b blink::History::StateObjectAdded()
#9 0x7f59a60b4fe6 blink::V8History::replaceStateMethodCallback()
#10 0x7f59a680c1d1 v8::internal::FunctionCallbackArguments::Call()
#11 0x7f59a680b6c6 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#12 0x7f59a680add6 v8::internal::Builtin_Impl_HandleApiCall()
#13 0x7f59a6f90e8e <unknown>

The crash is from hitting a FATAL:ipc_channel_proxy.cc(540)] Check failed: message->size() <= Channel::kMaximumMessageSize (2000000188 vs. 134217728) which would be a functional issue. This is a maximum IPC size assert which crashes the renderer. A tab can DoS itself but this is not a security bug.

Similar bugs:
- Issue 69227 (which this may be a dupe of, since they both deal with very long URLs)
- Issue 740214 (crashes using very long color property, was marked WontFix)
- Issue 795372 (crashes using `console.log` with a very long message)
- Issue 810787 (crashes using very large string and the clipboard API)
Components: Internals>Core
Summary: Large history.pushState call kills the renderer due to IPC kMaxMessageSize (was: Security: unknown when call history.pushState)
Renaming issue and setting component.
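As an added example (not code from the Chromium issue or from the reporter's page), this is the kind of guard a web app can put in front of history.pushState so it never hands the renderer a state object anywhere near the 134217728-byte Channel::kMaximumMessageSize quoted in the CHECK above. The per-call budget, the framing headroom, the fake history object and the 2-bytes-per-character size estimate are assumptions; the estimate is derived from the crash numbers on this page (134218336 bytes reported for a 67108864-character string).

```javascript
// Added example, not code from the Chromium issue: bound the size of a
// history.pushState state object before the renderer serializes it into an
// IPC message. The limit is the Channel::kMaximumMessageSize value quoted in
// the CHECK above; the crash reported 134218336 bytes for a 67108864-character
// string, i.e. about 2 bytes per UTF-16 code unit plus a few hundred bytes of
// framing, which is the estimate used here.

const IPC_MAX_MESSAGE_BYTES = 134217728;   // Channel::kMaximumMessageSize from the CHECK
const IPC_HEADROOM_BYTES = 4096;           // assumed margin for message framing
const STATE_BUDGET_BYTES = 1024 * 1024;    // assumed per-call policy: 1 MiB of state

// Upper-bound estimate of the serialized size of a state value.
// Strings are measured without copying (2 bytes per code unit); anything
// else is sized via its JSON text, which is close enough for a guard.
function estimateStateBytes(state) {
  if (typeof state === 'string') return state.length * 2;
  const json = JSON.stringify(state);
  return json === undefined ? 0 : json.length * 2;
}

// True if a payload of `bytes` plus framing stays inside the IPC limit.
function fitsInIpcMessage(bytes) {
  return bytes + IPC_HEADROOM_BYTES <= IPC_MAX_MESSAGE_BYTES;
}

// Push `state` through `hist` (window.history in a browser; any object with
// pushState(state, title, url) here) only if it is within `budget` bytes and
// would fit in one IPC message. Oversized payloads are replaced by a small
// token so the navigation still happens; the caller keeps the real data in
// memory, IndexedDB, or similar instead of forwarding it to the browser process.
let nextTokenId = 0;
function guardedPushState(hist, state, title, url, budget = STATE_BUDGET_BYTES) {
  const bytes = estimateStateBytes(state);
  if (bytes <= budget && fitsInIpcMessage(bytes)) {
    hist.pushState(state, title, url);
    return { action: 'pushed', bytes };
  }
  const token = { oversized: true, bytes, ref: `state-${nextTokenId++}` };
  hist.pushState(token, title, url);
  return { action: 'token', bytes, token };
}
```

In a real page, call `guardedPushState(window.history, state, '', url)` wherever `history.pushState` or `history.replaceState` is used today; the same check applies to both since the stack above goes through the replaceState callback.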

Comment 4 by ClusterFuzz, Jul 30

Labels: Security_Impact-Head
Summary: <no crash state available> (was: Large history.pushState call kills the renderer due to IPC kMaxMessageSize)
Testcase 6191118463795200 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6191118463795200.
Summary: Large history.pushState call kills the renderer due to IPC kMaxMessageSize (was: <no crash state available>)
Labels: Pri-2
Issue has a component, but no priority. Updating to have default priority (Pri-2)