None
A denial of service vulnerability exists in the Video Encoder Metrics functionality of Google Chrome Chrome Stable 119.0.6045.160 (64-bit) and Chromium 121.0.6152.0 (Build) (64-bit). A specially crafted website can lead to denial of service. This vulnerability can be triggered by an attacker persuading a user to visit a specific webpage.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Google Chrome Chrome Stable 119.0.6045.160 (64-bit)
Google Chrome Chromium 121.0.6152.0 (Build) (64-bit)
Chrome - https://www.google.com/chrome/
4.6 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CWE-617 - Reachable Assertion
Google Chrome is a cross-platform web browser, developed by Google.
Problem happens in the VideoEncoderMetricsProvider. VideoEncoderMetricsProvider records the UKM ( URL-Keyed Metrics ) about the video encoder metrics, e.g. codec and resolution.
The ReportUMA function from the mojo_video_encoder_metrics_provider_service.cc, will eventually execute encode_size_.GetArea():
// lkgr/ui/gfx/geometry/size.cc
int Size::GetArea() const {
return GetCheckedArea().ValueOrDie();
}
base::CheckedNumeric<int> Size::GetCheckedArea() const {
base::CheckedNumeric<int> checked_area = width();
checked_area *= height();
return checked_area;
}
Where ValueOrDie is defined as follows:
// ValueOrDie() - The primary accessor for the underlying value. If the
// current state is not valid it will CHECK and crash.
// A range checked destination type can be supplied using the Dst template
// parameter, which will trigger a CHECK if the value is not in bounds for
// the destination.
// The CHECK behavior can be overridden by supplying a handler as a
// template parameter, for test code, etc. However, the handler cannot access
// the underlying value, and it is not available through other means.
template <typename Dst = T, class CheckHandler = CheckOnFailure>
constexpr StrictNumeric<Dst> ValueOrDie() const {
return BASE_NUMERICS_LIKELY(IsValid<Dst>())
? static_cast<Dst>(state_.value())
: CheckHandler::template HandleFailure<Dst>();
}
By executing videoEncoder.configure function multiple times (with specified params) and setting the height ie. to 0x7fffff00 it is possible to execute HandleFailure function, which will crash the entire chrome browser (all processes).
POC command line: chrome.exe --autoplay-policy=no-user-gesture-required http://127.0.0.1:4444 (WEB SERVER NEEDS TO BE SPAWNED FIRST)
=================================================================
==5628==ERROR: AddressSanitizer: breakpoint on unknown address 0x7ffafa10cc5a (pc 0x7ffafa10cc5a bp 0x00edf91fd9d0 sp 0x00edf91fd930 T0)
==5628==WARNING: Failed to use and restart external symbolizer!
#0 0x7ffafa10cc59 in gfx::Size::GetArea C:\b\s\w\ir\cache\builder\src\ui\gfx\geometry\size.cc:49
#1 0x7ffafb20d1b3 in media::MojoVideoEncoderMetricsProviderService::EncoderMetricsHandler::ReportUMA C:\b\s\w\ir\cache\builder\src\media\mojo\services\mojo_video_encoder_metrics_provider_service.cc:132
#2 0x7ffafb20f865 in std::__Cr::__destroy_at<std::__Cr::pair<const unsigned long long,media::MojoVideoEncoderMetricsProviderService::EncoderMetricsHandler>,0> C:\b\s\w\ir\cache\builder\src\third_party\libc++\src\include\__memory\construct_at.h:69
#3 0x7ffafb20fa6b in std::__Cr::__tree<std::__Cr::__value_type<unsigned long long,media::MojoVideoEncoderMetricsProviderService::EncoderMetricsHandler>,std::__Cr::__map_value_compare<unsigned long long,std::__Cr::__value_type<unsigned long long,media::MojoVideoEncoderMetricsProviderService::EncoderMetricsHandler>,std::__Cr::less<unsigned long long>,1>,std::__Cr::allocator<std::__Cr::__value_type<unsigned long long,media::MojoVideoEncoderMetricsProviderService::EncoderMetricsHandler> > >::__erase_unique<unsigned long long> C:\b\s\w\ir\cache\builder\src\third_party\libc++\src\include\__tree:2458
#4 0x7ffafb20bece in media::MojoVideoEncoderMetricsProviderService::Complete C:\b\s\w\ir\cache\builder\src\media\mojo\services\mojo_video_encoder_metrics_provider_service.cc:209
#5 0x7ffaec24e97a in media::mojom::VideoEncoderMetricsProviderStubDispatch::Accept C:\b\s\w\ir\cache\builder\src\out\Release_x64\gen\media\mojo\mojom\video_encoder_metrics_provider.mojom.cc:514
#6 0x7ffaf97f3cc3 in mojo::InterfaceEndpointClient::HandleValidatedMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:1016
#7 0x7ffafce7d296 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
#8 0x7ffaf97f95c3 in mojo::InterfaceEndpointClient::HandleIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:701
#9 0x7ffaf97e6202 in mojo::internal::MultiplexRouter::ProcessIncomingMessage C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:1096
#10 0x7ffaf97e4f60 in mojo::internal::MultiplexRouter::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:710
#11 0x7ffafce7d296 in mojo::MessageDispatcher::Accept C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43
#12 0x7ffaf9809f63 in mojo::Connector::DispatchMessageW C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:561
#13 0x7ffaf980b839 in mojo::Connector::ReadAllAvailableMessages C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:618
#14 0x7ffaf980b2e9 in mojo::Connector::OnWatcherHandleReady C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\bindings\lib\connector.cc:417
#15 0x7ffaf980dcd1 in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(const char *, unsigned int),base::internal::UnretainedWrapper<mojo::Connector,base::unretained_traits::MayNotDangle,0>,base::internal::UnretainedWrapper<const char,base::unretained_traits::MayNotDangle,0> >,void (unsigned int)>::Run C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h:931
#16 0x7ffaee14c195 in base::RepeatingCallback<void (unsigned int)>::Run C:\b\s\w\ir\cache\builder\src\base\functional\callback.h:345
#17 0x7ffaee14bf8d in base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h:931
#18 0x7ffaf983a158 in base::RepeatingCallback<void (unsigned int, const mojo::HandleSignalsState &)>::Run C:\b\s\w\ir\cache\builder\src\base\functional\callback.h:345
#19 0x7ffaf9839bb5 in mojo::SimpleWatcher::OnHandleReady C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\system\simple_watcher.cc:278
#20 0x7ffaf983aba3 in base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &),base::WeakPtr<mojo::SimpleWatcher>,int,unsigned int,mojo::HandleSignalsState>,void ()>::RunOnce C:\b\s\w\ir\cache\builder\src\base\functional\bind_internal.h:918
#21 0x7ffaf904d6fd in base::TaskAnnotator::RunTaskImpl C:\b\s\w\ir\cache\builder\src\base\task\common\task_annotator.cc:201
#22 0x7ffafc9c27b0 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:461
#23 0x7ffafc9c1572 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:326
#24 0x7ffaf8f868de in base::MessagePumpForUI::DoRunLoop C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_win.cc:212
#25 0x7ffaf8f844f6 in base::MessagePumpWin::Run C:\b\s\w\ir\cache\builder\src\base\message_loop\message_pump_win.cc:78
#26 0x7ffafc9c453d in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run C:\b\s\w\ir\cache\builder\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:626
#27 0x7ffaf90b05dc in base::RunLoop::Run C:\b\s\w\ir\cache\builder\src\base\run_loop.cc:134
#28 0x7ffaf2a53f33 in content::BrowserMainLoop::RunMainMessageLoop C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:1086
#29 0x7ffaf2a5b54b in content::BrowserMainRunnerImpl::Run C:\b\s\w\ir\cache\builder\src\content\browser\browser_main_runner_impl.cc:158
#30 0x7ffaf2a4b446 in content::BrowserMain C:\b\s\w\ir\cache\builder\src\content\browser\browser_main.cc:34
#31 0x7ffaf75fb917 in content::RunBrowserProcessMain C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:706
#32 0x7ffaf75ff790 in content::ContentMainRunnerImpl::RunBrowser C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:1292
#33 0x7ffaf75fee59 in content::ContentMainRunnerImpl::Run C:\b\s\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:1136
#34 0x7ffaf75f9a53 in content::RunContentProcess C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc:334
#35 0x7ffaf75fa706 in content::ContentMain C:\b\s\w\ir\cache\builder\src\content\app\content_main.cc:347
#36 0x7ffaea101746 in ChromeMain C:\b\s\w\ir\cache\builder\src\chrome\app\chrome_main.cc:190
#37 0x7ff614415f72 in MainDllLoader::Launch C:\b\s\w\ir\cache\builder\src\chrome\app\main_dll_loader_win.cc:169
#38 0x7ff614412a5c in main C:\b\s\w\ir\cache\builder\src\chrome\app\chrome_exe_main_win.cc:392
#39 0x7ff61483f60b in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#40 0x7ffba0fb7343 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017343)
#41 0x7ffba19a26b0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x1800526b0)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: breakpoint C:\b\s\w\ir\cache\builder\src\ui\gfx\geometry\size.cc:49 in gfx::Size::GetArea
==5628==ADDITIONAL INFO
==5628==Note: Please include this section with the ASan report.
Task trace:
#0 0x7ffaf983a677 in mojo::SimpleWatcher::Context::Notify C:\b\s\w\ir\cache\builder\src\mojo\public\cpp\system\simple_watcher.cc:102
==5628==END OF ADDITIONAL INFO
==5628==ABORTING
2023-11-28 - Vendor Disclosure
2023-11-29 - Vendor does not consider Denial Of Service to be security vulnerabilities
2024-02-28 - Public Release
Discovered by Piotr Bania of Cisco Talos.