Chromium

Security shepherd: sending to the same assignee as issue 338248595 with similar pri/sev :)

caseq@: As the author of this do you have thoughts on the proposed fix? Should Page.reload be exempt from being discarded? It's specifically the falling through that's causing the issue here.

My recollection is that these lines were there because something was breaking if we just discarded Page.reload in this case -- I would assume it would have to do with reloading a page with a ctrl+r pressed in the front-end after a page crash. But I tried the proposed fix, and (1) I don't see any tests failing now and (2) the underlying functionality appears to be broken even without the proposed change (I assume this could have been the result of migration to the tab target, as we're apparently disconnecting the crashed session now).

So.. I guess you could try that fix and see if anything breaks. Or you could limit that to the case of when the page has navigated to a DOM UI origin. Also, I just noticed you landed this, I assume this should help?

You are right, cannot reproduce the bug with the loaderId restriction anymore! ading2019@ can you confirm?

I'm still able to reproduce this bug with the loaderId changes. I tested on position 1305741, which does have the loaderId fix in it. I checked this by looking at the JS in the devtools frontend, and sure enough it is passing the loaderId properly. See my attached video and screenshot for a demonstration of this. I'm still using the exact same POC that was uploaded to this issue before, except that I increased the duration of the last sleep to 1000ms.

I'm able to reproduce this as well. Pinning the reload to a loaderId isn't sufficient. So far I've not been able to repoduce it in a custom build in order to track down the casue. It's extremely timing sensitive. I'm inclined to go with un-specialcasing Page.reload. My best hypothesis currently is that the Page.reload arrives on the "old" document, schedules the injection, and then gets interrupted by the crash.

Assigning to caseq@ to make a call on the tentative fix CL.

As I stated above, I don't object against the suggested fix as long as it doesn't cause any regressions. While I've ran a CQ against it on a WIP CL, I hope you could follow through by accompanying the change with some test coverage.

As for the loaderId check -- Philip, I had another look at your CL and realized you only verify the loaderId on the browser side. Would it help against this attack vector if we were also to verify the loaderId on the renderer side?

Requesting merge to stable (M126) because latest trunk commit (1316330) appears to be after stable branch point (1300313). Requesting merge to beta (M127) because latest trunk commit (1316330) appears to be after beta branch point (1313161). Thank you for fixing this security bug! We aim to ship security fixes as quickly as possible, to limit their opportunity for exploitation as an "n-day" (that is, a bug where git fixes are developed into attacks before those fixes reach users).

We have determined this fix is necessary on milestone(s): [].

Please answer the following questions so that we can safely process this merge request:

1. Which CLs should be backmerged? (Please include Gerrit links.)
2. Has this fix been verified on Canary to not pose any stability regressions?
3. Does this fix pose any potential non-verifiable stability risks?
4. Does this fix pose any known compatibility risks?
5. Does it require manual verification by the test team? If so, please describe required testing.

Merge review required: M127 is already shipping to beta.

Please answer the following questions so that we can safely process your merge request:

1. Why does your merge fit within the merge criteria for these milestones?

• Chrome Browser: https://chromiumdash.appspot.com/branches
• Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines

2. What changes specifically would you like to merge? Please link to Gerrit.
3. Have the changes been released and tested on canary?
4. Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
5. [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative? https://goto.google.com/cros-engprodcomponents
6. If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.

Please contact the milestone owner if you have questions. Owners: eakpobaro (Android), eakpobaro (iOS), alonbajayo (ChromeOS), danielyip (Desktop)

Merge review required: M126 is already shipping to stable.

Please answer the following questions so that we can safely process your merge request:

1. Why does your merge fit within the merge criteria for these milestones?

• Chrome Browser: https://chromiumdash.appspot.com/branches
• Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines

2. What changes specifically would you like to merge? Please link to Gerrit.
3. Have the changes been released and tested on canary?
4. Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
5. [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative? https://goto.google.com/cros-engprodcomponents
6. If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.

Please contact the milestone owner if you have questions. Owners: eakpobaro (Android), eakpobaro (iOS), ceb (ChromeOS), srinivassista (Desktop)

Given the regression concerns noted in #11 and upon reviewing the change, I would like this fix to get a bit more bake time on Canary before a potential backmerge. I'll revisit and re-review early next week.

LTS Milestone M126

This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:

1. Was this issue a regression for the milestone it was found in?
2. Is this issue related to a change or feature merged after the latest LTS Milestone?

This issue requires additional review before it can be merged to the LTS channel. Please answer the following questions to help us evaluate this merge:

1. Number of CLs needed for this fix and links to them.
2. Level of complexity (High, Medium, Low - Explain)
3. Has this been merged to a stable release? beta release?
4. Overall Recommendation (Yes, No)

1. https://crrev.com/c/5672472
2. Low, there were a few simple merge conflicts
3. 127
4. Yes

M126 merge approved for https://crrev.com/c/5625857 -- please merge this fix to branch 6478 at your earliest convenience so this fix can be included in the M126 Extended Stable release next week

The Chrome VRP panel has decided to award crbug.com/338248595, the parent bug for this issue, a VRP reward of $20,000, because the reward has already been communicated and updated on issue 338248595, updating the reward tag on this issue as 0.
Congratulations Allen and nice work!

This bug has been closed for more than 14 weeks. Removing issue access restrictions.