One Article Review

Home - The article:
Source RedTeam PL
Identifier 1798883
Publication date 2020-04-14 11:45:32 (viewed: 2020-07-09 15:05:42)
Title Google Chrome display locking fuzzing
Text Background: While searching for interesting new functionalities in Google Chrome that would potentially be good targets for hunting security bugs, I found display locking [https://www.chromestatus.com/feature/4613920211861504]. In general it is related to rendering optimization, so it caught my attention as something that affects how the web page layout is displayed. Functionalities like this should always attract attention as a potential source of vulnerabilities. Currently display locking is hidden behind a flag (#enable-display-locking). Setup: I used the same setup already described in my previous blog post about fuzzing the portal element [
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier source.