Crash when using a proxy with extensions disabled

Issue #2830 resolved
Lead Assimilator created an issue

With CEF 78.3.9+gc7345f2, a null pointer dereference can occur when extensions are disabled and a proxy server and/or pac script is used. The crash will happen if an error occurs while proxying a request (proxy server fails or can’t be contacted) or using a pac script with a syntax error. Using the appropriate win32 Spotify build of cefclient, the following crash can be reproduced via:

cefclient.exe --disable-extensions --proxy-server=10.10.10.1:12345

The issue stems from CEF not registering an extensions browser client (g_extension_browser_client is null) when extensions are disabled, but ProxyConfigMonitor::OnRequestMaybeFailedDueToProxySettings and ProxyConfigMonitor::OnPACScriptError both assume that if ENABLE_EXTENSIONS is defined during compile that an extensions browser client will exist for forwarding an event to and unfortunately the subsequent event forwarding/dispatch code doesn’t do any sort of null checking.

Possible fixes include:

  • always registering an extensions browser client, but disabling its functionality when extensions are disabled
  • disabling event forwarding in ProxyConfigMonitor, ProxyEventRouter, or EventRouterForwarder when extensions are disabled (no other chromium code makes this poor assumption afaik)
  • adding the missing null checks (required in a lot of places unfortunately)

 # ChildEBP RetAddr  Args to Child              
00 04b8e84c 11423bb9 07be4720 00000000 0e216768 libcef!apps::AppLoadServiceFactory::GetBrowserContextToUse+0x8 [Y:\work\CEF3_git\chromium\src\chrome\browser\apps\platform_apps\app_load_service_factory.cc @ 58] 
01 04b8e8a8 1035253a 07be4720 00000001 04b8e8f8 libcef!KeyedServiceFactory::GetServiceForContext+0x3f [Y:\work\CEF3_git\chromium\src\components\keyed_service\core\keyed_service_factory.cc @ 54] 
02 04b8e8bc 127b072b 07be4720 0e24acd0 499d92d8 libcef!extensions::EventRouterFactory::GetForBrowserContext+0x16 [Y:\work\CEF3_git\chromium\src\extensions\browser\event_router_factory.cc @ 21] 
03 04b8e8dc 127b0575 07be4720 04b8e9a0 000000d9 libcef!extensions::EventRouterForwarder::CallEventRouter+0x55 [Y:\work\CEF3_git\chromium\src\chrome\browser\extensions\event_router_forwarder.cc @ 0] 
04 04b8e960 127b01ff 04b8e9a0 000000d9 04b8e9f4 libcef!extensions::EventRouterForwarder::HandleEvent+0x343 [Y:\work\CEF3_git\chromium\src\chrome\browser\extensions\event_router_forwarder.cc @ 115] 
05 04b8e9c4 133a538e 000000d9 04b8e9f4 00000000 libcef!extensions::EventRouterForwarder::DispatchEventToRenderers+0x91 [Y:\work\CEF3_git\chromium\src\chrome\browser\extensions\event_router_forwarder.cc @ 52] 
06 04b8ea74 12b4350a 0e1f5db0 07be4720 ffffff7e libcef!extensions::ProxyEventRouter::OnProxyError+0x152 [Y:\work\CEF3_git\chromium\src\chrome\browser\extensions\api\proxy\proxy_api.cc @ 49] 
07 04b8ea94 0f6c232e ffffff7e 00000000 00000000 libcef!ProxyConfigMonitor::OnRequestMaybeFailedDueToProxySettings+0x2e [Y:\work\CEF3_git\chromium\src\chrome\browser\net\proxy_config_monitor.cc @ 157] 
08 04b8eaec 12b43ee1 0e203804 04b8eb48 04b8eb34 libcef!network::mojom::ProxyErrorClientStubDispatch::Accept+0xe6 [Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\gen\services\network\public\mojom\proxy_config_with_annotation.mojom.cc @ 753] 
09 04b8eafc 111aa421 04b8eb48 499d911c 04b8eb48 libcef!network::mojom::ProxyErrorClientStub<mojo::RawPtrImplRefTraits<network::mojom::ProxyErrorClient> >::Accept+0x13 [Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\gen\services\network\public\mojom\proxy_config_with_annotation.mojom.h @ 322] 
0a 04b8eb34 111ad6f9 04b8eb48 0e225330 0e2268c8 libcef!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x1f5 [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc @ 554] 
0b 04b8eb94 111ad36c 04b8ebbc 00000002 07b648a8 libcef!mojo::internal::MultiplexRouter::ProcessIncomingMessage+0x17d [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\multiplex_router.cc @ 878] 
0c 04b8ec1c 111a8df9 04b8ec88 00000000 04b8ec60 libcef!mojo::internal::MultiplexRouter::Accept+0xb0 [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\multiplex_router.cc @ 602] 
0d 04b8ec80 111a955a 00000000 00000000 00000000 libcef!mojo::Connector::DispatchMessageW+0xb5 [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\connector.cc @ 513] 
0e 04b8ed38 111a9348 0e225500 04b8ed50 0f694c0f libcef!mojo::Connector::ReadAllAvailableMessages+0x198 [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\connector.cc @ 589] 
0f 04b8ed44 0f694c0f 00000000 04b8ed60 0f9f1b25 libcef!mojo::Connector::OnHandleReadyInternal+0x52 [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\connector.cc @ 424] 
10 (Inline) -------- -------- -------- -------- libcef!base::internal::FunctorTraits<void (network::mojom::CookieManager_GetAllCookies_ProxyToResponder::*)(const std::__1::vector<net::CanonicalCookie,std::__1::allocator<net::CanonicalCookie> > &) __attribute__((thiscall)),void>::Invoke+0x9 [Y:\work\CEF3_git\chromium\src\base\bind_internal.h @ 499] 
...

libcef!apps::AppLoadServiceFactory::GetBrowserContextToUse:
103415d0 55              push    ebp
103415d1 89e5            mov     ebp,esp
103415d3 e8f2860200      call    libcef!extensions::ExtensionsBrowserClient::Get (10369cca)
103415d8 8b10            mov     edx,dword ptr [eax]  ds:002b:00000000=????????
103415da 89c1            mov     ecx,eax
103415dc 5d              pop     ebp
103415dd ff621c          jmp     dword ptr [edx+1Ch]

libcef!extensions::ExtensionsBrowserClient::Get:
10369cca 55              push    ebp
10369ccb 89e5            mov     ebp,esp
10369ccd a108471715      mov     eax,dword ptr [libcef!g_extension_browser_client (15174708)]
10369cd2 5d              pop     ebp
10369cd3 c3              ret

Comments (21)

  1. Marshall Greenblatt

    disabling event forwarding in ProxyConfigMonitor

    Can you submit a PR against master with this proposed fix? See the documentation here for how to check if CEF is being built.

    It’s also possible that this issue is resolved without changes in current master because the ProxyConfigMonitor code now uses g_browser_process->extension_event_router_forwarder(), which should be non-nullptr.

  2. Sheen Tian

    I tested the latest version (CEF 84.4.1+gfdc7504+chromium-84.0.4147.105 / Chromium 84.0.4147.105) on macOS

    cefclient.app/Contents/MacOS/cefclient --disable-extensions --proxy-server=10.10.10.1:12345

    it seems there is no more crash.

  3. Sheen Tian

    hi @Marshall Greenblatt , in our project, we use an older version of CEF and we have found some crash (same as this issue) cases from the user side.

    Currently we don’t want to upgrade the CEF in our project, but we still need proxy and --disable-extensions, how could we get rid of this crash issue?

    If we just remove --disable-extensions args without upgrading the CEF can we avoid this crash?

  4. Marshall Greenblatt

    Thanks for the update.

    If we just remove --disable-extensions args without upgrading the CEF can we avoid this crash?

    You would have to test that.

  5. Andy Tzeng

    I would like to update the issue on Windows

    What I used is cef_binary_85.3.0 chromium-85.0.4183.26. If the required credentials proxy is configured into CEF and disable extensions, it suffers the same crash on Windows platform because the global object (extensions::ExtensionsBrowserClient) is not set.

    In this case, the OnProxyError will be invoked because the proxy needs credentials, but GetAuthCredentials() is not called because the crash happens first.

     # ChildEBP RetAddr  Args to Child              
    00 001bf0d4 116ca90d 177e9c48 001bf0fc 11324154 libcef!apps::AppLoadServiceFactory::GetBrowserContextToUse+0x8 (FPO: [1,0,4]) (CONV: thiscall)
    01 001bf120 103aeeb6 177e9c48 00000001 001bf170 libcef!KeyedServiceFactory::GetServiceForContext+0x3b (FPO: [2,0,0]) (CONV: thiscall)
    02 001bf134 13cdb957 177e9c48 092b42f0 fe5e26fd libcef!extensions::EventRouterFactory::GetForBrowserContext+0x16 (FPO: [1,0,0]) (CONV: cdecl)
    03 (Inline) -------- -------- -------- -------- libcef!std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char> >::empty+0x12 (Inline Function @ 13cdb957) (CONV: thiscall)
    04 001bf154 13cdb7a7 177e9c48 001bf218 000000d9 libcef!extensions::EventRouterForwarder::CallEventRouter+0x53 (FPO: [7,0,0]) (CONV: thiscall)
    05 001bf1d8 13cdb3bb 001bf218 000000d9 001bf26c libcef!extensions::EventRouterForwarder::HandleEvent+0x3b9 (FPO: [8,0,0]) (CONV: thiscall)
    06 001bf23c 1367e7a0 000000d9 001bf26c 00000000 libcef!extensions::EventRouterForwarder::DispatchEventToRenderers+0x91 (FPO: [7,0,0]) (CONV: thiscall)
    07 001bf2ec 12b14966 092b0278 177e9c48 ffffff91 libcef!extensions::ProxyEventRouter::OnProxyError+0x150 (FPO: [3,0,0]) (CONV: thiscall)
    08 001bf30c 0f5cb10e ffffff91 102e5b58 0000005f libcef!ProxyConfigMonitor::OnRequestMaybeFailedDueToProxySettings+0x2e (FPO: [1,0,0]) (CONV: thiscall)
    09 001bf370 12b1547d 177cc2b4 001bf3f0 001bf3b8 libcef!network::mojom::ProxyErrorClientStubDispatch::Accept+0xd0 (FPO: [2,0,0]) (CONV: cdecl)
    0a 001bf380 114251f0 001bf3f0 113392a1 001bf3c4 libcef!network::mojom::ProxyErrorClientStub<mojo::RawPtrImplRefTraits<network::mojom::ProxyErrorClient> >::Accept+0x13 (FPO: [1,0,4]) (CONV: thiscall)
    0b 001bf3b8 11be0bff 001bf3f0 18932ae8 177e9324 libcef!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x200 (FPO: [1,0,0]) (CONV: thiscall)
    0c 001bf3dc 114290a3 001bf3f0 04e07a70 177e9288 libcef!mojo::MessageDispatcher::Accept+0x51 (FPO: [1,0,0]) (CONV: thiscall)
    0d 001bf43c 11428d15 001bf464 00000002 00689de8 libcef!mojo::internal::MultiplexRouter::ProcessIncomingMessage+0x17d (FPO: [3,0,0]) (CONV: thiscall)
    0e 001bf4c4 1142436c 001bf53c 00000000 00000000 libcef!mojo::internal::MultiplexRouter::Accept+0xb1 (FPO: [1,0,0]) (CONV: thiscall)
    0f 001bf534 11424923 00000000 00000000 00000000 libcef!mojo::Connector::DispatchMessageW+0xc4 (FPO: [15,0,0]) (CONV: thiscall)
    10 001bf5e4 11424818 001bf5f8 0f59ffaf 00000000 libcef!mojo::Connector::ReadAllAvailableMessages+0x87 (FPO: [0,0,0]) (CONV: thiscall)
    11 001bf5ec 0f59ffaf 00000000 001bf608 0fc07475 libcef!mojo::Connector::OnHandleReadyInternal+0x1a (FPO: [1,0,4]) (CONV: thiscall)
    12 (Inline) -------- -------- -------- -------- libcef!base::internal::FunctorTraits<void (network::mojom::HostResolver_MdnsListen_ProxyToResponder::*)(int) __attribute__((thiscall)),void>::Invoke+0x9 (Inline Function @ 0f59ffaf) (CONV: cdecl)
    13 (Inline) -------- -------- -------- -------- libcef!base::internal::InvokeHelper<0,void>::MakeItSo+0x9 (Inline Function @ 0f59ffaf) (CONV: cdecl)
    14 (Inline) -------- -------- -------- -------- libcef!base::internal::Invoker<base::internal::BindState<void (network::mojom::HostResolver_MdnsListen_ProxyToResponder::*)(int) __attribute__((thiscall)),std::__1::unique_ptr<network::mojom::HostResolver_MdnsListen_ProxyToResponder,std::__1::default_delete<network::mojom::HostResolver_MdnsListen_ProxyToResponder> > >,void (int)>::RunImpl+0x9 (Inline Function @ 0f59ffaf) (CONV: cdecl)
    15 001bf5f8 0fc07475 1890bc90 00000000 001bf61c libcef!base::internal::Invoker<base::internal::BindState<void (network::mojom::HostResolver_MdnsListen_ProxyToResponder::*)(int) __attribute__((thiscall)),std::__1::unique_ptr<network::mojom::HostResolver_MdnsListen_ProxyToResponder,std::__1::default_delete<network::mojom::HostResolver_MdnsListen_ProxyToResponder> > >,void (int)>::RunOnce+0xf (FPO: [2,0,4]) (CONV: cdecl)
    16 (Inline) -------- -------- -------- -------- libcef!base::RepeatingCallback<void (unsigned int)>::Run+0x9 (Inline Function @ 0fc07475) (CONV: thiscall)
    17 001bf608 0fc0748d 1890bc24 00000000 177e6f9c libcef!mojo::SimpleWatcher::DiscardReadyState+0xf (FPO: [3,0,4]) (CONV: cdecl)
    18 (Inline) -------- -------- -------- -------- libcef!base::internal::FunctorTraits<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),void>::Invoke+0xa (Inline Function @ 0fc0748d) (CONV: cdecl)
    19 (Inline) -------- -------- -------- -------- libcef!base::internal::InvokeHelper<0,void>::MakeItSo+0xa (Inline Function @ 0fc0748d) (CONV: cdecl)
    1a (Inline) -------- -------- -------- -------- libcef!base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::RunImpl+0xa (Inline Function @ 0fc0748d) (CONV: cdecl)
    1b 001bf61c 114336d2 1890bc10 00000000 177e6f9c libcef!base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run+0x13 (FPO: [3,0,4]) (CONV: cdecl)
    1c (Inline) -------- -------- -------- -------- libcef!base::RepeatingCallback<void (unsigned int, const mojo::HandleSignalsState &)>::Run+0xe (Inline Function @ 114336d2) (CONV: thiscall)
    1d 001bf668 11433a63 00000001 00000000 177e6f9c libcef!mojo::SimpleWatcher::OnHandleReady+0xb2 (FPO: [3,0,0]) (CONV: thiscall)
    1e (Inline) -------- -------- -------- -------- libcef!base::internal::FunctorTraits<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) __attribute__((thiscall)),void>::Invoke+0x20 (Inline Function @ 11433a63) (CONV: cdecl)
    1f (Inline) -------- -------- -------- -------- libcef!base::internal::InvokeHelper<1,void>::MakeItSo+0x34 (Inline Function @ 11433a63) (CONV: cdecl)
    20 (Inline) -------- -------- -------- -------- libcef!base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) __attribute__((thiscall)),base::WeakPtr<mojo::SimpleWatcher>,int,unsigned int,mojo::HandleSignalsState>,void ()>::RunImpl+0x34 (Inline Function @ 11433a63) (CONV: cdecl)
    21 001bf68c 11366f2a 177e6f78 00000c78 001bf601 libcef!base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) __attribute__((thiscall)),base::WeakPtr<mojo::SimpleWatcher>,int,unsigned int,mojo::HandleSignalsState>,void ()>::RunOnce+0x41 (FPO: [1,0,0]) (CONV: cdecl)
    22 (Inline) -------- -------- -------- -------- libcef!base::OnceCallback<void ()>::Run+0x10 (Inline Function @ 11366f2a) (CONV: thiscall)
    23 001bf708 11b96e2d 15550206 092ec5b8 00000000 libcef!base::TaskAnnotator::RunTask+0xfa (FPO: [2,0,0]) (CONV: thiscall)
    24 001bf7a0 11b96b57 001bf7b8 001bf7c0 0068b1a8 libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl+0x10d (FPO: [2,0,0]) (CONV: thiscall)
    25 001bf7f8 1138c2d1 001bf810 000000a3 d76de1cb libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork+0x87 (FPO: [1,0,0]) (CONV: thiscall)
    26 001bf834 1138bb31 0068b1ac 11b9da00 00000001 libcef!base::MessagePumpForUI::DoRunLoop+0x51 (FPO: [0,0,0]) (CONV: thiscall)
    27 001bf854 11b97479 0068b1ac 001bf8b8 ffffffff libcef!base::MessagePumpWin::Run+0x41 (FPO: [1,0,4]) (CONV: thiscall)
    28 001bf884 113548e6 00000001 ffffffff 7fffffff libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run+0xf9 (FPO: [3,0,0]) (CONV: thiscall)
    29 001bf8d0 11b5940e 001bf8d8 0068b1b0 00000000 libcef!base::RunLoop::Run+0x176 (FPO: [0,0,0]) (CONV: thiscall)
    *** WARNING: Unable to verify checksum for uiWinMgr.exe
    2a 001bf904 008c26f7 45cf9e6c 00000000 0000000a libcef!CefMainRunner::RunMessageLoop+0x52 (FPO: [0,0,0]) (CONV: thiscall)
    2b (Inline) -------- -------- -------- -------- uiWinMgr!cef::MainMessageLoop::Run+0x97 (Inline Function @ 008c26f7) (CONV: thiscall) [D:\project\Titanium\src\UI\uiWinMgr\cef\browser\MainMessageLoop.cc @ 40] 
    2c (Inline) -------- -------- -------- -------- uiWinMgr!TmWeb::MainContext::Run+0x101 (Inline Function @ 008c26f7) (CONV: thiscall) [D:\project\Titanium\src\UI\uiWinMgr\TmWeb\MainContext.cpp @ 238] 
    2d 001bfab4 00929345 04eca3c0 00000000 0063238a uiWinMgr!wWinMain+0x4c7 (FPO: [Non-Fpo]) (CONV: stdcall) [D:\project\Titanium\src\UI\uiWinMgr\uiWinMgr.cpp @ 70] 
    *** WARNING: Unable to verify checksum for KERNEL32.DLL
    2e (Inline) -------- -------- -------- -------- uiWinMgr!invoke_main+0x1a (Inline Function @ 00929345) (CONV: cdecl) [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 118] 
    2f 001bfb00 76040419 00201000 76040400 001bfb6c uiWinMgr!__scrt_common_main_seh+0xf8 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
    30 001bfb10 76fd66dd 00201000 aa2c7f7d 00000000 KERNEL32!BaseThreadInitThunk+0x19 (FPO: [Non-Fpo])
    31 001bfb6c 76fd66ad ffffffff 76ff53bd 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH])
    32 001bfb7c 00000000 009293c9 00201000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
    

    Please re-consider this case. Thank you.

  6. John Moore

    I can confirm the same crash. on 85.3.9+gb045a6e I encountered it when specifying a proxy, but I forgot to run Fiddler application on Windows 10/x64. Ensuring Fidler was running did not reproduce the issue.

    As a temporary workaround, we can disable appending the proxy-server argument when Fiddler.exe is running, but obviously the underlying crash could use a fix as well.

  7. Srikanth Addepalli

    I still see the crash in cef_binary_85.3.9+gb045a6e+chromium-85.0.4183.102 when proxy is used.

  8. Marshall Greenblatt

    Testing with cefclient (cefclient.exe --disable-extensions --proxy-server=<IP>:808) and CCProxy on Windows, and using the default “guest”/”guest” credentials already configured in ClientHandler::GetAuthCredentials, I’m not able to reproduce this issue with M97 or M98.

    If someone else is still able to reproduce with supported versions then we can re-open.

  9. Marshall Greenblatt

    Looks like we should disable the registration of ProxyErrorClient in ProxyConfigMonitor when extensions are disabled, so that OnPACScriptError and OnRequestMaybeFailedDueToProxySettings are not called.

  10. Log in to comment