Status: Fixed
Closed: Apr 2012
OS: All
Pri: 1
Type: Bug-Security

Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor
Reported by ax3...@gmail.com, Mar 16 2012
VULNERABILITY DETAILS
Use-after-free in JavaScript engine.

VERSION
Version 19.0.1068.0 (126348), Developer Build on Ubuntu 10.10

REPRODUCTION CASE
Unfortunately I can't provide a testcase currently - this is one of those rare cases when reproduction does not work. I decided to provide at least the stack trace; probably it can be useful. This bug appears quite frequently, so probably later I will finally get the testcase.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
==5320== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffbb6a02888 at pc 0x7ffbdcb07aa9 bp 0x7fff610c4cb0 sp 0x7fff610c4ca8
READ of size 8 at 0x7ffbb6a02888 thread T0
    #0 0x7ffbdcb07aa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7ffbd77a348e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7ffbd78fe004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7ffbd7be13fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7ffbd7beccd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x2ef9fe00614e
    #6 0x2ef9fe0ca0e0
    #7 0x2ef9fe0c6822
    #8 0x2ef9fe0e89ed
    #9 0x2ef9fe06e4b3
    #10 0x2ef9fe022647
    #11 0x2ef9fe011137
    #12 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #13 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #14 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #15 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #16 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #17 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #19 0x7ffbd69f1256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #20 0x7ffbd69f1ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #21 0x7ffbd69f3498 in MessageLoop::DoDelayedWork(base::TimeTicks*) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:698
    #22 0x7ffbd69fd2ce in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:33
    #23 0x7ffbd69efe1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #24 0x7ffbd69ee00f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #25 0x7ffbdbdc9b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #26 0x7ffbd69464b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #27 0x7ffbd6944a2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #28 0x7ffbd53abc97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #29 0x7ffbd53abbeb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #30 0x7ffbce7bbd8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7ffbb6a02888 is located 8 bytes inside of 136-byte region [0x7ffbb6a02880,0x7ffbb6a02908)
freed by thread T0 here:
    #0 0x7ffbdd14b9d2 in operator delete(void*) ??:0
    #1 0x7ffbd753eb39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7ffbdd14b852 in operator new(unsigned long) ??:0
    #1 0x7ffbd8b88258 in WebCore::HTMLStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLStyleElement.cpp:70
    #2 0x7ffbda6cd5aa in WTF::PassRefPtr<WebCore::HTMLStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7ffbda6c4c63 in WTF::PassRefPtr<WebCore::HTMLElement>::operator WebCore::HTMLElement* WTF::PassRefPtr<WebCore::HTMLElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7ffbd8acd759 in WTF::PassRefPtr<WebCore::HTMLElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7ffbda57ff00 in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7ffbd7494da3 in HandleApiCallHelper /media/Chromium/chromium/depot_tools/src/v8/src/builtins.cc:1136
    #7 0x2ef9fe00614e
    #8 0x2ef9fe0ca1aa
    #9 0x2ef9fe0c6822
    #10 0x2ef9fe0e89ed
    #11 0x2ef9fe06e4b3
    #12 0x2ef9fe022647
    #13 0x2ef9fe011137
    #14 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #15 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #16 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #17 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #18 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #19 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #20 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
==5320== ABORTING
Stats: 109M malloced (128M for red zones) by 331569 calls
Stats: 19M realloced by 16069 calls
Stats: 103M freed by 306260 calls
Stats: 0M really freed by 0 calls
Stats: 260M (66588 full pages) mmaped in 65 calls
  mmaps   by size class: 8:262128; 9:40955; 10:28665; 11:18423; 12:3072; 13:1024; 14:512; 15:128; 16:64; 17:160; 18:96; 19:32; 20:16;
  mallocs by size class: 8:248081; 9:37212; 10:25489; 11:16687; 12:2322; 13:911; 14:418; 15:100; 16:64; 17:143; 18:95; 19:32; 20:15;
  frees   by size class: 8:225725; 9:35875; 10:24598; 11:16216; 12:2223; 13:830; 14:382; 15:87; 16:52; 17:135; 18:93; 19:31; 20:13;
  rfrees  by size class:
Stats: malloc large: 285 small slow: 1343
Shadow byte and word:
  0x1fff76d40511: fd
  0x1fff76d40510: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fff76d404f0: fd fd fd fd fd fd fd fd
  0x1fff76d404f8: fd fd fd fd fd fd fd fd
  0x1fff76d40500: fa fa fa fa fa fa fa fa
  0x1fff76d40508: fa fa fa fa fa fa fa fa
=>0x1fff76d40510: fd fd fd fd fd fd fd fd
  0x1fff76d40518: fd fd fd fd fd fd fd fd
  0x1fff76d40520: fd fd fd fd fd fd fd fd
  0x1fff76d40528: fd fd fd fd fd fd fd fd
  0x1fff76d40530: fa fa fa fa fa fa fa fa
 
Comment 1 by cdn@chromium.org, Mar 16 2012
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-18 OS-All SecSeverity-High
Status: Available
I'm not sure that we will be able to do much without a testcase. Kind of looks like the ownerNode went away but I don't think I understand the lifetime of CSSStyleSheets and their style elements well enough to find the bug. I'll investigate a bit but I'm not overly optimistic :)
Comment 2 by jsc...@chromium.org, Mar 17 2012
Cc: danno@chromium.org
Labels: -Mstone-18 -SecSeverity-High WebKit-JavaScript
Status: Unconfirmed
I asked him to file this so the v8 guys could have a look, in case the stack trace gives them a clue. If not we'll close it out. However, since it's not confirmed, please don't assign labels that could be misleading.
Comment 3 by danno@chromium.org, Mar 19 2012
Cc: japhet@chromium.org arv@chromium.org
This looks like a crash in the bindings, not in V8 itself. Adding the bindings guys.
Comment 4 by arv@chromium.org, Mar 19 2012
cdn: What makes you think this is related to ownerNode? I'm curious because we rolled back a change that involved ownerNode. See https://bugs.webkit.org/show_bug.cgi?id=80880 for more details
Comment 5 by cdn@chromium.org, Mar 19 2012
arv, total guess based on a look at the code around where the crash occurs. A bad ownerNode seemed like the only thing in WebCore::toV8() that could cause a read AV.

I am not at all confident in that analysis though :)
Comment 6 by cdn@chromium.org, Mar 19 2012
Oh, also, if you look at the stack where it was allocated, it is creating a style element. Would the ownerNode for a CSSStyleSheet be a style element?

I'll stop guessing now
Comment 7 by ax3...@gmail.com, Mar 19 2012
Good news - I am able to reproduce the crash now, will try to provide a reduced testcase tomorrow.
Comment 8 by cdn@chromium.org, Mar 19 2012
Excellent!

Want to post what you have now and we can run it through our minimizer. I promise it won't affect the bounty :)
Comment 9 by ax3...@gmail.com, Mar 19 2012
Unfortunately I can't do it right now, because the testcase is too complicated - it requires too much stuff to be done manually and cannot be automated. Actually, it's part of a fuzzing framework and also has a bunch of dependencies. Tomorrow I will post a minimized version; I'm working on it.
Comment 10 by cdn@chromium.org, Mar 19 2012
No worries. Thanks for continuing to bang on this one.
Comment 11 by ax3...@gmail.com, Mar 20 2012
Attaching testcase and here is a new ASan log:
=================================================================
==4607== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc65ad84c88 at pc 0x7fc6786ffaa9 bp 0x7fffd98b71d0 sp 0x7fffd98b71c8
READ of size 8 at 0x7fc65ad84c88 thread T0
    #0 0x7fc6786ffaa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7fc67339b48e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7fc6734f6004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7fc6737d93fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7fc6737e4cd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x226d1c0614e
    #6 0x226d1c45020
    #7 0x226d1c22647
    #8 0x226d1c11137
    #9 0x7fc6730db278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #10 0x7fc673025586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #11 0x7fc674d4aa03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #12 0x7fc674d49bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #13 0x7fc675576da7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #14 0x7fc6753b0d68 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #15 0x7fc6749c05d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #16 0x7fc6725e9256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #17 0x7fc6725e9ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #18 0x7fc6725eada9 in MessageLoop::DoWork() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:660
    #19 0x7fc6725f5277 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:28
    #20 0x7fc6725e7e1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #21 0x7fc6725e600f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #22 0x7fc6779c1b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #23 0x7fc67253e4b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #24 0x7fc67253ca2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #25 0x7fc670fa3c97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #26 0x7fc670fa3beb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #27 0x7fc66a3b3d8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7fc65ad84c88 is located 8 bytes inside of 144-byte region [0x7fc65ad84c80,0x7fc65ad84d10)
freed by thread T0 here:
    #0 0x7fc678d439d2 in operator delete(void*) ??:0
    #1 0x7fc673136b39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7fc678d43852 in operator new(unsigned long) ??:0
    #1 0x7fc676655fe4 in WebCore::SVGStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGStyleElement.cpp:51
    #2 0x7fc6763fcf79 in WTF::PassRefPtr<WebCore::SVGStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7fc6763f6728 in WTF::PassRefPtr<WebCore::SVGElement>::operator WebCore::SVGElement* WTF::PassRefPtr<WebCore::SVGElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7fc6740eb7c8 in WTF::PassRefPtr<WebCore::SVGElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7fc6754cc4fa in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7fc6742fd3b6 in xmlParseStartTag2 /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:9126
    #7 0x7fc6743061c9 in xmlParseTryOrFinish /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:10847
    #8 0x7fc67430395c in xmlParseChunk /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:11625
    #9 0x7fc6754cac50 in WebCore::DocumentParser::isStopped() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/DocumentParser.h:69
    #10 0x7fc6754c4965 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #11 0x7fc678358279 in ~Deque /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #12 0x7fc6752a0e9f in WebCore::DocumentLoader::commitData(char const*, unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:327
    #13 0x7fc67403b618 in WebKit::FrameLoaderClientImpl::committedLoad(WebCore::DocumentLoader*, char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1137
    #14 0x7fc6752a0abc in WebCore::DocumentLoader::commitLoad(char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:313
    #15 0x7fc67533622e in WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:292
    #16 0x7fc675313450 in WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:464
    #17 0x7fc67533791b in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7fc673af77f2 in ResourceDispatcher::OnReceivedData(IPC::Message const&, int, base::FileDescriptor, int, int) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:404
    #19 0x7fc673af5f45 in ResourceDispatcher::DispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/./content/common/resource_messages.h:155
    #20 0x7fc673af4290 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:326
    #21 0x7fc6739ee75f in ChildThread::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/child_thread.cc:172
    #22 0x7fc672700e13 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/ipc/ipc_channel_proxy.cc:268
==4607== ABORTING
Stats: 48M malloced (35M for red zones) by 74186 calls
Stats: 1M realloced by 1905 calls
Stats: 45M freed by 58757 calls
Stats: 0M really freed by 0 calls
Stats: 116M (29716 full pages) mmaped in 29 calls
  mmaps   by size class: 8:65532; 9:16382; 10:8190; 11:2047; 12:1024; 13:1536; 14:256; 15:384; 16:64; 17:64; 18:16; 19:8; 20:8; 22:5;
  mallocs by size class: 8:57634; 9:8577; 10:4433; 11:1317; 12:378; 13:1335; 14:144; 15:254; 16:44; 17:46; 18:12; 19:2; 20:5; 22:5;
  frees   by size class: 8:43495; 9:7992; 10:4138; 11:1065; 12:290; 13:1313; 14:127; 15:247; 16:37; 17:29; 18:12; 19:2; 20:5; 22:5;
  rfrees  by size class:
Stats: malloc large: 70 small slow: 415
Shadow byte and word:
  0x1ff8cb5b0991: fd
  0x1ff8cb5b0990: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff8cb5b0970: fd fd fd fd fd fd fd fd
  0x1ff8cb5b0978: fd fd fd fd fd fd fd fd
  0x1ff8cb5b0980: fa fa fa fa fa fa fa fa
  0x1ff8cb5b0988: fa fa fa fa fa fa fa fa
=>0x1ff8cb5b0990: fd fd fd fd fd fd fd fd
  0x1ff8cb5b0998: fd fd fd fd fd fd fd fd
  0x1ff8cb5b09a0: fd fd fd fd fd fd fd fd
  0x1ff8cb5b09a8: fd fd fd fd fd fd fd fd
  0x1ff8cb5b09b0: fa fa fa fa fa fa fa fa


Attachment: tc-20-03-12-uaf.zip (637 bytes)
Comment 12 by kenrb@chromium.org, Mar 21 2012
Status: Available
Unfortunately cluster-fuzz still isn't giving us any information, so your ASAN stack trace is still the most information we have.

I can reproduce this fairly easily in debug on Windows, however. It looks like a CSSStyleSheet object has a stale pointer in m_ownerNode.

Ax330d's ASAN dump says it is freed by the runtime profiler?

arv can you have a peek at this again?
Comment 13 by danno@chromium.org, Mar 21 2012
Cc: u...@chromium.org
Owner: arv@chromium.org
Status: Assigned
Assigning to arv, since he's been looking at it up to this point and it should really get attention since it's a reproducible crash. If you need any V8 help, please let me know.
Labels: SecSeverity-High
This seems to have stalled. It looks like high-severity based on the report.

@arv - Are you working on this, and if not, do you know who should be?
Comment 15 by arv@chromium.org, Apr 9 2012
Cc: rniwa@chromium.org
I'll look at it again.

The test case seems to do a lot of things that should not matter. I'll see if I can repro this in ASAN and scale back the test further.
Comment 16 by arv@chromium.org, Apr 9 2012
One more thing. This is not a binding issue. It's just a use-after-free.
It seems like the timer is calling on a svg element that has already been freed?
Comment 18 by arv@chromium.org, Apr 9 2012
My gut feeling is that we are not correctly invalidating the StyleSheetList when we removed the nodes.

Comment 19 by arv@chromium.org, Apr 9 2012
I managed to reduce this further. It no longer uses a range and it now uses an HTML file (SVGStyleElement has the same removeFromDocument as HTMLStyleElement).
Attachment: test-case.zip (992 bytes)
Comment 20 by arv@chromium.org, Apr 10 2012
Status: ExternalDependency
https://bugs.webkit.org/show_bug.cgi?id=83605
Comment 21 by arv@chromium.org, Apr 10 2012
Labels: WebKit-ID-83605
Project Member Comment 22 by bugdroid1@chromium.org, Apr 10 2012
Labels: -WebKit-ID-83605 WebKit-ID-83605-NEW
https://bugs.webkit.org/show_bug.cgi?id=83605
Comment 23 by arv@chromium.org, Apr 10 2012
Cc: eseidel@chromium.org
Comment 24 by arv@chromium.org, Apr 10 2012
Cc: adamk@chromium.org
Comment 25 by arv@chromium.org, Apr 11 2012
Labels: -WebKit-ID-83605-NEW WebKit-ID-83696
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved Stability-AddressSanitizer
Status: FixUnreleased
http://trac.webkit.org/changeset/113887
Labels: reward-topanel
Does anyone happen to know if this affects M18 stable? Or just an M19 regression?

Labels: -reward-topanel reward-1000 reward-unpaid SecImpacts-Stable SecImpacts-Beta
Thanks Ax330d for finally getting an awesome repro to reproduce this bug. It was really helpful to see the root problem. This qualifies for a $1000 Chromium Security Reward.
Labels: Mstone-18
Labels: -Merge-Approved -Mstone-18 Merge-Merged Mstone-19
M19: http://trac.webkit.org/changeset/115611
Labels: -reward-unpaid
Labels: CVE-2011-3086
Comment 33 by cdn@chromium.org, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Project Member Comment 34 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 35 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta -Mstone-19 Cr-Content Cr-Content-JavaScript Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-19 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 36 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 37 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 39 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 40 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 41 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 42 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 43 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 44 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript
Project Member Comment 45 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 46 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 47 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic