
Issue metadata

Status: Fixed
Closed: Apr 2012
OS: All
Pri: 1
Type: Bug-Security

Issue 118642: Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor

Reported by ax3...@gmail.com, Mar 16 2012

Issue description

VULNERABILITY DETAILS
Use-after-free in JavaScript engine.

VERSION
Version 19.0.1068.0 (126348), Developer Build on Ubuntu 10.10

REPRODUCTION CASE
Unfortunately I can't provide a testcase currently - this is one of those rare cases when reproduction does not work. I decided to provide at least the stack trace; probably it can be useful. This bug appears quite frequently, so probably later I will finally get the testcase.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
==5320== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffbb6a02888 at pc 0x7ffbdcb07aa9 bp 0x7fff610c4cb0 sp 0x7fff610c4ca8
READ of size 8 at 0x7ffbb6a02888 thread T0
    #0 0x7ffbdcb07aa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7ffbd77a348e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7ffbd78fe004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7ffbd7be13fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7ffbd7beccd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x2ef9fe00614e
    #6 0x2ef9fe0ca0e0
    #7 0x2ef9fe0c6822
    #8 0x2ef9fe0e89ed
    #9 0x2ef9fe06e4b3
    #10 0x2ef9fe022647
    #11 0x2ef9fe011137
    #12 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #13 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #14 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #15 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #16 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #17 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #19 0x7ffbd69f1256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #20 0x7ffbd69f1ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #21 0x7ffbd69f3498 in MessageLoop::DoDelayedWork(base::TimeTicks*) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:698
    #22 0x7ffbd69fd2ce in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:33
    #23 0x7ffbd69efe1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #24 0x7ffbd69ee00f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #25 0x7ffbdbdc9b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #26 0x7ffbd69464b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #27 0x7ffbd6944a2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #28 0x7ffbd53abc97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #29 0x7ffbd53abbeb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #30 0x7ffbce7bbd8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7ffbb6a02888 is located 8 bytes inside of 136-byte region [0x7ffbb6a02880,0x7ffbb6a02908)
freed by thread T0 here:
    #0 0x7ffbdd14b9d2 in operator delete(void*) ??:0
    #1 0x7ffbd753eb39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7ffbdd14b852 in operator new(unsigned long) ??:0
    #1 0x7ffbd8b88258 in WebCore::HTMLStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLStyleElement.cpp:70
    #2 0x7ffbda6cd5aa in WTF::PassRefPtr<WebCore::HTMLStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7ffbda6c4c63 in WTF::PassRefPtr<WebCore::HTMLElement>::operator WebCore::HTMLElement* WTF::PassRefPtr<WebCore::HTMLElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7ffbd8acd759 in WTF::PassRefPtr<WebCore::HTMLElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7ffbda57ff00 in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7ffbd7494da3 in HandleApiCallHelper /media/Chromium/chromium/depot_tools/src/v8/src/builtins.cc:1136
    #7 0x2ef9fe00614e
    #8 0x2ef9fe0ca1aa
    #9 0x2ef9fe0c6822
    #10 0x2ef9fe0e89ed
    #11 0x2ef9fe06e4b3
    #12 0x2ef9fe022647
    #13 0x2ef9fe011137
    #14 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #15 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #16 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #17 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #18 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #19 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #20 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
==5320== ABORTING

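As an added example (not part of the original issue or of Chromium's tooling), a small parser for the ASan heap-use-after-free report format shown above: it pulls out the access, the size of the freed object, and the first symbolized use, free and allocation frames, which is what a triager needs to cluster reports like this one. The embedded sample is a constructed, trimmed copy of the report (paths shortened, JIT frames cut), not the original log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the report in this issue (frames trimmed,
# paths shortened); it is not the original log.
SAMPLE_REPORT = """\
==4607== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc65ad84c88 at pc 0x7fc6786ffaa9 bp 0x7fffd98b71d0 sp 0x7fffd98b71c8
READ of size 8 at 0x7fc65ad84c88 thread T0
    #0 0x7fc6786ffaa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7fc67339b48e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) src/v8/src/objects.cc:10097
    #2 0x226d1c0614e
0x7fc65ad84c88 is located 8 bytes inside of 144-byte region [0x7fc65ad84c80,0x7fc65ad84d10)
freed by thread T0 here:
    #0 0x7fc678d439d2 in operator delete(void*) ??:0
    #1 0x7fc673136b39 in v8::internal::RuntimeProfiler::IsEnabled() src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7fc678d43852 in operator new(unsigned long) ??:0
    #1 0x7fc676655fe4 in WebCore::SVGStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) src/third_party/WebKit/Source/WebCore/svg/SVGStyleElement.cpp:51
==4607== ABORTING
"""

# Old (2012) reports write "AddressSanitizer <kind>"; newer ones add a colon.
HEADER_RE = re.compile(r"^==(\d+)== ERROR: AddressSanitizer:? (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the right of|to the left of) (\d+)-byte region")
# "#N 0xPC in <function> <file:line>"; unsymbolized JIT frames have only the pc.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)(?:\s+in\s+(.+)\s+(\S+))?\s*$")
ALLOCATOR_PREFIXES = ("operator new", "operator delete", "malloc", "free", "__interceptor_")

@dataclass
class Frame:
    index: int
    pc: int
    function: Optional[str]   # None for unsymbolized (JIT) frames
    location: Optional[str]

@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    crash_stack: List[Frame] = field(default_factory=list)
    freed_by: List[Frame] = field(default_factory=list)
    allocated_by: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan error report; frames are attributed to the section they follow."""
    report, current = None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
            current = report.crash_stack
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        if line.startswith(f"=={report.pid}== ABORTING"):
            break
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            continue
        m = REGION_RE.search(line)
        if m:
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(3))
            continue
        if line.startswith("freed by thread"):
            current = report.freed_by
            continue
        if line.startswith("previously allocated by thread"):
            current = report.allocated_by
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report

def first_symbolized(frames: List[Frame]) -> Optional[Frame]:
    """First frame with a symbol that is not the allocator/deallocator itself."""
    for f in frames:
        if f.function and not f.function.startswith(ALLOCATOR_PREFIXES):
            return f
    return None

def signature(report: AsanReport) -> str:
    """Dedup key: bug kind plus the use, free and allocation sites (function names only)."""
    parts = [report.kind]
    for frames in (report.crash_stack, report.freed_by, report.allocated_by):
        f = first_symbolized(frames)
        parts.append(f.function.split("(")[0] if f else "?")
    return "|".join(parts)

if __name__ == "__main__":
    print(signature(parse_asan_report(SAMPLE_REPORT)))
```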
Comment 1 by cdn@chromium.org, Mar 16 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-18 OS-All SecSeverity-High
Status: Available
I'm not sure that we will be able to do much without a testcase. Kind of looks like the ownerNode went away but I don't think I understand the lifetime of CSSStyleSheets and their style elements well enough to find the bug. I'll investigate a bit but I'm not overly optimistic :)

Comment 2 by jsc...@chromium.org, Mar 17 2012

Cc: danno@chromium.org
Labels: -Mstone-18 -SecSeverity-High WebKit-JavaScript
Status: Unconfirmed
I asked him to file this so the v8 guys could have a look, in case the stack trace gives them a clue. If not we'll close it out. However, since it's not confirmed, please don't assign labels that could be misleading.

Comment 3 by danno@chromium.org, Mar 19 2012

Cc: japhet@chromium.org arv@chromium.org
This looks like a crash in the bindings, not in V8 itself. Adding the bindings guys.

Comment 4 by arv@chromium.org, Mar 19 2012

cdn: What makes you think this is related to ownerNode? I'm curious because we rolled back a change that involved ownerNode. See https://bugs.webkit.org/show_bug.cgi?id=80880 for more details.

Comment 5 by cdn@chromium.org, Mar 19 2012

arv: Total guess based on a look at the code around where the crash occurs. A bad ownerNode seemed like the only thing in WebCore::toV8() that could cause a read av.

I am not at all confident in that analysis though :)

Comment 6 by cdn@chromium.org, Mar 19 2012

Oh, also, if you look at the stack where it was allocated, it is creating a style element. Would the ownerNode for a CSSStyleSheet be a style element?

I'll stop guessing now.

Comment 7 by ax3...@gmail.com, Mar 19 2012

Good news - I am able to reproduce the crash now, will try to provide a reduced testcase tomorrow.

Comment 8 by cdn@chromium.org, Mar 19 2012

Excellent!

Want to post what you have now and we can run it through our minimizer. I promise it won't affect the bounty :)

Comment 9 by ax3...@gmail.com, Mar 19 2012

Unfortunately I can't do it right now, because the testcase is too complicated - it requires too much stuff to be done manually and cannot be automated. Actually, it's part of a fuzzing framework and also has a bunch of dependencies. Tomorrow I will post a minimized version; I'm working on it.

Comment 10 by cdn@chromium.org, Mar 19 2012

No worries. Thanks for continuing to bang on this one.

Comment 11 by ax3...@gmail.com, Mar 20 2012

Attaching testcase and here is a new ASan log:
=================================================================
==4607== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc65ad84c88 at pc 0x7fc6786ffaa9 bp 0x7fffd98b71d0 sp 0x7fffd98b71c8
READ of size 8 at 0x7fc65ad84c88 thread T0
    #0 0x7fc6786ffaa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7fc67339b48e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7fc6734f6004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7fc6737d93fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7fc6737e4cd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x226d1c0614e
    #6 0x226d1c45020
    #7 0x226d1c22647
    #8 0x226d1c11137
    #9 0x7fc6730db278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #10 0x7fc673025586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #11 0x7fc674d4aa03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #12 0x7fc674d49bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #13 0x7fc675576da7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #14 0x7fc6753b0d68 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #15 0x7fc6749c05d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #16 0x7fc6725e9256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #17 0x7fc6725e9ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #18 0x7fc6725eada9 in MessageLoop::DoWork() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:660
    #19 0x7fc6725f5277 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:28
    #20 0x7fc6725e7e1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #21 0x7fc6725e600f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #22 0x7fc6779c1b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #23 0x7fc67253e4b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #24 0x7fc67253ca2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #25 0x7fc670fa3c97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #26 0x7fc670fa3beb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #27 0x7fc66a3b3d8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7fc65ad84c88 is located 8 bytes inside of 144-byte region [0x7fc65ad84c80,0x7fc65ad84d10)
freed by thread T0 here:
    #0 0x7fc678d439d2 in operator delete(void*) ??:0
    #1 0x7fc673136b39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7fc678d43852 in operator new(unsigned long) ??:0
    #1 0x7fc676655fe4 in WebCore::SVGStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGStyleElement.cpp:51
    #2 0x7fc6763fcf79 in WTF::PassRefPtr<WebCore::SVGStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7fc6763f6728 in WTF::PassRefPtr<WebCore::SVGElement>::operator WebCore::SVGElement* WTF::PassRefPtr<WebCore::SVGElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7fc6740eb7c8 in WTF::PassRefPtr<WebCore::SVGElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7fc6754cc4fa in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7fc6742fd3b6 in xmlParseStartTag2 /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:9126
    #7 0x7fc6743061c9 in xmlParseTryOrFinish /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:10847
    #8 0x7fc67430395c in xmlParseChunk /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:11625
    #9 0x7fc6754cac50 in WebCore::DocumentParser::isStopped() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/DocumentParser.h:69
    #10 0x7fc6754c4965 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #11 0x7fc678358279 in ~Deque /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #12 0x7fc6752a0e9f in WebCore::DocumentLoader::commitData(char const*, unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:327
    #13 0x7fc67403b618 in WebKit::FrameLoaderClientImpl::committedLoad(WebCore::DocumentLoader*, char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1137
    #14 0x7fc6752a0abc in WebCore::DocumentLoader::commitLoad(char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:313
    #15 0x7fc67533622e in WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:292
    #16 0x7fc675313450 in WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:464
    #17 0x7fc67533791b in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7fc673af77f2 in ResourceDispatcher::OnReceivedData(IPC::Message const&, int, base::FileDescriptor, int, int) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:404
    #19 0x7fc673af5f45 in ResourceDispatcher::DispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/./content/common/resource_messages.h:155
    #20 0x7fc673af4290 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:326
    #21 0x7fc6739ee75f in ChildThread::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/child_thread.cc:172
    #22 0x7fc672700e13 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/ipc/ipc_channel_proxy.cc:268
==4607== ABORTING
Attachment: tc-20-03-12-uaf.zip (637 bytes)

Comment 12 by kenrb@chromium.org, Mar 21 2012

Status: Available
Unfortunately cluster-fuzz still isn't giving us any information, so your ASAN stack trace is still the most information we have.

I can reproduce this fairly easily in debug on Windows, however. It looks like a CSSStyleSheet object has a stale pointer in m_ownerNode.

Ax330d's ASAN dump says it is freed by the runtime profiler?

arv, can you have a peek at this again?

Comment 13 by danno@chromium.org, Mar 21 2012

Cc: u...@chromium.org
Owner: arv@chromium.org
Status: Assigned
Assigning to arv, since he's been looking at it up to this point and it should really get attention since it's a reproducible crash. If you need any V8 help, please let me know.

Comment 14 by jsc...@chromium.org, Apr 8 2012

Labels: SecSeverity-High
This seems to have stalled. It looks like high-severity based on the report.

@arv - Are you working on this, and if not, do you know who should be?

Comment 15 by arv@chromium.org, Apr 9 2012

Cc: rniwa@chromium.org
I'll look at it again.

The test case seems to do a lot of things that should not matter. I'll see if I can repro this in ASAN and scale back the test further.

Comment 16 by arv@chromium.org, Apr 9 2012

One more thing. This is not a binding issue. It's just a use-after-free.

Comment 17 by rniwa@chromium.org, Apr 9 2012

It seems like the timer is calling on an SVG element that has already been freed?

Comment 18 by arv@chromium.org, Apr 9 2012

My gut feeling is that we are not correctly invalidating the StyleSheetList when we removed the nodes.

Comment 19 by arv@chromium.org, Apr 9 2012

I managed to reduce this further. It no longer uses a range and it now uses an HTML file (SVGStyleElement has the same removeFromDocument as HTMLStyleElement).
Attachment: test-case.zip (992 bytes)

Comment 20 by arv@chromium.org, Apr 10 2012

Comment 21 by arv@chromium.org, Apr 10 2012

Labels: WebKit-ID-83605

Comment 22 by bugdroid1@chromium.org, Apr 10 2012

Project Member
Labels: -WebKit-ID-83605 WebKit-ID-83605-NEW
https://bugs.webkit.org/show_bug.cgi?id=83605

Comment 23 by arv@chromium.org, Apr 10 2012

Cc: eseidel@chromium.org

Comment 24 by arv@chromium.org, Apr 10 2012

Cc: adamk@chromium.org

Comment 25 by arv@chromium.org, Apr 11 2012

Labels: -WebKit-ID-83605-NEW WebKit-ID-83696

Comment 26 by infe...@chromium.org, Apr 11 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved Stability-AddressSanitizer
Status: FixUnreleased
http://trac.webkit.org/changeset/113887

Comment 27 by scarybea...@gmail.com, Apr 22 2012

Labels: reward-topanel
Does anyone happen to know if this affects M18 stable? Or just an M19 regression?

Comment 28 by infe...@chromium.org, Apr 24 2012

Labels: -reward-topanel reward-1000 reward-unpaid SecImpacts-Stable SecImpacts-Beta
Thanks Ax330d for finally getting an awesome repro to reproduce this bug. It was really helpful to see the root problem. This qualifies for a $1000 Chromium Security Reward.

Comment 29 by infe...@chromium.org, Apr 24 2012

Labels: Mstone-18

Comment 30 by scarybea...@gmail.com, Apr 30 2012

Labels: -Merge-Approved -Mstone-18 Merge-Merged Mstone-19
M19: http://trac.webkit.org/changeset/115611

Comment 31 by scarybea...@gmail.com, May 10 2012

Labels: -reward-unpaid

Comment 32 by scarybea...@gmail.com, May 14 2012

Labels: CVE-2011-3086

Comment 33 by cdn@chromium.org, May 15 2012

Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.

Comment 34 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 35 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta -Mstone-19 Cr-Content Cr-Content-JavaScript Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-19 Type-Bug-Security Performance-Memory-AddressSanitizer

Comment 36 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 37 by bugdroid1@chromium.org, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 38 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 39 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 40 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 41 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 42 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 43 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 44 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 45 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 46 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 47 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 48 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 49 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
