Issue 158204

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Heap-use-after-free in WebCore::Frame::dispatchVisibilityStateChangeEvent

Reported by chamal.d...@gmail.com, Oct 28 2012

Issue description

VULNERABILITY DETAILS

This vulnerability is in the Frame.cpp->dispatchVisibilityStateChangeEvent method.

void Frame::dispatchVisibilityStateChangeEvent()
{
    if (m_doc)
        m_doc->dispatchVisibilityStateChangeEvent();
    // 'child' is a raw pointer: nothing holds a reference to the child frame while its
    // document's event handlers run, so a handler that removes the frame frees it here.
    for (Frame* child = tree()->firstChild(); child; child = child->tree()->nextSibling())
        child->dispatchVisibilityStateChangeEvent();
}

It is possible to capture the visibility change event from JavaScript and remove the first child frame, which causes the use after free.

VERSION
Chrome Version: [24.0.1309.0 (164506)] + [trunk build]

*The webkitvisibilitychange event is available in dev and stable releases. But this issue does NOT reproduce in stable or dev releases. But the Frame.cpp->dispatchVisibilityStateChangeEvent method, which I think is the cause of the issue, was added to the code a long time ago. So I really don't understand why this does not reproduce in stable or dev releases.

In case this bug happens because of code currently being developed, please ignore this issue.
Operating System: [Ubuntu 12.04, 64 bit]

REPRODUCTION CASE
1. Download and copy pagevisibility_parent.html and pagevisibility.html to the same folder.
2. Open pagevisibility_parent.html in Chrome.
3. Click on the "Click" button or open another tab.
4. Chrome will display sad tab.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Crash State: [Address sanitizer output]

==4771== ERROR: AddressSanitizer heap-use-after-free on address 0x7f3cc7ffa098 at pc 0x7f3cfce84de5 bp 0x7fff63039940 sp 0x7fff63039938
READ of size 8 at 0x7f3cc7ffa098 thread T0
    #0 0x7f3cfce84de4 in WebCore::FrameTree::firstChild() const third_party/WebKit/Source/WTF/wtf/RefPtr.h:58
    #1 0x7f3cfce84db7 in WebCore::Frame::dispatchVisibilityStateChangeEvent() third_party/WebKit/Source/WebCore/page/Frame.cpp:674
    #2 0x7f3cfae74d3d in WebKit::WebViewImpl::setVisibilityState(WebKit::WebPageVisibilityState, bool) third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:4176
    #3 0x7f3d005cd241 in content::RenderViewImpl::OnWasHidden() content/renderer/render_view_impl.cc:5673
    #4 0x7f3d005e398e in bool IPC::Message::Dispatch<content::RenderWidget, content::RenderWidget>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void (content::RenderWidget::*)()) ./ipc/ipc_message.h:156
    #5 0x7f3d00586d58 in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) content/renderer/render_view_impl.cc:1040
    #6 0x7f3cfa87dd40 in content::MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:49
    #7 0x7f3cfa87dbb3 in content::MessageRouter::OnMessageReceived(IPC::Message const&) content/common/message_router.cc:41
    #8 0x7f3cfa76b0dc in content::ChildThread::OnMessageReceived(IPC::Message const&) content/common/child_thread.cc:275
    #9 0x7f3cfa70c0e2 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc/ipc_channel_proxy.cc:261
    #10 0x7f3cf9be3617 in base::Callback<void ()>::Run() const ./base/callback.h:391
    #11 0x7f3cf9be3bf1 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:482
    #12 0x7f3cf9be49ad in MessageLoop::DoWork() base/message_loop.cc:661
    #13 0x7f3cf9bef336 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
    #14 0x7f3cf9be23ca in MessageLoop::RunInternal() base/message_loop.cc:427
    #15 0x7f3cf9c2a3b1 in base::RunLoop::Run() base/run_loop.cc:45
    #16 0x7f3cf9be0886 in MessageLoop::Run() base/message_loop.cc:307
    #17 0x7f3d0060ea4f in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:241
    #18 0x7f3cf9a6fb2a in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:402
    #19 0x7f3cf9a710f9 in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:456
    #20 0x7f3cf9a7290f in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:741
    #21 0x7f3cf9a6f257 in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
    #22 0x7f3cf89a2cb6 in ChromeMain chrome/app/chrome_main.cc:32
    #23 0x7f3cf89a2c1a in main chrome/app/chrome_exe_main_gtk.cc:31
    #24 0x7f3cf1af276c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
0x7f3cc7ffa098 is located 88 bytes inside of 2704-byte region [0x7f3cc7ffa040,0x7f3cc7ffaad0)
freed by thread T0 here:
    #0 0x7f3d02203e10 in __interceptor_free ??:0
    #1 0x7f3cfce90f2e in WTF::RefCounted<WebCore::Frame>::operator delete(void*) third_party/WebKit/Source/WTF/wtf/RefCounted.h:197
    #2 0x7f3cfce9061d in ~FrameView third_party/WebKit/Source/WebCore/page/FrameView.cpp:227
    #3 0x7f3cfb192321 in WTF::RefCounted<WebCore::Widget>::deref() third_party/WebKit/Source/WTF/wtf/RefCounted.h:202
    #4 0x7f3cfb188fb1 in WebCore::EventDispatcher::~EventDispatcher() third_party/WebKit/Source/WebCore/dom/EventDispatcher.h:70
    #5 0x7f3cfb0c924d in WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) third_party/WebKit/Source/WebCore/dom/Node.cpp:2579
    #6 0x7f3cfafe850f in WebCore::Document::dispatchVisibilityStateChangeEvent() third_party/WebKit/Source/WebCore/dom/Document.cpp:1650
    #7 0x7f3cfce84d76 in WebCore::Frame::dispatchVisibilityStateChangeEvent() third_party/WebKit/Source/WebCore/page/Frame.cpp:672
    #8 0x7f3cfce84db7 in WebCore::Frame::dispatchVisibilityStateChangeEvent() third_party/WebKit/Source/WebCore/page/Frame.cpp:674
    #9 0x7f3cfae74d3d in WebKit::WebViewImpl::setVisibilityState(WebKit::WebPageVisibilityState, bool) third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:4176
    #10 0x7f3d005cd241 in content::RenderViewImpl::OnWasHidden() content/renderer/render_view_impl.cc:5673
    #11 0x7f3d005e398e in bool IPC::Message::Dispatch<content::RenderWidget, content::RenderWidget>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void (content::RenderWidget::*)()) ./ipc/ipc_message.h:156
    #12 0x7f3d00586d58 in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) content/renderer/render_view_impl.cc:1040
    #13 0x7f3cfa87dd40 in content::MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:49
    #14 0x7f3cfa87dbb3 in content::MessageRouter::OnMessageReceived(IPC::Message const&) content/common/message_router.cc:41
previously allocated by thread T0 here:
    #0 0x7f3d02203ed0 in __interceptor_malloc ??:0
    #1 0x7f3cfaf5ad08 in WTF::fastMalloc(unsigned long) third_party/WebKit/Source/WTF/wtf/FastMalloc.cpp:269
    #2 0x7f3cfce82012 in WTF::RefCounted<WebCore::Frame>::operator new(unsigned long) third_party/WebKit/Source/WTF/wtf/RefCounted.h:197
    #3 0x7f3cfae0ddb5 in WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const&, WebCore::HTMLFrameOwnerElement*) third_party/WebKit/Source/WebKit/chromium/src/WebFrameImpl.cpp:2233
    #4 0x7f3cfaed3dbc in WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1459
    #5 0x7f3cfcd7495f in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::String const&, WTF::String const&) third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp:366
    #6 0x7f3cfcd6f692 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::AtomicString const&, bool, bool) third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp:337
    #7 0x7f3cfcd6f09d in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool) third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp:87
    #8 0x7f3d01853ae6 in WebCore::HTMLFrameElementBase::openURL(bool, bool) third_party/WebKit/Source/WebCore/html/HTMLFrameElementBase.cpp:100

Attachments:
pagevisibility_parent.html (236 bytes)
pagevisibility.html (159 bytes)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Stability-AddressSanitizer
Status: Available
Very nice catch Chamal.
Labels: SecImpacts-Stable SecImpacts-Beta Mstone-23
CF report coming - https://cluster-fuzz.appspot.com/testcase?key=132701773
Inferno, can you reproduce this on stable (Labels: SecImpacts-Stable SecImpacts-Beta)?
I cannot reproduce this on stable or dev release.
Summary: Heap-use-after-free in WebCore::Frame::dispatchVisibilityStateChangeEvent
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=132701773

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7fe7c5dd8098
Crash State:
  - crash stack -
  WebCore::Frame::dispatchVisibilityStateChangeEvent
  WebCore::Frame::dispatchVisibilityStateChangeEvent
  - free stack -
  WebCore::FrameView::~FrameView
  WebCore::FrameView::~FrameView
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114961:114982

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mcBbz3xFAw5rlJsauaIQ4DduB83zzl6aTw-1fzCRL2Q1CV2GlmiVTyp7xsTMB5BKBY5ybL-yBtmLiHib0xdJY6MN2M_KDNt_yLEHoMo1_BZQUvlPm5WGmSMIlho2ki8uA2COukFXjDBHCqkNFiMRr7Kmy1uJdUYyqQUALMhd117OjzjI

Additional requirements: Requires Interaction Gestures
Increasing the ref count of the child frame in the Frame.cpp->dispatchVisibilityStateChangeEvent method fixed the bug. If this fix is OK I'd like to submit a patch.

void Frame::dispatchVisibilityStateChangeEvent()
{
    if (m_doc)
        m_doc->dispatchVisibilityStateChangeEvent();
    // fix: RefPtr<Frame> child holds a reference, so the child frame stays alive
    // until the loop has advanced past it, even if an event handler removes it
    for (RefPtr<Frame> child = tree()->firstChild(); child; child = child->tree()->nextSibling())
        child->dispatchVisibilityStateChangeEvent();
}
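An added example, not code from this issue or from WebKit, that models the sequence described in the report (a handler removing the first child frame during dispatch) and the RefPtr fix proposed in the comment above in one stand-alone C++ program. The frame tree, the RefPtr look-alike, the arena and the two-iframe scenario are all constructed here; a frame whose refcount reaches zero is only marked freed, so the stale read is observable rather than undefined behaviour.

```cpp
#include <deque>
#include <functional>
// Toy model of the WebCore frame tree, constructed for this example (not WebKit code). Frames are
// refcounted but live in an arena: a frame whose count hits zero is marked freed, not deallocated.
struct Frame {
    int refCount = 0; bool freed = false;
    Frame *firstChild = nullptr, *nextSibling = nullptr;
    std::function<void(Frame*)> onVisibilityChange;  // stands in for the page's JS event listener
};
static std::deque<Frame> arena;                      // deque: element addresses stay stable
static Frame* newFrame() { arena.emplace_back(); return &arena.back(); }
static void ref(Frame* f) { ++f->refCount; }
static void deref(Frame* f) { if (--f->refCount == 0) f->freed = true; }  // models operator delete
// Minimal WTF::RefPtr look-alike: holds one reference for as long as it points at a frame.
struct RefPtr {
    Frame* p;
    explicit RefPtr(Frame* f) : p(f) { if (p) ref(p); }
    ~RefPtr() { if (p) deref(p); }
    RefPtr& operator=(Frame* f) { if (f) ref(f); if (p) deref(p); p = f; return *this; }
    Frame* operator->() const { return p; }
    operator Frame*() const { return p; }
};
// The tree owns exactly one reference per child, as FrameTree does; removal drops it.
static void insertChild(Frame* p, Frame* c) { c->nextSibling = p->firstChild; p->firstChild = c; ref(c); }
static void removeChild(Frame* parent, Frame* child) {
    Frame** link = &parent->firstChild;
    while (*link != child) link = &(*link)->nextSibling;
    *link = child->nextSibling; deref(child);  // last reference gone: destroyed while dispatch still runs
}
struct DispatchResult { int delivered = 0; int freedReads = 0; };
// The report's dispatch loop, parameterised on the child pointer type: Frame* is the vulnerable
// original, RefPtr is the one-line fix proposed on this issue.
template <class ChildPtr>
static void dispatch(Frame* frame, DispatchResult& r) {
    if (frame->onVisibilityChange) frame->onVisibilityChange(frame);  // Document-level dispatch
    ++r.delivered;
    for (ChildPtr child(frame->firstChild); child; child = child->nextSibling) {
        dispatch<ChildPtr>(child, r);
        if (child->freed) ++r.freedReads;  // with Frame*, this is the read AddressSanitizer flagged
    }
}
// Scenario from the report: the first iframe's visibility handler removes its own <iframe> mid-dispatch.
static DispatchResult runScenario(bool fixed) {
    arena.clear(); Frame* top = newFrame();
    insertChild(top, newFrame());                        // second iframe
    Frame* first = newFrame(); insertChild(top, first);  // first iframe (front of the sibling list)
    first->onVisibilityChange = [top](Frame* self) { removeChild(top, self); };
    DispatchResult r;
    if (fixed) dispatch<RefPtr>(top, r); else dispatch<Frame*>(top, r);
    return r;
}
```

With the raw pointer the loop touches the freed first child once; with RefPtr the event still reaches both iframes and the removed frame is destroyed only after the loop has moved past it.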
Chamal, please file an upstream security bug in webkit and submit a patch as per webkit guidelines [http://www.webkit.org/coding/contributing.html] with a test. [you can trigger the user interaction in layout tests using eventSender]
Fix and layout test are ready. But the webkit-patch upload command fails for me with an OSError: [Errno 2] No such file or directory error. I'll try to download WebKit separately and submit a patch tomorrow.
I wrote this attached layout test. It reproduces in the WebKit that is in Chrome.
But it does NOT reproduce in WebKit taken from the WebKit trunk repository. So I think this bug does not exist in WebKit trunk.

Inferno, Can a chrome developer please take over this issue from me, because I am unable to provide a fix for this issue :(.
Attachments:
page-visibility-iframe-child-delete-test.html (1.3 KB)
page-visibility-iframe-child-delete-test-expected.txt (5 bytes)
Note: The regression range in these bugs starting with '114961:' is wrong. There was an ASAN string change which caused ClusterFuzz to not detect the end tag of an ASAN stack. I have fixed this on ClusterFuzz now and clicked redo on these testcases. The ClusterFuzz report will be updated with the new regression range for these bugs.
Owner: infe...@chromium.org
Status: Started
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved reward-topanel
Status: FixUnreleased
http://trac.webkit.org/changeset/135740
Project Member

Comment 13 by ClusterFuzz, Nov 28 2012

ClusterFuzz has detected this issue as fixed in range 169616:169821.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=132701773

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7fe7c5dd8098
Crash State:
  - crash stack -
  WebCore::Frame::dispatchVisibilityStateChangeEvent
  WebCore::Frame::dispatchVisibilityStateChangeEvent
  - free stack -
  WebCore::FrameView::~FrameView
  WebCore::FrameView::~FrameView
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=169616:169821

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94mcBbz3xFAw5rlJsauaIQ4DduB83zzl6aTw-1fzCRL2Q1CV2GlmiVTyp7xsTMB5BKBY5ybL-yBtmLiHib0xdJY6MN2M_KDNt_yLEHoMo1_BZQUvlPm5WGmSMIlho2ki8uA2COukFXjDBHCqkNFiMRr7Kmy1uJdUYyqQUALMhd117OjzjI

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged
M23: http://trac.webkit.org/changeset/136273
M24: http://trac.webkit.org/changeset/136274
Labels: -reward-topanel reward-1500 reward-unpaid
Thank you Chamal!
A $1500 reward.
$1000 for the bug and a $500 bonus for your assistance filing the WebKit bug, making a nice LayoutTest and suggesting the fix.
Thank you very much for the reward :)
Labels: CVE-2012-5139
Labels: -reward-unpaid
Status: Fixed
Project Member

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta -Mstone-23 Cr-Content Security-Impact-Beta M-23 Security-Severity-High Security-Impact-Stable Type-Bug-Security Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify
Project Member

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 25 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 26 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted