Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in WebCore::PopStateEvent::~PopStateEvent
Reported by attek...@gmail.com, Nov 23 2012

Tested on:

OS: Ubuntu 12.04 x86_64
Chromium: ASAN 25.0.1332.0 (Developer Build 169130)

repro-file as attachment.

You need to load the attached SVG-file into an img-tag with an html-file

html-file:

<html>
<img src='chrome-use-after-free-25d45.svg'></img>
</html>



ASAN-report:

==9498== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f17355b99e0 at pc 0x7f1768a34d16 bp 0x7fffb1bee1f0 sp 0x7fffb1bee1e8
READ of size 4 at 0x7f17355b99e0 thread T0
    #0 0x7f1768a34d15 in WebCore::PopStateEvent::~PopStateEvent() ???:0
    #1 0x7f176860c572 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #2 0x7f17687f48a9 in WebCore::RenderSVGContainer::layout() ???:0
    #3 0x7f176860c776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #4 0x7f17687f48a9 in WebCore::RenderSVGContainer::layout() ???:0
    #5 0x7f176860c776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #6 0x7f17687f48a9 in WebCore::RenderSVGContainer::layout() ???:0
    #7 0x7f176860c776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #8 0x7f17686037d7 in WebCore::RenderSVGRoot::layout() ???:0
    #9 0x7f176bca34fc in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) ???:0
.
.
.
freed by thread T0 here:
    #0 0x7f176de88860 in __interceptor_free ??:0
    #1 0x7f17687731ca in WebCore::SVGTextContentElement::~SVGTextContentElement() ???:0
    #2 0x7f176cdea6ed in WebCore::SVGTextElement::~SVGTextElement() ???:0
    #3 0x7f1768648b7a in WebCore::SVGElementInstance::detach() ???:0
    #4 0x7f1768704304 in WebCore::SVGUseElement::clearResourceReferences() ???:0
    #5 0x7f176870654c in WebCore::SVGUseElement::buildPendingResource() ???:0
    #6 0x7f1768706053 in WebCore::SVGUseElement::svgAttributeChanged(WebCore::QualifiedName const&) ???:0
    #7 0x7f1768899c76 in WebCore::notifyTargetAndInstancesAboutAnimValChange(WebCore::SVGElement*, WebCore::QualifiedName const&) ../../third_party/WebKit/Source/WebCore/svg/SVGAnimateElement.cpp:0
.
.
.

Attachment: chrome-use-after-free-25d45.svg (755 bytes)
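An added triage helper, not part of the bug report or of Chromium: it parses ASAN output of the shape shown above into the error kind, the faulting access, and the access/free stacks, and then skips the allocator interceptor frames so the first frame in project code is what lands in the summary. The sample text is a trimmed copy of the report above plus a constructed SEGV-on-unknown-address line of the form that appears later in the thread; the field names and the memory-corruption kind list are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the heap-use-after-free report above.
SAMPLE_UAF = """==9498== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f17355b99e0 at pc 0x7f1768a34d16 bp 0x7fffb1bee1f0 sp 0x7fffb1bee1e8
READ of size 4 at 0x7f17355b99e0 thread T0
    #0 0x7f1768a34d15 in WebCore::PopStateEvent::~PopStateEvent() ???:0
    #1 0x7f176860c572 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #2 0x7f17687f48a9 in WebCore::RenderSVGContainer::layout() ???:0
freed by thread T0 here:
    #0 0x7f176de88860 in __interceptor_free ??:0
    #1 0x7f17687731ca in WebCore::SVGTextContentElement::~SVGTextContentElement() ???:0
    #2 0x7f176cdea6ed in WebCore::SVGTextElement::~SVGTextElement() ???:0
    #3 0x7f1768648b7a in WebCore::SVGElementInstance::detach() ???:0
"""

# Constructed sample: the "wild address" form a debug build may report instead of a UAF.
SAMPLE_SEGV = """==24799== ERROR: AddressSanitizer: SEGV on unknown address 0x000700000034 (pc 0x7ff6b04019dc sp 0x7fff78ae1280 bp 0x7fff78ae13d0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7ff6b04019db in WTF::ThreadRestrictionVerifier::isSafeToUse() const out/Debug/../../third_party/WebKit/Source/WTF/wtf/ThreadRestrictionVerifier.h:123
    #1 0x7ff6b0400f70 in WTF::RefCountedBase::derefBase() out/Debug/../../third_party/WebKit/Source/WTF/wtf/RefCounted.h:142
"""

# Report kinds that indicate a memory-safety defect rather than a plain crash (my own triage list).
MEMORY_CORRUPTION_KINDS = {
    "heap-use-after-free", "heap-buffer-overflow", "global-buffer-overflow",
    "stack-buffer-overflow", "stack-use-after-return", "double-free",
}
# Allocator / sanitizer runtime frames that sit on top of the interesting frame.
RUNTIME_PREFIXES = ("__interceptor_", "__asan", "malloc", "free", "operator new", "operator delete")

HEADER_RE = re.compile(r"^==(\d+)== ERROR: AddressSanitizer:? (.+?) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (.+?) (\S+)$")
FREED_RE = re.compile(r"^freed by thread T\d+ here:")
ALLOC_RE = re.compile(r"^previously allocated by thread T\d+ here:")


@dataclass
class Frame:
    index: int
    pc: str
    function: str
    location: str  # "file:line" when symbolized, "???:0" otherwise


@dataclass
class AsanReport:
    pid: int
    error_kind: str
    address: str
    access: Optional[str] = None       # READ / WRITE, absent for SEGV reports
    access_size: Optional[int] = None
    thread: Optional[str] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASAN report; frames are routed to whichever stack section is current."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), error_kind=m.group(2), address=m.group(3))
            current = report.access_stack
            continue
        if report is None:
            continue  # ignore anything before the ERROR header (e.g. "ASAN:SIGSEGV" banners)
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            current = report.access_stack
            continue
        if FREED_RE.match(line):
            current = report.free_stack
            continue
        if ALLOC_RE.match(line):
            current = report.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    """First frame that is not an allocator interceptor or sanitizer runtime function."""
    for frame in stack:
        if not frame.function.startswith(RUNTIME_PREFIXES):
            return frame
    return None


def summarize(report: AsanReport) -> Dict[str, object]:
    """Compact triage view: what was accessed, where it faulted, and where the object died."""
    fault = first_project_frame(report.access_stack)
    freed = first_project_frame(report.free_stack)
    return {
        "kind": report.error_kind,
        "access": f"{report.access} of {report.access_size} bytes" if report.access else "n/a",
        "fault_in": fault.function if fault else None,
        "freed_in": freed.function if freed else None,
        "memory_corruption": report.error_kind in MEMORY_CORRUPTION_KINDS,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_UAF, SAMPLE_SEGV):
        print(summarize(parse_asan_report(sample)))
```

Running the script prints one summary per sample; for the UAF report the faulting frame is the PopStateEvent destructor and the freeing frame is the SVGTextContentElement destructor, which is exactly the pairing a triager wants to read first.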
Comment 1 by attek...@gmail.com, Nov 23 2012
Altered version of the same repro-file causes a global-buffer-overflow. repro-file as attachment. This file also causes a crash only when loaded into an img-tag.

ASAN-report:

==9679== ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd42e4a59f0 at pc 0x7fd42542facd bp 0x7fffbf9caf70 sp 0x7fffbf9caf68
READ of size 8 at 0x7fd42e4a59f0 thread T0
    #0 0x7fd42542facc in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #1 0x7fd4256178a9 in WebCore::RenderSVGContainer::layout() ???:0
    #2 0x7fd42542f776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #3 0x7fd4256178a9 in WebCore::RenderSVGContainer::layout() ???:0
    #4 0x7fd42542f776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #5 0x7fd4256178a9 in WebCore::RenderSVGContainer::layout() ???:0
    #6 0x7fd42542f776 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) ???:0
    #7 0x7fd4254267d7 in WebCore::RenderSVGRoot::layout() ???:0
    #8 0x7fd428ac64fc in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) ???:0
.
.
.

Attachment: Global-buffer-overflow.svg (647 bytes)
Cc: pdr@chromium.org fmalita@chromium.org
Labels: -Area-Undefined WebKit-SVG Mstone-25 Stability-AddressSanitizer SecSeverity-High
Owner: schenney@chromium.org
Status: Assigned
I confirm similar stack traces on a trunk ASAN build.

For some reason, ASAN isn't seeing a UAF for me in a Debug build; it's hitting a wild address:

==24799== ERROR: AddressSanitizer: SEGV on unknown address 0x000700000034 (pc 0x7ff6b04019dc sp 0x7fff78ae1280 bp 0x7fff78ae13d0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7ff6b04019db in WTF::ThreadRestrictionVerifier::isSafeToUse() const out/Debug/../../third_party/WebKit/Source/WTF/wtf/ThreadRestrictionVerifier.h:123
    #1 0x7ff6b0400f70 in WTF::RefCountedBase::derefBase() out/Debug/../../third_party/WebKit/Source/WTF/wtf/RefCounted.h:142
    #2 0x7ff6ba63f9c2 in WTF::RefCounted<WebCore::History>::deref() out/Debug/../../third_party/WebKit/Source/WTF/wtf/RefCounted.h:201
    #3 0x7ff6ba63f88b in void WTF::derefIfNotNull<WebCore::History>(WebCore::History*) out/Debug/../../third_party/WebKit/Source/WTF/wtf/PassRefPtr.h:53
    #4 0x7ff6ba656c3b in ~RefPtr out/Debug/../../third_party/WebKit/Source/WTF/wtf/RefPtr.h:56
    #5 0x7ff6ba6298b6 in ~RefPtr out/Debug/../../third_party/WebKit/Source/WTF/wtf/RefPtr.h:56
    #6 0x7ff6bcf294c6 in ~PopStateEvent out/Debug/../../third_party/WebKit/Source/WebCore/dom/PopStateEvent.cpp:64
    #7 0x7ff6bcf2933f in ~PopStateEvent out/Debug/../../third_party/WebKit/Source/WebCore/dom/PopStateEvent.cpp:63
    #8 0x7ff6bbe2f309 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderObject*, bool) out/Debug/../../third_party/WebKit/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:250
    #9 0x7ff6bc4e6362 in WebCore::RenderSVGContainer::layout() out/Debug/../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:71
...
@attekett: ClusterFuzz doesn't seem to reproduce this for me (I think I uploaded a .zip of the two files correctly....) and I'm not near my desktop, so I'll be lazy and ask you: does this affect M23 stable / M24 beta?
@schenney: would you or one of the other SVG experts mind taking this on?
Comment 5 by attek...@gmail.com, Nov 24 2012
@scarybeasts: The SVG-files didn't have any effect on asan-linux-stable-23.0.1271.64, but on asan-linux-beta-24.0.1312.5 file chrome-use-after-free-25d45.svg loaded via the html-file caused a tab crash. I downloaded the builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html

ASAN-report:

ASAN:SIGSEGV
=================================================================
==3125== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x000000000000 sp 0x7fff78fcd218 bp 0x7fff78fcd390 T0)
AddressSanitizer can not provide additional info.
Stats: 36M malloced (19M for red zones) by 23940 calls
Stats: 0M realloced by 63 calls
Stats: 24M freed by 13957 calls
Stats: 0M really freed by 0 calls
Stats: 58M (15006 full pages) mmaped in 43 calls
  mmaps   by size class: 7:20475; 8:4094; 9:1023; 10:2044; 11:255; 12:128; 13:128; 14:128; 15:48; 16:80; 17:8; 18:2; 19:1; 22:2; 23:4; 
  mallocs by size class: 7:17946; 8:2968; 9:541; 10:1932; 11:157; 12:79; 13:84; 14:105; 15:35; 16:80; 17:5; 18:1; 19:1; 22:2; 23:4; 
  frees   by size class: 7:9616; 8:1839; 9:299; 10:1822; 11:69; 12:36; 13:69; 14:95; 15:29; 16:74; 17:3; 18:1; 19:1; 22:2; 23:2; 
  rfrees  by size class: 
Stats: malloc large: 128 small slow: 267
==3125== ABORTING
Labels: -Mstone-25 Mstone-24 SecImpacts-Beta ReleaseBlock-Stable
Marking as release blocker since it seems to be a M24 security regression.
I'm on it.
Status: Started
The global-buffer-override version will crash but not assert in a regular build. Something is using a <text> element while it is being deleted.

Stopped crashing between Tuesday and today (Friday). No idea why but I'll have to try Asan before deciding the problem has gone away.

The issue is that layout is occurring during destruction of the use element's shadow tree, which is calling layout on the shadow tree when the element that it refers to has already been destroyed. Very odd, really, and I need to track down the cause of the layout as it seems silly to lay out something that is being removed.
Still crashes an Asan build. So I'm still on it.
Labels: WebKit-ID-104007
Labels: -Pri-0 -Mstone-24 Pri-1 Mstone-23
This code SVGImageCache::imageContentChanged hasn't changed for a while, so m23 should be affected.
Labels: OS-All
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved SecImpacts-Stable
Status: FixUnreleased
http://trac.webkit.org/changeset/136845

SVG team rocks big time!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Labels: reward-topanel
Labels: -Mstone-23 -Merge-Approved Mstone-24 Merge-Merged
M24: http://trac.webkit.org/changeset/137675
Labels: Release-0
Status: Fixed
Labels: -reward-topanel reward-1000 reward-unpaid
@attekett: Enjoy your New Year with a $1000 Chromium Security Reward! Thanks!
Comment 22 by attek...@gmail.com, Dec 26 2012
@scarybeasts: Thanks! I will enjoy this even more because I had sorted this bug into Duplicates section and didn't even remember it was reward-topanel. :D
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -WebKit-SVG -Mstone-24 -Stability-AddressSanitizer -SecSeverity-High -SecImpacts-Beta -SecImpacts-Stable Security-Impact-Beta Cr-Content-SVG M-24 Performance-Memory-AddressSanitizer Security-Impact-Stable Type-Bug-Security Security-Severity-High
Labels: -Restrict-View-SecurityNotify
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 28 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 30 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 31 by bugdroid1@chromium.org, Apr 5 2013
Labels: Cr-Blink
Project Member Comment 32 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-SVG Cr-Blink-SVG
Project Member Comment 33 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 34 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 35 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic