Status: Fixed
Owner:
Closed: Dec 2012
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows , All
Pri: 2
Type: Bug-Security



Heap-use-after-free in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument
Reported by javg0...@gmail.com, Dec 13 2012
UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

Steps to reproduce the problem:
1. Upload the poc.html to your server 
2. Open chrome.exe
3. Browse to poc.html

What is the expected behavior?
No crash of the renderer process.

What went wrong?
I can't see whether it triggers some assertion, which would make the analysis easier, but taking a look at the source of the poc and the stack, this bug is probably a use-after-free issue in WebKit because of the incorrectly nested tags and the insertBefore function. But that's just a guess.

- Jose.

Did this work before? N/A 

Chrome version: 23.0.1271.97  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)

Note that stack2.txt is the stack trace of the fuzz sample (not attached).

Tested on:

- Windows XP SP3 (fully updated) x86_32 Spanish
- Windows 7 SP1 (fully updated) x86_32 Spanish

- Chrome 23.0.1271.95 m
- Chrome 23.0.1271.97 m
 
Attachments: poc.html (577 bytes), stack2.txt (1.1 KB), stack1.txt (12.3 KB)
@javg0x83: thanks for the report!
Do you have crash reporting enabled? If you go to chrome://crashes and send me a few crash IDs from triggering this, we can get an idea if it's use-after-free or not.
Owner: morrita@chromium.org
Status: Assigned
It is indeed a UAF. Report coming in https://cluster-fuzz.appspot.com/testcase?key=150460119.

Hajime, can you save us from another DOM doom?
Labels: reward-topanel
Summary: Heap-use-after-free in WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument (was: WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument+0x4e)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=150460119

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f88423195b0
Crash State:
  - crash stack -
  WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument
  WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::replaceChildrenWithFragment
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=150475:150548

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97uliVuf2I17bY_VGUuEoYHv7sdzp4c2q1MoKezhWejMF7yryJ5k20C3mVkw7f-UEDIM4xjooemGVzG8TtpgQsG9o8RqLN-Aw0ugvBMyqZrvGRcV5GI64b693m_sPAAe7Ul4epHI6YehQrdaYLJFms8ikzBRR7mrMfLzBn6_oa9oRcyKc4
<script>
  function f1() {
    document.write('<form>');
    document.getElementsByTagName("s")[0].innerHTML = 'foo';
  }

  function f2() {
    document.getElementsByTagName("kbd")[0].innerHTML = 'foo';
  }
</script>
<s>
  <script>f1();</script>
  <kbd>
    <script>f2();</script>
</s>
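A constructed C++ model of the crash state above (my own example, not WebKit's or Chromium's code): the notifier walks the child list of the freshly inserted <s> while the inline script does what `s.innerHTML = 'foo'` does, and the walk then reads through a node that removeChildren has already freed. It assumes the simplified Node, Walk, removeChildren, notifyNaive, notifySafe and buildPoc names and does not model the document.write('<form>') or the second script.

```cpp
// Constructed model of this page's bug class, not WebKit code: an insertion-notification walk over
// the child list while a <script> runs and replaces an ancestor's children (innerHTML -> replaceChildrenWithFragment
// -> removeChildren). Freed nodes are only flagged and parked so the model stays defined; freedReads counts real UAF reads.
#include <functional>
#include <memory>
#include <vector>
struct Node {
    std::shared_ptr<Node> firstChild, nextSibling;
    std::function<void()> onInserted;  // stands in for a <script> executing when its node is inserted
    bool destroyed = false;            // simulated free, set by removeChildren()
};
struct Walk { int notified = 0, freedReads = 0; };
static std::vector<std::shared_ptr<Node>> graveyard;  // model only: keeps "freed" nodes addressable
static void removeChildren(Node& n) {  // models ContainerNode::removeChildren()
    for (auto c = n.firstChild; c;) {
        auto next = c->nextSibling; c->nextSibling = nullptr;  // unlink, as the real removal does
        removeChildren(*c); c->destroyed = true; graveyard.push_back(c);
        c = next;
    }
    n.firstChild = nullptr;
}
static Walk notifyNaive(Node& n) {  // vulnerable: raw-pointer walk over the live child list
    Walk w;
    for (Node* c = n.firstChild.get(); c; c = c->nextSibling.get()) {
        ++w.notified;
        if (c->onInserted) c->onInserted();           // the script may free c and its siblings
        if (c->destroyed) { ++w.freedReads; break; }  // descending or reading c->nextSibling now is the UAF
        Walk s = notifyNaive(*c); w.notified += s.notified; w.freedReads += s.freedReads;
    }
    return w;
}
static Walk notifySafe(Node& n) {  // hardened: strong-reference snapshot plus a liveness re-check
    Walk w; std::vector<std::shared_ptr<Node>> snapshot;
    for (auto c = n.firstChild; c; c = c->nextSibling) snapshot.push_back(c);
    for (const auto& c : snapshot) {
        if (c->destroyed) continue;                   // removed by an earlier script: skip it
        ++w.notified;
        if (c->onInserted) c->onInserted();
        if (c->destroyed) continue;                   // removed by its own script: do not descend
        Walk s = notifySafe(*c); w.notified += s.notified; w.freedReads += s.freedReads;
    }
    return w;  // freedReads stays 0: every access went through a live strong reference
}
static std::shared_ptr<Node> buildPoc() {  // <s><script/><kbd><script/></kbd></s> from the page's testcase
    auto root = std::make_shared<Node>(), s = std::make_shared<Node>(), script1 = std::make_shared<Node>(),
         kbd = std::make_shared<Node>(), script2 = std::make_shared<Node>();
    root->firstChild = s; s->firstChild = script1; script1->nextSibling = kbd; kbd->firstChild = script2;
    script1->onInserted = [p = s.get()] { removeChildren(*p); };  // what s.innerHTML = 'foo' does
    return root;
}
```

The hardened walk is a generic snapshot-and-recheck pattern, not the actual WebKit fix landed in r137702.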
Actually it regressed from haraken@'s changeset; can you please take a look at this regression?
https://trac.webkit.org/changeset/124990/
Cc: morrita@chromium.org
Labels: SecImpacts-Stable SecImpacts-Beta Mstone-23 OS-All
Owner: haraken@chromium.org
Labels: SecSeverity-High
Comment 8 by javg0...@gmail.com, Dec 13 2012
@Chris: OK, I take note. So next time I'll attach the crash IDs.
@inferno: your minimized testcase is not working for me (tested on Win7 SP1 + Chrome stable). No crash if it does not include the insertBefore function. I mean I have only had to use the line document.getElementsByTagName("kbd")[0].insertBefore... to trigger your testcase.

Btw, another sample is attached.


Attachment: poc_2.html (536 bytes)
BTW, @javg0x83 -- been a long time, good to see you back :)
javg0x83@, don't worry about more repros. Our minimized testcase works reliably since it is run under a really nice memory debugging tool ASAN. You might consider this in your future fuzzing efforts. - http://www.chromium.org/developers/testing/addresssanitizer
Status: Started
Taking a look.
Labels: webkit-id-104982
The WebKit side fix is going to be landed soon.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/137702
Project Member Comment 16 by ClusterFuzz, Dec 16 2012
ClusterFuzz has detected this issue as fixed in range 172836:173286.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=150460119

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f88423195b0
Crash State:
  - crash stack -
  WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument
  WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument
  - free stack -
  WebCore::ContainerNode::removeChildren
  WebCore::replaceChildrenWithFragment
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=150475:150548
Fixed: https://cluster-fuzz.appspot.com/revisions?range=172836:173286

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97uliVuf2I17bY_VGUuEoYHv7sdzp4c2q1MoKezhWejMF7yryJ5k20C3mVkw7f-UEDIM4xjooemGVzG8TtpgQsG9o8RqLN-Aw0ugvBMyqZrvGRcV5GI64b693m_sPAAe7Ul4epHI6YehQrdaYLJFms8ikzBRR7mrMfLzBn6_oa9oRcyKc4

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Mstone-23 -Merge-Approved Mstone-24 Merge-Merged Release-0 Release-Private
M24: http://trac.webkit.org/changeset/137971, http://trac.webkit.org/changeset/137972, http://trac.webkit.org/changeset/137974
Status: Fixed
Labels: -reward-topanel reward-1000 reward-unpaid
@javg0x83: thanks for the report!
And a $1000 Chromium Security Reward and a Happy New Year to you sir.
Comment 20 by javg0...@gmail.com, Dec 27 2012
@Chris, you're welcome. Happy New Year to you and all the team too :)

Btw, this time I prefer the money go to people who can't have a happy Christmas. For example:

https://secure3.convio.net/gfn/site/Donation2?idb=1315600659&df_id=1460&1460.donation=form1


Labels: -Release-Private -reward-unpaid reward-decline
@javg0x83: you rock! Reward upped to $1337 and donated to the indicated charity above.
Labels: CVE-2012-5147
Project Member Comment 23 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -SecImpacts-Stable -SecImpacts-Beta -Mstone-24 -SecSeverity-High Security-Impact-Stable Security-Impact-Beta M-24 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member Comment 25 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 26 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 28 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic