Issue 240124

Issue metadata

Status: Fixed
Closed: May 2013
OS: All
Pri: 1
Type: Bug-Security


Heap-use-after-free in WebCore::ImageInputType::attach

Reported by miau...@gmail.com, May 12 2013

Issue description



VULNERABILITY DETAILS
use-after-free with input type image

VERSION
Chrome Version: stable + dev
Operating System: 64-bit Ubuntu

REPRODUCTION CASE
<html>
  <body>
    <input id="x" type="image" onerror="x.type=''" src="" />
  </body>
</html>



FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==6146==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900189f608 at pc 0x55555a6e4c2b bp 0x7fffffffb140 sp 0x7fffffffb138
READ of size 8 at 0x61900189f608 thread T0 (asan-release)
    #0 0x55555a6e4c2a in element /b/build/slave/ASAN_Release/build/third_party/WebKit/Source/core/html/InputType.h:309
    #1 0x55555a3fd185 in attach /b/build/slave/ASAN_Release/build/third_party/WebKit/Source/core/html/HTMLInputElement.cpp:775
    #2 0x55555a71b496 in insert /b/build/slave/ASAN_Release/build/third_party/WebKit/Source/core/html/parser/HTMLConstructionSite.cpp:110
    #3 0x55555a70d618 in executeInsertTask 

0x61900189f608 is located 8 bytes inside of 24-byte region [0x61900189f600,0x61900189f618)
freed by thread T0 (asan-release) here:
    #0 0x555556a092c2 in operator delete(void*) ??:0
    #1 0x55555a3f7eab in deleteOwnedPtr<WebCore::InputType> /b/build/slave/ASAN_Release/build/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
    #2 0x55555a3fa81f in parseAttribute /b/build/slave/ASAN_Release/build/third_party/WebKit/Source/core/html/HTMLInputElement.cpp:627
    #3 0x55555943a719 in attributeChanged 


 
Attachments: image-stable.txt (13.9 KB), image.html (95 bytes), image.txt (11.3 KB)
Summary: Heap-use-after-free in WebCore::ImageInputType::attach (was: Security: use-after-free with input type image)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=183664630

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60a00008e928
Crash State:
  - crash stack -
  WebCore::ImageInputType::attach
  WebCore::HTMLInputElement::attach
  - free stack -
  WebCore::HTMLInputElement::updateType
  WebCore::HTMLInputElement::parseAttribute
  

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95hNLuTiMzVvHWwDm2jI-dV4Oj93HFFn_WfFc5KFr6LgOFmGMAGpzHM04iP9AZIqJKkwGmf6F5cx9zTL79MGCBvmdyqtEUbQjf75gAZ1m6gch3jd3Qg3-hK8dUWcdWZFdgxe37oKEwYb-107c5dhbNrEKK5D2QOCxElbgUj1cm2sQEElZQ
<input id="x" type="image" onerror="x.type=''" src=""</body>

Comment 3 by parisa@chromium.org, May 13 2013

Labels: Security_Severity-High Security_Impact-Stable Pri-1 Cr-Blink
Status: Available
Labels: Security_Impact-Beta OS-All M-27 Stability-Memory-AddressSanitizer
        // Fire an error event if the url is empty.
        // FIXME: Should we fire this event asynchronously via errorEventSender()?
        m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
    }
Cc: japhet@chromium.org
Owner: infe...@chromium.org
Status: Started
https://codereview.chromium.org/14741011/
Labels: reward-topanel
Comment 7 by bugdroid1@chromium.org (Project Member), May 13 2013

------------------------------------------------------------------------
r150232 | inferno@chromium.org | 2013-05-13T17:29:52.573822Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/forms/image/image-error-event-crash.html?r1=150232&r2=150231&pathrev=150232
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/forms/image/image-error-event-crash-expected.txt?r1=150232&r2=150231&pathrev=150232
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/ImageLoader.cpp?r1=150232&r2=150231&pathrev=150232

Error event was fired synchronously blowing away the input element from underneath. Remove the FIXME and fire it asynchronously using errorEventSender().

BUG=240124

Review URL: https://chromiumcodereview.appspot.com/14741011
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
https://src.chromium.org/viewvc/blink?view=rev&revision=150232
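The root cause and fix described in the commit message above, as an added toy model in C++ (not Blink's code): InputElement, InputType, ImageInputType, typeGeneration and attachIsSafe are hypothetical names, and pendingEvents stands in for errorEventSender(). Firing the error event synchronously from attach() lets the onerror script replace the input type and free the object whose attach() is still on the stack; queuing the event defers it until attach() has returned.

```cpp
#include <functional>
#include <memory>
#include <vector>
// Toy model of this bug (added example, not Blink code): an InputElement owns a
// polymorphic InputType; firing the error event synchronously from attach() lets
// the onerror script swap the type, destroying the InputType mid-call.
struct InputElement;
struct InputType {
    explicit InputType(InputElement* el) : element(el) {}
    virtual ~InputType() = default;
    virtual void attach() {}
    InputElement* element;
};

struct InputElement {
    std::unique_ptr<InputType> type;
    std::function<void(InputElement&)> onerror;       // the page's onerror script
    std::vector<std::function<void()>> pendingEvents; // stands in for errorEventSender()
    int typeGeneration = 0;                            // bumped by every updateType()
    // Like HTMLInputElement::updateType: the old InputType is freed here.
    void updateType(std::unique_ptr<InputType> next) { type = std::move(next); ++typeGeneration; }
    void dispatchError() { if (onerror) onerror(*this); }
    void flushPendingEvents() { for (auto& e : pendingEvents) e(); pendingEvents.clear(); }
};

struct ImageInputType : InputType {
    ImageInputType(InputElement* el, bool defer) : InputType(el), deferErrors(defer) {}
    bool deferErrors;
    void attach() override {  // src is empty, so an error event is due
        if (deferErrors)
            element->pendingEvents.push_back([el = element] { el->dispatchError(); }); // fixed
        else
            element->dispatchError(); // buggy: the handler may destroy *this right here
    }
};

// Attaches an <input type="image"> whose onerror does x.type='' and reports whether
// the InputType that attach() was called on is still live afterwards. Synchronous
// dispatch returns false: that object is gone and any further use of it is a UAF.
bool attachIsSafe(bool deferErrors) {
    InputElement el;
    el.updateType(std::make_unique<ImageInputType>(&el, deferErrors));
    el.onerror = [](InputElement& e) { e.updateType(std::make_unique<InputType>(&e)); };
    int gen = el.typeGeneration;
    el.type->attach();       // HTMLInputElement::attach -> m_inputType->attach()
    bool safe = el.typeGeneration == gen;
    el.flushPendingEvents(); // the deferred error runs only after attach() has returned
    return safe;
}
```

The model only checks a generation counter instead of dereferencing the stale pointer, so it shows the hazard without itself performing the invalid read.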
Comment 9 by ClusterFuzz (Project Member), May 14 2013

ClusterFuzz has detected this issue as fixed in range 199907:199944.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=183664630

Uploader: inferno@chromium.org

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60a00008e928
Crash State:
  - crash stack -
  WebCore::ImageInputType::attach
  WebCore::HTMLInputElement::attach
  - free stack -
  WebCore::HTMLInputElement::updateType
  WebCore::HTMLInputElement::parseAttribute
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=199907:199944

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95hNLuTiMzVvHWwDm2jI-dV4Oj93HFFn_WfFc5KFr6LgOFmGMAGpzHM04iP9AZIqJKkwGmf6F5cx9zTL79MGCBvmdyqtEUbQjf75gAZ1m6gch3jd3Qg3-hK8dUWcdWZFdgxe37oKEwYb-107c5dhbNrEKK5D2QOCxElbgUj1cm2sQEElZQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Merge-Approved Merge-Merged Release-1
M27 is r151280
M28 is r151281
Labels: -reward-topanel reward-1000 CVE-2013-2857 reward-unpaid
$1000
Labels: -reward-unpaid reward-inprocess
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Labels: -reward-inprocess
Comment 15 by ClusterFuzz (Project Member), Feb 2 2016

Labels: -Security_Impact-Beta
Comment 16 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 17 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted