
Issue 278908 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2013
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-use-after-free in WebCore::XMLDocumentParser::append

Reported by cloudfuz...@gmail.com, Aug 25 2013

Issue description

VULNERABILITY DETAILS
The attached testcase crashes the ASAN build of chrome.

VERSION
Chrome Version: asan-symbolized-linux-release-219161
Operating System: linux 64-bit

REPRODUCTION CASE
The testcase is attached in crash.zip as it requires multiple files.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: ASAN output attached in stack.txt
 
Attachments: crash.zip (13.5 KB), stack.txt (17.4 KB)
Project Member

Comment 1 by ClusterFuzz, Aug 25 2013

ClusterFuzz is now working on this testcase. See https://cluster-fuzz.appspot.com/testcase?key=5626424941608960

Comment 2 by tsepez@chromium.org, Aug 26 2013

Owner: abarth@chromium.org
Status: Assigned
DNR on ClusterFuzz.  Adam, do you think this might be covered by your changes in https://code.google.com/p/chromium/issues/detail?id=260105

Comment 3 by tsepez@chromium.org, Aug 26 2013

Not likely.  Turns out asan-symbolized-linux-release-219161 is 31.0.1609.0.
I just confirmed it still reproduces with 219567. Try the following arguments when loading from a local file:

--no-sandbox --incognito --allow-file-access-from-files --js-flags=--expose_gc

Comment 5 by tsepez@chromium.org, Aug 26 2013

Repro'd locally on 31.0.1612.0.  Kicking off CF again.
Project Member

Comment 6 by ClusterFuzz, Aug 26 2013

ClusterFuzz is now working on this testcase. See https://cluster-fuzz.appspot.com/testcase?key=5710986405216256

Comment 7 by tsepez@chromium.org, Aug 26 2013

Labels: Security_Severity-High Pri-1 M-30

Comment 8 by jsc...@chromium.org, Aug 27 2013

Labels: OS-All
Project Member

Comment 9 by ClusterFuzz, Sep 3 2013

ClusterFuzz is now working on this testcase. See https://cluster-fuzz.appspot.com/testcase?key=6339177985605632
Labels: reward-topanel
Labels: -M-30 M-29 Security_Impact-Beta Security_Impact-Stable Stability-Memory-AddressSanitizer
Now reproducible on CF, report coming soon.
Project Member

Comment 12 by ClusterFuzz, Sep 4 2013

Summary: Heap-use-after-free in WebCore::XMLDocumentParser::append (was: Security: ASAN heap-use-after-free in DocumentParser::isStopped with XSL)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6339177985605632

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x61600004ef8c
Crash State:
  - crash stack -
  WebCore::XMLDocumentParser::append
  WebCore::Document::setContent
  - free stack -
  WebCore::XMLDocumentParser::doWrite
  WebCore::XMLDocumentParser::append
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zIiM0zXTIcAEC5vsL1OTEQdNKSU0i1zztROE8GPaL0MR_VtrjnXCtAt6TgKuuVuraHcz0XKgLDmDbtxMqOhb7v_JhFzVz1u4P-53IOX5Cs7254T_1EP-ti4SuHQuqmWQ6bPhLpynak-TdtRPPPGfP57iHrA

Fully reproducible crash found using linux_tsan_chrome_mp job type (history_size=6).

Cc: abarth@chromium.org
Owner: pdr@chromium.org
This regressed from http://src.chromium.org/viewvc/blink?view=rev&revision=153969 as per CF regression range.
Project Member

Comment 14 by ClusterFuzz, Sep 6 2013

ClusterFuzz has detected this issue as fixed in range 220928:220934.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6339177985605632

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x61600004ef8c
Crash State:
  - crash stack -
  WebCore::XMLDocumentParser::append
  WebCore::Document::setContent
  - free stack -
  WebCore::XMLDocumentParser::doWrite
  WebCore::XMLDocumentParser::append
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=211180:211191
Fixed: https://cluster-fuzz.appspot.com/revisions?range=220928:220934

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zIiM0zXTIcAEC5vsL1OTEQdNKSU0i1zztROE8GPaL0MR_VtrjnXCtAt6TgKuuVuraHcz0XKgLDmDbtxMqOhb7v_JhFzVz1u4P-53IOX5Cs7254T_1EP-ti4SuHQuqmWQ6bPhLpynak-TdtRPPPGfP57iHrA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Ignore last comment. Bug is not fixed. I clicked redo on testcase.
Project Member

Comment 16 by ClusterFuzz, Sep 7 2013

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6339177985605632

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x61600004ef8c
Crash State:
  - crash stack -
  WebCore::XMLDocumentParser::append
  WebCore::Document::setContent
  - free stack -
  WebCore::XMLDocumentParser::doWrite
  WebCore::XMLDocumentParser::append
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=211180:211191

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zIiM0zXTIcAEC5vsL1OTEQdNKSU0i1zztROE8GPaL0MR_VtrjnXCtAt6TgKuuVuraHcz0XKgLDmDbtxMqOhb7v_JhFzVz1u4P-53IOX5Cs7254T_1EP-ti4SuHQuqmWQ6bPhLpynak-TdtRPPPGfP57iHrA


Comment 17 by pdr@chromium.org, Sep 15 2013

Cc: infe...@chromium.org
I'm not sure this is my change after all. @Abhishek, can you do a bisect on the blink range? I am able to reproduce on OSX and reverting https://code.google.com/p/chromium/issues/detail?id=260105 doesn't seem to prevent the crash.

I may have a fix, but I'm not familiar with this code:
It looks like the parser is getting destructed in the middle of XMLDocumentParser::append due to doWrite (which has comments in it hinting that the parser can be destroyed). When the parser is destructed, the isStopped() check in append can fail to work for obvious reasons which prevents leaving the function.

I've put up a patch to ref the parser in append which prevents this case:
https://codereview.chromium.org/23456031

Comment 18 by pdr@chromium.org, Sep 17 2013

Abarth was happy with this change and I should be able to land this tomorrow.

Comment 19 Deleted

Project Member

Comment 20 by bugdroid1@chromium.org, Sep 17 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=157914

------------------------------------------------------------------------
r157914 | pdr@chromium.org | 2013-09-17T19:49:17.572199Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/xml/parser/XMLDocumentParser.cpp?r1=157914&r2=157913&pathrev=157914

Prevent crash due to XMLDocumentParser destruction

This patch prevents a crash in XMLDocumentParser::append due to the
parser being destructed through doWrite. Destructing the parser can
lead to the subsequent isStopped() check to fail to return, but by
keeping the parser alive we ensure isStopped() correctly exits.

BUG= 278908 

Review URL: https://chromiumcodereview.appspot.com/23456031
------------------------------------------------------------------------
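
As an added illustration of the lifetime bug described in comment 17 and in the r157914 commit message above (example code, not Blink's): a reduced model of a refcounted parser whose doWrite() can drop the last reference to itself, with append() shown before and after the "ref the parser" fix. The names Parser, ProtectRef, Outcome, runAppend and the g_live registry are constructed for this example; the registry stands in for the ASan check so the freed object is never actually read.

```cpp
#include <set>
// Constructed liveness registry standing in for ASan: the example reports a
// would-be use-after-free instead of actually reading freed memory.
static std::set<const void*> g_live;

struct Parser {                                   // stand-in for XMLDocumentParser
    Parser() { g_live.insert(this); }
    ~Parser() { g_live.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    bool isStopped() const { return m_stopped; }
    // Models doWrite(): processing the chunk can stop the parser and make the
    // document drop its only reference, so `this` may be freed on return.
    void doWrite(Parser*& documentSlot) {
        m_stopped = true;
        Parser* owned = documentSlot;
        documentSlot = nullptr;
        owned->deref();                           // may run `delete this`
    }
    int m_refCount = 0;
    bool m_stopped = false;
};

// RAII guard playing the role of Blink's RefPtr<XMLDocumentParser> protect(this).
struct ProtectRef {
    explicit ProtectRef(Parser* x) : p(x) { p->ref(); }
    ~ProtectRef() { p->deref(); }
    Parser* p;
};
enum class Outcome { Continued, Stopped, UseAfterFree };

// Before r157914: nothing keeps the parser alive across doWrite().
Outcome appendUnprotected(Parser* self, Parser*& documentSlot) {
    self->doWrite(documentSlot);
    if (!g_live.count(self)) return Outcome::UseAfterFree; // isStopped() would read freed memory
    return self->isStopped() ? Outcome::Stopped : Outcome::Continued;
}
// After r157914: the extra reference keeps the parser alive until append returns.
Outcome appendProtected(Parser* self, Parser*& documentSlot) {
    ProtectRef protect(self);
    self->doWrite(documentSlot);
    if (!g_live.count(self)) return Outcome::UseAfterFree; // cannot happen now
    return self->isStopped() ? Outcome::Stopped : Outcome::Continued;
}
// Runs one variant with a parser owned by the "document" slot.
Outcome runAppend(Outcome (*append)(Parser*, Parser*&)) {
    Parser* document = new Parser;
    document->ref();                              // the document's reference
    return append(document, document);
}
```

In the protected variant the guard's destructor releases the last reference only after the isStopped() check, which is exactly why the fix lets append() exit cleanly.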
Labels: -Restrict-View-SecurityTeam -M-29 Restrict-View-SecurityNotify M-30 Merge-Approved
Status: Fixed
The last M30 beta will be out next week; it makes sense to let this bake (no-brainer change though) and then merge at the end of the week to the 1599 branch.
Project Member

Comment 22 by ClusterFuzz, Sep 18 2013

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6339177985605632

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x61600004ef8c
Crash State:
  - crash stack -
  WebCore::XMLDocumentParser::append
  WebCore::Document::setContent
  - free stack -
  WebCore::XMLDocumentParser::doWrite
  WebCore::XMLDocumentParser::append
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=211180:211191

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zIiM0zXTIcAEC5vsL1OTEQdNKSU0i1zztROE8GPaL0MR_VtrjnXCtAt6TgKuuVuraHcz0XKgLDmDbtxMqOhb7v_JhFzVz1u4P-53IOX5Cs7254T_1EP-ti4SuHQuqmWQ6bPhLpynak-TdtRPPPGfP57iHrA


Comment 23 by pdr@chromium.org, Sep 18 2013

Status: Assigned
For posterity, https://codereview.chromium.org/23781008 was also related to this bug.

ClusterFuzz's latest run is using Blink@r157102 whereas the patch landed at Blink@r157914. Let's see if ClusterFuzz reports this as fixed once it syncs past r157914.
Project Member

Comment 24 by ClusterFuzz, Sep 18 2013

ClusterFuzz has detected this issue as fixed in range 220928:220934.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6339177985605632

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x61600004ef8c
Crash State:
  - crash stack -
  WebCore::XMLDocumentParser::append
  WebCore::Document::setContent
  - free stack -
  WebCore::XMLDocumentParser::doWrite
  WebCore::XMLDocumentParser::append
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=211180:211191
Fixed: https://cluster-fuzz.appspot.com/revisions?range=220928:220934

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zIiM0zXTIcAEC5vsL1OTEQdNKSU0i1zztROE8GPaL0MR_VtrjnXCtAt6TgKuuVuraHcz0XKgLDmDbtxMqOhb7v_JhFzVz1u4P-53IOX5Cs7254T_1EP-ti4SuHQuqmWQ6bPhLpynak-TdtRPPPGfP57iHrA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Project Member

Comment 25 by ClusterFuzz, Sep 18 2013

Labels: -Security_Impact-Stable
Fixing impact labels.
Labels: -M-30 M-29 Security_Impact-Stable
Labels: -Merge-Approved
Status: Fixed
Project Member

Comment 28 by ClusterFuzz, Sep 19 2013

Labels: Merge-Approved
Adding Merge-Approved to track merges across stable and beta branches. Please do not merge without checking with the release manager first. If the fix is not applicable for merge, change this label to Merge-NA.

Comment 29 by kareng@google.com, Sep 23 2013

Labels: -M-29 -Merge-Approved M-30 Merge-Merged Release-0
Committed revision 158204
Project Member

Comment 30 by bugdroid1@chromium.org, Sep 23 2013

Labels: merge-merged-1599
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=158204

------------------------------------------------------------------------
r158204 | karen@chromium.org | 2013-09-23T20:35:14.688455Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1599/Source/core/xml/parser/XMLDocumentParser.cpp?r1=158204&r2=158203&pathrev=158204

Merge 157914 "Prevent crash due to XMLDocumentParser destruction"

> Prevent crash due to XMLDocumentParser destruction
> 
> This patch prevents a crash in XMLDocumentParser::append due to the
> parser being destructed through doWrite. Destructing the parser can
> lead to the subsequent isStopped() check to fail to return, but by
> keeping the parser alive we ensure isStopped() correctly exits.
> 
> BUG= 278908 
> 
> Review URL: https://chromiumcodereview.appspot.com/23456031

TBR=pdr@chromium.org

Review URL: https://codereview.chromium.org/24395004
------------------------------------------------------------------------
Did you see our new criteria for possibly issuing higher rewards? See http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program/reward-nomination-process
E.g., if you are able to provide a repro that faulted at an address of 0x41414141, it will qualify for the new higher rewards. Or, if you can show that you have control between free and crash points, etc.
Labels: CVE-2013-2913
Labels: -reward-topanel reward-1000 reward-unpaid
$1000. No obvious control between free and use.

Comment 34 by pdr@chromium.org, Oct 16 2013

Cc: rniwa@chromium.org
Labels: -reward-unpaid reward-inprocess
OK, kicked off payment for this one (and the rest). Expect something in a few weeks. Thanks again cloudfuzzer :)
Project Member

Comment 36 by ClusterFuzz, Feb 6 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: Stability-ThreadSanitizer
Project Member

Comment 38 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta
Project Member

Comment 39 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 40 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
