
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Blocking:
issue 352369




Pwn2own (3/13/2014): Use-after-free in bindings

Project Member Reported by infe...@chromium.org, Mar 13 2014

Issue description

Pwnium 4: Blink bug
 
chrome_stage1_poc.html
535 bytes View Download
Blocking: chromium:352369
Cc: japhet@chromium.org jochen@chromium.org eseidel@chromium.org tsepez@chromium.org abarth@chromium.org
<subprocess.Popen object at 0x7fec19fadc50>
[11094:11094:0313/153047:ERROR:renderer_main.cc(227)] Running without renderer sandbox
[11044:11079:0313/153047:ERROR:browser_process_resource_provider.cc(52)] Not implemented reached in task_manager::BrowserProcessResource::BrowserProcessResource()
[11108:11108:0313/153047:ERROR:renderer_main.cc(227)] Running without renderer sandbox
[11169:11169:0313/153053:ERROR:renderer_main.cc(227)] Running without renderer sandbox
=================================================================
==11169==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000166258 at pc 0x7f0041d409d5 bp 0x7fff9ec68340 sp 0x7fff9ec68338
READ of size 8 at 0x604000166258 thread T0 (chrome)
    #0 0x7f0041d409d4 in WebCore::Location::setHref(WebCore::DOMWindow*, WebCore::DOMWindow*, WTF::String const&) out/Release/../../third_party/WebKit/Source/core/frame/Location.cpp:138
    #1 0x7f004374c162 in locationAttributeSetterForMainWorld out/Release/gen/blink/bindings/V8Document.cpp:627
    #2 0x7f004374c162 in WebCore::DocumentV8Internal::locationAttributeSetterCallbackForMainWorld(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&) out/Release/gen/blink/bindings/V8Document.cpp:633
    #3 0x7f0040ad7d56 in v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&), v8::Local<v8::String>, v8::Local<v8::Value>) out/Release/../../v8/src/arguments.cc:112
    #4 0x7f00408d38a4 in __RT_impl_StoreCallbackProperty out/Release/../../v8/src/stub-cache.cc:500
    #5 0x7f00408d38a4 in v8::internal::StoreCallbackProperty(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/stub-cache.cc:480

0x604000166258 is located 8 bytes inside of 40-byte region [0x604000166250,0x604000166278)
freed by thread T0 (chrome) here:
    #0 0x7f003e556db1 in __interceptor_free _asan_rtl_
    #1 0x7f0041ce163a in deref out/Release/../../third_party/WebKit/Source/wtf/RefCounted.h:181
    #2 0x7f0041ce163a in derefIfNotNull<WebCore::Location> out/Release/../../third_party/WebKit/Source/wtf/PassRefPtr.h:57
    #3 0x7f0041ce163a in clear out/Release/../../third_party/WebKit/Source/wtf/RefPtr.h:96
    #4 0x7f0041ce163a in operator= out/Release/../../third_party/WebKit/Source/wtf/RefPtr.h:73
    #5 0x7f0041ce163a in WebCore::DOMWindow::resetDOMWindowProperties() out/Release/../../third_party/WebKit/Source/core/frame/DOMWindow.cpp:580
    #6 0x7f0041d03d82 in WebCore::Frame::setDOMWindow(WTF::PassRefPtr<WebCore::DOMWindow>) out/Release/../../third_party/WebKit/Source/core/frame/Frame.cpp:131
    #7 0x7f0041d37ed9 in WebCore::LocalFrame::setDOMWindow(WTF::PassRefPtr<WebCore::DOMWindow>) out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:230
    #8 0x7f0041d364e1 in WebCore::LocalFrame::~LocalFrame() out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:125
    #9 0x7f0041d3703e in WebCore::LocalFrame::~LocalFrame() out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:122
    #10 0x7f0041d07d86 in deref out/Release/../../third_party/WebKit/Source/wtf/RefCounted.h:181
    #11 0x7f0041d07d86 in derefIfNotNull<WebCore::LocalFrame> out/Release/../../third_party/WebKit/Source/wtf/PassRefPtr.h:57
    #12 0x7f0041d07d86 in ~OwnPtr out/Release/../../third_party/WebKit/Source/wtf/RefPtr.h:54
    #13 0x7f0041d07d86 in WebCore::FrameView::~FrameView() out/Release/../../third_party/WebKit/Source/core/frame/FrameView.cpp:215
    #14 0x7f0041d0864e in WebCore::FrameView::~FrameView() out/Release/../../third_party/WebKit/Source/core/frame/FrameView.cpp:191
    #15 0x7f0042950d39 in deref out/Release/../../third_party/WebKit/Source/wtf/RefCounted.h:181
    #16 0x7f0042950d39 in derefIfNotNull<WebCore::Widget> out/Release/../../third_party/WebKit/Source/wtf/PassRefPtr.h:57
    #17 0x7f0042950d39 in ~RefPtr out/Release/../../third_party/WebKit/Source/wtf/RefPtr.h:54
    #18 0x7f0042950d39 in ~KeyValuePair out/Release/../../third_party/WebKit/Source/wtf/HashTraits.h:256
    #19 0x7f0042950d39 in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMapValueTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::DefaultAllocator>::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, unsigned int) out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:909
    #20 0x7f004294a685 in finalize out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:299
    #21 0x7f004294a685 in ~HashTableDestructorBase out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:231
    #22 0x7f004294a685 in ~HashMap out/Release/../../third_party/WebKit/Source/wtf/HashMap.h:50
    #23 0x7f004294a685 in WebCore::RenderWidget::UpdateSuspendScope::~UpdateSuspendScope() out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.cpp:71
    #24 0x7f0040d30145 in WebCore::ContainerNode::removeChildren() out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:551
    #25 0x7f0040d73973 in WebCore::Document::implicitOpen() out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2309
    #26 0x7f0040d5e90d in WebCore::Document::open(WebCore::Document*) out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2274
    #27 0x7f0043a493b8 in WebCore::V8HTMLDocument::openMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/../../third_party/WebKit/Source/bindings/v8/custom/V8HTMLDocumentCustom.cpp:83
    #28 0x7f0042f3ab86 in WebCore::HTMLDocumentV8Internal::openMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/V8HTMLDocument.cpp:364
    #29 0x7f0040ad4209 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) out/Release/../../v8/src/arguments.cc:56
    #30 0x7f003ffa4acf in HandleApiCallHelper<false> out/Release/../../v8/src/builtins.cc:1215
    #31 0x7f003ffa4acf in Builtin_implHandleApiCall out/Release/../../v8/src/builtins.cc:1232
    #32 0x7f003ffa4acf in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1231
    #33 0x7f0040092d52 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) out/Release/../../v8/src/execution.cc:119
    #34 0x7f0040097564 in to_string_fun out/Release/../../v8/src/execution.cc:184
    #35 0x7f0040097564 in v8::internal::Execution::ToString(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, bool*) out/Release/../../v8/src/execution.cc:722
    #36 0x7f003ff15fc5 in v8::Value::ToString() const out/Release/../../v8/src/api.cc:2491
    #37 0x7f0042da8b18 in WebCore::V8StringResource<(WebCore::V8StringResourceMode)0>::prepareBase() out/Release/../../third_party/WebKit/Source/bindings/v8/V8StringResource.h:203
    #38 0x7f004374c088 in prepare out/Release/../../third_party/WebKit/Source/bindings/v8/V8StringResource.h:234
    #39 0x7f004374c088 in locationAttributeSetterForMainWorld out/Release/gen/blink/bindings/V8Document.cpp:626
    #40 0x7f004374c088 in WebCore::DocumentV8Internal::locationAttributeSetterCallbackForMainWorld(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&) out/Release/gen/blink/bindings/V8Document.cpp:633
    #41 0x7f0040ad7d56 in v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&), v8::Local<v8::String>, v8::Local<v8::Value>) out/Release/../../v8/src/arguments.cc:112
    #42 0x7f00408d38a4 in __RT_impl_StoreCallbackProperty out/Release/../../v8/src/stub-cache.cc:500
    #43 0x7f00408d38a4 in v8::internal::StoreCallbackProperty(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/stub-cache.cc:480

previously allocated by thread T0 (chrome) here:
    #0 0x7f003e556fb1 in __interceptor_malloc _asan_rtl_
    #1 0x7f003fdc4648 in partitionAllocGenericFlags out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:533
    #2 0x7f003fdc4648 in partitionAllocGeneric out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:549
    #3 0x7f003fdc4648 in WTF::fastMalloc(unsigned long) out/Release/../../third_party/WebKit/Source/wtf/FastMalloc.cpp:125
    #4 0x7f0041ce46d7 in operator new out/Release/../../third_party/WebKit/Source/wtf/RefCounted.h:175
    #5 0x7f0041ce46d7 in create out/Release/../../third_party/WebKit/Source/core/frame/Location.h:48
    #6 0x7f0041ce46d7 in WebCore::DOMWindow::location() const out/Release/../../third_party/WebKit/Source/core/frame/DOMWindow.cpp:706
    #7 0x7f004374bfee in locationAttributeSetterForMainWorld out/Release/gen/blink/bindings/V8Document.cpp:623
    #8 0x7f004374bfee in WebCore::DocumentV8Internal::locationAttributeSetterCallbackForMainWorld(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&) out/Release/gen/blink/bindings/V8Document.cpp:633
    #9 0x7f0040ad7d56 in v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&), v8::Local<v8::String>, v8::Local<v8::Value>) out/Release/../../v8/src/arguments.cc:112
    #10 0x7f00405f788c in v8::internal::JSObject::SetPropertyWithCallback(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::StrictMode) out/Release/../../v8/src/objects.cc:2942
    #11 0x7f00405eb585 in v8::internal::JSObject::SetPropertyForResult(v8::internal::Handle<v8::internal::JSObject>, v8::internal::LookupResult*, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, PropertyAttributes, v8::internal::StrictMode, v8::internal::JSReceiver::StoreFromKeyed) out/Release/../../v8/src/objects.cc:4105
    #12 0x7f00405f6698 in SetProperty out/Release/../../v8/src/objects.cc:3533
    #13 0x7f00405f6698 in v8::internal::JSReceiver::SetProperty(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, PropertyAttributes, v8::internal::StrictMode, v8::internal::JSReceiver::StoreFromKeyed) out/Release/../../v8/src/objects.cc:2887
    #14 0x7f0040405f71 in v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>, v8::internal::JSReceiver::StoreFromKeyed) out/Release/../../v8/src/ic.cc:1296
    #15 0x7f004040c000 in __RT_impl_StoreIC_Miss out/Release/../../v8/src/ic.cc:1823
    #16 0x7f004040c000 in v8::internal::StoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/ic.cc:1816
    #17 0x7f0040092d52 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) out/Release/../../v8/src/execution.cc:119
    #18 0x7f003ff26483 in v8::Function::Call(v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*) out/Release/../../v8/src/api.cc:3928
    #19 0x7f0043a05595 in WebCore::V8ScriptRunner::callFunction(v8::Handle<v8::Function>, WebCore::ExecutionContext*, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*, v8::Isolate*) out/Release/../../third_party/WebKit/Source/bindings/v8/V8ScriptRunner.cpp:129
    #20 0x7f0043970794 in WebCore::ScriptController::callFunction(WebCore::ExecutionContext*, v8::Handle<v8::Function>, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*, v8::Isolate*) out/Release/../../third_party/WebKit/Source/bindings/v8/ScriptController.cpp:172
    #21 0x7f004396fe83 in WebCore::ScriptController::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*) out/Release/../../third_party/WebKit/Source/bindings/v8/ScriptController.cpp:144
    #22 0x7f00439ed4c9 in WebCore::V8LazyEventListener::callListenerFunction(WebCore::ExecutionContext*, v8::Handle<v8::Value>, WebCore::Event*) out/Release/../../third_party/WebKit/Source/bindings/v8/V8LazyEventListener.cpp:103
    #23 0x7f0043d972da in WebCore::V8AbstractEventListener::invokeEventHandler(WebCore::ExecutionContext*, WebCore::Event*, v8::Local<v8::Value>) out/Release/../../third_party/WebKit/Source/bindings/v8/V8AbstractEventListener.cpp:127
    #24 0x7f0043d96e14 in WebCore::V8AbstractEventListener::handleEvent(WebCore::ExecutionContext*, WebCore::Event*) out/Release/../../third_party/WebKit/Source/bindings/v8/V8AbstractEventListener.cpp:93
    #25 0x7f0040f8340c in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::DefaultAllocator>&) out/Release/../../third_party/WebKit/Source/core/events/EventTarget.cpp:328
    #26 0x7f0040f8237c in WebCore::EventTarget::fireEventListeners(WebCore::Event*) out/Release/../../third_party/WebKit/Source/core/events/EventTarget.cpp:270
    #27 0x7f0040f95ec3 in WebCore::NodeEventContext::handleLocalEvents(WebCore::Event*) const out/Release/../../third_party/WebKit/Source/core/events/NodeEventContext.cpp:62
    #28 0x7f0040f6c5f5 in dispatchEventAtTarget out/Release/../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:160
    #29 0x7f0040f6c5f5 in WebCore::EventDispatcher::dispatch() out/Release/../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:117
    #30 0x7f0040f90447 in WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const out/Release/../../third_party/WebKit/Source/core/events/MouseEvent.cpp:266
    #31 0x7f0040f683b3 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) out/Release/../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:48

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c0880024bf0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c0880024c00: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c0880024c10: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c0880024c20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880024c30: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
=>0x0c0880024c40: fa fa 00 00 00 00 00 fa fa fa fd[fd]fd fd fd fa
  0x0c0880024c50: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 fa
  0x0c0880024c60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c0880024c70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c0880024c80: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c0880024c90: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11169==ABORTING

Cc: danno@chromium.org jkummerow@chromium.org
Cc: dcheng@chromium.org

Comment 6 by jochen@chromium.org, Mar 13 2014

Labels: Cr-Blink-Bindings
From the writeup document: DocumentV8Internal::locationAttributeSetter holds a raw pointer to the Location* object, and then converts the passed-in argument to a string, which executes arbitrary JavaScript.

The JavaScript clears the DOMWindow, which makes the DOMWindow drop its reference to the Location object, and so it dies.

Next, the locationAttributeSetter invokes setHref on the raw Location* pointer (which is a UaF).

I see two possible fixes:

a) we should hold RefPtrs to all objects in bindings code (probably expensive), or
b) make sure that we don't hold raw pointers on the stack while executing arbitrary JavaScript (this would mean converting all arguments to C++ before retrieving any pointers)
Cc: haraken@chromium.org
Cc: adamk@chromium.org nbarth@chromium.org
Cc: dglazkov@chromium.org
This is a problem with the code generated for the PutForwards=X attribute in the IDLs right?

It looks like there are multiple occurrences of this - I'm going through them now.
Nate, Haraken, Eric are looking into this. Nate is testing fix - https://codereview.chromium.org/196343011.
okay - yes, that's it
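The ordering bug jochen describes in comment 6, and the PutForwards-generated setter identified in the comments above, can be modelled outside Blink. The block below is an added example, not Blink code and not the merged patch from the linked codereview: Location, DOMWindow and the three setter variants are simplified stand-ins for the classes in the ASan trace, the JSValue callback stands in for a JS object whose toString() calls document.open(), and g_live is a stand-in for the liveness tracking ASan does with shadow memory (the vulnerable setter consults it instead of dereferencing freed memory). Both of jochen's options (a) hold a ref, (b) convert before taking a pointer, are shown beside the vulnerable order.

```cpp
// Added example (not Blink code): models the re-entrancy UAF from comment 6.
// All names below are simplified stand-ins for the Blink classes in the trace.
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <string>

// Stand-in for ASan's liveness tracking: addresses of Location objects alive now.
static std::set<const void*> g_live;

struct Location {
    std::string href;
    Location()  { g_live.insert(this); }
    ~Location() { g_live.erase(this); }
};

// The window owns its Location through a ref-counted pointer (RefPtr in Blink)
// and creates it lazily, as DOMWindow::location() does in the allocation stack.
struct DOMWindow {
    std::shared_ptr<Location> loc;
    std::shared_ptr<Location> location() {
        if (!loc) loc = std::make_shared<Location>();
        return loc;
    }
    // Document::open() -> Frame::setDOMWindow() -> resetDOMWindowProperties():
    // the window drops its reference and the Location dies.
    void resetDOMWindowProperties() { loc.reset(); }
};

// A JS value whose ToString() runs script (V8StringResource::prepare in the trace).
using JSValue = std::function<std::string()>;

// Constructed malicious argument: its toString() does what the PoC's script
// does (document.open(), which resets the window) and then returns a URL.
JSValue maliciousValue(DOMWindow& win) {
    return [&win]() {
        win.resetDOMWindowProperties();
        return std::string("about:blank");
    };
}

// Vulnerable order, as in the generated locationAttributeSetter:
// 1. take Location* (raw)  2. convert the argument (runs script)  3. use pointer.
// Returns false where ASan reported the heap-use-after-free.
bool setLocationVulnerable(DOMWindow& win, const JSValue& value) {
    Location* raw = win.location().get();   // temporary RefPtr dies right here
    std::string href = value();             // arbitrary JS runs, window is reset
    if (!g_live.count(raw)) return false;   // raw now points at freed memory
    raw->href = href;
    return true;
}

// Option (a): hold a reference across the conversion so the object cannot die.
bool setLocationHoldRef(DOMWindow& win, const JSValue& value) {
    std::shared_ptr<Location> loc = win.location();  // keeps Location alive
    loc->href = value();                             // script may reset the window
    return g_live.count(loc.get()) > 0;              // still alive: memory-safe
}

// Option (b): convert every argument to C++ before retrieving any pointer.
bool setLocationConvertFirst(DOMWindow& win, const JSValue& value) {
    std::string href = value();                      // script runs with no raw pointer held
    std::shared_ptr<Location> loc = win.location();  // fresh, live object after the reset
    loc->href = href;
    return g_live.count(loc.get()) > 0;
}

// Drives one setter against the malicious value on a fresh window.
// True means the setter completed without touching freed memory.
bool survives(bool (*setter)(DOMWindow&, const JSValue&)) {
    DOMWindow win;
    return setter(win, maliciousValue(win));
}

int main() {
    std::printf("vulnerable order : %s\n", survives(setLocationVulnerable) ? "ok" : "UAF");
    std::printf("hold RefPtr (a)  : %s\n", survives(setLocationHoldRef) ? "ok" : "UAF");
    std::printf("convert first (b): %s\n", survives(setLocationConvertFirst) ? "ok" : "UAF");
    return 0;
}
```

The point the model makes is that the conversion step is the re-entrancy point: anything fetched from the DOM before it may be gone afterwards, and a temporary RefPtr that is dropped at the end of the expression gives no protection. Option (b) is the cheaper one because it adds no refcount traffic, but it only works if the generated code takes no pointer at all before the last argument is converted.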
Labels: Security_Impact-Beta Security_Severity-High Security_Impact-Stable M-33 M-34
Owner: japhet@chromium.org
Status: Fixed
Merged to m33 in r169177, m34 in r169178. https://codereview.chromium.org/199693002

Nate, Kentaro and Eric rock!!
Project Member

Comment 15 by ClusterFuzz, Mar 13 2014

Labels: Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-Merged Release-3-M33
merged to cros 1750_149 in r169182.
Cc: kouhei@chromium.org
Cc: deepakg@chromium.org
Summary: Pwn2own (3/13/2014): Use-after-free in bindings (was: Pwnium 4: Blink bug)
Labels: CVE-2014-1713
Cc: scunning...@chromium.org
Project Member

Comment 23 by ClusterFuzz, Jun 20 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Project Member

Comment 24 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta
Project Member

Comment 25 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify
Project Member

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
Project Member

Comment 30 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1
