Issue metadata

Status: Fixed
Owner:
Closed: Feb 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag




Issue 437399: Heap-buffer-overflow in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule

Reported by attek...@gmail.com, Nov 28 2014

Issue description

Tested on:

OS: Ubuntu 14.04


Chromium	41.0.2233.0 (Developer Build) 
Revision	222b9c08723a0acd0327b8ff7a11f1254d241a99-refs/heads/master@{#305981}

ASAN-trace:

==15720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200004421e at pc 0x7fdc0c38c5e8 bp 0x7fffe76e88e0 sp 0x7fffe76e88d8
READ of size 2 at 0x60200004421e thread T0 (chrome)
    #0 0x7fdc0c38c5e7 in int blink::findFirstTrailingSpace<unsigned short>(blink::RenderText*, unsigned short const*, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/InlineIterator.h:469:9
    #1 0x7fdc0c38bc3d in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule(blink::BidiRunList<blink::BidiRun>&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/text/BidiResolver.h:465:22
    #2 0x7fdc0c38a3fa in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::createBidiRunsForLine(blink::InlineIterator const&, blink::VisualDirectionOverride, bool, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/text/BidiResolver.h:1068:9
    #3 0x7fdc0c3880df in blink::constructBidiRunsForLine(blink::BidiResolver<blink::InlineIterator, blink::BidiRun>&, blink::BidiRunList<blink::BidiRun>&, blink::InlineIterator const&, blink::VisualDirectionOverride, bool, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/BidiRunForLine.cpp:141:5
    #4 0x7fdc0c106564 in blink::RenderBlockFlow::layoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun>&, blink::InlineIterator const&, blink::BidiStatus const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/RenderBlockLineLayout.cpp:850:13
    #5 0x7fdc0c1047c7 in blink::RenderBlockFlow::layoutRunsAndFloats(blink::LineLayoutState&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/RenderBlockLineLayout.cpp:773:5
    #6 0x7fdc0c10eac4 in blink::RenderBlockFlow::layoutInlineChildren(bool, blink::LayoutUnit&, blink::LayoutUnit&, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/RenderBlockLineLayout.cpp:1590:9
.
.
.
0x60200004421e is located 0 bytes to the right of 14-byte region [0x602000044210,0x60200004421e)
allocated by thread T0 (chrome) here:
    #0 0x7fdc076f010b in __interceptor_malloc ??:0:0
    #1 0x7fdc0a633c92 in partitionAllocGenericFlags /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:541:20
    #2 0x7fdc0a633c92 in partitionAllocGeneric /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:557:0
    #3 0x7fdc0a633c92 in WTF::StringImpl::createUninitialized(unsigned int, unsigned short*&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/text/StringImpl.cpp:315:0
    #4 0x7fdc0a634df1 in WTF::StringImpl::create(unsigned short const*, unsigned int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/text/StringImpl.cpp:407:33
    #5 0x7fdc0a6536ea in WTF::String::String(unsigned short const*, unsigned int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/text/WTFString.cpp:48:27
    #6 0x7fdc0c16c75f in blink::RenderCombineText::combineText() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/RenderCombineText.cpp:141:9
.
.
.
 
Attachment: chrome-heap-buffer-overflow-int9-min.html (337 bytes)

Comment 1 by ClusterFuzz, Nov 28 2014

Project Member
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6664436101152768

Comment 2 by infe...@chromium.org, Nov 28 2014

Owner: dw.im@chromium.org
Status: Assigned
I am suspecting this is also a regression similar to https://code.google.com/p/chromium/issues/detail?id=437458

Uploading to CF to verify.

Comment 3 by ClusterFuzz, Nov 28 2014

Project Member
Summary: Heap-buffer-overflow in blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule (was: Heap-buffer-overflow in blink::findFirstTrailingSpace)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6664436101152768

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60900014fbde
Crash State:
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::createBidiRunsF
  blink::constructBidiRunsForLine
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=265035:265102

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95BklcuCRWNCA_SxxAGLJqkJIQIw1OB0TGPczmxEhuifmky0CuYhhDcAeB8qkj8S-7KOWx61DANlaskLF_ara7j2lwTtDvG5bUGzS5UAtRmXdt43Ojo7ap6G2LiUTtTJ5RaRU5bai3SaqrfrAjjbu76Ns9Y1g
<style>
div {
  -webkit-writing-mode: vertical-lr;
  -webkit-text-combine: horizontal;
  height: 7px;
  white-space: pre-wrap;
</style>
<div>
foo
  <script></script>
  </script><textarea>

Comment 4 by ClusterFuzz, Nov 28 2014

Project Member
Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer

Comment 5 by kenrb@chromium.org, Nov 28 2014

Labels: Security_Severity-Medium Pri-1

Comment 6 by palmer@google.com, Dec 2 2014

Labels: M-40 Cr-Blink-RTL

Comment 7 by ClusterFuzz, Dec 6 2014

Project Member
Labels: Nag
dw.im@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 8 by ClusterFuzz, Dec 13 2014

Project Member
dw.im@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 9 by infe...@chromium.org, Dec 16 2014

Cc: dw.im@chromium.org dw...@samsung.com igo...@sisa.samsung.com
Owner: ----
Author: igor.o@sisa.samsung.com
Component: blink
Changelist: https://chromium.googlesource.com/chromium/blink.git/+/38ca532f101fa1f1c8a04b18ec5c44f1cb99ab11
Time: Tue Jan 07 10:01:44 2014
The CL last changed line 469 of file InlineIterator.h, which is stack frame 0.

Comment 10 by jsc...@chromium.org, Dec 17 2014

Cc: le...@chromium.org e...@chromium.org
Owner: le...@chromium.org
leviw@, eae@, it looks like you guys reviewed the CL that we suspect and I can't assign the bug directly to igor.o. So, I'm being a jerk and assigning to one of you based on a coin flip and hoping you can help get it fixed.

Comment 11 by e...@chromium.org, Dec 17 2014

Owner: e...@chromium.org
Well, levi is on vacation so I guess it falls on me.

Comment 12 by e...@chromium.org, Dec 18 2014

Status: Started

Comment 13 by e...@chromium.org, Dec 18 2014

Turns out that the patch in r164557 assumes that the last node has at least two characters, which is an incorrect assumption. The obvious fix didn't quite work [1] so I'll revert r164557.
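
The failure described in comment 13, a backward trailing-space scan whose caller-supplied window assumes the text has at least two characters, is modelled below as an added C example; it is not Blink's code and the real caller-side arithmetic in applyL1Rule and findFirstTrailingSpace is not on this page. The `Text` wrapper, the bounds-recording `read_at` accessor (standing in for AddressSanitizer so the out-of-range index can be asserted instead of crashing), the scan functions and the two constructed buffers (a 7-code-unit string matching the 14-byte region in the ASAN report, and a 1-code-unit string) are all assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* UTF-16 code unit, as WTF::String stores 16-bit text. */
typedef uint16_t UChar;

/* Constructed text buffer with a bounds-recording accessor. Instead of
 * crashing like AddressSanitizer, it records every out-of-range index. */
typedef struct {
    const UChar *data;
    int length;          /* number of code units */
    int oob_reads;       /* reads that fell outside [0, length) */
    int last_oob_index;  /* index of the most recent such read */
} Text;

static UChar read_at(Text *t, int i) {
    if (i < 0 || i >= t->length) {
        t->oob_reads++;
        t->last_oob_index = i;
        return 0;
    }
    return t->data[i];
}

static int is_collapsible_space(UChar c) {
    return c == ' ' || c == '\t' || c == '\n';
}

/* Hypothetical model of the scan: walk from stop-1 down to start and
 * return the index of the first trailing collapsible space. It trusts
 * the caller's [start, stop) window completely. */
static int find_first_trailing_space_unchecked(Text *t, int start, int stop) {
    int first_space = stop;
    while (first_space > start) {
        if (!is_collapsible_space(read_at(t, first_space - 1)))
            break;
        first_space--;
    }
    return first_space;
}

/* Hardened form: clamp the window to the buffer the scan owns, so a stale
 * or mis-derived start/stop can never index outside it. */
static int find_first_trailing_space_checked(Text *t, int start, int stop) {
    if (stop > t->length) stop = t->length;
    if (start < 0) start = 0;
    if (stop <= start) return stop;  /* empty window, nothing to scan */
    return find_first_trailing_space_unchecked(t, start, stop);
}

typedef struct { int result; int oob_reads; int last_oob_index; } ScanOutcome;

/* Run one scan over a constructed buffer and report what it touched. */
static ScanOutcome run_scan(const UChar *data, int length, int start, int stop, int checked) {
    Text t = { data, length, 0, 0 };
    ScanOutcome o;
    o.result = checked ? find_first_trailing_space_checked(&t, start, stop)
                       : find_first_trailing_space_unchecked(&t, start, stop);
    o.oob_reads = t.oob_reads;
    o.last_oob_index = t.last_oob_index;
    return o;
}

/* Constructed inputs: 7 code units (14 bytes, like the ASAN region) and 1. */
static const UChar kSeven[7] = { 'f', 'o', 'o', ' ', ' ', ' ', ' ' };
static const UChar kOne[1] = { ' ' };

int main(void) {
    /* stop one past the end: the unchecked scan reads index 7 of 7 */
    ScanOutcome a = run_scan(kSeven, 7, 0, 8, 0);
    ScanOutcome b = run_scan(kSeven, 7, 0, 8, 1);
    /* start derived as length - 2 on a 1-unit text: reads index -1 */
    ScanOutcome c = run_scan(kOne, 1, 1 - 2, 1, 0);
    ScanOutcome d = run_scan(kOne, 1, 1 - 2, 1, 1);
    printf("unchecked, stop past end: oob reads=%d at index %d\n", a.oob_reads, a.last_oob_index);
    printf("checked,   stop past end: result=%d, oob reads=%d\n", b.result, b.oob_reads);
    printf("unchecked, 1-unit text:   oob reads=%d at index %d\n", c.oob_reads, c.last_oob_index);
    printf("checked,   1-unit text:   result=%d, oob reads=%d\n", d.result, d.oob_reads);
    return 0;
}
```

Index 7 of a 7-unit buffer is byte offset 14, which is the "0 bytes to the right of 14-byte region" in the ASAN report; the 1-unit case reads index -1 instead, the other way the two-character assumption fails. The hardened variant clamps the window to the buffer it owns, which is the check to ask for regardless of how the caller derives start and stop.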

Comment 14 by e...@chromium.org, Dec 18 2014

Turns out it is not quite that easy given that it was added 11 months ago and the code has changed a lot since.
I'm guessing trying to get the fix in https://codereview.chromium.org/813133002/ working will be easier.

Comment 15 by e...@chromium.org, Dec 18 2014

Status: Assigned

Comment 16 by infe...@chromium.org, Jan 7 2015

Labels: OS-All

Comment 17 by ClusterFuzz, Jan 9 2015

Project Member
eae@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 18 by ClusterFuzz, Feb 2 2015

Project Member
eae@: Uh oh! This issue is still open and hasn't been updated in the last 45 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 19 by ClusterFuzz, Feb 8 2015

Project Member
ClusterFuzz has detected this issue as fixed in range 314621:315214.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6664436101152768

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60900014fbde
Crash State:
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::createBidiRunsF
  blink::constructBidiRunsForLine
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=262830:262871
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=314621:315214

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95BklcuCRWNCA_SxxAGLJqkJIQIw1OB0TGPczmxEhuifmky0CuYhhDcAeB8qkj8S-7KOWx61DANlaskLF_ara7j2lwTtDvG5bUGzS5UAtRmXdt43Ojo7ap6G2LiUTtTJ5RaRU5bai3SaqrfrAjjbu76Ns9Y1g
<style>
div {
  -webkit-writing-mode: vertical-lr;
  -webkit-text-combine: horizontal;
  height: 7px;
  white-space: pre-wrap;
</style>
<div>
foo
  <script></script>
  </script><textarea>

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 20 by ClusterFuzz, Feb 20 2015

Project Member
Labels: -M-40 M-41

Comment 21 by mea...@chromium.org, Feb 23 2015

Clusterfuzz says this is fixed. eae@: Could you please confirm?

Comment 22 by ClusterFuzz, Feb 23 2015

Project Member
ClusterFuzz has detected this issue as fixed in range 314621:315214.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6664436101152768

Uploader: inferno@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60900014fbde
Crash State:
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::applyL1Rule
  blink::BidiResolver<blink::InlineIterator, blink::BidiRun>::createBidiRunsF
  blink::constructBidiRunsForLine
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=262830:262871
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=314621:315214

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95BklcuCRWNCA_SxxAGLJqkJIQIw1OB0TGPczmxEhuifmky0CuYhhDcAeB8qkj8S-7KOWx61DANlaskLF_ara7j2lwTtDvG5bUGzS5UAtRmXdt43Ojo7ap6G2LiUTtTJ5RaRU5bai3SaqrfrAjjbu76Ns9Y1g
<style>
div {
  -webkit-writing-mode: vertical-lr;
  -webkit-text-combine: horizontal;
  height: 7px;
  white-space: pre-wrap;
</style>
<div>
foo
  <script></script>
  </script><textarea>

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 23 by infe...@chromium.org, Feb 23 2015

Status: Fixed
No idea what fixed this.

Comment 24 by ClusterFuzz, Feb 23 2015

Project Member
Labels: -Restrict-View-SecurityTeam M-42 Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 25 by timwillis@google.com, Feb 26 2015

Labels: -M-41 -Merge-Triage Merge-NA reward-topanel Release-0-M42

Comment 26 by timwillis@google.com, Apr 14 2015

Cc: timwillis@chromium.org
Labels: -reward-topanel reward-500 reward-unpaid CVE-2015-1246
Congrats - $500 for this report. I'll add it to your tab :)

Comment 27 by timwillis@google.com, May 6 2015

Labels: -reward-unpaid reward-inprocess

Comment 28 by ClusterFuzz, Jun 1 2015

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 29 by timwillis@google.com, Jun 3 2015

Labels: -reward-inprocess
Processing via our *new* e-payment system should only take 7-10 days and the reward should be on its way to you. Thanks again for your help!

Comment 30 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 33 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
