
Issue 478549 link

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-use-after-free in blink::SMILTimeContainer::updateAnimations

Reported by attek...@gmail.com, Apr 19 2015

Issue description



Tested on:

OS: Ubuntu 14.04

Chrome: asan-symbolized-linux-release-325771

Note: There is some timing condition in the repro-file. It prevents me from minimizing the file automatically, so I'll take a closer look manually when I have some spare time.

You need to hit refresh a couple of times to reproduce the crash, so it might not reproduce on clusterfuzz. Also sometimes the crash occurs as a null-pointer and sometimes as a UAF.


ASAN-trace:(UAF)


==31305==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000004860 at pc 0x7f20bdb75284 bp 0x7ffddd692af0 sp 0x7ffddd692ae8
READ of size 8 at 0x617000004860 thread T0 (chrome)
    #0 0x7f20bdb75283 in operator==<blink::SVGElement *, blink::QualifiedName> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../buildtools/third_party/libc++/trunk/include/utility:405
    #1 0x7f20bdb74f9a in WTF::HashTableHelper<WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> > >::isEmptyOrDeletedBucket(WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:328
    #2 0x7f20bdb7a3c1 in WTF::HashTableConstIterator<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>::skipEmptyBuckets() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:120
    #3 0x7f20bdb7a5ce in WTF::HashTableConstIterator<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>::operator++() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:173
    #4 0x7f20bdb7a57a in WTF::HashTableIterator<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>::operator++() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:230
    #5 0x7f20bdb7132a in WTF::HashTableIteratorAdapter<WTF::HashTable<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >::operator++() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashIterators.h:73
    #6 0x7f20bdb6ee9f in updateAnimations /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:464 (discriminator 3)
    #7 0x7f20bdb7144a in blink::SMILTimeContainer::updateAnimationsAndScheduleFrameIfNeeded(blink::SMILTime, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:432
    #8 0x7f20bdb6c2f4 in blink::SMILTimeContainer::wakeupTimerFired(blink::Timer<blink::SMILTimeContainer>*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:313
    #9 0x7f20c5c6b094 in blink::ThreadTimers::sharedTimerFiredInternal() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/ThreadTimers.cpp:137
    #10 0x7f20c5c6a80e in blink::ThreadTimers::sharedTimerFired() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/ThreadTimers.cpp:107
    #11 0x7f20c0a9c736 in content::BlinkPlatformImpl::DoTimeout() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/blink_platform_impl.h:178
    #12 0x7f20c0a9efb1 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (content::BlinkPlatformImpl::*)()>, base::internal::TypeList<content::BlinkPlatformImpl*> >::MakeItSo(base::internal::RunnableAdapter<void (content::BlinkPlatformImpl::*)()>, content::BlinkPlatformImpl*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/bind_internal.h:293
.
.
.
0x617000004860 is located 480 bytes inside of 768-byte region [0x617000004680,0x617000004980)
freed by thread T0 (chrome) here:
    #0 0x7f20b621e46b in __interceptor_free ??:?
    #1 0x7f20bdb74b63 in WTF::HashTable<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>::rehash(unsigned int, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:1148
    #2 0x7f20bdb74070 in WTF::HashTableAddResult<WTF::HashTable<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > > WTF::HashTable<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::KeyValuePair<std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::KeyValuePairKeyExtractor, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::DefaultAllocator>::add<WTF::HashMapTranslator<WTF::HashMapValueTraits<WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > > >, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, std::__1::pair<blink::SVGElement*, blink::QualifiedName>, WTF::PassOwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >(std::__1::pair<blink::SVGElement*, blink::QualifiedName> const&, WTF::PassOwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:847
    #3 0x7f20bdb73cc1 in WTF::HashMap<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> >, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::DefaultAllocator>::inlineAdd(std::__1::pair<blink::SVGElement*, blink::QualifiedName> const&, WTF::PassOwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> >&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashMap.h:359
    #4 0x7f20bdb6ca91 in WTF::HashMap<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> >, WTF::PairHash<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName>, WTF::HashTraits<std::__1::pair<WTF::RawPtr<blink::SVGElement>, blink::QualifiedName> >, WTF::HashTraits<WTF::OwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> > >, WTF::DefaultAllocator>::add(std::__1::pair<blink::SVGElement*, blink::QualifiedName> const&, WTF::PassOwnPtr<WTF::LinkedHashSet<WTF::RawPtr<blink::SVGSMILElement>, WTF::PtrHash<WTF::RawPtr<blink::SVGSMILElement> >, WTF::HashTraits<WTF::RawPtr<blink::SVGSMILElement> >, WTF::DefaultAllocator> >) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/HashMap.h:386
    #5 0x7f20bdb6c7a8 in schedule /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:93
    #6 0x7f20bdb8c50e in schedule /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp:1326
    #7 0x7f20bda76ee1 in blink::SVGAnimationElement::setTargetElement(blink::SVGElement*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/SVGAnimationElement.cpp:692
.
.
.


ASAN-trace:(null-pointer)

==30816==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f321eca7727 bp 0x7fff4767ef30 sp 0x7fff4767ee60 T0)
    #0 0x7f321eca7726 in calculateAnimatedValue /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/SVGAnimatedTypeAnimator.cpp:254
    #1 0x7f321ec9e5f7 in calculateAnimatedValue /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/SVGAnimateElement.cpp:99
    #2 0x7f321ecb221f in blink::SVGAnimationElement::updateAnimation(float, unsigned int, blink::SVGSMILElement*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/SVGAnimationElement.cpp:638
    #3 0x7f321edcffd5 in blink::SVGSMILElement::progress(blink::SMILTime, blink::SVGSMILElement*, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp:1184
    #4 0x7f321edab09c in updateAnimations /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:490
    #5 0x7f321edad44a in blink::SMILTimeContainer::updateAnimationsAndScheduleFrameIfNeeded(blink::SMILTime, bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:432
    #6 0x7f321eda82f4 in blink::SMILTimeContainer::wakeupTimerFired(blink::Timer<blink::SMILTimeContainer>*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:313
    #7 0x7f3226ea7094 in blink::ThreadTimers::sharedTimerFiredInternal() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/ThreadTimers.cpp:137
.
.
.
 
chrome-heap-use-after-free-operatorblinkSVGElement.svg
135 KB Download
Cc: fmalita@chromium.org schenney@chromium.org pdr@chromium.org
Labels: Security_Severity-High Pri-1 OS-All Cr-Blink-SVG
Owner: kouhei@chromium.org
Status: Assigned
Kouhei@, you seem to have dived into this code recently, can you please take a look.

Comment 2 by attek...@gmail.com, Apr 20 2015


I did some work with the test case. At least on my laptop the crash reproduces reliably within 10s, when the file is loaded into Chrome. You could try the new repro-file on ClusterFuzz.

I reduced most of the JavaScript and some of the XML, but there are still some weird timing conditions.

JavaScript has one setInterval and two setTimeout left and SVG/XML has lots of animation timings.

The JavaScript part doesn't touch any of the animation values, so I think that the timing condition is between the animations set in the SVG/XML and the DOM and style manipulations in the JavaScript code.

chrome-heap-use-after-free-operatorblinkSVGElement-min.svg
56.4 KB Download

Comment 3 by kouhei@chromium.org, Apr 20 2015

Status: Started

Comment 4 by kouhei@chromium.org, Apr 20 2015

repro memo: Load the svg in debug content_shell and it will crash on ASSERT:
89          ASSERT(!m_preventScheduledAnimationsChanges);

#0  0x000000000b338d31 in blink::SMILTimeContainer::schedule (this=0x6120000accc0, animation=0x616000365180, target=0x616000365180, attributeName=...)
    at ../../third_party/WebKit/Source/core/svg/animation/SMILTimeContainer.cpp:89


Comment 5 by kouhei@chromium.org, Apr 20 2015

SMILTimeContainer::progress in the CSS animation may cause the target element render tree to be created in-place, and that may instantiate the use shadow tree which may contain <animate> elements which then need to be scheduled in the SMILTimeContainer.

We have to prevent this somewhere, but it is not obvious to me right away where the right place to do it is.

Comment 6 by f...@chromium.org, Apr 21 2015

Labels: ReleaseBlock-Stable

Comment 7 by f...@chromium.org, Apr 21 2015

Labels: -ReleaseBlock-Stable Security_Impact-Stable

Comment 8 by ClusterFuzz, Apr 21 2015

Labels: M-42

Comment 9 by kouhei@chromium.org, Apr 23 2015

Cc: f...@opera.com e...@opera.com
Workaround CL: https://codereview.chromium.org/1098913004/

Comment 10 by f...@opera.com, Apr 23 2015

To me it feels like we could block these (animation elements) when cloning the shadow-tree (isDisallowedElement in SVGUseElement.cpp)

Comment 11 by f...@opera.com, Apr 23 2015

nvm, looks like that's done already...

Comment 12 by f...@opera.com, Apr 23 2015

Looks like the TC has some <use> that directly reference animation elements (ID4 and ID28), and that clone+append doesn't appear directly guarded by isDisallowedElement (checked "after the fact").
That would be easier if it's acceptable.

The animation elements in the shadow tree may reference a different element, so blocking it would change behavior in some cases.
Sorry please ignore #13.

Thanks for investigating. #12 seems to explain this bug. I'm onboarding to a flight now and will be offline for ~24hrs, so feel free to take this from me.

Comment 15 by f...@opera.com, Apr 23 2015

Owner: f...@opera.com
Will do.
Cc: kouhei@chromium.org

Comment 17 by f...@opera.com, Apr 24 2015

Reduced down to the attached, which seems to reproduce pretty reliably.
chrome-heap-use-after-free-operatorblinkSVGElement-min.html
542 bytes View Download

Comment 18 by f...@opera.com, Apr 24 2015

Reduced based on the assert in SMILTimeContainer::schedule I should've said.

Comment 19 by bugdroid1@chromium.org, Apr 25 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=194421

------------------------------------------------------------------
r194421 | fs@opera.com | 2015-04-25T01:10:46.501939Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/svg/SVGUseElement.cpp?r1=194421&r2=194420&pathrev=194421
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/custom/use-referencing-animation-crash-expected.txt?r1=194421&r2=194420&pathrev=194421
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/custom/use-referencing-animation-crash.html?r1=194421&r2=194420&pathrev=194421

Avoid transiently creating disallowed elements when building <use> trees

When building a shadow tree for a <use>, a direct reference to a
"disallowed" element would cause the element to first be inserted before
buildShadowTree() noticed it's disallowed and returns false, so it's
removed again.
This transient mutation could take place while computing an animation
update, if a CSS property was being animated and the layout tree/style
was dirty.
Avoid the insert-remove sequence by checking if the initial target is
disallowed up-front. This matches how it's done in the general subtree
building case inside buildShadowTree().

BUG= 478549 

Review URL: https://codereview.chromium.org/1105873002
-----------------------------------------------------------------
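Comment 5 and the commit message above describe a reentrancy: SMILTimeContainer is iterating its scheduled-animation map when an animation update builds a <use> shadow tree, the transiently inserted <animate> calls schedule() on that same map, and the resulting insert can rehash and free the storage still being walked. The C++ model below is added here and is not Blink code; Element, TimeContainerModel and UseModel are hypothetical stand-ins for SVGElement, SMILTimeContainer and SVGUseElement, and instead of touching freed memory it counts the reentrant schedule() call that the debug ASSERT in comment 4 catches, for both the pre-fix insert-then-check order and the up-front check from r194421.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for SVGElement.
struct Element {
    std::string tag;
    // Animation elements are "disallowed" inside a <use> shadow tree.
    bool isDisallowedInUseTree() const { return tag == "animate"; }
};

// Hypothetical stand-in for SMILTimeContainer.
struct TimeContainerModel {
    // Models the target -> scheduled animations map that updateAnimations() walks.
    std::map<const Element*, std::vector<std::string>> scheduled;
    // Set while the map is being iterated; mirrors the debug
    // ASSERT(!m_preventScheduledAnimationsChanges) in schedule().
    bool preventScheduledAnimationsChanges = false;
    int reentrantSchedules = 0;

    void schedule(const Element* target, const std::string& attributeName) {
        if (preventScheduledAnimationsChanges) {
            // In Blink this insert could rehash the map under the running
            // iterator and free its buckets (the reported UAF). Here we only count.
            ++reentrantSchedules;
            return;
        }
        scheduled[target].push_back(attributeName);
    }
};

// Hypothetical stand-in for SVGUseElement.
struct UseModel {
    TimeContainerModel& container;
    Element* referencedTarget;          // what the <use> href points at
    std::vector<Element*> shadowTree;

    // checkUpFront == false: pre-fix order (insert, then notice it is disallowed
    // and remove again). checkUpFront == true: the order after r194421.
    bool buildShadowTree(bool checkUpFront) {
        if (checkUpFront && referencedTarget->isDisallowedInUseTree())
            return false;               // never inserted, so never scheduled
        shadowTree.push_back(referencedTarget);
        if (referencedTarget->tag == "animate")
            container.schedule(referencedTarget, "x");   // insertion hook
        if (referencedTarget->isDisallowedInUseTree()) {
            shadowTree.pop_back();      // the transient insert-remove sequence
            return false;
        }
        return true;
    }
};

// updateAnimations(): while walking 'scheduled', progress() for a CSS-animated
// property with a dirty layout tree builds the target's layout, which
// instantiates the <use> shadow tree (the reentrancy comment 5 describes).
int updateAnimations(TimeContainerModel& container, UseModel& use, bool checkUpFront) {
    container.preventScheduledAnimationsChanges = true;
    for (const auto& entry : container.scheduled) {
        (void)entry;
        use.buildShadowTree(checkUpFront);
    }
    container.preventScheduledAnimationsChanges = false;
    return container.reentrantSchedules;
}

// Constructed scenario after the reduced test case: a <use> that references an
// <animate> directly while another animation is already scheduled and updating.
int reentrantSchedulesDuringUpdate(bool checkUpFront) {
    Element rect{"rect"};
    Element animate{"animate"};
    TimeContainerModel container;
    container.schedule(&rect, "fill");          // animation already running
    UseModel use{container, &animate, {}};
    return updateAnimations(container, use, checkUpFront);
}

int main() {
    std::printf("pre-fix reentrant schedules: %d\n", reentrantSchedulesDuringUpdate(false));
    std::printf("fixed   reentrant schedules: %d\n", reentrantSchedulesDuringUpdate(true));
    return 0;
}
```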
Status: Fixed

Comment 21 by ClusterFuzz, Apr 25 2015

Labels: -Restrict-View-SecurityTeam M-43 Restrict-View-SecurityNotify Merge-Triage
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 22 by f...@opera.com, May 6 2015

Labels: Merge-Requested
Labels: -Merge-Requested Merge-Review-42 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M42), manual review required.
Labels: Merge-Review-43
[Automated comment] Less than 2 weeks to go before stable on M43, manual review required.
Labels: -Merge-Review-43 Merge-Approved
Labels: -Merge-Review-42
I don't plan to take this for M42 given where we are in the release cycle.  Ping me if you have any objections.

Comment 27 by bugdroid1@chromium.org, May 7 2015

Labels: -Merge-Approved merge-merged-2357
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=195031

------------------------------------------------------------------
r195031 | fs@opera.com | 2015-05-07T08:03:41.925923Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/2357/LayoutTests/svg/custom/use-referencing-animation-crash.html?r1=195031&r2=195030&pathrev=195031
   M http://src.chromium.org/viewvc/blink/branches/chromium/2357/Source/core/svg/SVGUseElement.cpp?r1=195031&r2=195030&pathrev=195031
   A http://src.chromium.org/viewvc/blink/branches/chromium/2357/LayoutTests/svg/custom/use-referencing-animation-crash-expected.txt?r1=195031&r2=195030&pathrev=195031

Merge 194421 "Avoid transiently creating disallowed elements whe..."

> Avoid transiently creating disallowed elements when building <use> trees
> 
> When building a shadow tree for a <use>, a direct reference to a
> "disallowed" element would cause the element to first be inserted before
> buildShadowTree() noticed it's disallowed and returns false, so it's
> removed again.
> This transient mutation could take place while computing an animation
> update, if a CSS property was being animated and the layout tree/style
> was dirty.
> Avoid the insert-remove sequence by checking if the initial target is
> disallowed up-front. This matches how it's done in the general subtree
> building case inside buildShadowTree().
> 
> BUG= 478549 
> 
> Review URL: https://codereview.chromium.org/1105873002

TBR=fs@opera.com

Review URL: https://codereview.chromium.org/1134453003
-----------------------------------------------------------------
Labels: -Merge-Triage
Labels: -M-42 reward-topanel Release-0-M43
Labels: -reward-topanel reward-unpaid CVE-2015-1256 reward-2000
$2000 for this one.

Notes from reward panel: "$2,000 here as UaF is less reliable".
Labels: -reward-unpaid reward-inprocess
Processing rewards - should be paid in approximately 2 weeks.
Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!

(Note: sorry for the delay here - it turns out in the new payment system, these payments were waiting for a second approval from me).

Comment 33 by ClusterFuzz, Aug 1 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 34 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted