Starred by 1 user
Status: Fixed
Owner: ----
Closed: Feb 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

use-after-free when document.close and document.write are called after requesting a non-existing script
Reported by miau...@gmail.com, Feb 3 2011

VULNERABILITY DETAILS
RIP == 0
valgrind says it's because
Address 0x358ded70 is 0 bytes inside a block of size 128 free'd

VERSION
Chromium 11.0.656.0 Ubuntu 10.10
on Ubuntu Maverick 64bit 2.6.35-25-generic
Google Chrome 10.0.648.11 dev
on Ubuntu Maverick 64bit 2.6.35-25-generic

8.0.552.237 (Official build 70801)
on Windows 7 32-bit

REPRODUCTION CASE
<script src="non-existent.js"></script>
<iframe onload="document.close(); document.write();"></iframe>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: sad tab
Crash State: #0  0x0000000000000000 in ?? ()
#1  0x00007ffff62e6910 in WebCore::HTMLConstructionSite::attach<WebCore::Element> (this=0x7ffff8e8fe30, parent=0x7ffff9170a00, prpChild=<value optimized out>)
    at third_party/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:98
#2  0x00007ffff62e69d5 in WebCore::HTMLConstructionSite::attachToCurrent (this=0x1, child=<value optimized out>)
    at third_party/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:237
#3  0x00007ffff62e6dc7 in WebCore::HTMLConstructionSite::insertHTMLElement (this=0x7ffff8e8fe30, token=<value optimized out>)
    at third_party/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:267
 
Comment 1 by miau...@gmail.com, Feb 3 2011
valgrind log
valgrind.txt (8.2 KB)
Comment 2 by miau...@gmail.com, Feb 3 2011
gdb log
gdb.txt (14.0 KB)
Comment 3 by miau...@gmail.com, Feb 3 2011
Repro as a file. It's just those two lines.
71763.html (103 bytes)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All reward-topanel Mstone-9
Yep, that's a very stale this pointer. Looks like somewhere up this hierarchy we need to hold a RefPtr to parent.

@abarth - Since this is in the parser you might be the best to turn around a quick fix. I'd probably just naively use a protector on parent in HTMLConstructionSite::attach.

@miaubiz - Nice bug. And it's also very handy when you use the bug ID on filenames in follow up attachments like that.
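The mechanism behind the stale parent pointer in the stack trace above, and the RefPtr protector cevans suggests, as an added toy model (constructed for this page, not WebKit code; the real upstream fix noted later in this thread needed more than the protector). std::shared_ptr and std::weak_ptr stand in for WebCore's RefPtr and refcounted Node; ConstructionSite, Element, closeAndRewrite and attachSurvives are illustrative names.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Toy model of the parser state from the stack trace; constructed for
// illustration only.
struct Element : std::enable_shared_from_this<Element> {
    explicit Element(std::string t) : tag(std::move(t)) {}
    std::string tag;
    std::vector<std::shared_ptr<Element>> children;
};

struct ConstructionSite {
    std::shared_ptr<Element> root = std::make_shared<Element>("html");
    // Stands in for the iframe's onload handler, which re-enters the parser
    // while attach() is still on the stack.
    std::function<void()> onAttach;

    // document.close(); document.write(): the tree being built is thrown away
    // and replaced, releasing the last strong reference to the old parent.
    void closeAndRewrite() { root = std::make_shared<Element>("html"); }

    // Returns true when 'parent' is still alive after the re-entrant callback.
    // 'protect' models the suggested RefPtr protector on parent.
    bool attach(Element* parent, std::shared_ptr<Element> child, bool protect) {
        std::shared_ptr<Element> protector;
        if (protect) protector = parent->shared_from_this();
        std::weak_ptr<Element> watch = parent->shared_from_this(); // alive check only
        if (onAttach) onAttach();           // script runs here and may tear down the tree
        if (watch.expired()) return false;  // stale pointer: real code would touch freed memory
        parent->children.push_back(std::move(child));
        return true;
    }
};

// Drives the scenario from the repro: onload closes and rewrites the document
// while attach() is in progress. Returns whether attach completed safely.
bool attachSurvives(bool protect) {
    ConstructionSite site;
    Element* parent = site.root.get();
    site.onAttach = [&site] { site.closeAndRewrite(); };
    return site.attach(parent, std::make_shared<Element>("iframe"), protect);
}
```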
Status: Available
Actually, I think I'll just submit a patch with my naive solution. @abarth can chastise me upstream if it's the wrong fix.

Reported upstream at: https://bugs.webkit.org/show_bug.cgi?id=53689

I take it back. This needs the work of a parser expert. Protecting the pointer fixes the crash, but there are asserts hitting and generally confusing behavior.
Looking again.
This bug is complex.  :-/
Status: ExternalDependency
Patch posted upstream.
Status: WillMerge
Fixenated: http://trac.webkit.org/changeset/78147
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
I do think this change is rather quite fresh and might be risky for M9P2, let's pick it up in M9P3.
Labels: -Mstone-9 Mstone-10 ApprovedForMerge
We're not cutting another m9, so merging straight to m10.
Labels: -ApprovedForMerge
Status: FixUnreleased
Merged to m10: http://trac.webkit.org/changeset/79901
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: Nice report! This provisionally qualifies for a $1000 Chromium Security Reward.
This bug is an awesome report, and rewarded at the higher $1000 level due to various things:
- Truly minimal repro :D
- The inclusion of a valgrind report is really useful.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-1195
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system.
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 23 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 24 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -SecSeverity-High -Mstone-10 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-10
Project Member Comment 25 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 26 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 28 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic