Issue 73526


Issue metadata

Status: Fixed
Closed: Mar 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Floats not cleared to logical height wraps.

Reported by, Feb 19 2011

Issue description

stale pointer RIP goes to random address

Google Chrome	9.0.597.98 (Official Build 74359)
Chromium	11.0.673.0 (Developer Build 75059) Ubuntu 10.10
on Linux 2.6.35-27-generic #47-Ubuntu SMP Fri Feb 11 22:52:49 UTC 2011 x86_64

Google Chrome 9.0.597.102 (official build 74604)
OSX Snow Leopard 10.6.6



Type of crash: tab
Crash State: 
#0  0x00007ffffa1c59c0 in ?? ()
#1  0x00007ffff67e8699 in WebCore::RenderBlock::insertFloatingObject at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:3073
#2  0x00007ffff68029ae in WebCore::RenderBlock::layoutInlineChildren at third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:870

   0x00007ffff67e8693 <+195>:	callq  *0x140(%rax)

Comment 1 by, Feb 19 2011

valgrind log

==1379==  Address 0x3647b4ab is 91 bytes inside a block of size 96 free'd
==1379==    at 0x4C29146: free (vg_replace_malloc.c:913)
==1379==    by 0x1CE8A0F: WebCore::RenderObject::~RenderObject() (RefCounted.h:136)

==1379== Process terminating with default action of signal 4 (SIGILL)
==1379==  Illegal opcode at address 0x35A98344
==1379==    at 0x35A98344: ???
==1379==    by 0xF772777: ???
==1379==    by 0x1C70698: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (RenderBlock.cpp:3073)

Mergedinto: 71855
Status: Duplicate
Does not crash on either Windows trunk (webkit 78997) or Linux trunk (webkit 78540). Seeing the repro, this is pretty obvious dup of

Comment 3 by, Feb 19 2011

I thought it looked familiar :D

But this is reproducible for me on trunk (webkit 79006), and the repros from the other bug do nothing.

This crash has something to do with the -webkit-columns CSS directive being present in the repro.

I'll attach some more repros.  The b?.html segfault at RIP and the numbered ones nullptr at 140.

Mergedinto: -71855
Status: Available
Ok, I will recheck again with your new repros. Reopening bug.

Comment 5 by, Feb 20 2011

here's a smaller one for nullptr 0x140. The instruction is callq %rax+0x140

can repro on ubuntu chromium daily version on maverick 64bit:
Chromium	11.0.678.0 (Developer Build 75511) Ubuntu 10.10
WebKit	534.21 (trunk@79111)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-9
Summary: Floats not cleared to logical height wraps.
miaubiz, you are awesome!! This new repro works, and this is not a dup.

the logical height is wrapping up at 
setLogicalHeight(logicalHeight() + logicalHeightForChild(child)); in RenderBlock.cpp

and hence we are not able to clear the linebox in markLinesDirtyInBlockRange. Note that the logical height wrap leads to a negative block logical height, leading to the linebox not being cleared -> stale linebox -> use after free. My last two fixes in this area 

These signed ints are really bad; they are all over the place in WebKit. And at least a negative logical height has a meaning. I am still checking if we can fix this more generically using block logical height, for which a negative value is probably invalid.

taking a look.
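As an added illustration (not code from WebKit or from this bug's fix), the constructed C++ model below shows the signed-int accumulation described above wrapping negative, how that empties the dirty-line range, and a saturating add that keeps the block height valid. The function names only model the WebKit ones named in the comment; the child heights and line tops are constructed sample data.

```cpp
#include <climits>
#include <vector>

// Models setLogicalHeight(logicalHeight() + logicalHeightForChild(child))
// with a plain signed int. The wrap is computed through unsigned arithmetic
// so the demo stays well-defined; in practice a signed int wraps the same way.
int accumulateUnchecked(const std::vector<int>& childHeights) {
    int logicalHeight = 0;
    for (int h : childHeights)
        logicalHeight = static_cast<int>(static_cast<unsigned>(logicalHeight) +
                                         static_cast<unsigned>(h));
    return logicalHeight;
}

// Saturating add: clamps at INT_MAX / INT_MIN instead of wrapping.
int saturatedAdd(int a, int b) {
    if (b > 0 && a > INT_MAX - b) return INT_MAX;
    if (b < 0 && a < INT_MIN - b) return INT_MIN;
    return a + b;
}

// Same accumulation with the saturating add; the height can never go negative
// from adding non-negative child heights.
int accumulateSaturated(const std::vector<int>& childHeights) {
    int logicalHeight = 0;
    for (int h : childHeights)
        logicalHeight = saturatedAdd(logicalHeight, h);
    return logicalHeight;
}

// Models markLinesDirtyInBlockRange: lines whose top lies in
// [blockTop, blockBottom) are marked dirty. Returns how many were marked.
// With a wrapped (negative) blockBottom the range is empty and every line
// survives as a stale line box.
int markLinesDirtyInBlockRange(const std::vector<int>& lineTops,
                               int blockTop, int blockBottom) {
    int marked = 0;
    for (int top : lineTops)
        if (top >= blockTop && top < blockBottom)
            ++marked;
    return marked;
}

// A block logical height below zero is the invalid state the comment above
// suggests checking for; a layout-time assertion on this catches the wrap
// before the stale line box is ever reached.
bool blockLogicalHeightValid(int blockHeight) { return blockHeight >= 0; }
```

With constructed child heights {INT_MAX - 10, 100} the unchecked sum wraps negative and no line is marked dirty, while the saturated sum stays at INT_MAX and both sample lines are marked.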
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel
Status: WillMerge
Fixed in

Comment 9 by, Feb 23 2011

@inferno <3 thank you.

I can get RIP to go to bad places with the attached repros with r79479.  I'm using the webkit master git branch, because the gclient branch with lkgr isn't up to date yet.

not sure if it's more of the same bug or should be filed as a different one

Chromium	11.0.682.0 (Developer Build f504cfe)
WebKit	534.22 (git@58b0446) == r79479

==12302==  Address 0xf7d44ab is 91 bytes inside a block of size 96 free'd
==12302==    at 0x4C29146: free (vg_replace_malloc.c:913)
==12302==    by 0x1E3ECFF: WebCore::RenderObject::~RenderObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DF9156: WebCore::RenderEmbeddedObject::~RenderEmbeddedObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1E3971A: WebCore::RenderObject::arenaDelete(WebCore::RenderArena*, void*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302== Jump to the invalid address stated on the next line
==12302==    at 0x0: ???
==12302==    by 0x1DC5968: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DE008D: WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) (in /home/clooney/chromium/src/out/Release/chrome)

@miaubiz: can you please file a new bug with these repros.

Comment 11 Deleted

@Miaubiz: thank you very much for your continued patience and testing on the trunk build. Please try to include all new repros concerning this case of overflow in the new bug. (Don't worry if those repros are big; we want to make sure we have them all before I try another fix to cover the rest of the scenarios.)

Comment 13 by, Feb 24 2011

@inferno:  bug 73962 
Labels: -Mstone-9 Mstone-10
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: thanks for all your high-quality help as usual :)
We'll reward you $1000 for this bug and consider the other bug for additional reward once we've fixed it and verified all the different repros.

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: -Mstone-10 Mstone-11
Status: FixUnreleased
Probably no more M10 patches. Going to let this fix roll into M11. I love having regular release trains :D
Labels: Type-Security
Labels: CVE-2011-1437
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 24 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 25 by, Mar 10 2013

Labels: -Area-WebKit -SecSeverity-High -Mstone-11 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-11

Comment 26 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 27 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 28 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 29 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 30 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 31 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
