Status: Fixed
Closed: Mar 2011
OS: All
Pri: 1
Type: Bug-Security
Floats not cleared to logical height wraps.
Reported by miau...@gmail.com, Feb 19 2011

VULNERABILITY DETAILS
stale pointer RIP goes to random address

VERSION
Google Chrome	9.0.597.98 (Official Build 74359)
Chromium	11.0.673.0 (Developer Build 75059) Ubuntu 10.10
on Linux 2.6.35-27-generic #47-Ubuntu SMP Fri Feb 11 22:52:49 UTC 2011 x86_64

Google Chrome 9.0.597.102 (official build 74604)
OSX Snow Leopard 10.6.6

REPRODUCTION CASE

attached

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
#0  0x00007ffffa1c59c0 in ?? ()
#1  0x00007ffff67e8699 in WebCore::RenderBlock::insertFloatingObject at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:3073
#2  0x00007ffff68029ae in WebCore::RenderBlock::layoutInlineChildren at third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:870

   0x00007ffff67e8693 <+195>:	callq  *0x140(%rax)
 
Attachment: insertfloating.html (819 bytes)
Comment 1 by miau...@gmail.com, Feb 19 2011
valgrind log

==1379==  Address 0x3647b4ab is 91 bytes inside a block of size 96 free'd
==1379==    at 0x4C29146: free (vg_replace_malloc.c:913)
==1379==    by 0x1CE8A0F: WebCore::RenderObject::~RenderObject() (RefCounted.h:136)

==1379== Process terminating with default action of signal 4 (SIGILL)
==1379==  Illegal opcode at address 0x35A98344
==1379==    at 0x35A98344: ???
==1379==    by 0xF772777: ???
==1379==    by 0x1C70698: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (RenderBlock.cpp:3073)

Attachment: valgrind_73526.txt (12.6 KB)
Mergedinto: 71855
Status: Duplicate
Does not crash on both windows trunk (webkit 78997) and linux trunk (webkit 78540). Seeing the repro, this is pretty obvious dup of http://trac.webkit.org/changeset/77565
Comment 3 by miau...@gmail.com, Feb 19 2011
I thought it looked familiar :D

But this is reproducible for me on trunk (webkit 79006), and the repros from the other bug do nothing.

This crash has something to do with the -webkit-columns CSS directive being present in the repro.

I'll attach some more repros.  The b?.html segfault at RIP and the numbered ones nullptr at 140.


Attachments: b3.html (4.0 KB), 2.html (741 bytes), b2.html (4.0 KB), b1.html (4.0 KB), 3.html (728 bytes), 1.html (722 bytes), 4.html (733 bytes)
Mergedinto: -71855
Status: Available
Ok, I will recheck again with your new repros. Reopening bug.
Comment 5 by miau...@gmail.com, Feb 20 2011
here's a smaller one for nullptr 0x140.. the instruction is callq %rax+0x140

can repro on ubuntu chromium daily version on maverick 64bit:
Chromium	11.0.678.0 (Developer Build 75511) Ubuntu 10.10
WebKit	534.21 (trunk@79111)
Attachment: null140.html (335 bytes)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-9
Summary: Floats not cleared to logical height wraps. (was: NULL)
miaubiz, you are awesome!! this new repro works. and this is not a dup.

the logical height is wrapping up at 
setLogicalHeight(logicalHeight() + logicalHeightForChild(child)); in RenderBlock.cpp

and hence we are not able to clear the linebox in markLinesDirtyInBlockRange. note that logical height wrap leads to negative block logical height leading to linebox not cleared -> stale linebox -> use after free. my last two fixes in this area 

these signed ints are really bad, they are all over the place in webkit. and at least negative logical height has a meaning, I am still checking if we can fix this more generically using block logical height for which negative value is probably invalid.

taking a look.
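The mechanism described in the comment above (a signed int height accumulator wrapping past INT_MAX, the resulting negative block height making the "mark lines dirty" range empty, and line boxes therefore going stale) can be shown in a few lines. The block below is an added illustration, not WebKit code: `accumulateWrapping`, `checkedAdd`, `accumulateSaturating` and `countLinesMarkedDirty` are hypothetical stand-ins for the layout code, the child heights and line-box tops are constructed, and the wrap is emulated with unsigned arithmetic so that the demonstration itself stays well-defined (signed overflow is undefined behaviour in C++).

```cpp
#include <climits>
#include <vector>

// Added illustration, not WebKit code. A hypothetical block accumulates its
// children's logical heights the way the comment describes:
//   setLogicalHeight(logicalHeight() + logicalHeightForChild(child))
// The plain int sum wraps past INT_MAX; the wrap is emulated via unsigned
// arithmetic here because signed overflow is undefined behaviour in C++.
int accumulateWrapping(const std::vector<int>& childHeights) {
    int logicalHeight = 0;
    for (int h : childHeights) {
        unsigned sum = static_cast<unsigned>(logicalHeight) + static_cast<unsigned>(h);
        logicalHeight = static_cast<int>(sum);  // becomes negative once the total exceeds INT_MAX
    }
    return logicalHeight;
}

// Overflow-checked addition: reports failure instead of wrapping.
bool checkedAdd(int a, int b, int& out) {
    long long sum = static_cast<long long>(a) + static_cast<long long>(b);
    if (sum > INT_MAX || sum < INT_MIN)
        return false;
    out = static_cast<int>(sum);
    return true;
}

// Defensive variant: clamp at INT_MAX so the accumulated height can never go negative.
int accumulateSaturating(const std::vector<int>& childHeights) {
    int logicalHeight = 0;
    for (int h : childHeights) {
        int sum;
        if (!checkedAdd(logicalHeight, h, sum))
            sum = INT_MAX;
        logicalHeight = sum;
    }
    return logicalHeight;
}

// Hypothetical stand-in for "mark every line box whose top lies inside the block's
// height as dirty": returns how many line boxes the range [0, blockHeight) covers.
// A negative blockHeight gives an empty range, so nothing is marked, which is the
// stale line box condition the comment describes.
int countLinesMarkedDirty(const std::vector<int>& lineTops, int blockHeight) {
    int marked = 0;
    for (int top : lineTops)
        if (top >= 0 && top < blockHeight)
            ++marked;
    return marked;
}

int main() {
    // Constructed input: the second child pushes the running total past INT_MAX.
    std::vector<int> children = {INT_MAX - 10, 20};
    std::vector<int> lineTops = {0, 100, 200};  // constructed line-box tops
    int wrapped = accumulateWrapping(children);    // negative: INT_MIN + 9
    int clamped = accumulateSaturating(children);  // INT_MAX
    bool ok = countLinesMarkedDirty(lineTops, wrapped) == 0   // no line marked dirty
           && countLinesMarkedDirty(lineTops, clamped) == 3;  // every line marked dirty
    return ok ? 0 : 1;
}
```

With the wrapping accumulator the block height ends up at INT_MIN + 9, and the dirty-marking pass touches zero line boxes; with the saturating accumulator the height is pinned at INT_MAX and all three line boxes are marked. Saturation is only one option: a checked add that fails layout, or a wider or unsigned height type, closes the same gap, and the comment's own suggestion of treating a negative block height as invalid is a second, more generic guard.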
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel
Status: WillMerge
Fixed in http://trac.webkit.org/changeset/79462
Comment 9 by miau...@gmail.com, Feb 23 2011
@inferno <3 thank you.

I can get RIP to go to bad places with the attached repros with r79479.  I'm using webkit master git branch, because gclient branch with lkgr isn't up to date yet.

not sure if it's more of the same bug or should be filed as a different one

Chromium	11.0.682.0 (Developer Build f504cfe)
WebKit	534.22 (git@58b0446) == r79479

==12302==  Address 0xf7d44ab is 91 bytes inside a block of size 96 free'd
==12302==    at 0x4C29146: free (vg_replace_malloc.c:913)
==12302==    by 0x1E3ECFF: WebCore::RenderObject::~RenderObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DF9156: WebCore::RenderEmbeddedObject::~RenderEmbeddedObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1E3971A: WebCore::RenderObject::arenaDelete(WebCore::RenderArena*, void*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302== 
==12302== Jump to the invalid address stated on the next line
==12302==    at 0x0: ???
==12302==    by 0x1DC5968: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DE008D: WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) (in /home/clooney/chromium/src/out/Release/chrome)


@miaubiz: can you please file a new bug with these repros.
Comment 11 Deleted
@Miaubiz: thank you very much for your continued patience and testing on trunk build. Please try to include all new repros concerning this case of overflow in the new bug. (don't worry if those repros are big, we want to make sure we have them all before I try another fix to cover rest of scenarios).
Comment 13 by miau...@gmail.com, Feb 24 2011
@inferno:  bug 73962 
Labels: -Mstone-9 Mstone-10
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: thanks for all your high-quality help as usual :)
We'll reward you $1000 for this bug and consider the other bug for additional reward once we've fixed it and verified all the different repros.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -Mstone-10 Mstone-11
Status: FixUnreleased
Probably no more M10 patches. Going to let this fix roll into M11. I love having regular release trains :D
Labels: Type-Security
Labels: CVE-2011-1437
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 24 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 25 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -SecSeverity-High -Mstone-11 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-11
Project Member Comment 26 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 27 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 28 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 30 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 31 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic