
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security


OOB read in FEDisplacementMap::apply

Reported by woo...@gmail.com, Mar 18 2011

Issue description

18 seems exploitable; 19 and 20 seem to only crash.
eax=007e7b40 ebx=007e7c80 ecx=007e7c80 edx=00000806 esi=001fecdc edi=007e7c80
eip=00000003 esp=001fec9c ebp=001fecb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000003 ??              ???
1:014> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
001fec98 652cd0ae 0x3
001fecb0 65522c61 chrome_64da0000!WebCore::Node::isDefaultNamespace+0x29 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\dom\node.cpp @ 1734]
001fecd0 65abec10 chrome_64da0000!WebCore::NodeInternal::isDefaultNamespaceCallback+0x70 [d:\b\build\slave\chrome-official\build\src\build\release\obj\global_intermediate\webcore\bindings\v8node.cpp @ 272]
001fed34 65abef1f chrome_64da0000!v8::internal::HandleApiCallHelper<0>+0x140 [d:\b\build\slave\chrome-official\build\src\v8\src\builtins.cc @ 1037]
001fede0 65a977c2 chrome_64da0000!v8::internal::Builtin_HandleApiCall+0xf [d:\b\build\slave\chrome-official\build\src\v8\src\builtins.cc @ 1054]
001fee24 65a97896 chrome_64da0000!v8::internal::Invoke+0xc2 [d:\b\build\slave\chrome-official\build\src\v8\src\execution.cc @ 96]
001fee48 65a48318 chrome_64da0000!v8::internal::Execution::Call+0x26 [d:\b\build\slave\chrome-official\build\src\v8\src\execution.cc @ 121]
001fee90 6539a52d chrome_64da0000!v8::Function::Call+0xc8 [d:\b\build\slave\chrome-official\build\src\v8\src\api.cc @ 2880]
001feed8 65431874 chrome_64da0000!WebCore::V8Proxy::callFunction+0x149 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 482]
001fef08 6545bbe1 chrome_64da0000!WebCore::V8EventListener::callListenerFunction+0x55 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\bindings\v8\custom\v8customeventlistener.cpp @ 75]
001fef50 6545ba90 chrome_64da0000!WebCore::V8AbstractEventListener::invokeEventHandler+0xdf [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\bindings\v8\v8abstracteventlistener.cpp @ 151]
001fef80 6539ed34 chrome_64da0000!WebCore::V8AbstractEventListener::handleEvent+0x4f [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\bindings\v8\v8abstracteventlistener.cpp @ 95]
001fefb0 6539ec6e chrome_64da0000!WebCore::EventTarget::fireEventListeners+0xb6 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\dom\eventtarget.cpp @ 342]
001fefdc 652eb27e chrome_64da0000!WebCore::EventTarget::fireEventListeners+0x47 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\dom\eventtarget.cpp @ 313]
001ff004 652eb310 chrome_64da0000!WebCore::DOMWindow::dispatchEvent+0x99 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\page\domwindow.cpp @ 1551]
001ff018 652eb0e2 chrome_64da0000!WebCore::DOMWindow::dispatchTimedEvent+0x31 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\page\domwindow.cpp @ 1562]
001ff09c 652d3b77 chrome_64da0000!WebCore::DOMWindow::dispatchLoadEvent+0x85 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\page\domwindow.cpp @ 1516]
001ff0c0 652b1e46 chrome_64da0000!WebCore::Document::implicitClose+0xf4 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\dom\document.cpp @ 2110]
001ff0c8 652b1d4b chrome_64da0000!WebCore::FrameLoader::checkCallImplicitClose+0x4d [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 904]
001ff0e4 652b1c71 chrome_64da0000!WebCore::FrameLoader::checkCompleted+0x82 [d:\b\build\slave\chrome-official\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 853]

 
Attachment: chrome.rar (4.4 KB)

Comment 1 by jsc...@chromium.org, Mar 18 2011

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High Mstone-9 OS-All
Owner: jsc...@chromium.org
Status: Assigned
Repro 18 is another case where the XML error doc is blowing things away underneath us. Here's a further hand reduction:

<svg:style xmlns:svg="http://www.w3.org/2000/svg" xmlns:xht="http://www.w3.org/1999/xhtml">
  <svg:script type="text/javascript">
    window.onload = function() { document.getElementById('1').isDefaultNamespace('A'); }
  </svg:script>
  <xht:frame onload="document.getElementsByTagName('html')[0].lastChild.textContent='A'"/>
  <xht:frame id="1"/>
  <html>


I'm already very familiar with these, so I don't mind grabbing it. I'll take a look at the other two and diagnose them when I get in.

Comment 2 by jsc...@chromium.org, Mar 19 2011

Repro 18 is actually another duplicate of bug 75801. It turns out the XML parser error is firing mid-insertion, just like the duplicate in bug 76651. I just kicked off a build and I should have some time this weekend to look into 19 and 20.

Comment 3 by jsc...@chromium.org, Mar 21 2011

Labels: -Mstone-9 Mstone-10
Summary: Memory corruption in FEDisplacementMap::apply
Just had a closer look. Repro 19 is always going to index -1, so it's not a security issue. (Apparently @inferno hits it regularly in his fuzzing and has been meaning to fix it since it's a trivial patch.)

Repro 20 crashes on an OOB read in feDisplacementMap, but the displacement map instance has an impossible value in an enum member. So, there's obviously something worse leading to the eventual crash.

Since that's the only unique security bug in this collection of repros I'll track it here.

Attachment: test0.xhtml (484 bytes)

Comment 4 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 5 by jsc...@chromium.org, Mar 21 2011

Labels: -Pri-1 -SecSeverity-High Pri-2 SecSeverity-Medium
Turns out this is a pretty straightforward OOB read. I can't find any way to use it as an information leak, but marking as medium-severity to be safe. I've got it worked out and the fix is pretty easy, so I'll upstream it and submit a patch for review shortly.
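Comments 3 and 5 describe the bug class without showing code: a displacement-map filter whose channel-selector enum holds an out-of-range value, so the derived channel index points outside the pixel buffer. The block below is an added illustration (not WebKit's code and not the upstream patch) of a simplified, hypothetical channel lookup with the unchecked form beside a hardened one; the enum values follow the SVG 1.1 feDisplacementMap channel selector definition, and the pixel buffer is constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Channel selector values as defined by SVG 1.1 for feDisplacementMap's
// xChannelSelector / yChannelSelector attributes.
enum ChannelSelectorType {
    CHANNEL_UNKNOWN = 0,
    CHANNEL_R = 1,
    CHANNEL_G = 2,
    CHANNEL_B = 3,
    CHANNEL_A = 4
};

// Hypothetical unchecked lookup: the selector is treated as 1-based and
// turned straight into a byte offset within an RGBA pixel. CHANNEL_UNKNOWN
// (or any value the enum was never meant to hold) yields an offset outside
// the 0..3 range, which is exactly the OOB read described in the report.
inline int channelOffsetUnchecked(ChannelSelectorType sel) {
    return static_cast<int>(sel) - 1;
}

// Hardened lookup: only the four real channels produce an offset; anything
// else is reported to the caller so the filter pass can be skipped.
inline bool channelOffsetChecked(ChannelSelectorType sel, int& offset) {
    if (sel < CHANNEL_R || sel > CHANNEL_A)
        return false;
    offset = static_cast<int>(sel) - 1;
    return true;
}

// Reads the selected channel of pixel (x, y) from an RGBA buffer of the given
// width (constructed sample data in the test), returning -1 for an invalid
// selector or a pixel coordinate that falls outside the buffer.
int sampleChannel(const std::vector<uint8_t>& rgba, int width, int x, int y,
                  ChannelSelectorType sel) {
    int offset = 0;
    if (!channelOffsetChecked(sel, offset))
        return -1;
    const size_t index =
        (static_cast<size_t>(y) * static_cast<size_t>(width) + x) * 4 + offset;
    if (index >= rgba.size())
        return -1;
    return rgba[index];
}
```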

Comment 6 by jsc...@chromium.org, Mar 22 2011

Upstream bug: https://bugs.webkit.org/show_bug.cgi?id=56794
Patch up for review.

Comment 7 by jsc...@chromium.org, Mar 22 2011

Labels: -Mstone-10 Mstone-11
Moving m10 bugs to m11.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
http://trac.webkit.org/changeset/81689

Comment 9 by jsc...@chromium.org, Mar 22 2011

Summary: OOB read in FEDisplacementMap::apply
Status: FixUnreleased
Affected M10.
Merged to M11: Committed revision 81728.
Cc: jsc...@chromium.org
Issue 77469 has been merged into this issue.
Labels: CVE-2011-1445
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed

Comment 16 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -SecSeverity-Medium -Type-Security -Mstone-11 -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-Medium Type-Bug-Security M-11

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 21 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Labels: reward-topanel

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted