
Issue metadata

Status: Fixed
Closed: Mar 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


RIP goes to zero with select tag, and form validation message with position:relative

Reported by, Mar 21 2011

Issue description

rip == 0, or null pointer deref at 0x88

Chrome Version: 
Chromium	12.0.710.0 (Developer Build 78857) Ubuntu 10.10
WebKit	534.26 (trunk@81520)

Operating System: 
Ubuntu 10.10:
Linux 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64


Type of crash: tab
Crash State: 
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6676994 in remove (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2  WebCore::RenderObject::destroy (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187


Comment 1 by, Mar 21 2011

tools bisect says:

which is: Roll WebKit DEPS 80725:80974

Comment 2 Deleted

Comment 3 by, Mar 21 2011

valgrind log.

It says null pointer at 0x88. Don't know if it's a timing issue.
Looks like a dup of and will check when WebKit rolls.
Still sad tab in my Linux 64-bit trunk build, after the roll.
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-11
Status: Available
Owner: a deleted user
Status: Assigned
Summary: Regression(80773): RIP goes to zero with webkit-keyframes and select tag
Kent, this is caused by the one-liner change in Can you please take a look.

    // Needs to update layout now because we'd like to call isFocusable(), which
    // has !renderer()->needsLayout() assertion.

Comment 8 by, Mar 23 2011

I haven't found the root cause yet, but my findings at this moment are:

* I confirmed this was a use-after-free bug.

* RenderMenuList::m_innerBlock keeps a pointer to an anonymous block while m_innerBlock->addChild() can remove m_innerBlock.
   - See RenderMenuList::addChild(), and
   - removeLeftoverAnonymousBlock(this) at the bottom of RenderBlock::addChildIgnoringAnonymousColumnBlocks()

* Probably, doesn't have a code problem and it just exposed the bug.
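
As an added illustration of the pattern described above (a toy model written for this page, not WebKit's code or its eventual fix): an owner caches a raw pointer to an anonymous child block, a call on that block can fold it into the parent and delete it, and the owner then touches the stale pointer. Block, MenuList, dissolveAnonymous and g_live are constructed names; the hardened variant re-derives the pointer from the tree instead of trusting the cache, and liveness is tracked in a registry so the stale access is reported rather than actually dereferenced.

```cpp
#include <memory>
#include <set>
#include <vector>
// Registry of live blocks, so a stale pointer is reported rather than dereferenced.
static std::set<const void*> g_live;
struct Block {
    Block* parent = nullptr;
    bool anonymous = false;
    std::vector<std::unique_ptr<Block>> children;
    Block() { g_live.insert(this); }
    virtual ~Block() { g_live.erase(this); }
    // Appends a child. An anonymous block that receives a child is folded into
    // its parent (modelling removeLeftoverAnonymousBlock), which deletes it.
    void addChild(std::unique_ptr<Block> child) {
        child->parent = this;
        children.push_back(std::move(child));
        if (anonymous && parent) parent->dissolveAnonymous(this);  // may delete this
    }
    void dissolveAnonymous(Block* anon) {
        for (auto& c : anon->children) { c->parent = this; children.push_back(std::move(c)); }
        for (auto it = children.begin(); it != children.end(); ++it)
            if (it->get() == anon) { children.erase(it); break; }  // frees anon
    }
};
struct MenuList : Block {
    Block* innerBlock = nullptr;  // cached raw pointer, like RenderMenuList::m_innerBlock
    MenuList() { innerBlock = makeInnerBlock(); }
    Block* makeInnerBlock() {
        auto anon = std::make_unique<Block>();
        anon->anonymous = true;
        Block* raw = anon.get();
        addChild(std::move(anon));
        return raw;
    }
    // Vulnerable shape: touches innerBlock after the call that may have deleted it.
    // Returns true when that access would have hit freed memory.
    bool addChildUnsafe(std::unique_ptr<Block> child) {
        innerBlock->addChild(std::move(child));
        return g_live.count(innerBlock) == 0;
    }
    // Hardened shape: do not trust the cached pointer across the call; re-derive
    // it from the tree afterwards and recreate the block when it is gone.
    bool addChildSafe(std::unique_ptr<Block> child) {
        if (!innerBlock) innerBlock = makeInnerBlock();
        innerBlock->addChild(std::move(child));
        innerBlock = nullptr;
        for (auto& c : children) if (c->anonymous) innerBlock = c.get();
        return innerBlock && g_live.count(innerBlock) == 0;
    }
};
```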

Thanks a lot Kent. Happy to leave it in your able hands.

Comment 10 by, Mar 23 2011

Summary: Regression(80773): RIP goes to zero with webkit-keyframes, select tag, and form validation
The crash doesn't happen if I replace document.getElementById('submit').click() with document.getElementsByTagName('select')[0].offsetLeft, which calls updateLayoutIgnorePendingStylesheets().

So, I think WebCore/html/ValidationMessage broke an assumption of RenderMenuList.  I should handle this bug :-P

Comment 11 by, Mar 23 2011

Status: Started
Summary: RIP goes to zero with select tag, and form validation message with position:relative
I found -webkit-animation was unrelated, and found a workaround.

The root cause is "div { position:relative; }". It changes the style of a validation message div, and this style causes an optimization of anonymous blocks.

tracking webkit bug -

Comment 13 by, Mar 24 2011

Status: Fixed
Fixed in WebKit:
Need to merge it to M10 and M11 branches.

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
Thanks a lot Kent. We will handle the merges.
Labels: reward-topanel
Status: FixUnreleased
There are no more M10 patches.
Merged to M11:
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: great bug and thanks for the usual valgrind and even bisect awesomeness.

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: CVE-2011-1447
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member

Comment 22 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 23 by, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-11 -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-High M-11 Type-Bug-Security
Project Member

Comment 24 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 25 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 26 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 27 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 28 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 29 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
