Issue metadata

Status: Fixed
Owner:
Closed: Mar 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


RIP goes to zero with select tag, and form validation message with position:relative

Reported by miau...@gmail.com, Mar 21 2011

Issue description


VULNERABILITY DETAILS
rip == 0, or null pointer deref at 0x88

VERSION
Chrome Version:
Chromium 12.0.710.0 (Developer Build 78857) Ubuntu 10.10
WebKit 534.26 (trunk@81520)

Operating System:
Ubuntu 10.10:
Linux 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64

REPRODUCTION CASE
attached

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6676994 in remove (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2  WebCore::RenderObject::destroy (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187

Attachment: 27.html (515 bytes)

Comment 1 by miau...@gmail.com, Mar 21 2011

tools bisect says:
http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/trunk/src&range=77979:77982

which is: Roll WebKit DEPS 80725:80974

Comment 2 by miau...@gmail.com, Mar 21 2011

valgrind log.

it says null pointer at 0x88.  don't know if it's a timing issue.  
Attachment: valgrind_76966.txt (10.1 KB)

Comment 3 Deleted

looks like a dup of http://trac.webkit.org/changeset/81613 and http://code.google.com/p/chromium/issues/detail?id=76528. will check when webkit rolls 
Still sad tab in my Linux 64-bit trunk build, after the roll.
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-11
Status: Available (was: NULL)
Owner: a deleted user
Status: Assigned (was: NULL)
Summary: Regression(80773): RIP goes to zero with webkit-keyframes and select tag (was: NULL)
Kent, this is caused by the one liner change in http://trac.webkit.org/changeset/80773. Can you please take a look.

    // Needs to update layout now because we'd like to call isFocusable(), which
    // has !renderer()->needsLayout() assertion.
    document()->updateLayoutIgnorePendingStylesheets();

Comment 8 by tkent@chromium.org, Mar 23 2011

I haven't found the root cause yet, but my findings at this moment are:

* I confirmed this was a use-after-free bug.

* RenderMenuList::m_innerBlock keeps a pointer to an anonymous block while m_innerBlock->addChild() can remove m_innerBlock.
   - See RenderMenuList::addChild(), and
   - removeLeftoverAnonymousBlock(this) at the bottom of RenderBlock::addChildIgnoringAnonymousColumnBlocks()

* Probably, http://trac.webkit.org/changeset/80773 doesn't have a code problem and it just exposed the bug.

Thanks a lot Kent. Happy to leave it in your able hands.

Comment 10 by tkent@chromium.org, Mar 23 2011

Cc: jam...@chromium.org dglazkov...@gtempaccount.com
Summary: Regression(80773): RIP goes to zero with webkit-keyframes, select tag, and form validation (was: NULL)
The crash doesn't happen if I replace document.getElementById('submit').click() with document.getElementsByTagName('select')[0].offsetLeft, which calls updateLayoutIgnorePendingStylesheets().

So, I think WebCore/html/ValidationMessage broke an assumption of RenderMenuList.  I should handle this bug :-P


Comment 11 by tkent@chromium.org, Mar 23 2011

Status: Started (was: NULL)
Summary: RIP goes to zero with select tag, and form validation message with position:relative (was: NULL)
I found -webkit-animation was unrelated, and found a workaround.

The root cause is "div { position:relative; }".  It changes the style of a validation message div, and this style causes an optimization of anonymous blocks.

tracking webkit bug - https://bugs.webkit.org/show_bug.cgi?id=56901
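An added example (not WebKit or Chromium code) that models the mechanism described in comments 8 and 11: an owner caches a raw pointer to an anonymous wrapper block, and adding a positioned child triggers the anonymous-block cleanup that frees that wrapper, so the cached pointer dangles. Block, MenuList, the live-object registry and cachedPointerDangles() are hypothetical stand-ins; the hardened branch shows one defensive fix, not necessarily the one in changeset 81851.

```cpp
#include <memory>
#include <set>
#include <utility>
#include <vector>
struct Block {
    // Registry of live blocks so the example can detect a stale pointer without dereferencing it.
    static std::set<const Block*>& live() { static std::set<const Block*> s; return s; }
    bool anonymous;                         // layout-created wrapper, like RenderMenuList's inner block
    std::vector<std::unique_ptr<Block>> children;
    explicit Block(bool anon) : anonymous(anon) { live().insert(this); }
    ~Block() { live().erase(this); }
};
static bool isLive(const Block* b) { return Block::live().count(b) != 0; }
class MenuList {                            // hypothetical stand-in for RenderMenuList
public:
    explicit MenuList(bool hardened) : m_hardened(hardened) {
        auto inner = std::make_unique<Block>(true);
        m_innerBlock = inner.get();         // cached raw pointer, as m_innerBlock in comment 8
        m_children.push_back(std::move(inner));
    }
    // A positioned child (cf. "position:relative" on the validation-message div) triggers the
    // anonymous-block cleanup, which frees the very wrapper the cached pointer refers to.
    void addChild(std::unique_ptr<Block> child, bool positioned) {
        m_innerBlock->children.push_back(std::move(child));
        if (positioned && removeLeftoverAnonymousBlock() && m_hardened)
            m_innerBlock = nullptr;         // fix: forget the freed wrapper; the buggy path keeps it
    }
    const Block* innerBlock() const { return m_innerBlock; }
private:
    // Models removeLeftoverAnonymousBlock(): hoist the wrapper's sole child, destroy the wrapper.
    bool removeLeftoverAnonymousBlock() {
        for (auto& slot : m_children) {
            if (!slot->anonymous || slot->children.size() != 1) continue;
            std::unique_ptr<Block> hoisted = std::move(slot->children.front());
            slot = std::move(hoisted);      // unique_ptr assignment frees the old wrapper
            return true;
        }
        return false;
    }
    std::vector<std::unique_ptr<Block>> m_children;
    Block* m_innerBlock;
    bool m_hardened;
};
// True when, after adding a positioned child, the cached pointer still names the freed wrapper.
static bool cachedPointerDangles(bool hardened) {
    MenuList list(hardened);
    const Block* before = list.innerBlock();
    list.addChild(std::make_unique<Block>(false), true);   // constructed input: a positioned child
    return list.innerBlock() == before && !isLive(before);
}
```

With hardened=false the owner is left holding a pointer to freed memory, which is the state valgrind reported; with hardened=true the pointer is cleared before anything can use it.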

Comment 13 by tkent@chromium.org, Mar 24 2011

Status: Fixed (was: NULL)
Fixed in WebKit: http://trac.webkit.org/changeset/81851
Need to merge it to M10 and M11 branches.

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge (was: NULL)
Thanks a lot Kent. We will handle the merges.
Labels: reward-topanel
Status: FixUnreleased (was: NULL)
There are no more M10 patches.
Merged to M11: http://trac.webkit.org/changeset/81888
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: great bug and thanks for the usual valgrind and even bisect awesomeness.
$1000.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-1447
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed (was: NULL)

Comment 22 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 23 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-11 -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-High M-11 Type-Bug-Security

Comment 24 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 26 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 27 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted