Issue metadata

Status: Fixed
Owner:
Closed: Aug 2011
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 92959: Stale node in StyleSheetCandidateListHashSet

Reported by ax3...@gmail.com, Aug 15 2011

Issue description

VULNERABILITY DETAILS
Tab is crashing when modifying SVG file.

I had two different crash places with this test case; probably they are due to one bug. The first crash place is shown in attachment dbg-1.tar.gz and is related to 15.0.849.0 dev-m (unfortunately, I don't have a minimized test case - I have only a huge one). The second crash looks more dangerous; the test case for it is attached here, with debug info dbg-2.tar.gz, reproduced on 14.0.835.35 beta-m.

One note about the test case: if the font size in the test case is changed, the value of the eax register changes too.

VERSION
Windows XP SP3: 15.0.849.0 dev-m, 14.0.835.35 beta-m

REPRODUCTION CASE
See attachment.
Attachments: test-case-2.tar.gz (1.0 KB), dbg-1.tar.gz (13.4 KB), dbg-2.tar.gz (14.7 KB)

Comment 1 by ax3...@gmail.com, Aug 15 2011

Attaching test-case-1. Sorry for such a fat SVG file; I'm in a hurry and won't be near my workstation soon. This test case is related to dbg-1.tar.gz.

Attachment: test-case-1.tar.gz (3.6 KB)

Comment 2 by infe...@chromium.org, Aug 16 2011

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit reward-topanel Mstone-13 SecSeverity-High OS-All
Status: Available
Summary: Stale node in StyleSheetCandidateListHashSet
Thank you for the nice bug.

In the future, can you please attach the testcase and stack trace directly to the bug without zipping them? In fact, smaller testcases and stacks you can paste directly in the comments.

test-case-2 reproduces perfectly, but it is not fully reproduced. Also, I don't think you need 2 files. If you can fully reduce the testcase and have a clear repro, you will qualify for the higher reward. Want to give it a shot?

Comment 4 by ax3...@gmail.com, Aug 17 2011

Ok, will do so.

I will try to reduce the testcase, although I can't promise to do that fast; unfortunately, my internet access is currently quite limited. I hope to provide a reduced testcase in a couple of days.

Also, what do you mean by "not fully reproduced": does it not always work, or is the file just too bloated? On dev and beta under Windows it always worked for me.

And do you need smaller repro for test-case-1?

Comment 5 by infe...@chromium.org, Aug 17 2011

They are the same bug, aren't they? So we need a reduction for only one. For now, I reduced it; this will serve as an example for your future reports. By reduced, we mean a smaller and cleaner testcase:

<!DOCTYPE html>
<html>
<script>
function runTest() {
    svgdoc = document.getElementById('root').contentDocument;
    var style = document.createElement('style');
    var test1 = svgdoc.getElementById('test1');
    test1.appendChild(style);
    svgdoc.getElementById('test2').setAttribute('xlink:href', 0);
    svgdoc.getElementById('test').setAttribute('stroke', 0);

}
</script>
<object data="animate-elem-77-t.svg" id="root" onload="runTest();" type="image/svg+xml"></object>
</html>

----animate-elem-77-t.svg----
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="test">
<text id="test1">PASS</text>
</g>
<use id="test2" xlink:href="#test"/>
<use xlink:href="#test"/>
<set attributeName="font-style" to="italic"/>
</svg>

Comment 6 by infe...@chromium.org, Aug 17 2011

Owner: infe...@chromium.org
Status: Assigned

Comment 7 by infe...@chromium.org, Aug 17 2011

Labels: Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/93227

Comment 8 by ax3...@gmail.com, Aug 17 2011

Great, thanks a lot, inferno!

Comment 9 by infe...@chromium.org, Aug 17 2011

Ax330d, the pleasure is all ours, keep your fuzzers rocking!!

Comment 10 by scarybea...@gmail.com, Aug 20 2011

Labels: -Restrict-View-SecurityTeam -reward-topanel -Mstone-13 Restrict-View-SecurityNotify reward-1000 Mstone-14 reward-unpaid
@Ax330d: thanks for this report, and it's my pleasure to offer you a $1000 Chromium Security Reward -- congrats!

It's always good to see new researchers, so I hope you have more research planned ;-)

We reward at the higher $1000 level for good quality reports. To be sure of getting the higher reward amount in the future, please make sure to strip any unneeded constructs out of the repro files, and keep them as small and tidy as possible.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----

Comment 11 by ax3...@gmail.com, Aug 20 2011

Nice, pleasure to work with you :)

Comment 12 by scarybea...@gmail.com, Aug 22 2011

Labels: -Merge-Approved Merge-Merged
Merged to M14: http://trac.webkit.org/changeset/93497

Comment 13 by scarybea...@gmail.com, Aug 22 2011

@Ax330d: with what name would you like to be credited?

Comment 14 by ax3...@gmail.com, Aug 22 2011

@scarybeasts, you can use my real name - Arthur Gerkis.

Comment 15 by scarybea...@gmail.com, Sep 9 2011

Labels: CVE-2011-2855

Comment 16 by scarybea...@gmail.com, Sep 30 2011

Labels: -reward-unpaid
Payment is in system.

Comment 17 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 18 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 19 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -Mstone-14 -SecSeverity-High -SecImpacts-Stable Cr-Content Type-Bug-Security Security-Severity-High Security-Impact-Stable M-14

Comment 21 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 22 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 23 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 26 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 27 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 30 by awhalley@chromium.org, Apr 26 2018

Labels: CVE_description-submitted
