Status: Fixed
Closed: Sep 2011
OS: All
Pri: 1
Type: Bug-Security

Use-after-free when font is missing
Reported by miau...@gmail.com, Sep 26 2011
VULNERABILITY DETAILS
continued

VERSION
Chrome Version: 
Chromium	16.0.893.0 (Developer Build 102749)
OS	Linux
WebKit	535.5 (trunk@95959)

Operating System: 64bit linux

REPRODUCTION CASE
attached

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer
Crash State: 

==25708== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffe39b3890 at pc 0x7ffff378700a bp 0x7fffffff5490 sp 0x7fffffff5460
READ of size 4 at 0x7fffe39b3890 thread T0
    #0 0x7ffff378700a in WebCore::RenderInline::baselinePosition(WebCore::FontBaseline, bool, WebCore::LineDirectionMode, WebCore::LinePositionMode) const ???:0
    #1 0x7ffff3913c16 in WebCore::RootInlineBox::ascentAndDescentForBox(WebCore::InlineBox*, WTF::HashMap<WebCore::InlineTextBox const*, std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<WebCore::SimpleFontData const*, 0ul>, WebCore::GlyphOverflow> > >&, int&, int&, bool&, bool&) const ???:0

0x7fffe39b3890 is located 16 bytes inside of 1208-byte region [0x7fffe39b3880,0x7fffe39b3d38)
freed by thread T0 here:
    #0 0x7ffff5e2749a in free _asan_rtl_
    #1 0x7ffff359f4ed in WebCore::CSSFontFaceSource::pruneTable() ???:0
    #2 0x7ffff359f731 in WebCore::CSSFontFaceSource::fontLoaded(WebCore::CachedFont*) ???:0

Attachments: stil26.txt (12.9 KB), still26.html (282 bytes)
Comment 1 by miau...@gmail.com, Sep 26 2011
jump to 0

==25941== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc (nil) sp 0x7fffffff9ab8 bp 0x7fffffff9f50 ax 0x7fffe07f0930 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7ffff5e27ae8 in ASAN_OnSIGSEGV _asan_rtl_
    #1 0x7fffeab2bc60 in __restore_rt ??:0
    #2 0x7ffff362810e in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
    #3 0x7ffff386c1b2 in WebCore::RenderTable::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) ???:0
    #4 0x7ffff383eb4e in WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) ???:0

Attachments: jump-to-0.txt (2.5 KB), vg-jump-to-0.txt (3.6 KB), jump-to-0.html (303 bytes)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-14 Stability-AddressSanitizer
Status: Available
If you see the stack, you will realize we need to fix this in Mitz' patch (http://trac.webkit.org/changeset/94508). The crash stack hasn't changed after my fix (http://trac.webkit.org/changeset/95959) because the underlying r94508 wasn't able to delay the font retirement.
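The ASan stack above shows RenderInline::baselinePosition() reading font data that CSSFontFaceSource::pruneTable() had already freed from inside fontLoaded(). The following is an added illustration of that ownership pattern and of a shared-ownership defence; it is not WebKit code and does not describe the upstream fix discussed in this comment. The class names only mirror the stack, and the metrics and the "count live holders on prune" policy are constructed for the example.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <utility>

// Stand-in for WebCore::SimpleFontData: the per-size metrics that
// RenderInline::baselinePosition() reads in the ASan stack above.
struct SimpleFontData { int ascent; int descent; };

// Stand-in for CSSFontFaceSource. Entries are shared, not owned solely by
// the table, so a reader that outlives pruneTable() keeps its data alive
// instead of being left with a dangling pointer.
class FontFaceSource {
public:
    std::shared_ptr<const SimpleFontData> fontDataForSize(int px) {
        auto it = table_.find(px);
        if (it == table_.end()) {  // constructed metrics: 4/5 of size above baseline
            auto data = std::make_shared<SimpleFontData>(SimpleFontData{px * 4 / 5, px / 5});
            it = table_.emplace(px, std::move(data)).first;
        }
        return it->second;
    }
    // Models the prune done when the real web font finishes loading
    // (fontLoaded() in the stack): interim entries leave the table, but any
    // still held by a render object survive through that holder's reference.
    // Returns how many such live holders there were; with raw pointers each
    // would now be a dangling read of the kind ASan reported.
    int pruneTable() {
        int stillReferenced = 0;
        for (const auto& entry : table_)
            if (entry.second.use_count() > 1) ++stillReferenced;
        table_.clear();
        return stillReferenced;
    }
    std::size_t tableSize() const { return table_.size(); }
private:
    std::map<int, std::shared_ptr<const SimpleFontData>> table_;
};

// Stand-in for the RenderInline reader from the crash stack. A strong
// reference means baselinePosition() never reads memory pruneTable() freed.
class RenderInline {
public:
    explicit RenderInline(std::shared_ptr<const SimpleFontData> font)
        : font_(std::move(font)) {}
    int baselinePosition() const { return font_->ascent; }
private:
    std::shared_ptr<const SimpleFontData> font_;
};
```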
Labels: reward-topanel
Summary: Use-after-free when font is missing (was: NULL)
Upstreamed - https://bugs.webkit.org/show_bug.cgi?id=68929
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
This is again a specific fix and not a generic one.
http://trac.webkit.org/changeset/96294
Comment 5 by miau...@gmail.com, Sep 29 2011
Here's the repro that is still crashing.
Attachment: crashing-sep29.html (609 bytes)
Comment 6 by miau...@gmail.com, Sep 29 2011
ASan log for that.
Attachment: asan.txt (12.3 KB)
Labels: -Merge-Approved Merge-Merged merge-merged-874
Merged to m15 in r96369.
Labels: -Mstone-14 Mstone-15
Labels: SecImpacts-Stable
Batch update.
Labels: -reward-topanel reward-1000 reward-unpaid
Thanks for all these stale style bugs, miaubiz. We think we've got a good defense now to making these stale style bugs unexploitable, but we'll pay $1000 per well-reported bug up until that point. $1000 for this one. Forgive the brevity on upcoming rewards :)

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-3885
Labels: -reward-unpaid
Payment in system, can take up to a couple of weeks.
Comment 13 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 14 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 15 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable Cr-Content Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 16 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 21 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 22 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 24 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic