Microsoft Internet Explorer: READ in CAnimatablePropertyListElement::GetCurrentValues
Reported by ClusterFuzz, Dec 10 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6643354500071424
Fuzzer: inferno_twister
Job Type: windows_ie
Platform Id: windows
Crash Type: READ
Crash Address: 0x000001120000
Crash State:
  CAnimatablePropertyListElement::GetCurrentValues
  CreateKeyframeFromBlock
  BuildAnimation
Minimized Testcase (0.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97viMU3QrSbY38dqWNKVzlD3PngbGZqyCYIn_tnV9rMshhHMiPhWaQLuzYw-mUn1xUYp_6uYXP3eXN6uqi6MwHwHjDVPyzibQl35E2cHXjFaoaT9W2IhzI73cIwrLtKWbKBQ-Y8TmW3SNPz0h9pnFO1BBTQ_w
Filer: mbarbella
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 10 2015
Dec 11 2015
Mar 8 2016
Microsoft has concluded that this is a non-exploitable crash, so marking as WontFix and removing view restrictions.
Since the ClusterFuzz report isn't publicly visible, posting some of the information from it here:
(ae4.994): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck:
770ea88b 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:01120000=????????
1:016:x86> cdb: Reading initial command sxd wos; sxd wob; !analyze -v; k; r; ub; q
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck+0
770ea88b 8b1482 mov edx,dword ptr [edx+eax*4]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00000000770ea88b (ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000001120000
Attempt to read from address 0000000001120000
FAULTING_THREAD: 00000994
PROCESS_NAME: iexplore.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000001120000
READ_ADDRESS: 0000000001120000
FOLLOWUP_IP:
ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck+0
770ea88b 8b1482 mov edx,dword ptr [edx+eax*4]
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
APP: iexplore.exe
ANALYSIS_VERSION: 10.0.10240.9 amd64fre
BUGCHECK_STR: INVALID_POINTER_READ_ZEROED_STACK_AVRF
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_AVRF
LAST_CONTROL_TRANSFER: from 000000006d807e97 to 00000000770ea88b
STACK_TEXT:
08eb7d90 6d807e97 08eb80e8 6d8f1350 00000000 ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck
08eb7dc8 6dbbc2e4 08eb80e8 08eb7e1c 08eb7e27 MSHTML!CAnimatablePropertyListElement::GetCurrentValues+0x47
08eb7e28 6d7f530a 08eb7eb0 00000001 0942cd80 MSHTML!CreateKeyframeFromBlock+0x3c5a82
08eb7edc 6d7f540c 08eb7f08 09438380 09428740 MSHTML!BuildAnimation+0x37a
08eb7fa8 6d7f41e9 08eb7fe8 08eb80e8 00000000 MSHTML!AnimationStartHandler+0xdb
08eb8038 6d7f3f7d 094086c0 08eb80e8 08eb8590 MSHTML!CAnimations::LoopAnimations+0x18e
08eb8184 6d557e1e 0942a1e0 08eb8590 0942a5a0 MSHTML!ProcessTransitionsAndAnimations+0xe3e
08eb8450 6db171e0 08eb8590 0942a5a0 0942a5a0 MSHTML!CElement::ComputeFormatsVirtual+0xa97
08eb84f0 6db1861d 08eb8590 0942a5a0 0942a5a0 MSHTML!CElement::ComputeFormats+0x3c0
08eb91c0 6d58a75d 0942a1e0 0942a5a0 08eb9918 MSHTML!CTreeNode::ComputeFormatsHelper+0xab
08eb91d0 6d6582ff 09430500 0942cd00 08eb9a28 MSHTML!CTreeNode::GetFancyFormatIndexHelper+0x11
08eb9918 6d544380 00000000 00000000 00013240 MSHTML!CFancyFormat::EnsureTopLevelFormatsAndNormalizeForPage+0x289
08eb9950 6d5442fd 09428900 08eb9ab8 00000000 MSHTML!Layout::PageCollection::LayoutPages+0x79
08eb9a08 6d54389c 08eb9a28 08eb9ab8 08eb9aa0 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x428
08eb9a90 6d7160fe 00000000 08eb9ab8 00000000 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xec
08eb9ad4 6d4f2e3d 00000000 00000001 09420638 MSHTML!CView::EnsureSize+0x233
08eb9b64 6d66f9be 00000000 08eb9c20 6d66f810 MSHTML!CView::EnsureView+0x774
08eb9c18 6d58954b 09420000 00000000 092a89f8 MSHTML!CDoc::RunningToInPlace+0x1b4
08eb9c38 6d72c3e2 00000003 00000000 08eb9c60 MSHTML!CServer::TransitionTo+0x7d
08eb9c50 6e91eb22 09420000 00000001 00000000 MSHTML!CServer::Show+0x50
08eb9c70 6e91ea11 08eb9c9c 6e91e9e0 09420000 IEFRAME!CDocObjectHost::_ShowMsoView+0xd8
08eb9c8c 6d66d4fd 092a8a10 094084e0 08eb9d08 IEFRAME!CDocObjectHost::ActivateMe+0x31
08eb9cb0 6d66d471 08eb9d08 6d66d450 094084b0 MSHTML!CServer::ActivateView+0x81
08eb9ce4 6d66d41c 09420000 ffffffff 00000000 MSHTML!CServer::DoUIActivate+0x21
08eb9d1c 6d72b779 09420000 ffffffff 00000000 MSHTML!CServer::DoVerb+0x78
08eb9d5c 6d72b72e 00000000 00000000 08eb9db0 MSHTML!CMarkup::Navigate+0x3b
08eb9d6c 6e91ebcc 09420000 00000000 00000000 MSHTML!CDoc::Navigate+0x1e
08eb9db0 6eaa02a7 00000003 0966af80 095a5780 IEFRAME!CDocObjectHost::_ActivateMsoView+0x8f
08eb9dd0 6e8e2890 00000003 092a89f8 00000003 IEFRAME!CDocObjectHost::UIActivate+0x4c
08eb9de8 6eaa01e3 0966af80 00000003 6e8e36c0 IEFRAME!CDocObjectView::UIActivate+0x20
08eb9e14 6e984c60 00000003 00000000 80040100 IEFRAME!CBaseBrowser2::_UIActivateView+0xa5
08ebbee0 6e98c1bc 00000000 80040100 095a5780 IEFRAME!CBaseBrowser2::v_ActivatePendingView+0x200
08ebbf00 6e98b1b7 6e8cc884 fffffffc 80040100 IEFRAME!CShellBrowser2::v_ActivatePendingView+0x2c
08ebbf1c 6e9861a0 6e8cc884 0000000a 00000000 IEFRAME!CBaseBrowser2::_ExecShellDocView+0xcb
08ebbf50 6e8cca6c 095a5794 6e8cc884 0000000a IEFRAME!CBaseBrowser2::Exec+0x20c
08ebc1e0 6e98b279 095a5794 6e8cc884 0000000a IEFRAME!CShellBrowser2::Exec+0xdd
08ebc218 6e98116a 08ebc458 6d4cefc0 092a89f8 IEFRAME!CDocObjectHost::_Navigate+0x50
08ebc448 6e980b75 00000003 00000001 08ebc4c0 IEFRAME!CDocObjectHost::_OnReadyState+0x13c
08ebc4a8 6e980aab 08ebc500 6d57b0b3 092a8a30 IEFRAME!CDocObjectHost::_OnChangedReadyState+0xc6
08ebc4b0 6d57b0b3 092a8a30 fffffdf3 0943e0a0 IEFRAME!CDocObjectHost::OnChanged+0x1b
08ebc500 6d6fa574 fffffdf3 00000001 0943e0a0 MSHTML!CBase::FirePropertyNotify+0x106
08ebc524 6d6fd0fa 00000003 09420000 09430500 MSHTML!CMarkup::SetReadyState+0x85
08ebc6c8 6d70683e 09430500 00000000 00000001 MSHTML!CMarkup::SetInteractiveInternal+0x66e
08ebc6fc 6d7070eb 00000001 00000000 09430500 MSHTML!CMarkup::RequestReadystateInteractive+0x92
08ebc728 6d6f719a 09468150 6d6ffb30 094381c0 MSHTML!CMarkup::BlockScriptExecutionHelper+0xf7
08ebc85c 6d6ffe38 04c45d22 09410000 094381c0 MSHTML!CHtmPost::Exec+0x91e
08ebc87c 6d6ffd9e 04c45d22 094381c0 09410000 MSHTML!CHtmPost::Run+0x3d
08ebc89c 6d705b16 094381c0 094381c0 80000000 MSHTML!PostManExecute+0x61
08ebc8b0 6d706478 6d706440 08ebc8f0 09410000 MSHTML!PostManResume+0x7b
08ebc8e0 6d57817b 09438230 094381c0 6d57a0f0 MSHTML!CHtmPost::OnDwnChanCallback+0x38
08ebc8f8 6d4cdfc3 09438230 00000000 00000001 MSHTML!CDwnChan::OnMethodCall+0x2f
08ebc940 6d4cd5ca 6b1d8655 6d4ccc10 00008002 MSHTML!GlobalWndOnMethodCall+0x17b
08ebc994 757a8e71 00d804ee 00008002 00000000 MSHTML!GlobalWndProc+0x14c
08ebc9c0 757a90d1 6d4ccc10 00d804ee 00008002 user32!_InternalCallWinProc+0x2b
08ebca54 757aa66f 6d4ccc10 00000000 00008002 user32!UserCallWinProcCheckWow+0x18e
08ebcac0 757aa6e0 7839b2d4 08ebfc9c 6e8ca7ac user32!DispatchMessageWorker+0x208
08ebcacc 6e8ca7ac 08ebcb0c 00cd8e48 085e7fe0 user32!DispatchMessageW+0x10
08ebfc9c 6e907c88 08ebfd68 6e907900 00cdaff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
08ebfd5c 6fe8b87c 00cd8e48 08ebfd80 6e90ec40 IEFRAME!LCIETab_ThreadProc+0x3e7
08ebfd74 6fd24a71 00cdaff0 6fd249e0 6fd249e0 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
08ebfdac 75527c04 08603fe8 75527be0 70322ce5 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
08ebfdc0 7711ad1f 08603fe8 724f2363 00000000 KERNEL32!BaseThreadInitThunk+0x24
08ebfe08 7711acea ffffffff 7710021e 00000000 ntdll_770c0000!__RtlUserThreadStart+0x2f
08ebfe18 00000000 6fd249e0 08603fe8 00000000 ntdll_770c0000!_RtlUserThreadStart+0x1b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ntdll!LdrpValidateUserCallTargetBitMapCheck+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ntdll_770c0000
IMAGE_NAME: ntdll.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 55c4bc8e
STACK_COMMAND: ~16s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_ntdll.dll!LdrpValidateUserCallTargetBitMapCheck
BUCKET_ID: INVALID_POINTER_READ_ZEROED_STACK_AVRF_ntdll!LdrpValidateUserCallTargetBitMapCheck+0
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_ZEROED_STACK_AVRF_ntdll!LdrpValidateUserCallTargetBitMapCheck+0
FAILURE_PROBLEM_CLASS: INVALID_POINTER_READ_AVRF
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: ntdll.dll
FAILURE_FUNCTION_NAME: LdrpValidateUserCallTargetBitMapCheck
FAILURE_SYMBOL_NAME: ntdll.dll!LdrpValidateUserCallTargetBitMapCheck
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_avrf_c0000005_ntdll.dll!ldrpvalidateusercalltargetbitmapcheck
FAILURE_ID_HASH: {9f6c8219-618e-e152-dea0-7698ffcc0f96}
Followup: MachineOwner
---------
ChildEBP RetAddr
08eb7d90 6d807e97 ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck
08eb7dc8 6dbbc2e4 MSHTML!CAnimatablePropertyListElement::GetCurrentValues+0x47
08eb7e28 6d7f530a MSHTML!CreateKeyframeFromBlock+0x3c5a82
08eb7edc 6d7f540c MSHTML!BuildAnimation+0x37a
08eb7fa8 6d7f41e9 MSHTML!AnimationStartHandler+0xdb
08eb8038 6d7f3f7d MSHTML!CAnimations::LoopAnimations+0x18e
08eb8184 6d557e1e MSHTML!ProcessTransitionsAndAnimations+0xe3e
08eb8450 6db171e0 MSHTML!CElement::ComputeFormatsVirtual+0xa97
08eb84f0 6db1861d MSHTML!CElement::ComputeFormats+0x3c0
08eb91c0 6d58a75d MSHTML!CTreeNode::ComputeFormatsHelper+0xab
08eb91d0 6d6582ff MSHTML!CTreeNode::GetFancyFormatIndexHelper+0x11
08eb9918 6d544380 MSHTML!CFancyFormat::EnsureTopLevelFormatsAndNormalizeForPage+0x289
08eb9950 6d5442fd MSHTML!Layout::PageCollection::LayoutPages+0x79
08eb9a08 6d54389c MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x428
08eb9a90 6d7160fe MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xec
08eb9ad4 6d4f2e3d MSHTML!CView::EnsureSize+0x233
08eb9b64 6d66f9be MSHTML!CView::EnsureView+0x774
08eb9c18 6d58954b MSHTML!CDoc::RunningToInPlace+0x1b4
08eb9c38 6d72c3e2 MSHTML!CServer::TransitionTo+0x7d
08eb9c50 6e91eb22 MSHTML!CServer::Show+0x50
08eb9c70 6e91ea11 IEFRAME!CDocObjectHost::_ShowMsoView+0xd8
08eb9c8c 6d66d4fd IEFRAME!CDocObjectHost::ActivateMe+0x31
08eb9cb0 6d66d471 MSHTML!CServer::ActivateView+0x81
08eb9ce4 6d66d41c MSHTML!CServer::DoUIActivate+0x21
08eb9d1c 6d72b779 MSHTML!CServer::DoVerb+0x78
08eb9d5c 6d72b72e MSHTML!CMarkup::Navigate+0x3b
08eb9d6c 6e91ebcc MSHTML!CDoc::Navigate+0x1e
08eb9db0 6eaa02a7 IEFRAME!CDocObjectHost::_ActivateMsoView+0x8f
08eb9dd0 6e8e2890 IEFRAME!CDocObjectHost::UIActivate+0x4c
08eb9de8 6eaa01e3 IEFRAME!CDocObjectView::UIActivate+0x20
08eb9e14 6e984c60 IEFRAME!CBaseBrowser2::_UIActivateView+0xa5
08ebbee0 6e98c1bc IEFRAME!CBaseBrowser2::v_ActivatePendingView+0x200
08ebbf00 6e98b1b7 IEFRAME!CShellBrowser2::v_ActivatePendingView+0x2c
08ebbf1c 6e9861a0 IEFRAME!CBaseBrowser2::_ExecShellDocView+0xcb
08ebbf50 6e8cca6c IEFRAME!CBaseBrowser2::Exec+0x20c
08ebc1e0 6e98b279 IEFRAME!CShellBrowser2::Exec+0xdd
08ebc218 6e98116a IEFRAME!CDocObjectHost::_Navigate+0x50
08ebc448 6e980b75 IEFRAME!CDocObjectHost::_OnReadyState+0x13c
08ebc4a8 6e980aab IEFRAME!CDocObjectHost::_OnChangedReadyState+0xc6
08ebc4b0 6d57b0b3 IEFRAME!CDocObjectHost::OnChanged+0x1b
08ebc500 6d6fa574 MSHTML!CBase::FirePropertyNotify+0x106
08ebc524 6d6fd0fa MSHTML!CMarkup::SetReadyState+0x85
08ebc6c8 6d70683e MSHTML!CMarkup::SetInteractiveInternal+0x66e
08ebc6fc 6d7070eb MSHTML!CMarkup::RequestReadystateInteractive+0x92
08ebc728 6d6f719a MSHTML!CMarkup::BlockScriptExecutionHelper+0xf7
08ebc85c 6d6ffe38 MSHTML!CHtmPost::Exec+0x91e
08ebc87c 6d6ffd9e MSHTML!CHtmPost::Run+0x3d
08ebc89c 6d705b16 MSHTML!PostManExecute+0x61
08ebc8b0 6d706478 MSHTML!PostManResume+0x7b
08ebc8e0 6d57817b MSHTML!CHtmPost::OnDwnChanCallback+0x38
08ebc8f8 6d4cdfc3 MSHTML!CDwnChan::OnMethodCall+0x2f
08ebc940 6d4cd5ca MSHTML!GlobalWndOnMethodCall+0x17b
08ebc994 757a8e71 MSHTML!GlobalWndProc+0x14c
08ebc9c0 757a90d1 user32!_InternalCallWinProc+0x2b
08ebca54 757aa66f user32!UserCallWinProcCheckWow+0x18e
08ebcac0 757aa6e0 user32!DispatchMessageWorker+0x208
08ebcacc 6e8ca7ac user32!DispatchMessageW+0x10
08ebfc9c 6e907c88 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
08ebfd5c 6fe8b87c IEFRAME!LCIETab_ThreadProc+0x3e7
08ebfd74 6fd24a71 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
08ebfdac 75527c04 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
08ebfdc0 7711ad1f KERNEL32!BaseThreadInitThunk+0x24
08ebfe08 7711acea ntdll_770c0000!__RtlUserThreadStart+0x2f
08ebfe18 00000000 ntdll_770c0000!_RtlUserThreadStart+0x1b
eax=00000000 ebx=00000000 ecx=00000000 edx=01120000 esi=00000000 edi=08eb7db4
eip=770ea88b esp=08eb7d94 ebp=08eb7dc8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll_770c0000!LdrpValidateUserCallTargetBitMapCheck:
770ea88b 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:01120000=????????
ntdll_770c0000!SHATransformP3+0x1299:
770ea879 5b pop ebx
770ea87a 5f pop edi
770ea87b 5e pop esi
770ea87c c20800 ret 8
770ea87f 90 nop
ntdll_770c0000!LdrpValidateUserCallTarget:
770ea880 8b1540321c77 mov edx,dword ptr [ntdll_770c0000!LdrSystemDllInitBlock+0x60 (771c3240)]
770ea886 8bc1 mov eax,ecx
770ea888 c1e808 shr eax,8
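The faulting read above happens inside the Control Flow Guard target check, not at address 0. The following Python is added here as a triage aid and is not part of the report or of any Microsoft code: it re-derives the faulting address from the register dump and models the three instructions of LdrpValidateUserCallTarget shown in the disassembly (eax = ecx >> 8; edx = [bitmap + eax*4]), so a NULL function pointer caught by CFG can be told apart from an arbitrary wild read. It assumes the x86 convention that the target being validated arrives in ecx, which the `mov eax,ecx` above reflects.

```python
import re

# Constructed sample input: the register line and faulting instruction copied
# from the cdb output in this report.
REGISTER_LINE = ("eax=00000000 ebx=00000000 ecx=00000000 edx=01120000 "
                 "esi=00000000 edi=08eb7db4")
FAULTING_INSN = "770ea88b 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:01120000=????????"
READ_ADDRESS = 0x01120000


def parse_registers(line):
    """Turn 'eax=00000000 ebx=...' into {'eax': 0, 'ebx': 0, ...}."""
    return {n: int(v, 16) for n, v in re.findall(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", line)}


def effective_address(mem_operand, regs):
    """Evaluate a windbg '[base+index*scale+disp]' operand (disp is hex, optional 'h')."""
    m = re.fullmatch(r"\[(\w+)(?:\+(\w+)\*(\d))?(?:\+([0-9a-f]+)h?)?\]", mem_operand)
    if not m:
        raise ValueError("unsupported operand: " + mem_operand)
    base, index, scale, disp = m.groups()
    addr = regs[base]
    if index:
        addr += regs[index] * int(scale)
    if disp:
        addr += int(disp, 16)
    return addr & 0xFFFFFFFF


def cfg_bitmap_dword(bitmap_base, target):
    """Address of the CFG bitmap dword covering `target`, mirroring the disassembly
    above: eax = ecx >> 8; edx = [bitmap + eax*4]. A NULL target maps to the first dword."""
    return bitmap_base + (target >> 8) * 4


def triage_cfg_read(register_line, faulting_insn, read_address):
    """Explain an access violation in the CFG check in terms of the call target in ecx."""
    regs = parse_registers(register_line)
    operand = re.search(r"ptr (\[[^\]]+\])", faulting_insn).group(1)
    ea = effective_address(operand, regs)
    target = regs["ecx"]  # assumption: the target under validation is passed in ecx
    return {
        "effective_address": ea,
        "matches_read_address": ea == read_address,
        "call_target": target,
        "null_target": target == 0,
        # edx already holds the bitmap base at the faulting instruction (see the 'r' output)
        "bitmap_dword": cfg_bitmap_dword(regs["edx"], target),
    }


if __name__ == "__main__":
    for key, val in triage_cfg_read(REGISTER_LINE, FAULTING_INSN, READ_ADDRESS).items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```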
Mar 11 2016
I found the exact same issue a few months back and analyzed it to find out if it was a security issue because of the non-null read access violation. I've now published my analysis, which explains why this NULL pointer dereference is not causing an access violation at address 0. Details here: http://blog.skylined.nl/20160311001.html
Hand-minimized repro:
<style>
* { animation-name: animation; }
@keyframes animation { 100% { font: icon; } }
</style>