Issue 50515: Memory corruption - DOMMimeType
2 people starred this issue and may be notified of changes.
Status:  Fixed
Owner:  ----
Closed:  Jul 2010
Cc:  jap...@chromium.org, jsc...@chromium.org, deep...@chromium.org, aproskur...@gmail.com
M-5
Reported by serg.gla...@gmail.com, Jul 28, 2010
Repro: javascript:s=(w=open()).navigator.mimeTypes.item(0);w.close();setTimeout('s.enabledPlugin',1000)

Tested with Chrome 6.0.472.0 dev and Chromium 6.0.477.0 (53631).

Stack trace:
(b3c.100c): Access violation - code c0000005 (first chance)
eax=03ffcae0 ebx=03bfaa50 ecx=00016001 edx=0081c200 esi=63e02901 edi=00000000
eip=001bed3c esp=001becc4 ebp=045fe781 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
001bed3c 30ed            xor     ch,ch
1:025> kv
ChildEBP RetAddr  Args to Child              
001becc8 641c033a 001becf0 00000000 015dd074 0x1bed3c
001bece0 63a8035a 001bed38 015dd074 001bed3c chrome_631e0000!WebCore::DOMMimeTypeInternal::enabledPluginAttrGetter+0x4a (FPO: [3,1,4]) (CONV: cdecl) [c:\b\slave\chromium-rel-xp\build\src\build\release\obj\global_intermediate\webcore\bindings\v8dommimetype.cpp @ 65]
001bed30 63a89e19 045fe781 001bed30 045cf7c1 chrome_631e0000!v8::internal::Object::GetPropertyWithCallback+0x11a (FPO: [4,12,0]) (CONV: thiscall) [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 173]
001bed58 63b195fc 045fe781 001bed94 045cf7c1 chrome_631e0000!v8::internal::Object::GetProperty+0x189 (FPO: [4,1,0]) (CONV: thiscall) [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 501]
001beda4 63b1a137 00000000 001bedec 001bede8 chrome_631e0000!v8::internal::LoadIC::Load+0x3fc (FPO: [3,10,0]) (CONV: thiscall) [c:\b\slave\chromium-rel-xp\build\src\v8\src\ic.cc @ 868]
001bee4c 63a981f8 04643c00 03d83c95 01920c25 chrome_631e0000!v8::internal::LoadIC_Miss+0x77 (FPO: [2,2,4]) (CONV: cdecl) [c:\b\slave\chromium-rel-xp\build\src\v8\src\ic.cc @ 1589]
001bee90 63a982c6 001beee0 64682028 015dd064 chrome_631e0000!v8::internal::Invoke+0xc8 (FPO: [7,8,4]) (CONV: cdecl) [c:\b\slave\chromium-rel-xp\build\src\v8\src\execution.cc @ 96]
001beeb4 63a648d6 001beee0 015dd064 015dd068 chrome_631e0000!v8::internal::Execution::Call+0x26 (FPO: [6,0,4]) (CONV: cdecl) [c:\b\slave\chromium-rel-xp\build\src\v8\src\execution.cc @ 121]
001bef08 63e2f3b9 001bef38 00000000 00000000 chrome_631e0000!v8::Script::Run+0x156 (FPO: [1,12,0]) (CONV: thiscall) [c:\b\slave\chromium-rel-xp\build\src\v8\src\api.cc @ 1247]
...
Jul 28, 2010
#1 jsc...@chromium.org
Doesn't seem to affect stable, but causes a tab crash on trunk. SubframeLoader::m_frame appears to be invalid (maybe the frame is already detached?). Here's the top of the stack from a debug build:

WebCore::Frame::settings()  Line 287
WebCore::SubframeLoader::allowPlugins(WebCore::ReasonForCallingAllowPlugins reason=NotAboutToInstantiatePlugin)  Line 294
WebCore::DOMMimeType::enabledPlugin()  Line 68
WebCore::DOMMimeTypeInternal::enabledPluginAttrGetter(v8::Local<v8::String> name={...}, const v8::AccessorInfo & info={...})  Line 65
v8::internal::Object::GetPropertyWithCallback(v8::internal::Object * receiver=0x03cf2579, v8::internal::Object * structure=0x03ce01c1, v8::internal::String * name=0x03599a65, v8::internal::Object * holder=0x03cf2579)  Line 173
v8::internal::Object::GetProperty(v8::internal::Object * receiver=0x03cf2579, v8::internal::LookupResult * result=0x04bbf43c, v8::internal::String * name=0x03599a65, PropertyAttributes * attributes=0x04bbf420)  Line 501

Nate, Since this seems to have been introduced after the SubframeLoader split do you mind taking a look when you get a chance?

Status: Available
Cc: jap...@chromium.org jsc...@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-6 SecSeverity-High
Jul 28, 2010
#2 jap...@chromium.org
The crash is occurring because in DOMMimeType::enabledPlugin(), m_pluginData->page() is dead.  This appears to be unrelated to my SubframeLoader changes.
Jul 28, 2010
#3 serg.gla...@gmail.com
I guess the corruption occurs before DOMMimeType::enabledPlugin(). In some crashes the DOMMimeType object pointer is already incorrect (e.g. 0x0000017f).
Jul 28, 2010
#4 jsc...@chromium.org
I think I have it worked out. It looks like we should be calling PluginData::disconnectPage() inside the Page destructor. I've filed upstream at:
https://bugs.webkit.org/show_bug.cgi?id=43147

I should have a patch in shortly.

Jul 29, 2010
#5 jsc...@chromium.org
Landed upstream as: http://trac.webkit.org/changeset/64293

This doesn't affect trunk. It just needs to be merged to 472.

Status: WillMerge
Jul 29, 2010
#6 scarybea...@gmail.com
Thanks for your help as always, Serg!
And congratulations, this qualifies for a $1000 Chromium Security Reward! For high quality reports -- such as this -- we are upping the base from $500 to $1000. Thanks for the simple repro.
Labels: reward-1000 reward-unpaid
Jul 31, 2010
#7 jsc...@chromium.org
Issue 50841 has been merged into this issue.
Jul 31, 2010
#8 skylined@chromium.org
The repro in issue 50841 affects Chrome 5.0.375.125 - this needs to be merged in stable.
Aug 5, 2010
#9 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55075 

------------------------------------------------------------------------
r55075 | inferno@chromium.org | 2010-08-05 09:41:02 -0700 (Thu, 05 Aug 2010) | 24 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/472/LayoutTests/plugins/access-after-page-destroyed-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/472/LayoutTests/plugins/access-after-page-destroyed.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/472/WebCore/page/Page.cpp?r1=55075&r2=55074

Merge 64293 - 2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        Test: plugins/access-after-page-destroyed.html

        * page/Page.cpp:
        (WebCore::Page::~Page):
2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        * plugins/access-after-page-destroyed-expected.txt: Added.
        * plugins/access-after-page-destroyed.html: Added.

BUG=50515

Review URL: http://codereview.chromium.org/3046050
------------------------------------------------------------------------

Aug 10, 2010
#10 infe...@chromium.org
(No comment was entered for this change.)
Labels: -Mstone-6 Mstone-5
Aug 10, 2010
#11 infe...@chromium.org
(No comment was entered for this change.)
Status: FixUnreleased
Aug 10, 2010
#12 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=55612 

------------------------------------------------------------------------
r55612 | inferno@chromium.org | 2010-08-10 13:10:47 -0700 (Tue, 10 Aug 2010) | 24 lines
Changed paths:
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/plugins/access-after-page-destroyed-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/plugins/access-after-page-destroyed.html
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/page/Page.cpp?r1=55612&r2=55611

Merge 64293 - 2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        Test: plugins/access-after-page-destroyed.html

        * page/Page.cpp:
        (WebCore::Page::~Page):
2010-07-28  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Nate Chapin.

        Clear PluginData's page pointer on Page destruction
        https://bugs.webkit.org/show_bug.cgi?id=43147

        * plugins/access-after-page-destroyed-expected.txt: Added.
        * plugins/access-after-page-destroyed.html: Added.

BUG=50515

Review URL: http://codereview.chromium.org/3123003
------------------------------------------------------------------------

Aug 11, 2010
#13 serg.gla...@gmail.com
(maybe it's worth creating a separate issue)
this new repro causes a crash on Chromium 6.0.492.0 (55764) and Chrome 6.0.472.25 dev:
javascript:s=(w=open()).navigator.mimeTypes[0];w.navigator.plugins.refresh();w.close();setTimeout('s.enabledPlugin',1000)

Page::refreshPlugins sets m_pluginData to NULL hence the patch doesn't work.

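The lifetime problem discussed in comments #4 and #13, modelled as an added C++ example (this is not WebKit's code): a PluginData shared by a DOM wrapper keeps a raw back-pointer to its Page, the Page destructor clears it as the upstream fix does, and, going one step beyond the patch, the modelled refreshPlugins also disconnects the PluginData it drops, since the destructor can no longer reach it. The class and method names mirror the report; their bodies are assumptions.

```cpp
#include <memory>
#include <string>
// Simplified model of the objects in this report (illustration, not WebKit code).
// A Page owns a PluginData; DOM wrappers such as DOMMimeType share that
// PluginData, which holds a raw back-pointer to its Page.
struct Page;
struct PluginData {
    Page* m_page;
    explicit PluginData(Page* page) : m_page(page) {}
    Page* page() const { return m_page; }
    void disconnectPage() { m_page = nullptr; }  // cleared when the Page goes away
};
struct Page {
    std::shared_ptr<PluginData> m_pluginData;
    std::shared_ptr<PluginData> pluginData() {
        if (!m_pluginData)
            m_pluginData = std::make_shared<PluginData>(this);
        return m_pluginData;
    }
    // Models Page::refreshPlugins dropping m_pluginData (comment #13): the
    // destructor can no longer reach the old PluginData, so this example
    // disconnects it here too (our generalisation, not the upstream patch).
    void refreshPlugins() {
        if (m_pluginData)
            m_pluginData->disconnectPage();
        m_pluginData.reset();
    }
    // The upstream fix (changeset 64293): clear the back-pointer on destruction.
    ~Page() {
        if (m_pluginData)
            m_pluginData->disconnectPage();
    }
};
struct DOMMimeType {
    std::shared_ptr<PluginData> m_pluginData;
    // A null page means "no enabled plugin" instead of a dangling dereference.
    std::string enabledPlugin() const {
        return m_pluginData->page() ? "plugin" : "none";
    }
};
// Same sequence as the repro: grab a wrapper, optionally refresh plugins,
// optionally close the page, then read enabledPlugin on the wrapper.
std::string enabledPluginAfter(bool refreshFirst, bool closePage) {
    std::unique_ptr<Page> page(new Page);
    DOMMimeType mime{page->pluginData()};
    if (refreshFirst) page->refreshPlugins();   // w.navigator.plugins.refresh()
    if (closePage) page.reset();                // w.close()
    return mime.enabledPlugin();                // s.enabledPlugin
}
```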
Aug 11, 2010
#14 jsc...@chromium.org
Serg, excellent catch and analysis. Please file a new bug so we can track it separately for reward purposes.

Aug 11, 2010
#15 serg.gla...@gmail.com
I've created issue 51835.
Aug 17, 2010
#16 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Aug 18, 2010
#17 srikan...@chromium.org
(No comment was entered for this change.)
Cc: deep...@chromium.org
Aug 18, 2010
#18 deep...@chromium.org
Cannot reproduce the bug anymore on mac. Verified in 5.0.375.127 (Official Build 55887).
Aug 18, 2010
#19 suna...@chromium.org
Works fine with Google Chrome 5.0.375.127 (Official Build 55887) on Win XP and Linux Ubuntu 9.04
Aug 25, 2010
#20 scarybea...@gmail.com
Payment is in the electronic system.
Labels: -reward-unpaid
Sep 14, 2010
#21 abarth@chromium.org
(No comment was entered for this change.)
Cc: aproskuryakov
Mar 21, 2011
#22 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 4, 2011
#23 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#24 jsc...@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#25 jsc...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#26 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Owner: ---
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#27 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -Mstone-5 -SecSeverity-High -Type-Security -SecImpacts-Stable Cr-Content M-5 Security-Impact-Stable Type-Bug-Security Security-Severity-High
Mar 13, 2013
#28 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#29 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#30 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Apr 5, 2013
#31 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink