Issue 71595: Stale pointer in DeviceOrientationController::didChangeDeviceOrientation()
Status:  Fixed
Owner:  chromium.cdn@gmail.com
Closed:  Feb 2011
Cc:  security...@gtempaccount.com
M-9
Reported by serg.gla...@gmail.com, Feb 1, 2011
VULNERABILITY DETAILS
void DeviceOrientationController::didChangeDeviceOrientation(DeviceOrientation* orientation)
{
    RefPtr<DeviceOrientationEvent> event = DeviceOrientationEvent::create(eventNames().deviceorientationEvent, orientation);
    Vector<DOMWindow*> listenersVector;
    copyToVector(m_listeners, listenersVector);
    for (size_t i = 0; i < listenersVector.size(); ++i)
        listenersVector[i]->dispatchEvent(event);
}

didChangeDeviceOrientation() creates a vector containing raw window pointers and doesn't protect these window objects from being removed by device orientation event handlers.

DeviceMotionController::didChangeDeviceMotion() has the same code.

VERSION
Google Chrome 8.0.552.237 (70801); Chromium 11.0.656.0 (73263).
Attachments: repro.html (1.2 KB), crash_details.txt (6.9 KB)
Feb 1, 2011
#1 chromium.cdn@gmail.com
The fix for this is just to change these vectors to RefPtrs
Status: Assigned
Owner: c...@chromium.org
Cc: secur...@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High WebKit-Core
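As an added illustration of the pattern described in the report and in comment #1 (not WebKit code and not the patch from changeset 77418), here is a self-contained C++ model: a listener snapshot held as raw pointers versus one held as owning references, with std::shared_ptr standing in for WTF::RefPtr and an event handler that tears down another window mid-dispatch. The Window, Controller and scenario helpers are constructed for this example and are not part of the original page.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>
// Constructed stand-in for DOMWindow: ref-counted; its script handler may run arbitrary page code.
struct Window : std::enable_shared_from_this<Window> {
    std::function<void()> handler;  // the page's deviceorientation listener
};
struct Controller {
    std::vector<Window*> m_listeners;            // non-owning, as in the original
    std::vector<std::shared_ptr<Window>> owned;  // page-level ownership (stand-in)
    void destroyWindow(Window* w) {  // what a handler can trigger mid-dispatch, e.g. removing an iframe
        m_listeners.erase(std::remove(m_listeners.begin(), m_listeners.end(), w), m_listeners.end());
        owned.erase(std::remove_if(owned.begin(), owned.end(), [w](auto& p) { return p.get() == w; }), owned.end());
    }
    // Original pattern (raw pointers); weak_ptr probes stand in for the dangling dereference and count entries freed before the loop reached them.
    int dispatchWithRawPointers() {
        std::vector<Window*> listenersVector(m_listeners);
        std::vector<std::weak_ptr<Window>> probes;
        for (Window* w : listenersVector) probes.push_back(w->shared_from_this());
        int stale = 0;
        for (std::size_t i = 0; i < listenersVector.size(); ++i) {
            if (probes[i].expired()) { ++stale; continue; }  // real code: use-after-free here
            if (listenersVector[i]->handler) listenersVector[i]->handler();
        }
        return stale;
    }
    // Fixed pattern: the snapshot holds owning references, so a window detached by a
    // handler stays alive until the loop is done with it and is freed afterwards.
    int dispatchWithRefPtrs() {
        std::vector<std::shared_ptr<Window>> listenersVector;
        for (Window* w : m_listeners) listenersVector.push_back(w->shared_from_this());
        int delivered = 0;
        for (auto& w : listenersVector) {
            if (w->handler) w->handler();
            ++delivered;  // every snapshot entry is still a valid object here
        }
        return delivered;
    }
};
// Constructed scenario: the first window's handler destroys the second while the
// controller is still walking its snapshot of listeners.
void setupScenario(Controller& c) {
    c.owned = {std::make_shared<Window>(), std::make_shared<Window>()};
    c.m_listeners = {c.owned[0].get(), c.owned[1].get()};
    c.owned[0]->handler = [&c, b = c.owned[1].get()] { c.destroyWindow(b); };
}
int staleWithRawPointers() { Controller c; setupScenario(c); return c.dispatchWithRawPointers(); }
int deliveredWithRefPtrs() { Controller c; setupScenario(c); return c.dispatchWithRefPtrs(); }
```

With the raw-pointer snapshot the second entry is already freed when the loop reaches it; with the owning snapshot both windows receive the event and the detached one is released only after dispatch.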
Feb 2, 2011
#2 chromium.cdn@gmail.com
Serg, totally tangential to this bug, but it may be useful in reproing this type of thing in the future. Try the command line flag --js-flags="--expose-gc". This will expose gc() which lets you initiate v8 garbage collection in a more deterministic way.

On a more related note I have a patch for these two issues just need to clean up the layout test.
Feb 2, 2011
#3 chromium.cdn@gmail.com
fix committed in http://trac.webkit.org/changeset/77418
Status: WillMerge
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-9
Feb 9, 2011
#4 infe...@chromium.org
merged to m9 in r78090.

still needs m10 merge.
Feb 9, 2011
#5 infe...@chromium.org
merged to m10 in http://trac.webkit.org/changeset/78118.
Status: FixUnreleased
Feb 9, 2011
#6 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: reward-topanel
Feb 13, 2011
#7 scarybea...@gmail.com
@serg.glazunov: nice discovery via code analysis! And a provisional $1000 Chromium Security Reward.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-topanel reward-1000 reward-unpaid
Mar 4, 2011
#9 scarybea...@gmail.com
Invoice finalized; payment is in e-payment system.
Labels: -reward-unpaid
Mar 21, 2011
#10 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 4, 2011
#11 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#12 jsc...@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#13 jsc...@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#14 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#15 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -SecSeverity-High -WebKit-Core -Mstone-9 -Type-Security -SecImpacts-Stable Cr-Content M-9 Security-Impact-Stable Type-Bug-Security Cr-Content-Core Security-Severity-High
Mar 13, 2013
#16 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#17 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#18 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Apr 5, 2013
#19 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink