My favorites | Sign in
Project Home Downloads Wiki Issues Code Search
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 73526: Floats not cleared to logical height wraps.
1 person starred this issue and may be notified of changes. Back to list
Status:  Fixed
Owner:  infe...@chromium.org
Closed:  Mar 2011

Restricted
  • Only users with EditIssue permission may comment.


Sign in to add a comment
 
Reported by miaubiz@gmail.com, Feb 19, 2011

VULNERABILITY DETAILS
stale pointer RIP goes to random address

VERSION
Google Chrome	9.0.597.98 (Official Build 74359)
Chromium	11.0.673.0 (Developer Build 75059) Ubuntu 10.10
on Linux 2.6.35-27-generic #47-Ubuntu SMP Fri Feb 11 22:52:49 UTC 2011 x86_64

Google Chrome 9.0.597.102 (official build 74604)
OSX Snow Leopard 10.6.6

REPRODUCTION CASE

attached

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
#0  0x00007ffffa1c59c0 in ?? ()
#1  0x00007ffff67e8699 in WebCore::RenderBlock::insertFloatingObject at third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:3073
#2  0x00007ffff68029ae in WebCore::RenderBlock::layoutInlineChildren at third_party/WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp:870

   0x00007ffff67e8693 <+195>:	callq  *0x140(%rax)
insertfloating.html
819 bytes   View   Download
Feb 19, 2011
#1 miaubiz@gmail.com
valgrind log

==1379==  Address 0x3647b4ab is 91 bytes inside a block of size 96 free'd
==1379==    at 0x4C29146: free (vg_replace_malloc.c:913)
==1379==    by 0x1CE8A0F: WebCore::RenderObject::~RenderObject() (RefCounted.h:136)

==1379== Process terminating with default action of signal 4 (SIGILL)
==1379==  Illegal opcode at address 0x35A98344
==1379==    at 0x35A98344: ???
==1379==    by 0xF772777: ???
==1379==    by 0x1C70698: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (RenderBlock.cpp:3073)

valgrind_73526.txt
12.6 KB   View   Download
Feb 19, 2011
#2 infe...@chromium.org
Does not crash on both windows trunk (webkit 78997) and linux trunk (webkit 78540). Seeing the repro, this is pretty obvious dup of http://trac.webkit.org/changeset/77565
Status: Duplicate
Mergedinto: 71855
Feb 19, 2011
#3 miaubiz@gmail.com
I thought it looked familiar :D

But this is reproducible for me on trunk (webkit 79006), and the repros from the other bug do nothing.

This crash has something to do with the -webkit-columns CSS directive being present in the repro.

I'll attach some more repros.  The b?.html segfault at RIP and the numbered ones nullptr at 140.


1.html
722 bytes   View   Download
3.html
728 bytes   Download
4.html
733 bytes   View   Download
2.html
741 bytes   View   Download
b1.html
4.0 KB   View   Download
b2.html
4.0 KB   View   Download
b3.html
4.0 KB   View   Download
Feb 19, 2011
#4 infe...@chromium.org
Ok, i will recheck again with your new repros. Reopening bug.
Status: Available
Mergedinto: -71855
Feb 20, 2011
#5 miaubiz@gmail.com
here's a smaller one for nullptr 0x140..  the instructions is callq %rax+0x140

can repro on ubuntu chromium daily version on maverick 64bit:
Chromium	11.0.678.0 (Developer Build 75511) Ubuntu 10.10
WebKit	534.21 (trunk@79111)
null140.html
335 bytes   View   Download
Feb 20, 2011
#6 infe...@chromium.org
miaubiz, you are awesome!! this new repro works. and this is not a dup.

the logical height is wrapping up at 
setLogicalHeight(logicalHeight() + logicalHeightForChild(child)); in RenderBlock.cpp

and hence we are not able to clear the linebox in markLinesDirtyInBlockRange. note that logical height wrap leads to negative block logical height leading to linebox not cleared -> stale linebox -> use after free. my last two fixes in this area 

these signed int are really bad, they are all over the place in webkit. and atleast negative logical height has a meaning, i am still checking if we can fix this more generically using block logical height for which negative value is probably invalid.

Summary: Floats not cleared to logical height wraps.
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-9
Feb 23, 2011
#7 infe...@chromium.org
taking a look.
Feb 23, 2011
#8 infe...@chromium.org
Fixed in http://trac.webkit.org/changeset/79462
Status: WillMerge
Owner: infe...@chromium.org
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify reward-topanel
Feb 23, 2011
#9 miaubiz@gmail.com
@inferno <3 thank you.

I can get RIP to go to bad places with the attached repros with r79479.  I'm using webkit master git branch, because gclient branch with lkgr isn't up to date yet.

not sure if it's more of the same bug or should be filed as a different one

Chromium	11.0.682.0 (Developer Build f504cfe)
WebKit	534.22 (git@58b0446) == r79479

==12302==  Address 0xf7d44ab is 91 bytes inside a block of size 96 free'd
==12302==    at 0x4C29146: free (vg_replace_malloc.c:913)
==12302==    by 0x1E3ECFF: WebCore::RenderObject::~RenderObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DF9156: WebCore::RenderEmbeddedObject::~RenderEmbeddedObject() (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1E3971A: WebCore::RenderObject::arenaDelete(WebCore::RenderArena*, void*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302== 
==12302== Jump to the invalid address stated on the next line
==12302==    at 0x0: ???
==12302==    by 0x1DC5968: WebCore::RenderBlock::insertFloatingObject(WebCore::RenderBox*) (in /home/clooney/chromium/src/out/Release/chrome)
==12302==    by 0x1DE008D: WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) (in /home/clooney/chromium/src/out/Release/chrome)


Feb 23, 2011
#10 infe...@chromium.org
@miaubiz: can you please file a new bug with these repros.
Feb 23, 2011
#12 infe...@chromium.org
@Miaubiz: thank you very much for your continued patience and testing on trunk build. Please try to include all new repros concerning this case of overflow in the new bug. (dont worry if those repros are big, we want to make sure we have them all before I try another fix to cover rest of scenarios).
Feb 23, 2011
#13 miaubiz@gmail.com
@inferno:  bug 73962 
Mar 16, 2011
#14 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Mstone-9 Mstone-10
Mar 18, 2011
#15 scarybea...@gmail.com
@miaubiz: thanks for all your high-quality help as usual :)
We'll reward you $1000 for this bug and consider the other bug for additional reward once we've fixed it and verified all the different repros.

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -reward-topanel reward-1000 reward-unpaid
Mar 18, 2011
#16 scarybea...@gmail.com
Probably no more M10 patches. Going to let this fix roll into M11. I love having regular release trains :D
Status: FixUnreleased
Labels: -Mstone-10 Mstone-11
Mar 21, 2011
#17 jschuh@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Apr 22, 2011
#18 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2011-1437
May 3, 2011
#20 scarybea...@gmail.com
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: -reward-unpaid
Oct 4, 2011
#21 jschuh@chromium.org
Batch update.
Labels: SecImpacts-Stable
Apr 18, 2012
#22 jschuh@chromium.org
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Apr 18, 2012
#23 jschuh@chromium.org
(No comment was entered for this change.)
Status: Fixed
Oct 13, 2012
#24 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -SecSeverity-High -Mstone-11 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-11
Mar 13, 2013
#26 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#27 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#28 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Apr 5, 2013
#29 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink
Sign in to add a comment

Powered by Google Project Hosting