64801 CVE-2011-2817 2011-07-19 08:57:26 -0700 Use after free in ReplacementFragment::removeUnrenderedNodes 2014-02-19 01:15:51 -0800 1 1 1 Unclassified Security Security 525.x (Nightly build) All All RESOLVED FIXED InRadar P2 Major --- 1 inferno webkit-security-unassigned ademar aestes cevans commit-queue darin enrica kling rniwa webkit.review.bot yong.li.webkit oldest_to_newest 439175 0 inferno 2011-07-19 08:57:26 -0700 found in my fuzzing + ASAN http://code.google.com/p/chromium/issues/detail?id=89678 Chromium Revision : 92735 Webkit Revision : 91062 Reduced Testcase (run from LayoutTests/editing/pasteboard) <input id="test" contenteditable="true"><script src="../editing.js">></script> <script> var e = document.getElementById("test"); var s = window.getSelection(); s.setPosition(e, 10500000000); insertHTMLCommand("<noscript>baz"); </script> ================================================================== HINT: if your stack trace looks short or garbled, use ASAN_OPTIONS=fast_unwind=0 ==1708== ERROR: AddressSanitizer crashed on address 0x00007f8acbb7bd10 at pc 0x7f8b0e2b09a1 bp 0x7f8af55d0d30 sp 0x7f8af55d0bc0 READ of size 4 at 0x00007f8acbb7bd10 thread T12 #0 0x7f8b0e2b09a1 in WebCore::ReplacementFragment::removeUnrenderedNodes(WebCore::Node*) #1 0x7f8b0e2adc9d in WebCore::ReplacementFragment::ReplacementFragment(WebCore::Document*, WebCore::DocumentFragment*, bool, WebCore::VisibleSelection const&) #2 0x7f8b0e2bba68 in WebCore::ReplaceSelectionCommand::doApply() #3 0x7f8b0e1fe7eb in WebCore::EditCommand::apply() #4 0x7f8b0e252454 in WebCore::executeInsertFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::DocumentFragment>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:0 #5 0x7f8b0e24a82e in WebCore::executeInsertHTML(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:0 #6 0x7f8b0e246fd0 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const #7 0x7f8b0d9356f1 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) #8 0x7f8b0d425b45 in WebCore::DocumentInternal::execCommandCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources16.cpp:0 #9 0x7f8b0c541d9f in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0 #10 0x7f8acf2f014e in 0x00007f8acbb7bd10 is located 16 bytes inside of 88-byte region [0x00007f8acbb7bd00,0x00007f8acbb7bd58) freed by thread T12 here: #1 0x7f8b0d8e7246 in void WebCore::removeAllChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode*) #2 0x7f8b0d8e8792 in WebCore::ContainerNode::~ContainerNode() #3 0x7f8b0da7e3e5 in non-virtual thunk to WebCore::HTMLElement::~HTMLElement() #4 0x7f8b0e2b0973 in WebCore::ReplacementFragment::removeUnrenderedNodes(WebCore::Node*) #5 0x7f8b0e2adc9d in WebCore::ReplacementFragment::ReplacementFragment(WebCore::Document*, WebCore::DocumentFragment*, bool, WebCore::VisibleSelection const&) #6 0x7f8b0e2bba68 in WebCore::ReplaceSelectionCommand::doApply() #7 0x7f8b0e1fe7eb in WebCore::EditCommand::apply() #8 0x7f8b0e252454 in WebCore::executeInsertFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::DocumentFragment>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:0 #9 0x7f8b0e24a82e in WebCore::executeInsertHTML(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:0 #10 0x7f8b0e246fd0 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const #11 0x7f8b0d9356f1 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) #12 0x7f8b0d425b45 in WebCore::DocumentInternal::execCommandCallback(v8::Arguments const&) out/Release/obj/gen/webkit/bindings/V8DerivedSources16.cpp:0 #13 0x7f8b0c541d9f in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0 #14 0x7f8acf2f014e in #15 0x7f8acf317d0f in previously allocated by thread T12 here: #1 0x7f8b0da39085 in WebCore::Text::create(WebCore::Document*, WTF::String const&) #2 0x7f8b0da3d4a7 in WebCore::Text::createWithLengthLimit(WebCore::Document*, WTF::String const&, unsigned int, unsigned int) #3 0x7f8b0dcd3e13 in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&) #4 0x7f8b0dc59d44 in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) #5 0x7f8b0dc4b804 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&) #6 0x7f8b0dc4b255 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) #7 0x7f8b0dc4b0f0 in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) #8 0x7f8b0dc02d9e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) #9 0x7f8b0dc042d4 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) #10 0x7f8b0dc0657b in WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) #11 0x7f8b0d9638c4 in WebCore::Element::deprecatedCreateContextualFragment(WTF::String const&, WebCore::FragmentScriptingPermission) #12 0x7f8b0daa136c in WebCore::HTMLElement::deprecatedCreateContextualFragment(WTF::String const&, WebCore::FragmentScriptingPermission) #13 0x7f8b0e357e4e in WebCore::createFragmentFromMarkup(WebCore::Document*, WTF::String const&, WTF::String const&, WebCore::FragmentScriptingPermission) #14 0x7f8b0e24a823 in WebCore::executeInsertHTML(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:0 #15 0x7f8b0e246fd0 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const Thread T12 created by T0 here: #1 0x7f8b0ba527b1 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*) base/threading/platform_thread_posix.cc:0 #2 0x7f8b0ba5267a in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) #3 0x7f8b0ba532b0 in base::Thread::StartWithOptions(base::Thread::Options const&) #4 0x7f8b0f800e11 in BrowserRenderProcessHost::Init(bool) #5 0x7f8b0f86e56f in RenderViewHost::CreateRenderView(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&) #6 0x7f8b0f916e77 in TabContents::CreateRenderViewForRenderManager(RenderViewHost*) #7 0x7f8b0f9172bd in non-virtual thunk to TabContents::CreateRenderViewForRenderManager(RenderViewHost*) ==1708== ABORTING Stats: 0M malloced (0M for red zones) by 0 calls Stats: 2M realloced by 6690 calls Stats: 0M freed by 0 calls Stats: 0M really freed by 0 calls Stats: 0M (0 pages) mmaped in 0 calls Stats: 48M of shadow memory allocated in 48 clusters (1M each, 0 low and 48 high) Shadow byte and word: 0x00001ff15976f7a2: fb 0x00001ff15976f7a0: fb fb fb fb fb fb fb fb More shadow bytes: 0x00001ff15976f780: ff ff ff ff ff ff ff ff 0x00001ff15976f788: ff ff ff ff ff ff ff ff 0x00001ff15976f790: ff ff ff ff ff ff ff ff 0x00001ff15976f798: ff ff ff ff ff ff ff ff =>0x00001ff15976f7a0: fb fb fb fb fb fb fb fb 0x00001ff15976f7a8: fb fb fb fb fb fb fb fb 0x00001ff15976f7b0: fb fb fb fb fb fb fb fb 0x00001ff15976f7b8: fb fb fb fb fb fb fb fb 0x00001ff15976f7c0: ff ff ff ff ff ff ff ff The problem is looks to due to the ugly iteration logic with raw pointers. void ReplacementFragment::removeUnrenderedNodes(Node* holder) { Vector<Node*> unrendered; ........... size_t n = unrendered.size(); for (size_t i = 0; i < n; ++i) removeNode(unrendered[i]); 439188 1 lforschler 2011-07-19 09:01:37 -0700 <rdar://problem/9800184> 439202 2 inferno 2011-07-19 09:27:23 -0700 Working on the fix. 439210 3 101335 inferno 2011-07-19 09:36:37 -0700 Created attachment 101335 Patch 439236 4 101335 darin 2011-07-19 10:29:39 -0700 Comment on attachment 101335 Patch Looks like the right fix to me. 439243 5 101335 webkit.review.bot 2011-07-19 10:39:18 -0700 Comment on attachment 101335 Patch Clearing flags on attachment: 101335 Committed r91270: <http://trac.webkit.org/changeset/91270> 439244 6 webkit.review.bot 2011-07-19 10:39:22 -0700 All reviewed patches have been landed. Closing bug. 439924 7 lforschler 2011-07-20 12:24:58 -0700 <rdar://problem/9809494> 441004 8 ademar 2011-07-22 10:46:31 -0700 Revision r91270 cherry-picked into qtwebkit-2.2 with commit 4e1a62f <http://gitorious.org/webkit/qtwebkit/commit/4e1a62f> 101335 2011-07-19 09:36:37 -0700 2011-07-19 10:39:17 -0700 Patch bug-64801-20110719093636.patch text/plain 3409 inferno SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDkxMjYyKQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTEtMDctMTkgIEFiaGlzaGVr IEFyeWEgIDxpbmZlcm5vQGNocm9taXVtLm9yZz4KKworICAgICAgICBDcmFzaCB3aGVuIHJlbW92 aW5nIHVucmVuZGVyZXJlZCBub2RlcyBpbiByZXBsYWNlbWVudCBmcmFnbWVudC4KKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY0ODAxCisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDogZWRpdGluZy9wYXN0 ZWJvYXJkL3JlcGxhY2VtZW50LWZyYWdtZW50LXJlbW92ZS11bnJlbmRlcmVkLW5vZGUtY3Jhc2gu aHRtbAorCisgICAgICAgICogZWRpdGluZy9SZXBsYWNlU2VsZWN0aW9uQ29tbWFuZC5jcHA6Cisg ICAgICAgIChXZWJDb3JlOjpSZXBsYWNlbWVudEZyYWdtZW50OjpyZW1vdmVVbnJlbmRlcmVkTm9k ZXMpOgorCiAyMDExLTA3LTE5ICBTdGV2ZSBCbG9jayAgPHN0ZXZlYmxvY2tAZ29vZ2xlLmNvbT4K IAogICAgICAgICBSRUdSRVNTSU9OIChyODIxOTQpOiBqdmFsdWVUb0phdmFWYWx1ZSgpIGRvZXMg bm90IGNvcnJlY3RseSBzZXQgbGVuZ3RoIG9mIFN0cmluZyBwcm9wZXJ0eQpJbmRleDogU291cmNl L1dlYkNvcmUvZWRpdGluZy9SZXBsYWNlU2VsZWN0aW9uQ29tbWFuZC5jcHAKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL1dlYkNvcmUvZWRpdGluZy9SZXBsYWNlU2VsZWN0aW9uQ29tbWFuZC5jcHAJKHJl dmlzaW9uIDkxMjM5KQorKysgU291cmNlL1dlYkNvcmUvZWRpdGluZy9SZXBsYWNlU2VsZWN0aW9u Q29tbWFuZC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTI5Miw3ICsyOTIsNyBAQCB2b2lkIFJlcGxh Y2VtZW50RnJhZ21lbnQ6OnJlc3RvcmVUZXN0UmVuCiAKIHZvaWQgUmVwbGFjZW1lbnRGcmFnbWVu dDo6cmVtb3ZlVW5yZW5kZXJlZE5vZGVzKE5vZGUqIGhvbGRlcikKIHsKLSAgICBWZWN0b3I8Tm9k ZSo+IHVucmVuZGVyZWQ7CisgICAgVmVjdG9yPFJlZlB0cjxOb2RlPiA+IHVucmVuZGVyZWQ7CiAK ICAgICBmb3IgKE5vZGUqIG5vZGUgPSBob2xkZXItPmZpcnN0Q2hpbGQoKTsgbm9kZTsgbm9kZSA9 IG5vZGUtPnRyYXZlcnNlTmV4dE5vZGUoaG9sZGVyKSkKICAgICAgICAgaWYgKCFpc05vZGVSZW5k ZXJlZChub2RlKSAmJiAhaXNUYWJsZVN0cnVjdHVyZU5vZGUobm9kZSkpCkluZGV4OiBMYXlvdXRU ZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCShyZXZp c2lvbiA5MTI2MikKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAt MSwzICsxLDE0IEBACisyMDExLTA3LTE5ICBBYmhpc2hlayBBcnlhICA8aW5mZXJub0BjaHJvbWl1 bS5vcmc+CisKKyAgICAgICAgVGVzdHMgdGhhdCB3ZSBkbyBub3QgY3Jhc2ggd2hlbiByZW1vdmlu ZyB1bnJlbmRlcmluZyBub2RlcworICAgICAgICBpbiBhIHJlcGxhY2VtZW50IGZyYWdtZW50Lgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjQ4MDEKKwor ICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGVkaXRpbmcv cGFzdGVib2FyZC9yZXBsYWNlbWVudC1mcmFnbWVudC1yZW1vdmUtdW5yZW5kZXJlZC1ub2RlLWNy YXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZWRpdGluZy9wYXN0ZWJvYXJkL3Jl cGxhY2VtZW50LWZyYWdtZW50LXJlbW92ZS11bnJlbmRlcmVkLW5vZGUtY3Jhc2guaHRtbDogQWRk ZWQuCisKIDIwMTEtMDctMTkgIEplcmVteSBNb3Nrb3ZpY2ggIDxqZXJlbXlAY2hyb21pdW0ub3Jn PgogCiAgICAgICAgIFtjaHJvbWl1bV0gcmViYXNlbGluZSBDaHJvbWl1bSByZXN1bHRzIGFmdGVy IHI5MTI0OSAuCkluZGV4OiBMYXlvdXRUZXN0cy9lZGl0aW5nL3Bhc3RlYm9hcmQvcmVwbGFjZW1l bnQtZnJhZ21lbnQtcmVtb3ZlLXVucmVuZGVyZWQtbm9kZS1jcmFzaC1leHBlY3RlZC50eHQKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZWRpdGluZy9wYXN0ZWJvYXJkL3JlcGxhY2VtZW50LWZy YWdtZW50LXJlbW92ZS11bnJlbmRlcmVkLW5vZGUtY3Jhc2gtZXhwZWN0ZWQudHh0CShyZXZpc2lv biAwKQorKysgTGF5b3V0VGVzdHMvZWRpdGluZy9wYXN0ZWJvYXJkL3JlcGxhY2VtZW50LWZyYWdt ZW50LXJlbW92ZS11bnJlbmRlcmVkLW5vZGUtY3Jhc2gtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAw KQpAQCAtMCwwICsxIEBACitUZXN0IHBhc3NlcyBpZiBpdCBkb2VzIG5vdCBjcmFzaC4gCkluZGV4 OiBMYXlvdXRUZXN0cy9lZGl0aW5nL3Bhc3RlYm9hcmQvcmVwbGFjZW1lbnQtZnJhZ21lbnQtcmVt b3ZlLXVucmVuZGVyZWQtbm9kZS1jcmFzaC5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3Rz L2VkaXRpbmcvcGFzdGVib2FyZC9yZXBsYWNlbWVudC1mcmFnbWVudC1yZW1vdmUtdW5yZW5kZXJl ZC1ub2RlLWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9lZGl0aW5nL3Bh c3RlYm9hcmQvcmVwbGFjZW1lbnQtZnJhZ21lbnQtcmVtb3ZlLXVucmVuZGVyZWQtbm9kZS1jcmFz aC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDE2IEBACis8IURPQ1RZUEUgaHRtbD4NCis8 aHRtbD4NCitUZXN0IHBhc3NlcyBpZiBpdCBkb2VzIG5vdCBjcmFzaC4NCis8aW5wdXQgaWQ9InRl c3QiIGNvbnRlbnRlZGl0YWJsZT0idHJ1ZSI+DQorPHNjcmlwdCBzcmM9Ii4uL2VkaXRpbmcuanMi Pjwvc2NyaXB0Pg0KKzxzY3JpcHQ+DQoraWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikN CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOw0KKw0KK3ZhciBlID0gZG9j dW1lbnQuZ2V0RWxlbWVudEJ5SWQoInRlc3QiKTsNCit2YXIgcyA9IHdpbmRvdy5nZXRTZWxlY3Rp b24oKTsNCisNCitzLnNldFBvc2l0aW9uKGUsIDEwNTAwMDAwMDAwKTsNCitpbnNlcnRIVE1MQ29t bWFuZCgiPG5vc2NyaXB0PmJheiIpOw0KKzwvc2NyaXB0Pg0KKzwvaHRtbD4NCg==