[Webkit-unassigned] [Bug 41601] New: Security: WebKit: Editing: multiple different NULL ptr crashes from the same repro
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jul 5 03:39:21 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=41601
Summary: Security: WebKit: Editing: multiple different NULL ptr
crashes from the same repro
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://code.google.com/p/chromium/issues/detail?id=483
28
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML Editing
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
It appears that repros found using a fuzzer can trigger various crashes, my FuzzFramework found these two:
- WebCore::Node::hasTagName ReadAV at NULL (43ed3b87b6b20d63d6ffb8101c4a723f)
- WebCore::CompositeEditCommand::insertNodeAfter ReadAV at NULL (13e3a47574b811a7fa0c431eb5becc53)
The FuzzFramework also reported that the NULL pointer crash happened only 4 out of the 12 times it tried with the exact same repro file, which indicates the crash is not deterministic and thus may be a reentrancy/security issue.
When I manually try to reproduce I get only this one:
- WebCore::canHaveChildrenForEditing ReadAV at NULL (8a73a14a041b70b60a58e6bba9e1a7de)
Because a non-security NULL ptr would consistently crash with the same stack trace, I am worried that this is potentially more than a plain NULL ptr. Also, when I try to turn the repro files produced by FuzzFramework into one .html that reproduces the issue, it fails to trigger it and I can't figure out why.
The repro follows a pattern I have seen before ( issue 29341 and various others). We have had a lot of this type of NULL ptr crashes before, but never anything exploitable AFAIK, so this may not be a vulnerability either.
You can reproduce this issue by putting the following files in one folder, then run the Python script repro_server.py with one of the .repro.pickle.zip files as an argument. It will act as a small web server that serves the repro at http://localhost:28876 Point Chrome there and it will run the repro and crash.
http://chromium.googlecode.com/issues/attachment?aid=1972620968279643699&name=repro_server.py&token=6f05ae61b589413f8d876b6cf1fef038
http://chromium.googlecode.com/issues/attachment?aid=-5020044298225048251&name=WebCore..CompositeEditCommand..insertNodeAfter+ReadAV%40NULL+%2813e3a47574b811a7fa0c431eb5becc53%29.repro.pickle.zip&token=e0f25bb2f3dadb206ceb98b29dc51ffe
http://chromium.googlecode.com/issues/attachment?aid=4437006288659367084&name=WebCore..Node..hasTagName+ReadAV%40NULL+%2843ed3b87b6b20d63d6ffb8101c4a723f%29.repro.pickle.zip&token=39c35e61fecd479cf858e2247ecfea67
Also, you can unzip the .repro.pickle.zip files to get Python pickles that contain the repro steps; each of which is a http response served by repro_server.py in order. You can open them in a text editor to get an idea of what is being served.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list