[Webkit-unassigned] [Bug 80333] Crash in RenderLayer::scrollTo
bugzilla-daemon at webkit.org
Thu Mar 8 15:10:01 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=80333
--- Comment #9 from Mario Gomes <netfuzzer at gmail.com> 2012-03-08 15:10:00 PST ---
No. It's not about this null ptr.
I'm getting this crash on Windows (with another PoC):
==================
(1558.1584): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000100 ecx=7f31fef4 edx=000e003c esi=7f31fea8 edi=7ff20ba0
eip=00000000 esp=001ff10c ebp=001ff114 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00000000 ?? ???
0:000> .exr -1
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
0:000> .lastevent
Last event: 1558.1584: Access violation - code c0000005 (!!! second chance !!!)
debugger time: Thu Mar 8 20:04:46.678 2012 (UTC - 3:00)
0:000> !load winext/msec.dll
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation Near Null at the Instruction Pointer starting at Unknown Symbol @ 0x0000000000000000 called from WebKit!WebCore::isReachableFromDOM+0x0000000000000073 (Hash=0x5a757b12.0x0405104b)
Access violations at the instruction pointer are probably exploitable if near NULL.
==================OR=====================
(d90.ab4): Access violation - code c0000005 (!!! second chance !!!)
eax=7fe94e70 ebx=00100000 ecx=7fe94e70 edx=000e003c esi=7faf2a80 edi=7ff11ba0
eip=584450fb esp=001dedb0 ebp=001dedb4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
WebKit!WebCore::isReachableFromDOM+0x6b:
584450fb 8b421c mov eax,dword ptr [edx+1Ch] ds:0023:000e0058=????????
0:000> .exr -1
ExceptionAddress: 584450fb (WebKit!WebCore::isReachableFromDOM+0x0000006b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 000e0058
Attempt to read from address 000e0058
0:000> .lastevent
Last event: d90.ab4: Access violation - code c0000005 (!!! second chance !!!)
debugger time: Thu Mar 8 20:07:06.596 2012 (UTC - 3:00)
0:000> u
WebKit!WebCore::isReachableFromDOM+0x6b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\bindings\js\jsnodecustom.cpp @ 119]:
584450fb 8b421c mov eax,dword ptr [edx+1Ch]
584450fe 8d4e4c lea ecx,[esi+4Ch]
58445101 ffd0 call eax
58445103 84c0 test al,al
58445105 7506 jne WebKit!WebCore::isReachableFromDOM+0x7d (5844510d)
58445107 b001 mov al,1
58445109 8be5 mov esp,ebp
5844510b 5d pop ebp
=====================
An exploitable use-after-free. My doubt is, could this vulnerability affect Apple Safari in the future?
(In reply to comment #8)
> If the problem is still reproducible in a nightly, it means that it's not fixed yet, and we should track it in an open bug.