[Webkit-unassigned] [Bug 80333] Crash in RenderLayer::scrollTo

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 8 15:10:01 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=80333
--- Comment #9 from Mario Gomes <netfuzzer at gmail.com>  2012-03-08 15:10:00 PST ---
No. It's not about this null ptr. 

I'm getting this crash on Windows (with another PoC):
==================
(1558.1584): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000100 ecx=7f31fef4 edx=000e003c esi=7f31fea8 edi=7ff20ba0
eip=00000000 esp=001ff10c ebp=001ff114 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000000 ??              ???
0:000> .exr -1
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
0:000> .lastevent
Last event: 1558.1584: Access violation - code c0000005 (!!! second chance !!!)
  debugger time: Thu Mar  8 20:04:46.678 2012 (UTC - 3:00)
0:000> !load winext/msec.dll
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation Near Null at the Instruction Pointer starting at Unknown Symbol @ 0x0000000000000000 called from WebKit!WebCore::isReachableFromDOM+0x0000000000000073 (Hash=0x5a757b12.0x0405104b)

Access violations at the instruction pointer are probably exploitable if near NULL.
==================OR=====================
(d90.ab4): Access violation - code c0000005 (!!! second chance !!!)
eax=7fe94e70 ebx=00100000 ecx=7fe94e70 edx=000e003c esi=7faf2a80 edi=7ff11ba0
eip=584450fb esp=001dedb0 ebp=001dedb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
WebKit!WebCore::isReachableFromDOM+0x6b:
584450fb 8b421c          mov     eax,dword ptr [edx+1Ch] ds:0023:000e0058=????????
0:000> .exr -1
ExceptionAddress: 584450fb (WebKit!WebCore::isReachableFromDOM+0x0000006b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 000e0058
Attempt to read from address 000e0058
0:000> .lastevent
Last event: d90.ab4: Access violation - code c0000005 (!!! second chance !!!)
  debugger time: Thu Mar  8 20:07:06.596 2012 (UTC - 3:00)
0:000> u
WebKit!WebCore::isReachableFromDOM+0x6b [c:\cygwin\home\buildbot\slave\win-release\build\source\webcore\bindings\js\jsnodecustom.cpp @ 119]:
584450fb 8b421c          mov     eax,dword ptr [edx+1Ch]
584450fe 8d4e4c          lea     ecx,[esi+4Ch]
58445101 ffd0            call    eax
58445103 84c0            test    al,al
58445105 7506            jne     WebKit!WebCore::isReachableFromDOM+0x7d (5844510d)
58445107 b001            mov     al,1
58445109 8be5            mov     esp,ebp
5844510b 5d              pop     ebp
=====================

An exploitable use-after-free. My doubt is: could this vulnerability affect Apple Safari in the future?

(In reply to comment #8)
> If the problem is still reproducible in a nightly, it means that it's not fixed yet, and we should track it in an open bug.

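A small triage helper for the two WinDbg excerpts above, added here as an example and not part of the bug report: it parses the register line, the `.exr` fields and the `u` disassembly, and separates a crash at a near-null `eip` (control transfer through a null function pointer) from a fault on the memory load that feeds the following `call`. The constructed sample text, the regexes and the 64 KiB near-null threshold are assumptions.

```python
import re

# Constructed excerpts in the shape of the two WinDbg sessions quoted above.
CRASH_NULL_EIP = """\
eip=00000000 esp=001ff10c ebp=001ff114 iopl=0
ExceptionAddress: 00000000
Attempt to read from address 00000000
"""
CRASH_VTABLE_LOAD = """\
eip=584450fb esp=001dedb0 ebp=001dedb4 iopl=0
ExceptionAddress: 584450fb (WebKit!WebCore::isReachableFromDOM+0x0000006b)
Attempt to read from address 000e0058
584450fb 8b421c          mov     eax,dword ptr [edx+1Ch]
58445101 ffd0            call    eax
"""
NEAR_NULL = 0x10000  # assumption: lowest 64 KiB treated as the unmapped null region

def parse_windbg(text):
    """Pull eip, exception address, faulting data address and disassembly out of a dump."""
    eip = re.search(r"^eip=([0-9a-f]{8})", text, re.M)
    exc = re.search(r"ExceptionAddress:\s*([0-9a-f]{8})", text)
    fault = re.search(r"Attempt to (read from|write to) address ([0-9a-f]{8})", text)
    disasm = re.findall(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(\S.*)$", text, re.M)
    return {
        "eip": int(eip.group(1), 16) if eip else None,
        "exception_address": int(exc.group(1), 16) if exc else None,
        "access": fault.group(1) if fault else None,
        "fault_address": int(fault.group(2), 16) if fault else None,
        "disasm": [(int(a, 16), m, o) for a, m, o in disasm],
    }

def triage(info):
    """Classify the crash before trusting the !exploitable one-liner."""
    eip = info["eip"]
    if eip is not None and eip < NEAR_NULL:
        # Execution reached a near-null address: a control transfer through a
        # null or unmapped function pointer, e.g. an unset vtable slot.
        return "control-flow-through-null-pointer"
    at_eip = [(m, o) for a, m, o in info["disasm"] if a == eip]
    if at_eip:
        mnem, ops = at_eip[0]
        dest = ops.split(",")[0].strip()
        # A load whose destination register is then used by an indirect call:
        # the faulting read is a function-pointer fetch from a bad object.
        feeds_call = any(m == "call" and o.strip() == dest for _, m, o in info["disasm"])
        if mnem == "mov" and "ptr [" in ops and feeds_call:
            return "function-pointer-fetch-from-invalid-object"
    if info["access"] == "read from":
        return "plain-read-access-violation"
    return "unknown"
```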