Title: [127117] trunk
Revision: 127117
Author: [email protected]
Date: 2012-08-30 02:33:08 -0700 (Thu, 30 Aug 2012)

Log Message

Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter
https://bugs.webkit.org/show_bug.cgi?id=94440

Reviewed by Adam Barth.

The problem appears due to an onerror callback which resets the onclick attribute.
As a part of changing the onclick attribute value, the previous event listener
gets dereffed, which leads to its destruction and hence a use-after-free.
Refing it in ::getListenerObject helps to prevent this unfortunate scenario.

Source/WebCore:

Test: fast/events/set-attribute-listener-window-onerror-crash.html

* bindings/v8/V8AbstractEventListener.h:
(WebCore::V8AbstractEventListener::getListenerObject):

LayoutTests:

* fast/events/set-attribute-listener-window-onerror-crash-expected.txt: Added.
* fast/events/set-attribute-listener-window-onerror-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (127116 => 127117)


--- trunk/LayoutTests/ChangeLog	2012-08-30 09:06:43 UTC (rev 127116)
+++ trunk/LayoutTests/ChangeLog	2012-08-30 09:33:08 UTC (rev 127117)
@@ -1,3 +1,18 @@
+2012-08-30  Anton Muhin  <[email protected]>
+
+        Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter
+        https://bugs.webkit.org/show_bug.cgi?id=94440
+
+        Reviewed by Adam Barth.
+
+        The problem appears due to onerror callback which resets onclick attribute.
+        As a part of changing onclick attribute value, previous event listener
+        gets deref which led to its destruction and hence use-after-free.
+        Refing it in ::getListenerObject helps to prevent this unfortunate scenario.
+
+        * fast/events/set-attribute-listener-window-onerror-crash-expected.txt: Added.
+        * fast/events/set-attribute-listener-window-onerror-crash.html: Added.
+
 2012-08-30  Mikhail Pozdnyakov  <[email protected]>
 
         [EFL] Gardening after r127135, r127039
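Review bot: The rationale paragraph in this ChangeLog entry has a grammar slip that makes the failure mode harder to follow for whoever reads the log later: "previous event listener gets deref which led to its destruction" should read "the previous event listener gets dereffed, which destroys it while it is still in use". It would also help to name the dangling access explicitly (the getter continues to use `this` after `prepareListenerObject` returns), since that is the whole reason for the fix.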

Added: trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt (0 => 127117)


--- trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt	2012-08-30 09:33:08 UTC (rev 127117)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 16: Uncaught SyntaxError: Unexpected token ;
+Test passes if it does not crash.
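Review bot: The baseline pins both the source line number ("line 16") and V8's exact message text ("Uncaught SyntaxError: Unexpected token ;"), so any edit that shifts a line in the test HTML or any change to V8's parser error wording will turn this into a spurious failure rather than a crash regression. Since the test's only purpose is "does not crash", consider whether the console line needs to be in the expectation at all, or at least add a comment in the test noting that the line number in the expected output must be kept in sync.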

Added: trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html (0 => 127117)


--- trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html	2012-08-30 09:33:08 UTC (rev 127117)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash.
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function errorHandler() {
+    document.body.setAttribute("onclick", "var x=;");
+}
+
+window._onerror_ = errorHandler;
+document.body.setAttribute("onclick", "var x=;");
+document.body.onclick;
+</script>
+</html>
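Review bot: `window._onerror_ = errorHandler;` does not install a window error handler; as written the property `_onerror_` is never consulted, so the handler that re-sets `onclick` from inside the error path, which is the scenario the ChangeLog describes, would never run and the test would not exercise the fix. Please confirm the intended line is `window.onerror = errorHandler;`. Two smaller points: the file closes `</html>` without a matching `</body>`, and it would help to add a one-line comment explaining that `document.body.onclick;` is what forces lazy compilation of the broken attribute listener and therefore triggers the onerror path.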

Modified: trunk/Source/WebCore/ChangeLog (127116 => 127117)


--- trunk/Source/WebCore/ChangeLog	2012-08-30 09:06:43 UTC (rev 127116)
+++ trunk/Source/WebCore/ChangeLog	2012-08-30 09:33:08 UTC (rev 127117)
@@ -1,3 +1,20 @@
+2012-08-30  Anton Muhin  <[email protected]>
+
+        Heap-use-after-free in WebCore::ElementV8Internal::onclickAttrGetter
+        https://bugs.webkit.org/show_bug.cgi?id=94440
+
+        Reviewed by Adam Barth.
+
+        The problem appears due to onerror callback which resets onclick attribute.
+        As a part of changing onclick attribute value, previous event listener
+        gets deref which led to its destruction and hence use-after-free.
+        Refing it in ::getListenerObject helps to prevent this unfortunate scenario.
+
+        Test: fast/events/set-attribute-listener-window-onerror-crash.html
+
+        * bindings/v8/V8AbstractEventListener.h:
+        (WebCore::V8AbstractEventListener::getListenerObject):
+
 2012-08-30  Vsevolod Vlasov  <[email protected]>
 
         Web Inspector: [Sources] Invisible right sidebar issue

Modified: trunk/Source/WebCore/bindings/v8/V8AbstractEventListener.h (127116 => 127117)


--- trunk/Source/WebCore/bindings/v8/V8AbstractEventListener.h	2012-08-30 09:06:43 UTC (rev 127116)
+++ trunk/Source/WebCore/bindings/v8/V8AbstractEventListener.h	2012-08-30 09:33:08 UTC (rev 127117)
@@ -77,6 +77,11 @@
         // Returns the listener object, either a function or an object.
         v8::Local<v8::Object> getListenerObject(ScriptExecutionContext* context)
         {
+            // prepareListenerObject can potentially deref this event listener
+            // as it may attempt to compile a function (lazy event listener), get an error
+            // and invoke onerror callback which can execute arbitrary JS code.
+            // Protect this event listener to keep it alive.
+            RefPtr<V8AbstractEventListener> guard(this);
             prepareListenerObject(context);
             return v8::Local<v8::Object>::New(m_listener.get());
         }
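Review bot: The guard only protects this one call site; if `prepareListenerObject(context)` is reachable from any other caller, the same re-entrancy hazard (compile error, onerror handler runs arbitrary JS, listener is replaced and dereffed) exists there too, so consider placing the `RefPtr<V8AbstractEventListener>` guard inside `prepareListenerObject` itself, or at minimum documenting at its declaration that callers must keep `this` alive across the call. The comment's phrasing "deref this event listener" would also be clearer as "drop the last reference to this listener and destroy it", since a single deref is harmless; it is the destruction that causes the use-after-free. One more check worth noting in review: `m_listener.get()` is evaluated before `guard` goes out of scope, so the return expression is safe, but a later refactor that moves the return value into a temporary after the guard's scope would silently reintroduce the bug.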