CSS Animations NULL pointers

Fixed, not yet flighted Issue #7492534

Details

Created
May 9, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
11
Reports
Reported by 1 person


Steps to reproduce

Repro:

<style>body{animation-name:a}@keyframes a{0%{font:menu

I have multiple slightly different repros that lead to crashes with slightly different stacks, but all these appear to have the same root cause, so I won’t upload them all.

At first glance this may appear to be a security issue, as the code reads from an apparently arbitrary address. However, it turns out the code attempts to use a NULL pointer in a function call that is protected by Control Flow Guard (CFG) mitigations. The CFG check attempts to look up the function address in a table (the CFG bitmap), but since there is no memory allocated at address 0, no memory is allocated for the part of the table that covers address 0 either, and the read of that table entry causes the access violation. The memory at this address is reserved, however, so CFG cannot be bypassed by attempting to allocate attacker-controlled memory there.
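To make the reasoning in the paragraph above concrete, here is an added C example (not code from the report, from Microsoft, or from Edge) that models the CFG indirect-call check over a sparse bitmap. The layout constants are assumptions taken from public descriptions of the x64 check (one bit per 8 bytes of address space, the 64-bit bitmap word selected by `target >> 9` and the bit by `(target >> 3) & 63`; the second "unaligned target" bit is omitted), the bitmap is modelled as a reserved region in which only the pages covering mapped code are committed, and the target address 0x100000 is a constructed sample. The point it shows is that checking a NULL target does not return "invalid"; the check faults while reading the bitmap entry for address 0, which is exactly the crash the report describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (simplified) x64 CFG bitmap geometry: 1 bit per 8 bytes of address
 * space, so the bitmap byte offset for a target is target >> 6 and one 4 KiB
 * bitmap page covers 4096 * 8 * 8 = 256 KiB (2^18 bytes) of address space.
 * This is a model for illustration, not Windows's implementation. */
#define PAGE_SIZE    4096u
#define BITMAP_PAGES 8u                   /* model only covers an 2 MiB address window */
#define ADDR_BITS_PER_BITMAP_PAGE 18u     /* log2(256 KiB) */

enum cfg_result { CFG_VALID, CFG_INVALID, CFG_FAULT };

/* The bitmap region: the whole range is reserved, but a page is only
 * "committed" once the loader maps code whose addresses it covers. */
static uint64_t bitmap[BITMAP_PAGES * PAGE_SIZE / sizeof(uint64_t)];
static bool     committed[BITMAP_PAGES];

/* Forget all targets and decommit every bitmap page (fresh process state). */
static void cfg_reset(void) {
    memset(bitmap, 0, sizeof bitmap);
    memset(committed, 0, sizeof committed);
}

/* Register a legitimate indirect-call target: commit the bitmap page that
 * covers it (as the loader does when it maps an image) and set its bit.
 * Returns false if the target lies outside the modelled address window. */
static bool cfg_mark_valid_target(uint64_t target) {
    uint64_t page = target >> ADDR_BITS_PER_BITMAP_PAGE;
    if (page >= BITMAP_PAGES)
        return false;
    committed[page] = true;
    uint64_t word = target >> 9;          /* index of the 64-bit bitmap word */
    unsigned bit  = (unsigned)((target >> 3) & 63u); /* bit within that word */
    bitmap[word] |= (1ull << bit);
    return true;
}

/* The guard check performed before an indirect call. A target whose bitmap
 * word sits on an uncommitted page cannot be looked up at all: reading it is
 * an access violation, which is what CFG_FAULT stands for here. */
static enum cfg_result cfg_check_icall(uint64_t target) {
    uint64_t page = target >> ADDR_BITS_PER_BITMAP_PAGE;
    if (page >= BITMAP_PAGES || !committed[page])
        return CFG_FAULT;                 /* AV while reading the bitmap entry */
    uint64_t word = bitmap[target >> 9];
    unsigned bit  = (unsigned)((target >> 3) & 63u);
    return ((word >> bit) & 1u) ? CFG_VALID : CFG_INVALID;
}

static const char *cfg_result_name(enum cfg_result r) {
    switch (r) {
    case CFG_VALID:   return "valid target, call proceeds";
    case CFG_INVALID: return "not a valid target, CFG terminates the process";
    default:          return "access violation reading the CFG bitmap";
    }
}

int main(void) {
    /* Constructed scenario: one real function at 0x100000 in a mapped module. */
    const uint64_t real_function = 0x100000ull;
    cfg_reset();
    cfg_mark_valid_target(real_function);

    const uint64_t probes[] = { real_function, real_function + 0x10, 0 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("call through 0x%06llx: %s\n",
               (unsigned long long)probes[i],
               cfg_result_name(cfg_check_icall(probes[i])));
    }
    /* The NULL case faults on the bitmap read, before any "valid/invalid"
     * decision is reached; the attacker cannot make address 0's bitmap page
     * appear because the region is reserved by the system. */
    return 0;
}
```

Note that the read that faults is at `bitmap + (0 >> 6)`, i.e. at the bitmap base itself, which is why the crashing instruction appears to dereference an arbitrary-looking address rather than 0.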

Attachments

1 attachment

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Ibrahim O.”

    Changed Assigned To to “Travis L.”

    Changed Assigned To from “Travis L.” to “Joseph S.”

    Changed Status to “Confirmed”

    Changed Status from “Confirmed”

    Changed Assigned To to “Bogdan B.”

    Changed Assigned To to “Rick J.”

    Changed Status to “Confirmed”

    Changed Assigned To from “Rick J.” to “Olga G.”

    Changed Status from “Confirmed” to “In code review”

    Changed Status from “In code review” to “In progress”

    Changed Status from “In progress” to “Fixed, not yet flighted”

  • We are showing this as fixed with builds higher than 14374.14374.  Thank you for your feedback.

    All the best,
    The MS Edge Team
