Bug 208309

Summary: Crash in CSSValue::isPrimitiveValue
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, commit-queue, eugenebut, ews-feeder, pgyanchandani, product-security, rniwa, rohitrao, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Ali Juma
Reported 2020-02-27 07:34:25 PST
Created attachment 391864 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:

=================================================================
==37021==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00047109ce22 bp 0x7ffeef071510 sp 0x7ffeef071510 T0)
==37021==The signal is caused by a READ memory access.
==37021==Hint: address points to the zero page.
==37021==WARNING: invalid path to external symbolizer!
==37021==WARNING: Failed to use and restart external symbolizer!
    #0 0x47109ce21 in WebCore::CSSValue::isPrimitiveValue() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x196e21)
    #1 0x47108032d in WTF::match_constness<WebCore::CSSValue, WebCore::CSSPrimitiveValue>::type& WTF::downcast<WebCore::CSSPrimitiveValue, WebCore::CSSValue>(WebCore::CSSValue&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17a32d)
    #2 0x47412a086 in WebCore::ApplyStyleCommand::computedFontSize(WebCore::Node*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3224086)
    #3 0x474126a8b in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange(WebCore::EditingStyle*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3220a8b)
    #4 0x474125246 in WebCore::ApplyStyleCommand::doApply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x321f246)
    #5 0x47411c476 in WebCore::CompositeEditCommand::apply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3216476)
    #6 0x47418658c in WebCore::Editor::applyStyle(WTF::RefPtr<WebCore::EditingStyle, WTF::DumbPtrTraits<WebCore::EditingStyle> >&&, WebCore::EditAction, WebCore::Editor::ColorFilterMode) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x328058c)
    #7 0x4741ce885 in WebCore::applyCommandToFrame(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WTF::Ref<WebCore::EditingStyle, WTF::DumbPtrTraits<WebCore::EditingStyle> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c8885)
    #8 0x4741ce72b in WebCore::executeApplyStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c872b)
    #9 0x473e59c91 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f53c91)
    #10 0x471913800 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa0d800)
    #11 0x4717d0625 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8ca625)
    #12 0x2a06fda01177 (<unknown module>)
    #13 0x48ba6745b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b)
    #14 0x48ba503d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8)
    #15 0x48d07440d in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209940d)
    #16 0x48d7263fb in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x274b3fb)
    #17 0x48d7266cc in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x274b6cc)
    #18 0x47386dcd3 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2967cd3)
    #19 0x47386d4fb in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29674fb)
    #20 0x47386d10c in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296710c)
    #21 0x474049481 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3143481)
    #22 0x474046490 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3140490)
    #23 0x4746f528e in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ef28e)
    #24 0x4746f4f64 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::DumbPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37eef64)
    #25 0x4746d535c in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cf35c)
    #26 0x4746d59f4 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cf9f4)
    #27 0x4746d49dd in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ce9dd)
    #28 0x4746d6859 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0859)
    #29 0x473e1985a in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f1385a)
    #30 0x474ac48b4 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbe8b4)
    #31 0x474ac31a8 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbd1a8)
    #32 0x474ac2dee in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbcdee)
    #33 0x474c50927 in WebCore::CachedResource::checkNotify() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a927)
    #34 0x474c4cac8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d46ac8)
    #35 0x474bd0cde in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccacde)
    #36 0x1022e7ca6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1754ca6)
    #37 0x1029e9547 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56547)
    #38 0x1029e8649 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e55649)
    #39 0x1022a4334 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1711334)
    #40 0x100c1898a in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8598a)
    #41 0x100c1967a in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8667a)
    #42 0x100c1a2b8 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x872b8)
    #43 0x48b098679 in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbd679)
    #44 0x48b09925a in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbe25a)
    #45 0x7fff338f631a in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x5731a)
    #46 0x7fff338f62c0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x572c0)
    #47 0x7fff338da1ba in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b1ba)
    #48 0x7fff338d9782 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a782)
    #49 0x7fff338d9084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #50 0x7fff35b4da9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #51 0x7fff35b4d973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #52 0x7fff5ffc51d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #53 0x7fff5ffc4cd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #54 0x101497465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #55 0x7fff5fd923d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)

==37021==Register values:
rax = 0x0000000000000000
rbx = 0x0000000000000000
rcx = 0x0000100000000001
rdx = 0x0000000000000009
rdi = 0x0000000000000008
rsi = 0x00007ffeef071580
rbp = 0x00007ffeef071510
rsp = 0x00007ffeef071510
r8 = 0x0000100000000000
r9 = 0x0000000000000000
r10 = 0xffffffffffffffff
r11 = 0x00000fffffffffff
r12 = 0x00007ffeef071560
r13 = 0x00007ffeef071580
r14 = 0x00007ffeef071540
r15 = 0x00001fffdde0e2a8
Attachments
Minimal test case (431 bytes, text/html)
2020-02-27 07:34 PST, Ali Juma
no flags
Patch (3.50 KB, patch)
2020-03-16 10:54 PDT, Pinki Gyanchandani
no flags
Patch (3.50 KB, patch)
2020-03-16 13:14 PDT, Pinki Gyanchandani
no flags
Radar WebKit Bug Importer
Comment 1 2020-02-27 07:34:37 PST
Eugene But
Comment 2 2020-03-13 10:49:12 PDT
Ali helped to debug this issue. The crash happens inside ApplyStyleCommand::computedFontSize, because the |value| variable is null:

float ApplyStyleCommand::computedFontSize(Node* node)
{
    if (!node)
        return 0;

    auto value = ComputedStyleExtractor(node).propertyValue(CSSPropertyFontSize);
    return downcast<CSSPrimitiveValue>(*value).floatValue(CSSPrimitiveValue::CSS_PX);
}

|node| is WebCoreText with whitespace value (" "), but the browser also crashes with non-whitespace text. |node| has a parent (HTMLTextAreaElement), and that parent has a shadow root, but the shadow root does not have an assigned slot:

inline ComposedTreeAncestorIterator& ComposedTreeAncestorIterator::traverseParent()
{
    auto* parent = m_current->parentNode();
    ...
    if (auto* shadowRoot = parent->shadowRoot()) {
        m_current = shadowRoot->findAssignedSlot(*m_current);
        return *this;
    }

The fact that HTMLTextAreaElement has a shadow root seems correct:

Ref<HTMLTextAreaElement> HTMLTextAreaElement::create(const QualifiedName& tagName, Document& document, HTMLFormElement* form)
{
    auto textArea = adoptRef(*new HTMLTextAreaElement(tagName, document, form));
    textArea->ensureUserAgentShadowRoot();

Does it mean that the root cause of this crash is the absence of an assigned slot for |node|?
Ryosuke Niwa
Comment 3 2020-03-14 23:42:59 PDT
(In reply to Eugene But from comment #2)
> |node| is WebCoreText with whitespace value (" "), but the browser also
> crashes with non-whitespace text. |node| has a parent (HTMLTextAreaElement),
> and that parent has shadow root, but shadow root does not have an assigned
> slot:
>
> inline ComposedTreeAncestorIterator&
> ComposedTreeAncestorIterator::traverseParent()
> {
>     auto* parent = m_current->parentNode();
>     ...
>     if (auto* shadowRoot = parent->shadowRoot()) {
>         m_current = shadowRoot->findAssignedSlot(*m_current);
>         return *this;
>     }
>
> The fact that HTMLTextAreaElement has shadow root seems correct:

Yes, that's expected.

> Ref<HTMLTextAreaElement> HTMLTextAreaElement::create(const QualifiedName&
> tagName, Document& document, HTMLFormElement* form)
> {
>     auto textArea = adoptRef(*new HTMLTextAreaElement(tagName, document,
> form));
>     textArea->ensureUserAgentShadowRoot();
>
> Does it mean that root cause of this crash is the absence of assigned slot
> for |node|?

No, that on its own is not an issue. In fact, some shadow trees would never have a slot. The bug here is that we're missing a nullptr check of value in ApplyStyleCommand::computedFontSize. Pinki (cc'ed) and I were investigating this bug yesterday, and we concluded that we want to add a null check here.
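The null dereference discussed in comments 2 and 3, modelled as an added stand-alone example. This is not WebKit's code and not the patch that landed: the CSSValue/CSSPrimitiveValue/Node types, the downcast helper, propertyValueFontSize, computedFontSizeUnchecked, computedFontSizeChecked and floatValuePx are stand-ins invented for the example. It shows the shape of the function quoted in comment 2 beside the null-checked form comment 3 describes, with a property lookup that can return null the way the real extractor did for the text child of the <textarea>.

```cpp
// Added example, not WebKit source: a minimal model of the
// ApplyStyleCommand::computedFontSize() null-dereference pattern.
#include <cassert>
#include <cstdio>
#include <memory>

// Stand-in for the CSSValue hierarchy: a base value and a primitive numeric value.
struct CSSValue {
    virtual ~CSSValue() = default;
    virtual bool isPrimitiveValue() const { return false; }
};

struct CSSPrimitiveValue : CSSValue {
    explicit CSSPrimitiveValue(float pixels) : px(pixels) {}
    bool isPrimitiveValue() const override { return true; }
    float floatValuePx() const { return px; }   // stand-in for floatValue(CSS_PX)
    float px;
};

// Stand-in for WTF::downcast: checks the dynamic type, then casts.
// Reached through a null reference, the type check is the first field read of
// a null object, which is the small nonzero address ASan reported.
template <typename To, typename From>
To& downcast(From& from) {
    assert(from.isPrimitiveValue());
    return static_cast<To&>(from);
}

// Stand-in DOM node (assumed fields). hasComputedStyle == false models a node for
// which the computed-style extractor yields no value, as comment 2 observed for a
// text child of a <textarea> whose user-agent shadow root assigns it no slot.
struct Node {
    bool hasComputedStyle;
    float fontSizePx;
};

// Stand-in for ComputedStyleExtractor(node).propertyValue(CSSPropertyFontSize).
// Like the RefPtr the real call returns, the result may be null.
std::unique_ptr<CSSValue> propertyValueFontSize(const Node& node) {
    if (!node.hasComputedStyle)
        return nullptr;   // the case the original function did not handle
    return std::make_unique<CSSPrimitiveValue>(node.fontSizePx);
}

// Before: same structure as the function quoted in comment 2. If value is null,
// *value is undefined behaviour; under ASan this is the SEGV in the report.
float computedFontSizeUnchecked(const Node* node) {
    if (!node)
        return 0;
    auto value = propertyValueFontSize(*node);
    return downcast<CSSPrimitiveValue>(*value).floatValuePx();
}

// After: the null check comment 3 calls for. A node with no computed font size
// returns 0, the sentinel the function already used for a null node.
float computedFontSizeChecked(const Node* node) {
    if (!node)
        return 0;
    auto value = propertyValueFontSize(*node);
    if (!value)
        return 0;
    return downcast<CSSPrimitiveValue>(*value).floatValuePx();
}

int main() {
    Node styled{true, 16.0f};     // constructed sample: node with a computed style
    Node unstyled{false, 0.0f};   // constructed sample: node with none
    std::printf("styled (unchecked): %g\n", computedFontSizeUnchecked(&styled));
    std::printf("styled (checked):   %g\n", computedFontSizeChecked(&styled));
    std::printf("unstyled (checked): %g\n", computedFontSizeChecked(&unstyled));
    // computedFontSizeUnchecked(&unstyled) is deliberately not called: it dereferences null.
    return 0;
}
```

The point the example makes is that the earlier `if (!node) return 0;` already establishes 0 as the "no answer" value, so the added check changes nothing for callers that had a style and only turns the undefined dereference into that existing sentinel.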
Eugene But
Comment 4 2020-03-16 09:38:43 PDT
Thanks for the update. I'm trying to learn more about WebKit and information like this is very useful.
Pinki Gyanchandani
Comment 5 2020-03-16 10:54:49 PDT
Pinki Gyanchandani
Comment 6 2020-03-16 13:14:41 PDT
Pinki Gyanchandani
Comment 7 2020-03-16 13:16:10 PDT
Comment on attachment 393677 [details]
Patch

Updated the Reviewed By section in the ChangeLog. Kindly commit the patch.
Ryosuke Niwa
Comment 8 2020-03-16 14:14:00 PDT
Comment on attachment 393677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393677&action=review

> Source/WebCore/ChangeLog:6
> + Reviewed by Alex Christensen.

You need to revert this.

> LayoutTests/ChangeLog:6
> + Reviewed by Alex Christensen.

Ditto.
Alex Christensen
Comment 9 2020-03-16 14:17:04 PDT
Comment on attachment 393677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393677&action=review

>> Source/WebCore/ChangeLog:6
>> + Reviewed by Alex Christensen.
>
> You need to revert this.

Why? I did review it.
Ryosuke Niwa
Comment 10 2020-03-16 14:24:07 PDT
This is not a security bug.
WebKit Commit Bot
Comment 11 2020-03-16 15:10:39 PDT
Comment on attachment 393663 [details]
Patch

Clearing flags on attachment: 393663

Committed r258522: <https://trac.webkit.org/changeset/258522>
WebKit Commit Bot
Comment 12 2020-03-16 15:10:41 PDT
All reviewed patches have been landed. Closing bug.