Bug 237037

Summary:

heap-use-after-free in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)

Product:

WebKit

Reporter:

Chijin <tlock.chijin>

Component:

WebCore Misc.

Assignee:

WebKit Security Group <webkit-security-unassigned>

Status:

RESOLVED FIXED

Severity:

Critical

CC:

andresg_22, bfulgham, tyler_w, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
This file is generated by a browser fuzzer	none

Description Chijin 2022-02-22 07:06:55 PST

Created attachment 452869 [details]
This file is generated by a browser fuzzer

The attached file cause a heap use after free in AXObjectCache.

Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6

asan report:

==49262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000269200 at pc 0x7efe3b5cbf01 bp 0x7ffded3b56f0 sp 0x7ffded3b56e8
READ of size 8 at 0x60c000269200 thread T0
    #0 0x7efe3b5cbf00 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38
    #1 0x7efe3b5ee629 in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:5
    #2 0x7efe3b5ee629 in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #3 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #4 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #5 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #6 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #7 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #8 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #9 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #10 0x7efe35cf14dc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #11 0x7efe35cf14dc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #12 0x7efe2edec04d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d)
    #13 0x7efe2edec3ff  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #14 0x7efe2edec6f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2)
    #15 0x7efe35cf2ac2 in WTF::RunLoop::run() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #16 0x7efe39ab3de7 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9
    #17 0x7efe39ab3de7 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27
    #18 0x7efe2e7860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #19 0x41d35d in _start (/root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/INSTALL/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41d35d)

0x60c000269200 is located 0 bytes inside of 120-byte region [0x60c000269200,0x60c000269278)
freed by thread T0 here:
    #0 0x4c2bb7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13
    #2 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9
    #3 0x7efe3b5c3a78 in WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject>::derefIfNotNull(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:42:18
    #4 0x7efe3b5c3a78 in WTF::RefPtr<WebCore::AccessibilityObject, WTF::RawPtrTraits<WebCore::AccessibilityObject>, WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject> >::~RefPtr() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:73:31
    #5 0x7efe3b5c3a78 in WebCore::AXObjectCache::remove(unsigned long) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:919:1
    #6 0x7efe3b5ca4a1 in WebCore::AXObjectCache::remove(WebCore::RenderObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:925:5
    #7 0x7efe3e67fccd in WebCore::RenderObject::willBeDestroyed() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1506:16
    #8 0x7efe3e673d49 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1556:5
    #9 0x7efe3ea3eb7d in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:871:5
    #10 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:640:13
    #11 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:623:13
    #12 0x7efe3ea6d418 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:329:9
    #13 0x7efe3ea6ad30 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #14 0x7efe3ea69b9e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #15 0x7efe3c2108ca in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2023:21
    #16 0x7efe3c2116d3 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2113:13
    #17 0x7efe3c213158 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2205:5

previously allocated by thread T0 here:
    #0 0x4c2eaf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7efe35d0fa4a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7efe3b5c10e4 in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:684:16
    #3 0x7efe3b5ee61e in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:17
    #4 0x7efe3b5ee61e in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #5 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #6 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #7 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #8 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #9 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #10 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #11 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
Shadow bytes around the buggy address:
  0x0c18800451f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880045200: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880045210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1880045220: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880045230: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c1880045240:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1880045250: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1880045260: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1880045270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1880045280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1880045290: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==49262==ABORTING

Comment 1 Radar WebKit Bug Importer 2022-02-22 07:07:06 PST

<rdar://problem/89291570>

Comment 2 Tyler Wilcock 2022-03-11 16:18:53 PST

This will be fixed by https://bugs.webkit.org/show_bug.cgi?id=237475.

Comment 3 Brent Fulgham 2022-05-26 15:07:46 PDT

This fix shipped with Safari 15.5 (all platforms).