Bug 237037

Summary: heap-use-after-free in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
Product: WebKit Reporter: Chijin <tlock.chijin>
Component: WebCore Misc.Assignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED FIXED    
Severity: Critical CC: andresg_22, bfulgham, tyler_w, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
This file is generated by a browser fuzzer none

Chijin
Reported 2022-02-22 07:06:55 PST
Created attachment 452869 [details] This file is generated by a browser fuzzer The attached file cause a heap use after free in AXObjectCache. Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6 asan report: ==49262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000269200 at pc 0x7efe3b5cbf01 bp 0x7ffded3b56f0 sp 0x7ffded3b56e8 READ of size 8 at 0x60c000269200 thread T0 #0 0x7efe3b5cbf00 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38 #1 0x7efe3b5ee629 in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:5 #2 0x7efe3b5ee629 in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9 #3 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16 #4 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12 #5 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5 #6 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9 #7 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23 #8 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #9 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 #10 0x7efe35cf14dc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #11 0x7efe35cf14dc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #12 0x7efe2edec04d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) #13 0x7efe2edec3ff (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff) #14 0x7efe2edec6f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2) #15 0x7efe35cf2ac2 in WTF::RunLoop::run() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #16 0x7efe39ab3de7 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9 #17 0x7efe39ab3de7 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27 #18 0x7efe2e7860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #19 0x41d35d in _start (/root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/INSTALL/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41d35d) 0x60c000269200 is located 0 bytes inside of 120-byte region [0x60c000269200,0x60c000269278) freed by thread T0 here: #0 0x4c2bb7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #2 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #3 0x7efe3b5c3a78 in WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject>::derefIfNotNull(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:42:18 #4 0x7efe3b5c3a78 in WTF::RefPtr<WebCore::AccessibilityObject, WTF::RawPtrTraits<WebCore::AccessibilityObject>, WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject> >::~RefPtr() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:73:31 #5 0x7efe3b5c3a78 in WebCore::AXObjectCache::remove(unsigned long) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:919:1 #6 0x7efe3b5ca4a1 in WebCore::AXObjectCache::remove(WebCore::RenderObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:925:5 #7 0x7efe3e67fccd in WebCore::RenderObject::willBeDestroyed() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1506:16 #8 0x7efe3e673d49 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1556:5 #9 0x7efe3ea3eb7d in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:871:5 #10 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:640:13 #11 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:623:13 #12 0x7efe3ea6d418 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:329:9 #13 0x7efe3ea6ad30 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13 #14 0x7efe3ea69b9e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9 #15 0x7efe3c2108ca in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2023:21 #16 0x7efe3c2116d3 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2113:13 #17 0x7efe3c213158 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2205:5 previously allocated by thread T0 here: #0 0x4c2eaf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7efe35d0fa4a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20 #2 0x7efe3b5c10e4 in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:684:16 #3 0x7efe3b5ee61e in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:17 #4 0x7efe3b5ee61e in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9 #5 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16 #6 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12 #7 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5 #8 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9 #9 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23 #10 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #11 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*) Shadow bytes around the buggy address: 0x0c18800451f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1880045200: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c1880045210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1880045220: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1880045230: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa =>0x0c1880045240:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c1880045250: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1880045260: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 0x0c1880045270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c1880045280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1880045290: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==49262==ABORTING
Attachments
This file is generated by a browser fuzzer (33.97 KB, text/html)
2022-02-22 07:06 PST, Chijin 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-02-22 07:07:06 PST
<rdar://problem/89291570>
Tyler Wilcock
Comment 2 2022-03-11 16:18:53 PST
This will be fixed by https://bugs.webkit.org/show_bug.cgi?id=237475.
Brent Fulgham
Comment 3 2022-05-26 15:07:46 PDT
This fix shipped with Safari 15.5 (all platforms).
Note You need to log in before you can comment on or make changes to this bug.