Bug 242683 (CVE-2023-25358)

Summary: heap-use-after-free in WebCore::RenderLayer::addChild()
Product: WebKit
Reporter: Chijin <tlock.chijin>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: bfulgham, clopez, mcatanzaro, nikn, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All

Attachments:
- This file is generated by a browser fuzzer (flags: none)

Chijin
Reported 2022-07-13 03:11:34 PDT
Created attachment 460849 [details]
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::addChild(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:
```
=================================================================
==118323==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000d39f0 at pc 0x7f67b56647dc bp 0x7ffc4292c190 sp 0x7ffc4292c188
WRITE of size 8 at 0x6120000d39f0 thread T0
    #0 0x7f67b56647db in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp
    #1 0x7f67b557b68a in WebCore::RenderElement::addLayers(WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:706:5
    #2 0x7f67b557b68a in WebCore::RenderElement::insertedIntoTree(WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:1001:9
    #3 0x7f67b5c349bc in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:450:19
    #4 0x7f67b5c33195 in WebCore::RenderTreeBuilder::attachToRenderElement(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:427:5
    #5 0x7f67b5c3ddf7 in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:246:15
    #6 0x7f67b5c3ce53 in WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:115:9
    #7 0x7f67b5c4347f in WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp:59:30
    #8 0x7f67b5c31a12 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:325:28
    #9 0x7f67b5c2f362 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:191:5
    #10 0x7f67b5c6f2cd in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:403:15
    #11 0x7f67b5c68c0d in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:344:9
    #12 0x7f67b5c660d0 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #13 0x7f67b5c64a8e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #14 0x7f67b2f57c69 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:1983:21
    #15 0x7f67b2f58a93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2073:13
    #16 0x7f67b2f5a5d8 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2168:5
    #17 0x7f67b2fa9164 in WebCore::command(WebCore::Document*, WTF::String const&, bool) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5812:15
    #18 0x7f67b2fa8b77 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5829:12
    #19 0x7f67b02d8b63 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5957:5
    #20 0x7f67b02d8b63 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #21 0x7f67b02d8b63 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5962:12
    #22 0x7f675f4b91d7 (<unknown module>)

0x6120000d39f0 is located 48 bytes inside of 272-byte region [0x6120000d39c0,0x6120000d3ad0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f67b5773984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f67b5773984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f67b5773984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f67b5773984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f67b5773984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f67b5773984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f67b58004b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f67b577397c in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #9 0x7f67b577397c in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #10 0x7f67b577397c in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #11 0x7f67b577397c in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #12 0x7f67b577397c in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #13 0x7f67b58004b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #14 0x7f67b5c39fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #15 0x7f67b5c71da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #16 0x7f67b5c6dd1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #17 0x7f67b5c71122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #18 0x7f67b2ed0d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #19 0x7f67b2ed0d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f67abc551da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f67b53f7845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f67b56c0361 in WebCore::RenderLayer::createReflection() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5438:19
    #4 0x7f67b56bfcd1 in WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5394:13
    #5 0x7f67b577467e in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:145:18
    #6 0x7f67b53f7845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #7 0x7f67b53f60bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*)
Shadow bytes around the buggy address:
  0x0c24800126e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c24800126f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480012700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480012710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012720: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c2480012730: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c2480012740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012750: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480012760: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480012770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012780: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==118323==ABORTING
```
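The report above has the three stacks a triager reads first (the faulting access, the free, and the original allocation). As an added example that is not part of the bug report or of WebKit, here is a small parser that pulls those facts out of an ASan log and skips the allocator and `std::` frames to reach the owning code; the sample log is a constructed, trimmed copy of the report's own lines, and the regexes and the `RUNTIME_RE` skip list are this example's assumptions about the log format.

```python
import re
# Constructed sample: the header and the leading frames of each stack from the ASan report above, trimmed.
SAMPLE_LOG = """\
==118323==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000d39f0 at pc 0x7f67b56647dc bp 0x7ffc4292c190 sp 0x7ffc4292c188
WRITE of size 8 at 0x6120000d39f0 thread T0
    #0 0x7f67b56647db in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp
0x6120000d39f0 is located 48 bytes inside of 272-byte region [0x6120000d39c0,0x6120000d3ad0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f67b5773984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #5 0x7f67b5773984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f67abc551da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f67b53f7845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")  # "in <function> <file:line:col>"
RUNTIME_RE = re.compile(r"^(free|malloc)$|^(bmalloc|std)::|operator (new|delete)\b")  # assumed skip list
def parse_asan_report(text):
    """Pull the header facts and the three stack traces out of an ASan report."""
    report = {"stacks": {"access": [], "freed": [], "allocated": []}}
    stack = "access"
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            report["kind"], report["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            report["access"], report["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            report["offset"], report["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            stack = "freed"
        elif line.startswith("previously allocated by"):
            stack = "allocated"
        elif m := FRAME_RE.match(line):
            report["stacks"][stack].append((m.group(1), m.group(2)))
    return report

def owner_frame(frames):
    """First frame below the allocator and smart-pointer layers: the code responsible for the object."""
    return next((f for f, _ in frames if not RUNTIME_RE.search(f)), None)

def triage(text):
    """Return (kind, faulting function, allocating owner, freeing owner, write stays inside freed block?)."""
    r = parse_asan_report(text)
    a, f = owner_frame(r["stacks"]["allocated"]), owner_frame(r["stacks"]["freed"])
    inside = r["access"] == "WRITE" and r["offset"] + r["size"] <= r["region_size"]
    return r["kind"], r["stacks"]["access"][0][0], a, f, inside
```

The last tuple field flags a write that lands wholly inside the freed region, which is the signal that makes a use-after-free worth prioritising over a read that merely leaks stale bytes.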
Attachments
- This file is generated by a browser fuzzer (321.42 KB, text/html), 2022-07-13 03:11 PDT, Chijin, no flags
Radar WebKit Bug Importer
Comment 1 2022-07-13 03:11:45 PDT
Chijin
Comment 2 2022-10-17 03:18:59 PDT
Hello? Is there anyone taking care of this issue? Apple team has confirmed that this has been fixed in Safari. Could WebKitGTK team take care of this?
Chijin
Comment 3 2022-10-31 05:31:35 PDT
Is there anyone taking care of this issue?
Carlos Alberto Lopez Perez
Comment 4 2023-02-02 09:00:38 PST
This issue has been fixed on WebKitGTK 2.36.8 or later.
Michael Catanzaro
Comment 5 2023-03-13 09:41:15 PDT
*** Bug 242686 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 6 2023-03-13 09:41:19 PDT
*** Bug 244249 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 7 2023-03-13 09:41:24 PDT
*** Bug 242684 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 8 2023-03-13 09:41:29 PDT
*** Bug 244802 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 9 2023-03-13 09:44:09 PDT
From one of the duplicate issues: this was fixed via bug #238946
Michael Catanzaro
Comment 10 2023-03-13 09:52:21 PDT
BTW I saw some comments that Apple Product Security determined this bug does not affect Safari, but I doubt it. Based on the asan traces and the fix commit, it seems most likely that Apple tested an already-fixed version.
Chijin
Comment 11 2023-03-13 23:29:09 PDT
(In reply to Michael Catanzaro from comment #10)
> BTW I saw some comments that Apple Product Security determined this bug does
> not affect Safari, but I doubt it. Based on the asan traces and the fix
> commit, it seems most likely that Apple tested an already-fixed version.

I agree with you. The original reply from Apple is that "After further investigation, we discovered the behavior you reported was addressed in Safari". I guess this implies that this issue may affect Safari but it has been fixed.