Bug 244249 (CVE-2023-25361)

Summary: heap-use-after-free in WebCore::RenderLayer::setNextSibling()
Product: WebKit
Reporter: Chijin <tlock.chijin>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Critical
CC: bfulgham, clopez, mcatanzaro, nikn, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All
Attachments:
  This file is generated by a browser fuzzer (attachment 461819), flags: none

Description Chijin 2022-08-23 06:40:33 PDT
Created attachment 461819 [details]
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::setNextSibling(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4.

asan log:

=================================================================
==93892==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001237f0 at pc 0x7f21ba7eea7c bp 0x7ffcabea9850 sp 0x7ffcabea9848
WRITE of size 8 at 0x6120001237f0 thread T0
    #0 0x7f21ba7eea7b in WebCore::RenderLayer::setNextSibling(WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:863:53
    #1 0x7f21ba7eea7b in WebCore::RenderLayer::removeChild(WebCore::RenderLayer&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:437:37
    #2 0x7f21ba702c67 in WebCore::RenderElement::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:1027:9
    #3 0x7f21badbafa1 in WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::WillBeDestroyed) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:963:15
    #4 0x7f21badc7c8a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:294:33
    #5 0x7f21badc9e4a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:387:12
    #6 0x7f21badb5f26 in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:395:31
    #7 0x7f21badb51f5 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:160:22
    #8 0x7f21badc0fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f21badf8da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f21badf4d1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f21badf8122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f21b8057d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f21b8057d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5
    #14 0x7f21b8066b8b in WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(WebCore::ContainerNode::ChildChange::Source, WebCore::ContainerNode::DeferChildrenChanged) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:128:13
    #15 0x7f21b8066b8b in WebCore::ContainerNode::replaceChildren(WTF::FixedVector<std::variant<WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, WTF::String> >&&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:1047:5
    #16 0x7f21b546767e in WebCore::jsDocumentPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()::operator()() const /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:6393:5
    #17 0x7f21b546767e in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #18 0x7f21b546767e in WebCore::jsDocumentPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:6393:5
    #19 0x7f21b546767e in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #20 0x7f21b546767e in WebCore::jsDocumentPrototypeFunction_replaceChildren(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:6398:12
    #21 0x7f21646401d7  (<unknown module>)

0x6120001237f0 is located 48 bytes inside of 272-byte region [0x6120001237c0,0x6120001238d0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f21ba8fa984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f21ba8fa984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f21ba8fa984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f21ba8fa984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f21ba8fa984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f21ba8fa984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f21ba9874b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f21badc0fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f21badf8da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f21badf4d1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f21badf8122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f21b8057d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f21b8057d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f21b0ddc1da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f21ba57e845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f21ba57d0bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:863:53 in WebCore::RenderLayer::setNextSibling(WebCore::RenderLayer*)
Shadow bytes around the buggy address:
  0x0c248001c6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001c6b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c248001c6c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001c6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001c6e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c248001c6f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c248001c700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001c710: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c248001c720: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001c730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001c740: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==93892==ABORTING
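As an added triage example (not part of the bug report or of WebKit), the parser below reads an ASan use-after-free report like the one above, pulls out the use, free and allocation sites while skipping allocator and smart-pointer frames, and cross-checks the faulting address against the freed region the report claims. The embedded excerpt is constructed from this bug's log with paths shortened and most frames dropped.

```python
import re

# Constructed excerpt of the ASan report in this bug (paths shortened, most frames dropped).
ASAN_REPORT = """\
==93892==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001237f0 at pc 0x7f21ba7eea7c
WRITE of size 8 at 0x6120001237f0 thread T0
    #0 0x7f21ba7eea7b in WebCore::RenderLayer::setNextSibling(WebCore::RenderLayer*) RenderLayer.h:863:53
0x6120001237f0 is located 48 bytes inside of 272-byte region [0x6120001237c0,0x6120001238d0)
freed by thread T0 here:
    #0 0x4c3117 in free asan_malloc_linux.cpp:127:3
    #1 0x7f21ba8fa984 in WebCore::RenderLayer::operator delete(void*) RenderLayer.h:150:5
    #5 0x7f21ba8fa984 in WebCore::RenderLayerModelObject::destroyLayer() RenderLayerModelObject.cpp:82:13
previously allocated by thread T0 here:
    #0 0x4c340f in malloc asan_malloc_linux.cpp:145:3
    #2 0x7f21ba57e845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) RenderBox.cpp:306:27
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread")
REGION = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+:\d+:\d+)$")
# Allocator and smart-pointer plumbing: not the code that owns the object, so skipped in triage.
ALLOCATOR = re.compile(r"\b(free|malloc|operator (new|delete))\b|^(std|bmalloc)::")
SECTIONS = {"READ": "access", "WRITE": "access", "freed by": "freed", "previously allocated by": "allocated"}

def parse_asan_report(text):
    report, section = {"stacks": {"access": [], "freed": [], "allocated": []}}, None
    for line in text.splitlines():
        section = next((v for k, v in SECTIONS.items() if line.startswith(k)), section)
        if m := HEADER.search(line):
            report["error"], report["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            report.update(access=m.group(1), size=int(m.group(2)))
        elif m := REGION.match(line):
            report.update(offset=int(m.group(2)), region_size=int(m.group(3)),
                          region=(int(m.group(4), 16), int(m.group(5), 16)))
        elif section and (m := FRAME.match(line)):
            report["stacks"][section].append((m.group(1), m.group(2)))
    return report

def first_owner_frame(frames):
    return next(((f, loc) for f, loc in frames if not ALLOCATOR.search(f)), None)

def triage(report):
    lo, hi = report["region"]
    if not lo <= report["address"] < hi or report["address"] - lo != report["offset"]:
        raise ValueError("faulting address does not match the freed region in the report")
    return {"bug": report["error"], "use": first_owner_frame(report["stacks"]["access"]),
            "free": first_owner_frame(report["stacks"]["freed"]), "alloc": first_owner_frame(report["stacks"]["allocated"]),
            "access": f"{report['access']} of {report['size']} bytes at +{report['offset']} in a {report['region_size']}-byte object"}
```

Run on the full log, the three owner frames are what a fixer needs first: the layer is freed in destroyLayer() during tear-down and then written through a stale sibling pointer in removeChild().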
Comment 1 Radar WebKit Bug Importer 2022-08-23 06:40:45 PDT
<rdar://problem/99030660>
Comment 2 Chijin 2023-01-10 00:33:02 PST
It has been half a year. The Apple security team has confirmed that this issue does not affect any Apple products. As I verified, it has been resolved in the latest WebKitGTK version. Can anyone close this issue?
Comment 3 Carlos Alberto Lopez Perez 2023-02-02 08:58:50 PST
This issue has been fixed in WebKitGTK 2.36.8 or later.
Comment 4 Michael Catanzaro 2023-03-13 09:41:19 PDT

*** This bug has been marked as a duplicate of bug 242683 ***