Bug 244802 (CVE-2023-25362)

Summary: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()
Product: WebKit Reporter: Chijin <tlock.chijin>
Component: WebCore Misc.Assignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Critical CC: aperez, bfulgham, cgarcia, heycam, mcatanzaro, m_finkel, rbuis, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=238946
Attachments:
Description Flags
This file is generated by a browser fuzzer none

Chijin
Reported 2022-09-05 04:28:33 PDT
Created attachment 462141 [details] This file is generated by a browser fuzzer description: a heap-use-after-free occured in repaintBlockSelectionGaps(). It only affects webkitgtk (version: webkitgtk-2.36.4) and does not affect Safari. asan log: ``` ================================================================= ==54315==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200011e578 at pc 0x7fe3472bcbb4 bp 0x7ffffaaa61b0 sp 0x7ffffaaa61a8 READ of size 8 at 0x61200011e578 thread T0 #0 0x7fe3472bcbb3 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp #1 0x7fe3472bc267 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp:4858:16 #2 0x7fe3472bc267 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp:4858:16 #3 0x7fe347563463 in WebCore::SelectionRangeData::clear() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/SelectionRangeData.cpp:138:27 #4 0x7fe34533c48a in WebCore::FrameSelection::respondToNodeModification(WebCore::Node&, bool, bool, bool, bool) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/editing/FrameSelection.cpp:606:37 #5 0x7fe34533b94c in WebCore::FrameSelection::nodeWillBeRemoved(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/editing/FrameSelection.cpp:559:5 #6 0x7fe344e46250 in WebCore::Document::nodeWillBeRemoved(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Document.cpp:4951:28 #7 0x7fe344d6a953 in WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:201:20 #8 0x7fe344d6a953 in WebCore::ContainerNode::removeChild(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:644:10 #9 0x7fe34506367d in WebCore::Node::remove() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Node.cpp:644:20 #10 0x7fe3450d4257 in WebCore::Range::insertNode(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Range.cpp:661:31 #11 0x7fe3450d85ab in WebCore::Range::surroundContents(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Range.cpp:832:25 #12 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()::operator()() const /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:589:5 #13 0x7fe342caa476 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()&&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27 #14 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*) /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:589:5 #15 0x7fe342caa476 in long WebCore::IDLOperation<WebCore::JSRange>::call<&(WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/bindings/js/JSDOMOperation.h:63:9 #16 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContents(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:594:12 #17 0x7fe2f12561d7 (<unknown module>) 0x61200011e578 is located 56 bytes inside of 272-byte region [0x61200011e540,0x61200011e650) freed by thread T0 here: #0 0x4c2097 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7fe347370744 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.h:151:5 #2 0x7fe347370744 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #3 0x7fe347370744 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4 #4 0x7fe347370744 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2 #5 0x7fe347370744 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13 #6 0x7fe347370744 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9 #7 0x7fe3473f6519 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderObject.cpp:1620:5 #8 0x7fe347810e92 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:914:5 #9 0x7fe347843298 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:606:25 #10 0x7fe34783f4fb in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:619:9 #11 0x7fe3478428c3 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:536:5 #12 0x7fe344d75a23 in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:322:9 #13 0x7fe344d75a23 in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:661:5 previously allocated by thread T0 here: #0 0x4c238f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7fe33d6a64fa in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk-2.36.4/Source/bmalloc/bmalloc/DebugHeap.cpp:118:20 #2 0x7fe347021add in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderBox.cpp:315:27 #3 0x7fe347020957 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderBlock.cpp:439:16 SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp in WebCore::RenderLayer::repaintBlockSelectionGaps() Shadow bytes around the buggy address: 0x0c248001bc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c248001bc60: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c248001bc70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c248001bc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c248001bc90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa =>0x0c248001bca0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd] 0x0c248001bcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c248001bcc0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x0c248001bcd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c248001bce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c248001bcf0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==54315==ABORTING ```
Attachments
This file is generated by a browser fuzzer (252.47 KB, text/html)
2022-09-05 04:28 PDT, Chijin 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-09-05 04:28:45 PDT
<rdar://problem/99565781>
Chijin
Comment 2 2022-09-06 08:09:29 PDT
Hi. Does anyone take care of this issue?
Chijin
Comment 3 2022-09-12 18:51:13 PDT
As I verified, it does not affect safari. Perhaps webkit team should take care of this issue.
Cameron McCormack (:heycam)
Comment 4 2022-10-17 02:56:59 PDT
Bisection shows this issue was resolved by bug 238946. That bug is not in the webkitgtk-2.36 branch though and remains unaddressed in the latest 2.36.8 release.
Cameron McCormack (:heycam)
Comment 5 2022-10-17 02:59:45 PDT
(In reply to Cameron McCormack (:heycam) from comment #4) > Bisection shows this issue was resolved by bug 238946. > > That bug is not in the webkitgtk-2.36 branch though By that I mean the fix is not in the webkitgtk-2.36 branch.
Carlos Garcia Campos
Comment 6 2022-10-17 04:14:50 PDT
Adrian, I think this can be closed if we don't plan to make more 2.36 releases.
Chijin
Comment 7 2022-10-18 01:10:36 PDT
Then just close it if it is fixed.
Michael Catanzaro
Comment 8 2022-10-18 05:38:42 PDT
Thanks for investigating!
Michael Catanzaro
Comment 9 2023-03-13 09:41:29 PDT
*** This bug has been marked as a duplicate of bug 242683 ***
Note You need to log in before you can comment on or make changes to this bug.