Bug 244802 (CVE-2023-25362)

Summary: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()
Product: WebKit
Reporter: Chijin <tlock.chijin>
Component: WebCore Misc.
Assignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED DUPLICATE
Severity: Critical
CC: aperez, bfulgham, cgarcia, heycam, mcatanzaro, m_finkel, rbuis, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux
See Also: https://bugs.webkit.org/show_bug.cgi?id=238946
Attachments: This file is generated by a browser fuzzer (flags: none)

Description Chijin 2022-09-05 04:28:33 PDT
Created attachment 462141 [details]
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in repaintBlockSelectionGaps(). It only affects webkitgtk (version: webkitgtk-2.36.4) and does not affect Safari.

asan log:

```
=================================================================
==54315==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200011e578 at pc 0x7fe3472bcbb4 bp 0x7ffffaaa61b0 sp 0x7ffffaaa61a8
READ of size 8 at 0x61200011e578 thread T0
    #0 0x7fe3472bcbb3 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp
    #1 0x7fe3472bc267 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp:4858:16
    #2 0x7fe3472bc267 in WebCore::RenderLayer::repaintBlockSelectionGaps() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp:4858:16
    #3 0x7fe347563463 in WebCore::SelectionRangeData::clear() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/SelectionRangeData.cpp:138:27
    #4 0x7fe34533c48a in WebCore::FrameSelection::respondToNodeModification(WebCore::Node&, bool, bool, bool, bool) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/editing/FrameSelection.cpp:606:37
    #5 0x7fe34533b94c in WebCore::FrameSelection::nodeWillBeRemoved(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/editing/FrameSelection.cpp:559:5
    #6 0x7fe344e46250 in WebCore::Document::nodeWillBeRemoved(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Document.cpp:4951:28
    #7 0x7fe344d6a953 in WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:201:20
    #8 0x7fe344d6a953 in WebCore::ContainerNode::removeChild(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:644:10
    #9 0x7fe34506367d in WebCore::Node::remove() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Node.cpp:644:20
    #10 0x7fe3450d4257 in WebCore::Range::insertNode(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Range.cpp:661:31
    #11 0x7fe3450d85ab in WebCore::Range::surroundContents(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/Range.cpp:832:25
    #12 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()::operator()() const /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:589:5
    #13 0x7fe342caa476 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()&&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #14 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*) /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:589:5
    #15 0x7fe342caa476 in long WebCore::IDLOperation<WebCore::JSRange>::call<&(WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #16 0x7fe342caa476 in WebCore::jsRangePrototypeFunction_surroundContents(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/webkitgtk-2.36.4/build_asan_relwithdebug/WebCore/DerivedSources/JSRange.cpp:594:12
    #17 0x7fe2f12561d7  (<unknown module>)

0x61200011e578 is located 56 bytes inside of 272-byte region [0x61200011e540,0x61200011e650)
freed by thread T0 here:
    #0 0x4c2097 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7fe347370744 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.h:151:5
    #2 0x7fe347370744 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7fe347370744 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7fe347370744 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7fe347370744 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7fe347370744 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7fe3473f6519 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7fe347810e92 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:914:5
    #9 0x7fe347843298 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:606:25
    #10 0x7fe34783f4fb in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:619:9
    #11 0x7fe3478428c3 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:536:5
    #12 0x7fe344d75a23 in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:322:9
    #13 0x7fe344d75a23 in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/dom/ContainerNode.cpp:661:5

previously allocated by thread T0 here:
    #0 0x4c238f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7fe33d6a64fa in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk-2.36.4/Source/bmalloc/bmalloc/DebugHeap.cpp:118:20
    #2 0x7fe347021add in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderBox.cpp:315:27
    #3 0x7fe347020957 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderBlock.cpp:439:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk-2.36.4/Source/WebCore/rendering/RenderLayer.cpp in WebCore::RenderLayer::repaintBlockSelectionGaps()
Shadow bytes around the buggy address:
  0x0c248001bc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c248001bc60: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c248001bc70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001bc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001bc90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c248001bca0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c248001bcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001bcc0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c248001bcd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c248001bce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c248001bcf0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==54315==ABORTING
```
Comment 1 Radar WebKit Bug Importer 2022-09-05 04:28:45 PDT
<rdar://problem/99565781>
Comment 2 Chijin 2022-09-06 08:09:29 PDT
Hi. Does anyone take care of this issue?
Comment 3 Chijin 2022-09-12 18:51:13 PDT
As I verified, it does not affect Safari. Perhaps the WebKit team should take care of this issue.
Comment 4 Cameron McCormack (:heycam) 2022-10-17 02:56:59 PDT
Bisection shows this issue was resolved by bug 238946.

That bug is not in the webkitgtk-2.36 branch though and remains unaddressed in the latest 2.36.8 release.
Comment 5 Cameron McCormack (:heycam) 2022-10-17 02:59:45 PDT
(In reply to Cameron McCormack (:heycam) from comment #4)
> Bisection shows this issue was resolved by bug 238946.
> 
> That bug is not in the webkitgtk-2.36 branch though

By that I mean the fix is not in the webkitgtk-2.36 branch.
Comment 6 Carlos Garcia Campos 2022-10-17 04:14:50 PDT
Adrian, I think this can be closed if we don't plan to make more 2.36 releases.
Comment 7 Chijin 2022-10-18 01:10:36 PDT
Then just close it if it is fixed.
Comment 8 Michael Catanzaro 2022-10-18 05:38:42 PDT
Thanks for investigating!
Comment 9 Michael Catanzaro 2023-03-13 09:41:29 PDT

*** This bug has been marked as a duplicate of bug 242683 ***