Bug 286015

Summary: Crash in WTR::AccessibilityUIElement::textMarkerRangeForElement
Product: WebKit
Reporter: michaeldo
Component: Accessibility
Assignee: Frédéric Wang (:fredw) <fred.wang>
Status: RESOLVED FIXED
Severity: Normal
CC: andresg_22, beidson, bfulgham, csaavedra, darin, fpizlo, fred.wang, mario, msaboff, rbuis, rniwa, rohitrao, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Minimal Test Case (flags: none)

michaeldo
Reported 2025-01-15 12:33:18 PST
Created attachment 473909 [details]
Minimal Test Case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner at 288489@main

Stack:

```
=================================================================
==76035==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ff81717e7d2 bp 0x7ff7bb704830 sp 0x7ff7bb704830 T0)
==76035==The signal is caused by a READ memory access.
==76035==Hint: address points to the zero page.
==76035==WARNING: failed to spawn external symbolizer (errno: 25)
==76035==WARNING: failed to spawn external symbolizer (errno: 25)
==76035==WARNING: failed to spawn external symbolizer (errno: 25)
==76035==WARNING: failed to spawn external symbolizer (errno: 25)
==76035==WARNING: failed to spawn external symbolizer (errno: 25)
==76035==WARNING: Failed to use and restart external symbolizer!
    #0 0x7ff81717e7d2 in objc_loadWeak+0x4 (/usr/lib/libobjc.A.dylib:x86_64h+0xb7d2)
    #1 0x1049b580e in WTR::AccessibilityUIElement::textMarkerRangeForElement(WTR::AccessibilityUIElement*)+0x8e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKitTestRunnerInjectedBundle.bundle/Contents/MacOS/WebKitTestRunnerInjectedBundle:x86_64+0x3a80e)
    #2 0x104a420a1 in WTR::JSAccessibilityUIElement::textMarkerRangeForElement(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**)+0xe1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKitTestRunnerInjectedBundle.bundle/Contents/MacOS/WebKitTestRunnerInjectedBundle:x86_64+0xc70a1)
    #3 0x110544d4a in long long JSC::APICallbackFunction::callImpl<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*)+0x67a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1550d4a)
    #4 0x1607c8326 (<unknown module>)
    #5 0x114ca2c10 in llint_entry+0x1f1e8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5caec10)
    #6 0x114c838c3 in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c8f8c3)
    #7 0x112222514 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x1224 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x322e514)
    #8 0x112c71b95 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x405 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7db95)
    #9 0x112c71f97 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x107 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7df97)
    #10 0x151dd94fd in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0xa2d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528c4fd)
    #11 0x151dda19a in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)+0xaa (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528d19a)
    #12 0x1535a1065 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0x1095 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a54065)
    #13 0x1535960ab in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&)+0x1eeb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a490ab)
    #14 0x1543c4866 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x1a6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877866)
    #15 0x1543c4556 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement>, WTF::DefaultRefDerefTraits<WebCore::ScriptElement>>&&, WTF::TextPosition const&)+0x96 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877556)
    #16 0x15433d608 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x7b8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f0608)
    #17 0x15433e0c8 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x6a8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f10c8)
    #18 0x15433bd26 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x1d6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77eed26)
    #19 0x15433fb7b in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>&&, WebCore::HTMLDocumentParser::SynchronousMode)+0x99b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f2b7b)
    #20 0x15311bfc9 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)+0x159 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x65cefc9)
    #21 0x154b09820 in WebCore::DocumentWriter::end()+0x210 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fbc820)
    #22 0x154b055fd in WebCore::DocumentLoader::finishedLoading()+0x44d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb85fd)
    #23 0x154b0476d in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x54d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb776d)
    #24 0x154ed7a5b in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x17b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x838aa5b)
    #25 0x154ecf100 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x930 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8382100)
    #26 0x154df0e04 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x1654 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x82a3e04)
    #27 0x11faf035f in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x48f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d6c35f)
    #28 0x11d382492 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x142 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fe492)
    #29 0x11d380a88 in WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x1d8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fca88)
    #30 0x11fabd809 in WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x609 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d39809)
    #31 0x11c3afe51 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3c1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x162be51)
    #32 0x1208dd776 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x926 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59776)
    #33 0x1208ddcf3 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0x243 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59cf3)
    #34 0x1208de431 in IPC::Connection::dispatchOneIncomingMessage()+0x231 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b5a431)
    #35 0x10f10f312 in WTF::RunLoop::performWork()+0xc42 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11b312)
    #36 0x10f111efd in WTF::RunLoop::performWork(void*)+0x7d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11defd)
    #37 0x7ff817624086 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c086)
    #38 0x7ff817624028 in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c028)
    #39 0x7ff817623df3 in __CFRunLoopDoSources0+0xd6 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7bdf3)
    #40 0x7ff817622a70 in __CFRunLoopRun+0x396 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7aa70)
    #41 0x7ff817622111 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a111)
    #42 0x7ff8185d3b10 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5cb10)
    #43 0x7ff81865690a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xdf90a)
    #44 0x7ff8172603f8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x163f8)
    #45 0x7ff81726cfa2 in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x22fa2)
    #46 0x7ff81726001b in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x1601b)
    #47 0x11c95b382 in WebKit::XPCServiceMain(int, char const**)+0x82 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1bd7382)
    #48 0x7ff8171bb365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365)

==76035==Register values:
rax = 0xf2f2f2f8f1f1f1f1  rbx = 0x0000620000006108  rcx = 0x0000100000000000  rdx = 0x0000000000000000
rdi = 0x0000000000000010  rsi = 0x00006030000e7580  rbp = 0x00007ff7bb704830  rsp = 0x00007ff7bb704830
r8  = 0x00000001154d5240  r9  = 0x0000000015510000  r10 = 0x00007ff7bb7049b8  r11 = 0x00001c1600000f6d
r12 = 0x00001ffef76e090c  r13 = 0x00001ffef76e0924  r14 = 0x00007ff7bb704940  r15 = 0x00006030000e7580
```
Attachments
Minimal Test Case (153 bytes, text/html), 2025-01-15 12:33 PST, michaeldo, no flags
Radar WebKit Bug Importer
Comment 1 2025-01-15 12:33:30 PST
Frédéric Wang (:fredw)
Comment 2 2025-01-22 03:06:30 PST
The generated Derived source for JSAccessibilityUIElement looks like this:

```
JSValueRef JSAccessibilityUIElement::textMarkerRangeForElement(JSContextRef context, JSObjectRef, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
{
    AccessibilityUIElement* impl = toAccessibilityUIElement(context, thisObject);
    if (!impl)
        return JSValueMakeUndefined(context);

    auto element = argumentCount > 0 ? toAccessibilityUIElement(context, arguments[0]) : nullptr;
    return toJS(context, WTF::getPtr(callFunction(context, impl, &AccessibilityUIElement::textMarkerRangeForElement, element)));
}
```

so when we pass zero arguments (as in the testcase) we end up dereferencing a null element pointer here:
https://searchfox.org/wubkat/rev/d4766b667963256e41db8c72a02613067074d834/Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm#2245

This is port-specific, it does not crash on Linux but probably it does on iOS:
https://searchfox.org/wubkat/search?q=AccessibilityUIElement%3A%3AtextMarkerRangeForElement&path=&case=false&regexp=false

It seems we should just null-check the argument as done in https://commits.webkit.org/224802@main
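The failure pattern described in the comment above, as an added, self-contained model (editor's example, not WebKit's or WTR's code): the generated binding converts argument 0 to a pointer, yielding nullptr when the argument is missing or of the wrong type, and forwards it unconditionally; a port implementation that dereferences the pointer without checking crashes, while a null-checked one returns "no range". The types `AccessibilityUIElement`, `TextMarkerRange`, the `JSValue` variant and every function below are hypothetical stand-ins chosen to mirror the shape of the generated code; the `nullGuarded` wrapper goes beyond the specific fix by showing how the same check can be applied generically at the binding layer to any method taking a single possibly-null element argument.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <variant>
#include <vector>

// Hypothetical stand-in for the WTR accessibility element (not WebKit's class).
struct AccessibilityUIElement {
    std::string name;
    size_t textLength = 0;
};

// A text marker range, modelled as a [start, end) pair over the element's text.
struct TextMarkerRange {
    size_t start = 0;
    size_t end = 0;
};

// One JS argument slot: absent/undefined, a wrapped element, or some other value (a number here).
using JSValue = std::variant<std::monostate, AccessibilityUIElement*, double>;

// Mirrors toAccessibilityUIElement(context, arguments[i]) in the generated binding:
// nullptr when the argument is missing or is not an AccessibilityUIElement wrapper.
AccessibilityUIElement* toAccessibilityUIElement(const std::vector<JSValue>& arguments, size_t index)
{
    if (index >= arguments.size())
        return nullptr;
    if (auto* element = std::get_if<AccessibilityUIElement*>(&arguments[index]))
        return *element;
    return nullptr;
}

// Port implementation before the fix: dereferences `element` unconditionally. Passing nullptr is
// undefined behaviour, i.e. a read through a null pointer; with a field at offset 0x10 that is
// exactly the "SEGV on unknown address 0x10, address points to the zero page" ASan reports.
// Never call this with nullptr; the guarded wrapper below is how it should be reached.
TextMarkerRange textMarkerRangeForElementUnchecked(AccessibilityUIElement* element)
{
    return { 0, element->textLength };
}

// Hardened port implementation: a null argument yields no range instead of a crash.
std::optional<TextMarkerRange> textMarkerRangeForElement(AccessibilityUIElement* element)
{
    if (!element)
        return std::nullopt;
    return TextMarkerRange { 0, element->textLength };
}

// Binding-style entry point following the generated JSAccessibilityUIElement pattern:
// convert argument 0 (nullptr when argumentCount == 0) and forward it to the implementation.
std::optional<TextMarkerRange> jsTextMarkerRangeForElement(const std::vector<JSValue>& arguments)
{
    auto* element = arguments.empty() ? nullptr : toAccessibilityUIElement(arguments, 0);
    return textMarkerRangeForElement(element);
}

// Generic guard for the binding layer: wraps an unchecked implementation so that a null element
// pointer never reaches it, regardless of how many methods share the pattern.
template<typename Impl>
auto nullGuarded(Impl impl)
{
    return [impl](AccessibilityUIElement* element) -> std::optional<TextMarkerRange> {
        if (!element)
            return std::nullopt;
        return impl(element);
    };
}

int main()
{
    // Constructed sample inputs: one real element, the fuzzer's zero-argument call, and a wrong type.
    AccessibilityUIElement heading { "heading", 12 };
    std::vector<JSValue> withElement { &heading };
    std::vector<JSValue> noArguments;
    std::vector<JSValue> wrongType { 42.0 };

    auto ok = jsTextMarkerRangeForElement(withElement);
    auto missing = jsTextMarkerRangeForElement(noArguments);
    auto wrong = jsTextMarkerRangeForElement(wrongType);
    auto guarded = nullGuarded(textMarkerRangeForElementUnchecked);

    bool allGood = ok && ok->end == 12 && !missing && !wrong && !guarded(nullptr) && guarded(&heading)->end == 12;
    return allGood ? 0 : 1;
}
```

The check belongs in every port implementation (or in one shared wrapper), not only in the Mac file that crashed: the binding forwards nullptr identically on every port, so a port that happens not to crash today is relying on its own implementation tolerating null rather than on the binding.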
Frédéric Wang (:fredw)
Comment 3 2025-01-22 06:17:56 PST
I have a patch for this, but my understanding is that this is only a crash in DumpTestRunner / WebKitTestRunner and not in actual code shipped in WebKit-based products... If that's correct, can we change categorization to not treat this as a security bug? And I'll submit a PR directly against the main branch.
Ryosuke Niwa
Comment 4 2025-01-22 16:11:37 PST
Not a security bug.
Frédéric Wang (:fredw)
Comment 5 2025-01-23 00:07:47 PST
EWS
Comment 6 2025-01-23 09:17:39 PST
Committed 289295@main (131e516e4f99): <https://commits.webkit.org/289295@main> Reviewed commits have been landed. Closing PR #39439 and removing active labels.