WebKit Bugzilla
RESOLVED FIXED
166722
[SOUP] AddressSanitizer: heap-use-after-free under WTF::String::fromUTF8()
https://bugs.webkit.org/show_bug.cgi?id=166722
Milan Crha
Reported
2017-01-05 03:19:32 PST
I just faced an address sanitizer error about use-after-free under WTF::String::fromUTF8(). Steps to reproduce (make sure the LD_PRELOAD library exists in your system, or change its name accordingly):

$ export LD_PRELOAD=/usr/lib64/libasan.so.3
$ export ASAN_OPTIONS=abort_on_error=1:detect_stack_use_after_return=0:detect_leaks=0:handle_segv=0:check_printf=0:detect_deadlocks=1:replace_str=1:replace_intrin=1:alloc_dealloc_mismatch=1:new_delete_type_mismatch=1:detect_container_overflow=1:symbolize=1
$ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer
$ $PREFIX/libexec/webkit2gtk-4.0/MiniBrowser

The MiniBrowser opens in http://www.webkitgtk.org and shortly after the page is loaded the WebKitWebProcess crashes due to the ASan report:

==23181==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000a1364 at pc 0x7fe834a72fd3 bp 0x7ffc82df2fc0 sp 0x7ffc82df2768
READ of size 14 at 0x6040000a1364 thread T0
    #0 0x7fe834a72fd2 (/usr/lib64/libasan.so.3+0x3cfd2)
    #1 0x7fe829624656 in WTF::String::fromUTF8(unsigned char const*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc656)
    #2 0x7fe82e0f1c89 in WTF::String::fromUTF8(char const*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x724c89)
    #3 0x7fe82ff5e819 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2591819)
    #4 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #5 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #6 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #7 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #8 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #9 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #10 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #11 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #12 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #13 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #14 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #15 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #16 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #17 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #18 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #19 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #20 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #21 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #22 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #23 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)
    #24 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9)
    #25 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b)
    #26 0x7fe82e0427c5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6757c5)
    #27 0x7fe82e0429b7 in IPC::Connection::dispatchOneMessage() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6759b7)
    #28 0x7fe82e0424fb in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6754fb)
    #29 0x7fe82e0490cf in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}>::call() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67c0cf)
    #30 0x7fe8295d73e8 in WTF::Function<void ()>::operator()() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248f3e8)
    #31 0x7fe8295eb839 in WTF::RunLoop::performWork() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24a3839)
    #32 0x7fe8296326fb in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6fb)
    #33 0x7fe82963271f in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea71f)
    #34 0x7fe82963269b in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea69b)
    #35 0x7fe8296326ca in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6ca)
    #36 0x7fe82a8c5e41 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x49e41)
    #37 0x7fe82a8c61bf (/lib64/libglib-2.0.so.0+0x4a1bf)
    #38 0x7fe82a8c64e1 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4a4e1)
    #39 0x7fe829632c7b in WTF::RunLoop::run() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24eac7b)
    #40 0x7fe82e6faec3 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dec3)
    #41 0x7fe82e6fad71 in WebProcessMainUnix ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dd71)
    #42 0x400859 in main ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400859)
    #43 0x7fe82d627400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #44 0x400759 in _start ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400759)

0x6040000a1364 is located 20 bytes inside of 34-byte region [0x6040000a1350,0x6040000a1372)
freed by thread T0 here:
    #0 0x7fe834afcaf0 in free (/usr/lib64/libasan.so.3+0xc6af0)
    #1 0x7fe8295d55c6 in WTF::fastFree(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d5c6)
    #2 0x7fe82e011362 in WTF::RefCounted<WTF::CStringBuffer>::operator delete(void*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x644362)
    #3 0x7fe82e00f63e in WTF::RefCounted<WTF::CStringBuffer>::deref() const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x64263e)
    #4 0x7fe82e00d2d9 in void WTF::derefIfNotNull<WTF::CStringBuffer>(WTF::CStringBuffer*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6402d9)
    #5 0x7fe82e00b498 in WTF::RefPtr<WTF::CStringBuffer>::~RefPtr() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e498)
    #6 0x7fe82e00b0f3 in WTF::CString::~CString() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e0f3)
    #7 0x7fe82ff5e7ff in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917ff)
    #8 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #9 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #10 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #11 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #12 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #13 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #14 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #15 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #16 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #17 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #18 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #19 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #20 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #21 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #22 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #23 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #24 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #25 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #26 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #27 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)
    #28 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9)
    #29 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b)

previously allocated by thread T0 here:
    #0 0x7fe834afce50 in malloc (/usr/lib64/libasan.so.3+0xc6e50)
    #1 0x7fe8295d5488 in WTF::fastMalloc(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d488)
    #2 0x7fe8296053c6 in WTF::CStringBuffer::createUninitialized(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd3c6)
    #3 0x7fe82960555a in WTF::CString::init(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd55a)
    #4 0x7fe8296054e1 in WTF::CString::CString(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd4e1)
    #5 0x7fe82960fb50 in WTF::StringImpl::utf8ForRange(unsigned int, unsigned int, WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7b50)
    #6 0x7fe82960fbcb in WTF::StringImpl::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7bcb)
    #7 0x7fe829624229 in WTF::String::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc229)
    #8 0x7fe829624257 in WTF::String::utf8() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc257)
    #9 0x7fe82ff5e7d8 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917d8)
    #10 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #11 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #12 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #13 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #14 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #15 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #16 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #17 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #18 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #19 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #20 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #21 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #22 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #23 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #24 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #25 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #26 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #27 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #28 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #29 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.3+0x3cfd2)
Shadow bytes around the buggy address:
  0x0c088000c210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c088000c260: fa fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fa
  0x0c088000c270: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 00 05
  0x0c088000c280: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c088000c290: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088000c2a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c088000c2b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23181==ABORTING

This is with git master at commit 5f042ff6a01d0 built with -O0. I'll update the backtrace if I manage to get one with line numbers.
Attachments
proposed patch (1.47 KB, patch), 2017-01-05 05:37 PST, Milan Crha; cgarcia: commit-queue-
proposed patch ][ (1.66 KB, patch), 2017-01-05 08:45 PST, Milan Crha; no flags
Milan Crha
Comment 1
2017-01-05 05:37:41 PST
Created attachment 298095: proposed patch
WebKit Commit Bot
Comment 2
2017-01-05 05:38:33 PST
Attachment 298095 did not pass style-queue:

ERROR: Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50: domain_utf8 is incorrectly named. Don't use underscores in your identifier names. [readability/naming/underscores] [4]
ERROR: Source/WebCore/ChangeLog:8: You should remove the 'No new tests' and either add and list tests, or explain why no new tests were possible. [changelog/nonewtests] [5]
ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3]
Total errors found: 3 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Carlos Garcia Campos
Comment 3
2017-01-05 05:44:53 PST
This is not specific to GTK
Carlos Garcia Campos
Comment 4
2017-01-05 05:49:18 PST
Comment on attachment 298095: proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=298095&action=review

> Source/WebCore/ChangeLog:8
> + No new tests (OOPS!).

You should remove this line since this patch shouldn't affect tests. And also explain the change, what was broken and how this patch fixes it.

> Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50
> + CString domain_utf8 = domain.utf8();

domain_utf8 -> domainUTF8

> Source/WebCore/platform/soup/PublicSuffixSoup.cpp:52
> + if (const char* baseDomain = soup_tld_get_base_domain(domain_utf8.data(), &error.outPtr()))
> return String::fromUTF8(baseDomain);

I don't understand why we can't use the temporary here. Can soup_tld_get_base_domain() return the passed in hostname?
Carlos Garcia Campos
Comment 5
2017-01-05 05:50:36 PST
Ah! "a pointer to the start of the base domain in @hostname" That's what you should explain in the changelog.
Milan Crha
Comment 6
2017-01-05 08:45:27 PST
Created attachment 298105: proposed patch ][

(In reply to comment #4)
> Comment on attachment 298095
>
> > Source/WebCore/ChangeLog:8
> > + No new tests (OOPS!).
>
> You should remove this line since this patch shouldn't affect tests. And
> also explain the change, what was broken and how this patch fixes it.

Ah, right, that's a long time since I sent any patches to webkit.

> domain_utf8 -> domainUTF8

Yeah, I'm sorry (bug #166725 filed).

> I don't understand why we can't use the temporary here. Can
> soup_tld_get_base_domain() return the passed in hostname?

Right, it consumes 'const char *' and also returns 'const char *', so it makes sense that it returns something from within the passed-in string. I tried to write some so-called explanation to the ChangeLog, though it sounds odd to me. I couldn't come up with anything better.
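The lifetime problem discussed in comments 4 to 6, modelled as an added, self-contained example (not WebKit or libsoup code): baseDomainIn() stands in for soup_tld_get_base_domain() and, like it, returns a pointer into the hostname it is given; utf8() and fromUTF8() stand in for WTF::String::utf8() and WTF::String::fromUTF8(). The label-based lookup is a constructed simplification of the Public Suffix List.

```cpp
// Added example, not WebKit or libsoup code: a model of the lifetime bug
// fixed in r210357. The key fact (comment 5) is that soup_tld_get_base_domain()
// returns a pointer to the start of the base domain *inside* the hostname it
// was given, so the UTF-8 buffer must outlive every use of that pointer.
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for soup_tld_get_base_domain(): returns a pointer into `hostname`.
// Constructed simplification: treats the last two labels as the base domain
// (real libsoup consults the Public Suffix List and reports errors via GError).
static const char* baseDomainIn(const char* hostname)
{
    const char* lastDot = std::strrchr(hostname, '.');
    if (!lastDot || lastDot == hostname)
        return nullptr;                         // no TLD: libsoup would set an error
    const char* p = lastDot - 1;                // walk back to the previous label boundary
    while (p > hostname && *p != '.')
        --p;
    return *p == '.' ? p + 1 : p;
}

// Stand-in for WTF::String::fromUTF8(): copies the bytes it is handed.
static std::string fromUTF8(const char* s)
{
    return s ? std::string(s) : std::string();
}

// Stand-in for WTF::String::utf8(): returns an owning temporary, like WTF::CString.
static std::string utf8(const std::string& domain)
{
    return domain;
}

// Broken shape (consistent with the ASan trace: allocated by utf8(), freed by
// ~CString(), both inside topPrivatelyControlledDomain()): the temporary from
// utf8() is destroyed at the end of the full expression, but baseDomain still
// points into its buffer, so fromUTF8() reads freed memory.
//
//   const char* baseDomain = baseDomainIn(utf8(domain).data()); // buffer freed here
//   return fromUTF8(baseDomain);                                // use after free
//
// Fixed shape (what r210357 does): name the UTF-8 buffer so it lives until
// fromUTF8() has finished copying out of it.
static std::string topPrivatelyControlledDomain(const std::string& domain)
{
    std::string domainUTF8 = utf8(domain);      // owns the bytes for the whole function
    if (const char* baseDomain = baseDomainIn(domainUTF8.c_str()))
        return fromUTF8(baseDomain);            // copies while domainUTF8 is still alive
    return std::string();
}

int main()
{
    std::printf("www.webkitgtk.org -> %s\n",
                topPrivatelyControlledDomain("www.webkitgtk.org").c_str());
    return 0;
}
```

Building the broken shape with -fsanitize=address reproduces the same heap-use-after-free signature as the report above; the fixed shape runs clean.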
WebKit Commit Bot
Comment 7
2017-01-05 08:46:38 PST
Attachment 298105 did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Commit Bot
Comment 8
2017-01-05 09:31:55 PST
Comment on attachment 298105: proposed patch ][

Clearing flags on attachment: 298105

Committed r210357: <http://trac.webkit.org/changeset/210357>
WebKit Commit Bot
Comment 9
2017-01-05 09:31:58 PST
All reviewed patches have been landed. Closing bug.