Bug 216659 - Crash in FontCascade::fontMetrics
Summary: Crash in FontCascade::fontMetrics
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Frédéric Wang (:fredw)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-09-17 12:18 PDT by Ali Juma
Modified: 2021-01-21 01:51 PST
CC List: 15 users

See Also:


Attachments
Minimized test case (527 bytes, text/html)
2020-09-17 12:18 PDT, Ali Juma
no flags
Further reduction (112 bytes, text/html)
2021-01-13 06:26 PST, Frédéric Wang (:fredw)
no flags
Patch (4.55 KB, patch)
2021-01-13 08:09 PST, Frédéric Wang (:fredw)
no flags

Description Ali Juma 2020-09-17 12:18:30 PDT
Created attachment 409055
Minimized test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==97273==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x000110d986f5 bp 0x7ffeec6f3e00 sp 0x7ffeec6f3dd0 T0)
==97273==The signal is caused by a READ memory access.
==97273==Hint: address points to the zero page.
==97273==WARNING: invalid path to external symbolizer!
==97273==WARNING: Failed to use and restart external symbolizer!
    #0 0x110d986f4 in WebCore::FontCascadeFonts::primaryFont(WebCore::FontCascadeDescription const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1966f4)
    #1 0x114684178 in WebCore::FontCascade::fontMetrics() const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a82178)
    #2 0x113bfe974 in WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, WebCore::CSSUnitType, double) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ffc974)
    #3 0x113b06e2b in WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::DumbPtrTraits<WebCore::CSSCalcExpressionNode> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const::$_1, double>(WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const::$_1) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f04e2b)
    #4 0x113b06c6d in WebCore::CSSCalcOperationNode::computeLengthPx(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f04c6d)
    #5 0x113b0b73f in WebCore::CSSCalcValue::computeLengthPx(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f0973f)
    #6 0x113bfe788 in float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ffc788)
    #7 0x1129b7dc6 in WebCore::Style::BuilderConverter::convertSpacing(WebCore::Style::BuilderState&, WebCore::CSSValue const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1db5dc6)
    #8 0x112913c7c in WebCore::Style::BuilderCustom::applyValueLetterSpacing(WebCore::Style::BuilderState&, WebCore::CSSValue&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d11c7c)
    #9 0x115ebc942 in WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52ba942)
    #10 0x115ec9c9b in WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&)::'lambda'(WebCore::SelectorChecker::LinkMatchMask)::operator()(WebCore::SelectorChecker::LinkMatchMask) const (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52c7c9b)
    #11 0x115ebcc49 in WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52bac49)
    #12 0x115ebcdfe in void WebCore::Style::Builder::applyPropertiesImpl<(WebCore::Style::Builder::CustomPropertyCycleTracking)1>(int, int) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52badfe)
    #13 0x115ebbcfb in WebCore::Style::Builder::applyHighPriorityProperties() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52b9cfb)
    #14 0x115ef1e5e in WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::Resolver::UseMatchedDeclarationsCache) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52efe5e)
    #15 0x115ef01cc in WebCore::Style::Resolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::SelectorFilter const*) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52ee1cc)
    #16 0x115f1805f in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x531605f)
    #17 0x115f185f6 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x53165f6)
    #18 0x115f1ac06 in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5318c06)
    #19 0x115f1bf66 in WebCore::Style::TreeResolver::resolve() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5319f66)
    #20 0x113ea61f5 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32a41f5)
    #21 0x113ea715b in WebCore::Document::updateStyleIfNeeded() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32a515b)
    #22 0x113ecc7a6 in WebCore::Document::finishedParsing() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32ca7a6)
    #23 0x114797b7a in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b95b7a)
    #24 0x114c3d6b8 in WebCore::DocumentWriter::end() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x403b6b8)
    #25 0x114c3c1cc in WebCore::DocumentLoader::finishedLoading() (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x403a1cc)
    #26 0x114c3bb33 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4039b33)
    #27 0x114de82ff in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41e62ff)
    #28 0x114de418b in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41e218b)
    #29 0x114d60ed7 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x415eed7)
    #30 0x1070400a6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x197e0a6)
    #31 0x107719216 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x2057216)
    #32 0x107718823 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x2056823)
    #33 0x10700417a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x194217a)
    #34 0x105745f8e in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x83f8e)
    #35 0x105746c08 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x84c08)
    #36 0x10574776d in IPC::Connection::dispatchOneIncomingMessage() (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8576d)
    #37 0x12dc6aa0c in WTF::RunLoop::performWork() (/Users/ajuma/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc7a0c)
    #38 0x12dc6dd75 in WTF::RunLoop::performWork(void*) (/Users/ajuma/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xcad75)
    #39 0x7fff34b86d51 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d51)
    #40 0x7fff34b86cf0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83cf0)
    #41 0x7fff34b86b0a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b0a)
    #42 0x7fff34b85839 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x82839)
    #43 0x7fff34b84e3d in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81e3d)
    #44 0x7fff372201c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #45 0x7fff372d2c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #46 0x7fff6ee824e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #47 0x7fff6ee8242f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #48 0x7fff6ee81f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #49 0x1060bfac4 in WebKit::XPCServiceMain(int, char const**) (/Users/ajuma/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x9fdac4)
    #50 0x7fff6ec34cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==97273==Register values:
rax = 0x0000100000000000  rbx = 0x0000000000000000  rcx = 0x00001c1e000034f2  rdx = 0x0000000000000000
rdi = 0x0000000000000000  rsi = 0x000060f00001a738  rbp = 0x00007ffeec6f3e00  rsp = 0x00007ffeec6f3dd0
 r8 = 0x0000200000000000   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff
r12 = 0x000010000000000c  r13 = 0x00001fffdd8de7cc  r14 = 0x0000000000000060  r15 = 0x000060300016efb0
Comment 1 Radar WebKit Bug Importer 2020-09-17 12:18:44 PDT
<rdar://problem/69087507>
Comment 2 Frédéric Wang (:fredw) 2021-01-13 06:26:53 PST
Created attachment 417528
Further reduction

This reduces to

      letter-spacing: -webkit-calc(1ex);
      text-rendering: geometricPrecision;
Comment 3 Frédéric Wang (:fredw) 2021-01-13 08:09:58 PST
Created attachment 417533
Patch
Comment 4 Ryosuke Niwa 2021-01-13 13:02:01 PST
I guess there is no security implication here?
Comment 5 Frédéric Wang (:fredw) 2021-01-20 01:52:01 PST
(In reply to Ryosuke Niwa from comment #4)
> I guess there is no security implication here?

So basically CSSPrimitiveValue::computeNonCalcLengthDouble may need to call conversionData.style()->fontMetrics(), which will in turn call FontCascade::primaryFont() and hit a null pointer m_fonts; so I'm not a security expert, but my understanding is that there is no way to exploit this.
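To make the mechanism described in comments 2 and 5 concrete, here is an added illustration in C++; it is not WebKit code. It models a CSS value tree in which a guard that inspects only the outer value type (the shape of the condition the patch removes) lets calc(1ex) reach length conversion before the font has been resolved, next to a check that recurses into calc() operands. The names Fonts, Primitive, Calc, applyLetterSpacing and runReduction, and the x-height of 7, are constructed for this example; the "fixed" policy is a conservative reading of the landed change, not a claim about its exact body.

```cpp
// Added illustration (not WebKit code): a toy model of why a guard that only
// inspects the outer CSS value misses a font-relative unit nested in calc(),
// and how length conversion then runs before font metrics exist. Names such
// as Fonts, Primitive, Calc and runReduction are constructed for this example.
#include <iostream>
#include <memory>
#include <optional>
#include <string>
#include <variant>
#include <vector>

enum class Unit { Px, Ex };  // constructed subset of CSS length units

struct FontMetrics { double xHeight; };

// Stand-in for FontCascade: metrics exist only after the style builder has
// resolved the font (in WebKit, m_fonts is null until then).
class Fonts {
public:
    void update() { m_metrics = std::make_unique<FontMetrics>(FontMetrics{7.0}); }
    // Returns nullptr for an unresolved font instead of dereferencing it.
    const FontMetrics* metrics() const { return m_metrics.get(); }
private:
    std::unique_ptr<FontMetrics> m_metrics;
};

struct Primitive {
    double value;
    Unit unit;
    bool isFontRelative() const { return unit == Unit::Ex; }
};
struct Calc;
using Value = std::variant<Primitive, std::shared_ptr<Calc>>;
struct Calc { std::vector<Value> operands; };  // modelled as a sum of operands

// Surface-only check, the shape of the guard the patch removed: true only when
// the value itself is a font-relative primitive, never for a calc().
bool surfaceIsFontRelative(const Value& v) {
    const Primitive* p = std::get_if<Primitive>(&v);
    return p && p->isFontRelative();
}

// Structural check: does any operand, at any depth, need font metrics?
bool dependsOnFont(const Value& v) {
    if (const Primitive* p = std::get_if<Primitive>(&v))
        return p->isFontRelative();
    for (const Value& operand : std::get<std::shared_ptr<Calc>>(v)->operands)
        if (dependsOnFont(operand))
            return true;
    return false;
}

// Length conversion. Where WebKit dereferenced FontCascade::primaryFont() on a
// null m_fonts, the toy reports the unresolved font as std::nullopt.
std::optional<double> computeLengthPx(const Value& v, const Fonts& fonts) {
    if (const Primitive* p = std::get_if<Primitive>(&v)) {
        if (p->unit == Unit::Px)
            return p->value;
        const FontMetrics* m = fonts.metrics();
        if (!m)
            return std::nullopt;  // the crash site, made observable
        return p->value * m->xHeight;
    }
    double sum = 0.0;
    for (const Value& operand : std::get<std::shared_ptr<Calc>>(v)->operands) {
        std::optional<double> px = computeLengthPx(operand, fonts);
        if (!px)
            return std::nullopt;
        sum += *px;
    }
    return sum;
}

// The comment 2 reduction, letter-spacing: -webkit-calc(1ex), as a tree.
Value reductionValue() {
    return std::make_shared<Calc>(Calc{ std::vector<Value>{ Primitive{1.0, Unit::Ex} } });
}

// Buggy policy: resolve the font only when the surface check fires.
// Fixed policy: resolve it whenever the tree depends on it.
std::optional<double> applyLetterSpacing(const Value& v, Fonts& fonts, bool fixed) {
    bool needsFont = fixed ? dependsOnFont(v) : surfaceIsFontRelative(v);
    if (needsFont)
        fonts.update();
    return computeLengthPx(v, fonts);
}

// Runs the reduction against a fresh, unresolved Fonts under the chosen policy.
std::optional<double> runReduction(bool fixed) {
    Fonts fonts;
    return applyLetterSpacing(reductionValue(), fonts, fixed);
}

int main() {
    std::optional<double> buggy = runReduction(false);
    std::optional<double> fixed = runReduction(true);
    std::cout << "buggy policy: " << (buggy ? "ok" : "font unresolved (null deref in WebKit)") << "\n";
    std::cout << "fixed policy: " << (fixed ? std::to_string(*fixed) + "px" : "unresolved") << "\n";
    return 0;
}
```

The point the model makes is that the unit type of a calc() node says nothing about its operands, so any "is this font-relative?" decision taken before conversion has to walk the expression (or resolve the font unconditionally); the defensive alternative of making the metrics accessor refuse a null font, as the toy does, turns a wild read into a detectable failure.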
Comment 6 Ryosuke Niwa 2021-01-20 17:47:13 PST
Comment on attachment 417533
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=417533&action=review

> Source/WebCore/style/StyleBuilderCustom.h:-657
> -    if (is<CSSPrimitiveValue>(value) && downcast<CSSPrimitiveValue>(value).isFontRelativeLength())
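Review bot: the guard removed at StyleBuilderCustom.h:657 tests only whether the value itself is a font-relative primitive, so a calc() wrapping a font-relative operand (the `letter-spacing: -webkit-calc(1ex)` reduction in comment 2) never satisfied it, and the conversion in frame #2 of the reported stack reached FontCascade::primaryFont() with m_fonts still null (comment 5). Dropping the condition closes that gap, but the surface-only check pattern is easy to reintroduce; consider a short comment at this call site noting that calc() can carry font-relative units, and landing the comment 2 reduction as a layout test so the path stays covered.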

Okay, I was initially concerned that isFontRelativeLength would do an out-of-bounds memory access
in release builds, but m_primitiveUnitType is a member of CSSValue, so this should be fine.
Comment 7 EWS 2021-01-21 01:51:16 PST
Committed r271688: <https://trac.webkit.org/changeset/271688>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417533.