Bug 220392 - null ptr deref with ::highlight {background: red}
Summary: null ptr deref with ::highlight {background: red}
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-01-06 17:16 PST by Ryosuke Niwa
Modified: 2021-01-13 13:04 PST (History)
CC: 12 users

See Also:


Attachments
Test (47 bytes, text/html)
2021-01-06 17:16 PST, Ryosuke Niwa
Patch (3.12 KB, patch)
2021-01-12 01:14 PST, Rob Buis

Description Ryosuke Niwa 2021-01-06 17:16:31 PST
Created attachment 417142 [details]
Test

AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x0002274bf3c2 bp 0x7ffee9a9fe40 sp 0x7ffee9a9fe40 T0)

    #0 0x2274bf3c2 in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size() const+0x22 (WebCore.framework/Versions/A/WebCore:x86_64+0x7d3c2)
    #1 0x2274bf431 in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) const+0x11 (WebCore.framework/Versions/A/WebCore:x86_64+0x7d431)
    #2 0x22a9d198a in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::first() const+0xa (WebCore.framework/Versions/A/WebCore:x86_64+0x358f98a)
    #3 0x22a9cc7ed in WebCore::SelectorChecker::checkOne(WebCore::SelectorChecker::CheckingContext&, WebCore::SelectorChecker::LocalContext const&, WebCore::SelectorChecker::MatchType&) const+0x9ad (WebCore.framework/Versions/A/WebCore:x86_64+0x358a7ed)
    #4 0x22a9ca7dd in WebCore::SelectorChecker::matchRecursively(WebCore::SelectorChecker::CheckingContext&, WebCore::SelectorChecker::LocalContext const&, WebCore::PseudoIdSet&) const+0x13d (WebCore.framework/Versions/A/WebCore:x86_64+0x35887dd)
    #5 0x22a9ca33d in WebCore::SelectorChecker::match(WebCore::CSSSelector const&, WebCore::Element const&, WebCore::SelectorChecker::CheckingContext&) const+0x18d (WebCore.framework/Versions/A/WebCore:x86_64+0x358833d)
    #6 0x22cdeedcf in WebCore::Style::ElementRuleCollector::ruleMatches(WebCore::Style::RuleData const&, unsigned int&)+0x43f (WebCore.framework/Versions/A/WebCore:x86_64+0x59acdcf)
    #7 0x22cdec067 in WebCore::Style::ElementRuleCollector::collectMatchingRulesForList(WTF::Vector<WebCore::Style::RuleData, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*, WebCore::Style::MatchRequest const&)+0x227 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aa067)
    #8 0x22cdebcc3 in WebCore::Style::ElementRuleCollector::collectMatchingRules(WebCore::Style::MatchRequest const&)+0x2f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x59a9cc3)
    #9 0x22cdecf34 in WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules()+0xc4 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aaf34)
    #10 0x22cdece55 in WebCore::Style::ElementRuleCollector::matchAuthorRules()+0x15 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aae55)
    #11 0x22ce5b88c in WebCore::Style::Resolver::pseudoStyleForElement(WebCore::Element const&, WebCore::Style::PseudoElementRequest const&, WebCore::RenderStyle const&, WebCore::RenderStyle const*, WebCore::SelectorFilter const*)+0x2ac (WebCore.framework/Versions/A/WebCore:x86_64+0x5a1988c)
    #12 0x22ce797c9 in WebCore::Style::TreeResolver::resolvePseudoStyle(WebCore::Element&, WebCore::Style::ElementUpdate const&, WebCore::PseudoId)+0x209 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a377c9)
    #13 0x22ce786b5 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&)+0x7f5 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a366b5)
    #14 0x22ce7a8ae in WebCore::Style::TreeResolver::resolveComposedTree()+0x55e (WebCore.framework/Versions/A/WebCore:x86_64+0x5a388ae)
    #15 0x22ce7bc18 in WebCore::Style::TreeResolver::resolve()+0x4b8 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a39c18)
    #16 0x22ac09747 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x5b7 (WebCore.framework/Versions/A/WebCore:x86_64+0x37c7747)
    #17 0x22ac0a6fb in WebCore::Document::updateStyleIfNeeded()+0x23b (WebCore.framework/Versions/A/WebCore:x86_64+0x37c86fb)
    #18 0x22ac32e07 in WebCore::Document::finishedParsing()+0x247 (WebCore.framework/Versions/A/WebCore:x86_64+0x37f0e07)
    #19 0x22b56de84 in WebCore::HTMLConstructionSite::finishedParsing()+0x24 (WebCore.framework/Versions/A/WebCore:x86_64+0x412be84)
    #20 0x22b5d21dd in WebCore::HTMLTreeBuilder::finished()+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x41901dd)
    #21 0x22b576cb7 in WebCore::HTMLDocumentParser::end()+0x17 (WebCore.framework/Versions/A/WebCore:x86_64+0x4134cb7)
    #22 0x22b574498 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()+0x38 (WebCore.framework/Versions/A/WebCore:x86_64+0x4132498)
    #23 0x22b57436a in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x10a (WebCore.framework/Versions/A/WebCore:x86_64+0x413236a)
    #24 0x22b576cff in WebCore::HTMLDocumentParser::attemptToEnd()+0x3f (WebCore.framework/Versions/A/WebCore:x86_64+0x4134cff)
    #25 0x22b576dd9 in WebCore::HTMLDocumentParser::finish()+0x29 (WebCore.framework/Versions/A/WebCore:x86_64+0x4134dd9)
    #26 0x22baf5400 in WebCore::DocumentWriter::end()+0x1a0 (WebCore.framework/Versions/A/WebCore:x86_64+0x46b3400)
    #27 0x22baa5dbc in WebCore::DocumentLoader::finishedLoading()+0x2dc (WebCore.framework/Versions/A/WebCore:x86_64+0x4663dbc)
    #28 0x22baa5739 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x2c9 (WebCore.framework/Versions/A/WebCore:x86_64+0x4663739)
    #29 0x22bc7a79f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (WebCore.framework/Versions/A/WebCore:x86_64+0x483879f)
    #30 0x22bc74dee in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x4e (WebCore.framework/Versions/A/WebCore:x86_64+0x4832dee)
    #31 0x22bc766a8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x258 (WebCore.framework/Versions/A/WebCore:x86_64+0x48346a8)
    #32 0x22bbead92 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x732 (WebCore.framework/Versions/A/WebCore:x86_64+0x47a8d92)
    #33 0x21a0d3c66 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&)+0x286 (WebKit.framework/Versions/A/WebKit:x86_64+0x20d1c66)
    #34 0x21a7ad121 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x61 (WebKit.framework/Versions/A/WebKit:x86_64+0x27ab121)
    #35 0x21a7ad0a8 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x28 (WebKit.framework/Versions/A/WebKit:x86_64+0x27ab0a8)
    #36 0x21a7aab16 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x146 (WebKit.framework/Versions/A/WebKit:x86_64+0x27a8b16)
    #37 0x21a7aa123 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x1a3 (WebKit.framework/Versions/A/WebKit:x86_64+0x27a8123)
    #38 0x21a0bfc0a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0xfa (WebKit.framework/Versions/A/WebKit:x86_64+0x20bdc0a)
    #39 0x2180a5b93 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x293 (WebKit.framework/Versions/A/WebKit:x86_64+0xa3b93)
    #40 0x2180a7507 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x167 (WebKit.framework/Versions/A/WebKit:x86_64+0xa5507)
    #41 0x2180a8026 in IPC::Connection::dispatchOneIncomingMessage()+0x196 (WebKit.framework/Versions/A/WebKit:x86_64+0xa6026)
    #42 0x2180c65f5 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8::operator()()+0x35 (WebKit.framework/Versions/A/WebKit:x86_64+0xc45f5)
    #43 0x2180c655c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8, void>::call()+0xc (WebKit.framework/Versions/A/WebKit:x86_64+0xc455c)
    #44 0x2472725ce in WTF::Function<void ()>::operator()() const+0x3e (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x385ce)
    #45 0x24730ba28 in WTF::RunLoop::performWork()+0x228 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1a28)
    #46 0x24730ed45 in WTF::RunLoop::performWork(void*)+0xb5 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd4d45)


<rdar://problem/72094069>
Comment 1 Rob Buis 2021-01-11 12:03:12 PST
This should be simple to fix:

--- a/Source/WebCore/css/SelectorChecker.cpp
+++ b/Source/WebCore/css/SelectorChecker.cpp
@@ -1143,7 +1143,7 @@ bool SelectorChecker::checkOne(CheckingContext& checkingContext, const LocalCont
             // Always matches when not specifically requested so it gets added to the pseudoIdSet.
             if (checkingContext.pseudoId == PseudoId::None)
                 return true;
-            if (checkingContext.pseudoId != PseudoId::Highlight)
+            if (checkingContext.pseudoId != PseudoId::Highlight || !selector.argumentList())
                 return false;
             return selector.argumentList()->first() == checkingContext.nameForHightlightPseudoElement;
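Review bot: The added `!selector.argumentList()` check only guards the null-list case, which is the one the ASan trace shows (a fault at address 0x00000000000c inside `WTF::Vector::size()` reached via `first()`, i.e. `argumentList()` returned null and `first()` dereferenced it); `first()` on a non-null but empty `Vector` would still hit the `CrashOnOverflow` bounds check in `at()`, so if an empty argument list can reach this branch it should be rejected too, e.g. by checking `!selector.argumentList() || selector.argumentList()->isEmpty()`. It would also help to land the attached `::highlight {background: red}` test as a layout test so the no-argument form stays covered.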

I'll make a patch tomorrow. It does not look like a security bug to me.
Comment 2 Rob Buis 2021-01-12 01:14:22 PST
Created attachment 417440 [details]
Patch
Comment 3 Ryosuke Niwa 2021-01-12 20:19:41 PST
Looks like this is not a security issue?
Comment 4 Rob Buis 2021-01-12 22:12:28 PST
(In reply to Ryosuke Niwa from comment #3)
> Looks like this is not a security issue?

Indeed, AFAICS this is not a security issue.
Comment 5 EWS 2021-01-13 13:04:17 PST
Committed r271451: <https://trac.webkit.org/changeset/271451>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417440 [details].