Bug 237037 - heap-use-after-free in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Critical
Assignee: WebKit Security Group
Keywords: InRadar
Reported: 2022-02-22 07:06 PST by Chijin
Modified: 2023-02-04 00:45 PST


Attachments
This file is generated by a browser fuzzer (33.97 KB, text/html)
2022-02-22 07:06 PST, Chijin

Description Chijin 2022-02-22 07:06:55 PST
Created attachment 452869 [details]
This file is generated by a browser fuzzer

The attached file causes a heap use-after-free in AXObjectCache.

Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6

ASan report:

==49262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000269200 at pc 0x7efe3b5cbf01 bp 0x7ffded3b56f0 sp 0x7ffded3b56e8
READ of size 8 at 0x60c000269200 thread T0
    #0 0x7efe3b5cbf00 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38
    #1 0x7efe3b5ee629 in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:5
    #2 0x7efe3b5ee629 in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #3 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #4 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #5 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #6 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #7 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #8 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #9 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #10 0x7efe35cf14dc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #11 0x7efe35cf14dc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #12 0x7efe2edec04d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d)
    #13 0x7efe2edec3ff  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #14 0x7efe2edec6f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2)
    #15 0x7efe35cf2ac2 in WTF::RunLoop::run() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #16 0x7efe39ab3de7 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9
    #17 0x7efe39ab3de7 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27
    #18 0x7efe2e7860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #19 0x41d35d in _start (/root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/INSTALL/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41d35d)

0x60c000269200 is located 0 bytes inside of 120-byte region [0x60c000269200,0x60c000269278)
freed by thread T0 here:
    #0 0x4c2bb7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13
    #2 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9
    #3 0x7efe3b5c3a78 in WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject>::derefIfNotNull(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:42:18
    #4 0x7efe3b5c3a78 in WTF::RefPtr<WebCore::AccessibilityObject, WTF::RawPtrTraits<WebCore::AccessibilityObject>, WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject> >::~RefPtr() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:73:31
    #5 0x7efe3b5c3a78 in WebCore::AXObjectCache::remove(unsigned long) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:919:1
    #6 0x7efe3b5ca4a1 in WebCore::AXObjectCache::remove(WebCore::RenderObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:925:5
    #7 0x7efe3e67fccd in WebCore::RenderObject::willBeDestroyed() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1506:16
    #8 0x7efe3e673d49 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1556:5
    #9 0x7efe3ea3eb7d in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:871:5
    #10 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:640:13
    #11 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:623:13
    #12 0x7efe3ea6d418 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:329:9
    #13 0x7efe3ea6ad30 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #14 0x7efe3ea69b9e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #15 0x7efe3c2108ca in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2023:21
    #16 0x7efe3c2116d3 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2113:13
    #17 0x7efe3c213158 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2205:5

previously allocated by thread T0 here:
    #0 0x4c2eaf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7efe35d0fa4a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7efe3b5c10e4 in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:684:16
    #3 0x7efe3b5ee61e in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:17
    #4 0x7efe3b5ee61e in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #5 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #6 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #7 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #8 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #9 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #10 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #11 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
Shadow bytes around the buggy address:
==49262==ABORTING
Comment 1 Radar WebKit Bug Importer 2022-02-22 07:07:06 PST
<rdar://problem/89291570>
Comment 2 Tyler Wilcock 2022-03-11 16:18:53 PST
This will be fixed by https://bugs.webkit.org/show_bug.cgi?id=237475.
Comment 3 Brent Fulgham 2022-05-26 15:07:46 PDT
This fix shipped with Safari 15.5 (all platforms).