RESOLVED FIXED
237037
heap-use-after-free in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
https://bugs.webkit.org/show_bug.cgi?id=237037
Chijin, reported 2022-02-22 07:06:55 PST
Created attachment 452869 [details]
This file is generated by a browser fuzzer. The attached file causes a heap use-after-free in AXObjectCache.

Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6

asan report:

==49262==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000269200 at pc 0x7efe3b5cbf01 bp 0x7ffded3b56f0 sp 0x7ffded3b56e8
READ of size 8 at 0x60c000269200 thread T0
    #0 0x7efe3b5cbf00 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38
    #1 0x7efe3b5ee629 in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:5
    #2 0x7efe3b5ee629 in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #3 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #4 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #5 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #6 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #7 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #8 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #9 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #10 0x7efe35cf14dc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #11 0x7efe35cf14dc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #12 0x7efe2edec04d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d)
    #13 0x7efe2edec3ff (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #14 0x7efe2edec6f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2)
    #15 0x7efe35cf2ac2 in WTF::RunLoop::run() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #16 0x7efe39ab3de7 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9
    #17 0x7efe39ab3de7 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27
    #18 0x7efe2e7860b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #19 0x41d35d in _start (/root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/INSTALL/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41d35d)

0x60c000269200 is located 0 bytes inside of 120-byte region [0x60c000269200,0x60c000269278)
freed by thread T0 here:
    #0 0x4c2bb7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13
    #2 0x7efe3b5c3a78 in WTF::ThreadSafeRefCounted<WebCore::AXCoreObject, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9
    #3 0x7efe3b5c3a78 in WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject>::derefIfNotNull(WebCore::AccessibilityObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:42:18
    #4 0x7efe3b5c3a78 in WTF::RefPtr<WebCore::AccessibilityObject, WTF::RawPtrTraits<WebCore::AccessibilityObject>, WTF::DefaultRefDerefTraits<WebCore::AccessibilityObject> >::~RefPtr() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/build_asan_relwithdebug/WTF/Headers/wtf/RefPtr.h:73:31
    #5 0x7efe3b5c3a78 in WebCore::AXObjectCache::remove(unsigned long) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:919:1
    #6 0x7efe3b5ca4a1 in WebCore::AXObjectCache::remove(WebCore::RenderObject*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:925:5
    #7 0x7efe3e67fccd in WebCore::RenderObject::willBeDestroyed() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1506:16
    #8 0x7efe3e673d49 in WebCore::RenderObject::destroy() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/RenderObject.cpp:1556:5
    #9 0x7efe3ea3eb7d in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:871:5
    #10 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:640:13
    #11 0x7efe3ea73244 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:623:13
    #12 0x7efe3ea6d418 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:329:9
    #13 0x7efe3ea6ad30 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #14 0x7efe3ea69b9e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #15 0x7efe3c2108ca in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2023:21
    #16 0x7efe3c2116d3 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2113:13
    #17 0x7efe3c213158 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/dom/Document.cpp:2205:5

previously allocated by thread T0 here:
    #0 0x4c2eaf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7efe35d0fa4a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7efe3b5c10e4 in WebCore::AXObjectCache::getOrCreate(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:684:16
    #3 0x7efe3b5ee61e in WebCore::AXObjectCache::textChanged(WebCore::Node*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1007:17
    #4 0x7efe3b5ee61e in WebCore::AXObjectCache::performDeferredCacheUpdate() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:3213:9
    #5 0x7efe3d878841 in WebCore::FrameView::performPostLayoutTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameView.cpp:3369:16
    #6 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:302:12
    #7 0x7efe3d8930ed in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:288:5
    #8 0x7efe3d8424e7 in WebCore::FrameViewLayoutContext::layout() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/page/FrameViewLayoutContext.cpp:261:9
    #9 0x7efe3dbbe4ed in WebCore::ThreadTimers::sharedTimerFiredInternal() /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #10 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #11 0x7efe35cf4034 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkitgtk/webkitgtk-2.34.6/Source/WebCore/accessibility/AXObjectCache.cpp:1031:38 in WebCore::AXObjectCache::textChanged(WebCore::AccessibilityObject*)
Shadow bytes around the buggy address:
  0x0c18800451f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880045200: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880045210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1880045220: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880045230: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c1880045240:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1880045250: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1880045260: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1880045270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1880045280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1880045290: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==49262==ABORTING
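The three ASan stacks above describe one pattern: the object is created by getOrCreate() inside the deferred textChanged() update, freed by AXObjectCache::remove() when a nested style update tears down its renderer, and then read by textChanged(AccessibilityObject*) at line 1031. The following is an added example, not WebKit code and not the fix tracked in bug 237475: a simplified cache model (the `Cache`, `AXObject` and `reentrantTeardown` names are hypothetical stand-ins, and std::shared_ptr stands in for WTF::RefPtr) with a vulnerable shape that holds only a raw pointer across the re-entrant teardown, beside a hardened shape that keeps a strong reference and re-checks the cache before touching the object.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>

// Hypothetical model (not WebKit code) of a cache that owns ref-counted
// accessibility objects keyed by an id, in the spirit of AXObjectCache.
struct AXObject {
    std::string text;
};

struct Cache {
    std::unordered_map<unsigned, std::shared_ptr<AXObject>> objects;
    // Stands in for the render-tree teardown that ends up in AXObjectCache::remove().
    std::function<void()> reentrantTeardown;

    std::shared_ptr<AXObject> getOrCreate(unsigned id) {
        auto& slot = objects[id];
        if (!slot)
            slot = std::make_shared<AXObject>();
        return slot;
    }
    void remove(unsigned id) { objects.erase(id); }

    // Vulnerable shape: only a raw pointer survives across code that can re-enter
    // the cache and free the object. Returns true when the later access would have
    // read freed memory (what ASan reports at AXObjectCache.cpp:1031 on the page).
    bool textChangedRaw(unsigned id) {
        AXObject* obj = getOrCreate(id).get();        // temporary strong ref dropped here
        std::weak_ptr<AXObject> probe = objects[id];   // observer only, to detect the free
        if (reentrantTeardown)
            reentrantTeardown();
        (void)obj;  // real code would dereference obj here; the probe tells us it is gone
        return probe.expired();
    }

    // Hardened shape: hold a strong reference for the whole update and re-check
    // cache membership after the re-entrant work before using the object.
    bool textChangedSafe(unsigned id) {
        std::shared_ptr<AXObject> obj = getOrCreate(id);  // keeps the object alive
        if (reentrantTeardown)
            reentrantTeardown();
        if (objects.find(id) == objects.end())
            return false;  // removed meanwhile: skip the update instead of using it
        obj->text = "updated";
        return true;
    }
};
```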
Attachments
This file is generated by a browser fuzzer (33.97 KB, text/html), 2022-02-22 07:06 PST, Chijin, no flags
Radar WebKit Bug Importer, Comment 1, 2022-02-22 07:07:06 PST
<rdar://problem/89291570>
Tyler Wilcock, Comment 2, 2022-03-11 16:18:53 PST
This will be fixed by https://bugs.webkit.org/show_bug.cgi?id=237475.
Brent Fulgham, Comment 3, 2022-05-26 15:07:46 PDT
This fix shipped with Safari 15.5 (all platforms).