Bug 242683 (CVE-2023-25358) - heap-use-after-free in WebCore::RenderLayer::addChild()
Summary: heap-use-after-free in WebCore::RenderLayer::addChild()
Status: RESOLVED FIXED
Alias: CVE-2023-25358
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Critical
Assignee: Nobody
URL:
Keywords: InRadar
Duplicates: CVE-2023-25363 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362
Depends on:
Blocks:
 
Reported: 2022-07-13 03:11 PDT by Chijin
Modified: 2023-03-13 23:29 PDT
CC: 5 users

See Also:


Attachments
This file is generated by a browser fuzzer (321.42 KB, text/html)
2022-07-13 03:11 PDT, Chijin

Description Chijin 2022-07-13 03:11:34 PDT
Created attachment 460849
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::addChild(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:

```
=================================================================
==118323==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000d39f0 at pc 0x7f67b56647dc bp 0x7ffc4292c190 sp 0x7ffc4292c188
WRITE of size 8 at 0x6120000d39f0 thread T0
    #0 0x7f67b56647db in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp
    #1 0x7f67b557b68a in WebCore::RenderElement::addLayers(WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:706:5
    #2 0x7f67b557b68a in WebCore::RenderElement::insertedIntoTree(WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:1001:9
    #3 0x7f67b5c349bc in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:450:19
    #4 0x7f67b5c33195 in WebCore::RenderTreeBuilder::attachToRenderElement(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:427:5
    #5 0x7f67b5c3ddf7 in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:246:15
    #6 0x7f67b5c3ce53 in WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:115:9
    #7 0x7f67b5c4347f in WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp:59:30
    #8 0x7f67b5c31a12 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:325:28
    #9 0x7f67b5c2f362 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:191:5
    #10 0x7f67b5c6f2cd in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:403:15
    #11 0x7f67b5c68c0d in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:344:9
    #12 0x7f67b5c660d0 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #13 0x7f67b5c64a8e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #14 0x7f67b2f57c69 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:1983:21
    #15 0x7f67b2f58a93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2073:13
    #16 0x7f67b2f5a5d8 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2168:5
    #17 0x7f67b2fa9164 in WebCore::command(WebCore::Document*, WTF::String const&, bool) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5812:15
    #18 0x7f67b2fa8b77 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5829:12
    #19 0x7f67b02d8b63 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5957:5
    #20 0x7f67b02d8b63 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #21 0x7f67b02d8b63 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5962:12
    #22 0x7f675f4b91d7  (<unknown module>)

0x6120000d39f0 is located 48 bytes inside of 272-byte region [0x6120000d39c0,0x6120000d3ad0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f67b5773984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f67b5773984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f67b5773984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f67b5773984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f67b5773984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f67b5773984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f67b58004b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f67b577397c in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #9 0x7f67b577397c in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #10 0x7f67b577397c in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #11 0x7f67b577397c in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #12 0x7f67b577397c in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #13 0x7f67b58004b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #14 0x7f67b5c39fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #15 0x7f67b5c71da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #16 0x7f67b5c6dd1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #17 0x7f67b5c71122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #18 0x7f67b2ed0d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #19 0x7f67b2ed0d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f67abc551da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f67b53f7845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f67b56c0361 in WebCore::RenderLayer::createReflection() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5438:19
    #4 0x7f67b56bfcd1 in WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5394:13
    #5 0x7f67b577467e in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:145:18
    #6 0x7f67b53f7845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #7 0x7f67b53f60bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*)
Shadow bytes around the buggy address:
  0x0c24800126e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c24800126f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480012700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480012710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012720: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c2480012730: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c2480012740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012750: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480012760: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480012770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480012780: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==118323==ABORTING
```
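The report above follows the standard AddressSanitizer layout: an error header, the faulting access line, the access stack, a region line that states where the address sits relative to the freed allocation, and then the free and allocation stacks. As an added triage helper (not part of this bug, the fuzzer, or WebKit), the following script parses a report of that shape into a record, cross-checks the region arithmetic ASan prints (the offset of the bad address inside the region and the region's stated size), and pulls out the first non-runtime frame of each stack so the use site, free site and allocation site can be read at a glance. The embedded sample is a constructed, trimmed excerpt of the trace in this bug; the `RUNTIME_PATHS` list used to skip allocator and libstdc++ frames is an assumption for illustration.

```python
"""Parse an AddressSanitizer heap-use-after-free report into a triage record."""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the ASan report attached to this bug.
SAMPLE_REPORT = """\
==118323==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000d39f0 at pc 0x7f67b56647dc bp 0x7ffc4292c190 sp 0x7ffc4292c188
WRITE of size 8 at 0x6120000d39f0 thread T0
    #0 0x7f67b56647db in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp
    #1 0x7f67b557b68a in WebCore::RenderElement::addLayers(WebCore::RenderLayer*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:706:5

0x6120000d39f0 is located 48 bytes inside of 272-byte region [0x6120000d39c0,0x6120000d3ad0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f67b5773984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f67abc551da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp in WebCore::RenderLayer::addChild(WebCore::RenderLayer&, WebCore::RenderLayer*)
==118323==ABORTING
"""

HEADER = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Symbol names may contain spaces ("operator delete(void*)"), so match lazily up to
# the final whitespace-free token, which is the file[:line[:col]] location.
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")
# Assumed: path fragments identifying sanitizer runtime and C++ library frames to skip.
RUNTIME_PATHS = ("compiler-rt/lib/asan", "/include/c++/")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # file[:line[:col]] exactly as ASan printed it


@dataclass
class AsanReport:
    pid: int
    bug_type: str
    bad_address: int
    access_kind: str = ""
    access_size: int = 0
    thread: str = ""
    stated_offset: Optional[int] = None
    region_start: int = 0
    region_end: int = 0
    region_size: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def offset_in_region(self) -> int:
        """Offset of the faulting address from the region start, recomputed from the addresses."""
        return self.bad_address - self.region_start

    def region_consistent(self) -> bool:
        """True when ASan's stated offset and size agree with the printed address range."""
        return (self.region_end - self.region_start == self.region_size
                and self.stated_offset == self.offset_in_region()
                and 0 <= self.offset_in_region() < self.region_size)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, routing frames to the stack currently being listed."""
    report: Optional[AsanReport] = None
    target: Optional[List[Frame]] = None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), bug_type=m.group(2),
                                bad_address=int(m.group(3), 16))
            target = report.access_stack  # frames after the header are the access stack
            continue
        if report is None:
            continue  # ignore anything before the error header
        m = ACCESS.match(line)
        if m:
            report.access_kind, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            continue
        m = REGION.match(line)
        if m:
            report.stated_offset, report.region_size = int(m.group(1)), int(m.group(2))
            report.region_start, report.region_end = int(m.group(3), 16), int(m.group(4), 16)
            continue
        if line.startswith("freed by thread"):
            target = report.free_stack
            continue
        if line.startswith("previously allocated by thread"):
            target = report.alloc_stack
            continue
        m = FRAME.match(line)
        if m and target is not None:
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_app_frame(stack: List[Frame]) -> Optional[Frame]:
    """First frame that is not in the sanitizer runtime or the C++ standard library."""
    for frame in stack:
        if not any(p in frame.location for p in RUNTIME_PATHS):
            return frame
    return None


def summarize(report: AsanReport) -> dict:
    """Condense the parsed report into the fields a triager looks at first."""
    def fmt(frame: Optional[Frame]) -> str:
        return f"{frame.function} @ {frame.location}" if frame else "unknown"
    return {
        "bug": report.bug_type,
        "access": (f"{report.access_kind} of {report.access_size} bytes at offset "
                   f"{report.offset_in_region()} of a {report.region_size}-byte freed region"),
        "region_ok": report.region_consistent(),
        "use_site": fmt(first_app_frame(report.access_stack)),
        "free_site": fmt(first_app_frame(report.free_stack)),
        "alloc_site": fmt(first_app_frame(report.alloc_stack)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_asan_report(SAMPLE_REPORT)), indent=2))
```

On the sample, the recomputed offset (0x6120000d39f0 minus 0x6120000d39c0) is 48 and the range spans 0x110 = 272 bytes, both matching what ASan states, so `region_ok` is true; a mismatch there usually means the report was hand-edited or truncated when it was pasted into a tracker. The same routine works on the full report above, where the first non-runtime allocation frame becomes the `RenderBox::styleDidChange` call rather than the bmalloc wrapper.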
Comment 1 Radar WebKit Bug Importer 2022-07-13 03:11:45 PDT
<rdar://problem/96941772>
Comment 2 Chijin 2022-10-17 03:18:59 PDT
Hello? Is there anyone taking care of this issue? Apple team has confirmed that this has been fixed in Safari. Could WebKitGTK team take care of this?
Comment 3 Chijin 2022-10-31 05:31:35 PDT
Is there anyone taking care of this issue?
Comment 4 Carlos Alberto Lopez Perez 2023-02-02 09:00:38 PST
This issue has been fixed on WebKitGTK 2.36.8 or later.
Comment 5 Michael Catanzaro 2023-03-13 09:41:15 PDT
*** Bug 242686 has been marked as a duplicate of this bug. ***
Comment 6 Michael Catanzaro 2023-03-13 09:41:19 PDT
*** Bug 244249 has been marked as a duplicate of this bug. ***
Comment 7 Michael Catanzaro 2023-03-13 09:41:24 PDT
*** Bug 242684 has been marked as a duplicate of this bug. ***
Comment 8 Michael Catanzaro 2023-03-13 09:41:29 PDT
*** Bug 244802 has been marked as a duplicate of this bug. ***
Comment 9 Michael Catanzaro 2023-03-13 09:44:09 PDT
From one of the duplicate issues: this was fixed via bug #238946
Comment 10 Michael Catanzaro 2023-03-13 09:52:21 PDT
BTW I saw some comments that Apple Product Security determined this bug does not affect Safari, but I doubt it. Based on the asan traces and the fix commit, it seems most likely that Apple tested an already-fixed version.
Comment 11 Chijin 2023-03-13 23:29:09 PDT
(In reply to Michael Catanzaro from comment #10)
> BTW I saw some comments that Apple Product Security determined this bug does
> not affect Safari, but I doubt it. Based on the asan traces and the fix
> commit, it seems most likely that Apple tested an already-fixed version.

I agree with you. The original reply from Apple is that "After further investigation, we discovered the behavior you reported was addressed in Safari". I guess this implies that this issue may affect Safari but it has been fixed.