Bug 242684 (CVE-2023-25363) - a heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()
Summary: a heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()
Status: RESOLVED DUPLICATE of bug 242683
Alias: CVE-2023-25363
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All Linux
Importance: P2 Critical
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-07-13 03:19 PDT by Chijin
Modified: 2023-03-13 09:41 PDT
CC List: 5 users

See Also:


Attachments
This file is generated by a browser fuzzer (306.03 KB, text/html)
2022-07-13 03:19 PDT, Chijin

Description Chijin 2022-07-13 03:19:27 PDT
Created attachment 460850
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::updateDescendantDependentFlags(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:

```
=================================================================
==11793==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200018c94c at pc 0x7f7bf5498912 bp 0x7ffc5914ea30 sp 0x7ffc5914ea28
READ of size 4 at 0x61200018c94c thread T0
    #0 0x7f7bf5498911 in WebCore::RenderLayer::updateDescendantDependentFlags() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9
    #1 0x7f7bf5498207 in WebCore::RenderLayer::updateDescendantDependentFlags() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1519:20
    #2 0x7f7bf54996d6 in WebCore::RenderLayer::removeChild(WebCore::RenderLayer&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:452:14
    #3 0x7f7bf53adc67 in WebCore::RenderElement::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:1027:9
    #4 0x7f7bf5a65fa1 in WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::WillBeDestroyed) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:963:15
    #5 0x7f7bf5a72c8a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:294:33
    #6 0x7f7bf5a74e4a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:387:12
    #7 0x7f7bf5a60f26 in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:395:31
    #8 0x7f7bf5a601f5 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:160:22
    #9 0x7f7bf5a6bfe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #10 0x7f7bf5aa3da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #11 0x7f7bf5aa0248 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:631:5
    #12 0x7f7bf5aa3122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #13 0x7f7bf2d02d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #14 0x7f7bf2d02d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5
    #15 0x7f7bf2d06a15 in WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(WebCore::ContainerNode::ChildChange::Source, WebCore::ContainerNode::DeferChildrenChanged) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:128:13
    #16 0x7f7bf2d06a15 in WebCore::ContainerNode::removeChildren() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:744:5
    #17 0x7f7bf2d97c04 in WebCore::Document::implicitOpen() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2988:5
    #18 0x7f7bf2d80421 in WebCore::Document::open(WebCore::Document*) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2938:5
    #19 0x7f7bf2d9eb58 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:3292:23
    #20 0x7f7bf2d9fbdd in WebCore::Document::writeln(WebCore::Document*, WTF::FixedVector<WTF::String>&&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:3324:12
    #21 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()::operator()() const /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5915:5
    #22 0x7f7bf0109b9e in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #23 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5915:5
    #24 0x7f7bf0109b9e in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #25 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writeln(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5920:12
    #26 0x7f7b9f2eb1d7  (<unknown module>)

0x61200018c94c is located 12 bytes inside of 272-byte region [0x61200018c940,0x61200018ca50)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f7bf55a5984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f7bf55a5984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f7bf55a5984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f7bf55a5984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f7bf55a5984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f7bf55a5984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f7bf56324b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f7bf5a6bfe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f7bf5aa3da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f7bf5a9fd1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f7bf5aa3122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f7bf2d02d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f7bf2d02d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f7beba871da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f7bf5229845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f7bf52280bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9 in WebCore::RenderLayer::updateDescendantDependentFlags()
Shadow bytes around the buggy address:
  0x0c24800298d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24800298e0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c24800298f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480029900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480029910: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480029920: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c2480029930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480029940: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480029950: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480029960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480029970: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11793==ABORTING
```
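The ASan report above already carries the three stacks a use-after-free triage needs: the faulting 4-byte read in RenderLayer::updateDescendantDependentFlags(), the free in RenderLayerModelObject::destroyLayer() through unique_ptr::reset(), and the allocation in RenderBox::styleDidChange(), with the access landing 12 bytes into the freed 272-byte RenderLayer. The script below is an added example, not WebKit code and not the reporter's attachment: it parses such a report into those stacks, checks that the report's offset arithmetic is self-consistent, and derives the kind of crash signature a fuzzing pipeline uses to recognise duplicates (this bug was itself closed as a duplicate of bug 242683). The sample input is a condensed excerpt of the log above with most frames trimmed and renumbered; the lists of runtime and wrapper frames to skip are the example's own assumption.

```python
"""Triage an AddressSanitizer heap-use-after-free report. Added example for this bug page, not
WebKit code or the reporter's attachment: splits the access/free/alloc stacks, checks the report's
own offset arithmetic and derives a dedup signature from the first project-owned frame of each."""
import re
from collections import namedtuple
from dataclasses import dataclass
# Constructed sample: a condensed excerpt of this bug's report, frames trimmed and renumbered.
SAMPLE_REPORT = """\
==11793==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200018c94c at pc 0x7f7bf5498912 bp 0x7ffc5914ea30 sp 0x7ffc5914ea28
READ of size 4 at 0x61200018c94c thread T0
    #0 0x7f7bf5498911 in WebCore::RenderLayer::updateDescendantDependentFlags() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9
    #1 0x7f7bf54996d6 in WebCore::RenderLayer::removeChild(WebCore::RenderLayer&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:452:14
    #2 0x7f7b9f2eb1d7  (<unknown module>)

0x61200018c94c is located 12 bytes inside of 272-byte region [0x61200018c940,0x61200018ca50)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f7bf55a5984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f7bf55a5984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #3 0x7f7bf55a5984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f7beba871da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f7bf5229845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9 in WebCore::RenderLayer::updateDescendantDependentFlags()
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+:\d+:\d+)$")  # symbolised frame
UNKNOWN_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+\s+\((.*)\)$")          # e.g. "(<unknown module>)"
# Frames skipped when picking the frame to blame (allocator, sanitizer runtime, C++ wrappers);
# these lists are an assumption of this example, tuned to the WebKitGTK ASan build shown above.
RUNTIME_FUNCS = ("malloc", "free", "std::", "bmalloc::", "__")
WRAPPER_FUNCS = ("operator new", "operator delete")
RUNTIME_PATHS = ("compiler-rt", "/include/c++/")

Frame = namedtuple("Frame", "index function location")  # "?" / "<unknown module>" when unsymbolised
@dataclass
class UafReport:
    kind: str
    address: int
    access: str        # READ or WRITE
    size: int
    offset: int        # bytes from region start to the faulting address
    region_size: int
    region_start: int
    region_end: int
    stacks: dict       # "access" / "free" / "alloc" -> list of Frame

def parse_asan_report(text: str) -> UafReport:
    kind = address = access = size = region = None
    stacks = {"access": [], "free": [], "alloc": []}
    current = None  # frames are attributed to the stack header seen most recently
    for line in text.splitlines():
        if line.startswith("SUMMARY:"):
            break
        if m := ERROR_RE.search(line):
            kind, address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            access, size, current = m.group(1), int(m.group(2)), "access"
        elif m := REGION_RE.match(line):
            region = (int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16))
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif current and (m := UNKNOWN_RE.match(line)):
            stacks[current].append(Frame(int(m.group(1)), "?", m.group(2)))
    if kind is None or access is None or region is None:
        raise ValueError("not a complete ASan heap report")
    return UafReport(kind, address, access, size, *region, stacks)

def is_consistent(r: UafReport) -> bool:
    """Address inside [start, end) at the stated offset and bounds matching the stated size;
    a mismatch usually means the report was truncated or edited by hand."""
    return (r.region_start <= r.address < r.region_end
            and r.address - r.region_start == r.offset
            and r.region_end - r.region_start == r.region_size)

def first_project_frame(stack):
    """The frame to blame: the first one that is neither runtime nor a C++ wrapper."""
    for f in stack:
        if (f.function == "?" or f.function.startswith(RUNTIME_FUNCS)
                or any(w in f.function for w in WRAPPER_FUNCS)
                or any(p in f.location for p in RUNTIME_PATHS)):
            continue
        return f
    return None

def crash_signature(r: UafReport) -> str:
    """kind|access|free|alloc with argument lists stripped; equal signatures are almost always
    the same bug, which is how fuzzing pipelines flag duplicates such as this one and 242683."""
    frames = [first_project_frame(r.stacks[n]) for n in ("access", "free", "alloc")]
    return "|".join([r.kind] + [f.function.split("(")[0] if f else "?" for f in frames])
```

Feed a full report to `parse_asan_report()` and compare `crash_signature()` across crashes to bucket a fuzzing run; the blame frame deliberately skips `operator delete` and `unique_ptr::reset` so that the signature names `destroyLayer()`, the call that actually released the layer, rather than the allocator wrapper, and `is_consistent()` catches reports that were cut off or edited before they reached the tracker.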
Comment 1 Radar WebKit Bug Importer 2022-07-13 03:19:37 PDT
<rdar://problem/96942033>
Comment 2 Chijin 2023-01-15 18:08:49 PST
Hello? It has been 6 months. As I verified, this issue has been addressed in the latest webkit. Can anyone close this issue?
Comment 3 Carlos Alberto Lopez Perez 2023-02-02 09:01:46 PST
This issue has been fixed on WebKitGTK 2.36.8 or later.
Comment 4 Michael Catanzaro 2023-03-13 09:41:24 PDT

*** This bug has been marked as a duplicate of bug 242683 ***