Bug 242686 - CVE-2023-25360: heap-use-after-free in WebCore::RenderLayer::renderer()
https://bugs.webkit.org/show_bug.cgi?id=242686
Status: RESOLVED DUPLICATE of bug 242683
Summary: heap-use-after-free in WebCore::RenderLayer::renderer()
Chijin
Reported 2022-07-13 03:24:26 PDT

Created attachment 460852 [details]
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::renderer(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:
```
=================================================================
==60503==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000dded8 at pc 0x7f0815894113 bp 0x7ffd72f05ec0 sp 0x7ffd72f05eb8
READ of size 8 at 0x6120000dded8 thread T0
    #0 0x7f0815894112 in WebCore::RenderLayer::renderer() const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55
    #1 0x7f0815894112 in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5142:5
    #2 0x7f08158940ef in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5144:18
    #3 0x7f081574c883 in WebCore::RenderElement::repaintBeforeStyleChange(WebCore::StyleDifference, WebCore::RenderStyle const&, WebCore::RenderStyle const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:485:58
    #4 0x7f081574d066 in WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:530:23
    #5 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateRendererStyle(WebCore::RenderElement&, WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:300:14
    #6 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:367:5
    #7 0x7f0815e3f0d0 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #8 0x7f0815e3da8e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #9 0x7f0813130c69 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:1983:21
    #10 0x7f0813131a93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2073:13
    #11 0x7f08131335d8 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2168:5
    #12 0x7f0813182164 in WebCore::command(WebCore::Document*, WTF::String const&, bool) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5812:15
    #13 0x7f0813181b77 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5829:12
    #14 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5957:5
    #15 0x7f08104b1b63 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #16 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5962:12
    #17 0x7f07bf6921d7  (<unknown module>)

0x6120000dded8 is located 24 bytes inside of 272-byte region [0x6120000ddec0,0x6120000ddfd0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f081594c984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f081594c984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f081594c984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f081594c984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f08159d94b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f0815e12fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f0815e4ada8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f0815e46d1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f0815e4a122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f08130a9d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f08130a9d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f080be2e1da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f08155d0845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f08155cf0bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55 in WebCore::RenderLayer::renderer() const
Shadow bytes around the buggy address:
  0x0c2480013b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013b90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2480013ba0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480013bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bc0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480013bd0: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c2480013be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bf0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480013c00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480013c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480013c20: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60503==ABORTING
```
Attachments
This file is generated by a browser fuzzer (292.54 KB, text/html), 2022-07-13 03:24 PDT, Chijin, no flags
Radar WebKit Bug Importer
Comment 1
2022-07-13 03:24:36 PDT
<rdar://problem/96942207>
Chijin
Comment 2
2022-09-12 16:22:47 PDT
This issue has been confirmed by Apple security team that it will not affect Apple products. Will webkitgtk team look into it?
Chijin
Comment 3
2022-10-17 03:24:39 PDT
Hello? Is there anyone taking care of this issue?
Carlos Alberto Lopez Perez
Comment 4
2023-02-02 09:02:42 PST
This issue has been fixed on WebKitGTK 2.36.8 or later.
Michael Catanzaro
Comment 5
2023-03-03 05:50:23 PST
(In reply to Chijin from comment #2)
> This issue has been confirmed by Apple security team that it will not affect
> Apple products. Will webkitgtk team look into it?
FWIW I'm skeptical of this as this is cross-platform code.
Michael Catanzaro
Comment 6
2023-03-13 09:41:15 PDT
*** This bug has been marked as a duplicate of bug 242683 ***