Created attachment 460852
This file is generated by a browser fuzzer

description: a heap-use-after-free occurred in WebCore::RenderLayer::renderer(). It affects Safari as well as WebKitGTK.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:
```
=================================================================
==60503==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000dded8 at pc 0x7f0815894113 bp 0x7ffd72f05ec0 sp 0x7ffd72f05eb8
READ of size 8 at 0x6120000dded8 thread T0
    #0 0x7f0815894112 in WebCore::RenderLayer::renderer() const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55
    #1 0x7f0815894112 in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5142:5
    #2 0x7f08158940ef in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5144:18
    #3 0x7f081574c883 in WebCore::RenderElement::repaintBeforeStyleChange(WebCore::StyleDifference, WebCore::RenderStyle const&, WebCore::RenderStyle const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:485:58
    #4 0x7f081574d066 in WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:530:23
    #5 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateRendererStyle(WebCore::RenderElement&, WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:300:14
    #6 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:367:5
    #7 0x7f0815e3f0d0 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #8 0x7f0815e3da8e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #9 0x7f0813130c69 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:1983:21
    #10 0x7f0813131a93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2073:13
    #11 0x7f08131335d8 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2168:5
    #12 0x7f0813182164 in WebCore::command(WebCore::Document*, WTF::String const&, bool) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5812:15
    #13 0x7f0813181b77 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5829:12
    #14 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5957:5
    #15 0x7f08104b1b63 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #16 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5962:12
    #17 0x7f07bf6921d7 (<unknown module>)

0x6120000dded8 is located 24 bytes inside of 272-byte region [0x6120000ddec0,0x6120000ddfd0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f081594c984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f081594c984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f081594c984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f081594c984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f08159d94b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f0815e12fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f0815e4ada8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f0815e46d1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f0815e4a122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f08130a9d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f08130a9d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f080be2e1da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f08155d0845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f08155cf0bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55 in WebCore::RenderLayer::renderer() const
Shadow bytes around the buggy address:
  0x0c2480013b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013b90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2480013ba0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480013bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bc0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480013bd0: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c2480013be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bf0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480013c00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480013c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480013c20: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60503==ABORTING
```
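The report above is the kind of artifact a fuzzing pipeline has to triage automatically: the bug class, the faulting access, how far into the freed object the read landed, and the three stacks (crash, free, alloc) with allocator, sanitizer-runtime and libstdc++ frames removed so that different addresses of the same bug bucket together. The script below is an added example written for this page, not WebKit code and not the reporter's fuzzer. Its sample input is a trimmed copy of the report above (the first frames of each stack only), embedded inline so the script runs offline; the `Frame`/`Report` types and the noise-frame filter are this example's own choices.

```python
"""Triage an AddressSanitizer report: bug class, faulting access, object
geometry, and a dedup key built from the crash/free/alloc stacks.
Added example for this bug page; not WebKit code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed copy of the report in this bug (first frames of each stack only).
SAMPLE_REPORT = """\
==60503==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000dded8 at pc 0x7f0815894113 bp 0x7ffd72f05ec0 sp 0x7ffd72f05eb8
READ of size 8 at 0x6120000dded8 thread T0
    #0 0x7f0815894112 in WebCore::RenderLayer::renderer() const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55
    #1 0x7f0815894112 in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5142:5
    #2 0x7f08158940ef in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5144:18
    #3 0x7f081574c883 in WebCore::RenderElement::repaintBeforeStyleChange(WebCore::StyleDifference, WebCore::RenderStyle const&, WebCore::RenderStyle const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:485:58
    #4 0x7f081574d066 in WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:530:23

0x6120000dded8 is located 24 bytes inside of 272-byte region [0x6120000ddec0,0x6120000ddfd0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f081594c984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f081594c984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f081594c984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f081594c984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f08159d94b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f080be2e1da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f08155d0845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f08155cf0bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55 in WebCore::RenderLayer::renderer() const
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the left of|to the right of) (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+)?(.+?)\s*$")
# Allocator, sanitizer-runtime and C++ library frames say nothing about the bug
# itself, so the dedup key skips them (this filter is the example's own choice).
NOISE_RE = re.compile(r"^(?:free|malloc|calloc|realloc|__asan|__interceptor_|std::|bmalloc::)|::operator (?:new|delete)\b")

@dataclass
class Frame:
    index: int
    function: str   # demangled symbol with its parameter list stripped
    location: str   # file:line:col; empty for unsymbolized frames

@dataclass
class Report:
    bug_type: str = ""
    address: str = ""
    access: str = ""
    access_size: int = 0
    thread: str = ""
    region_offset: Optional[int] = None
    region_relation: str = ""
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(default_factory=lambda: {"crash": [], "free": [], "alloc": []})

def strip_params(symbol: str) -> str:
    """Cut a demangled symbol at its parameter list: the first '(' outside any
    <...>, so parentheses inside template arguments (call<&(f(...))>) survive."""
    depth = 0
    for i, ch in enumerate(symbol):
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth = max(depth - 1, 0)
        elif ch == "(" and depth == 0:
            return symbol[:i]
    return symbol

def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(2)
    if rest.startswith("("):                     # "(<unknown module>)": JIT code or stripped binary
        return Frame(int(m.group(1)), rest, "")
    symbol, _, location = rest.rpartition(" ")   # the source location is the last token
    return Frame(int(m.group(1)), strip_params(symbol), location)

def parse_asan_report(text: str) -> Report:
    rep, section = Report(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.bug_type, rep.address, section = m.group(1), m.group(2), "crash"
        elif m := ACCESS_RE.match(line):
            rep.access, rep.access_size, rep.thread = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            rep.region_offset, rep.region_relation, rep.region_size = int(m.group(1)), m.group(2), int(m.group(3))
        elif "freed by thread" in line:
            section = "free"
        elif "previously allocated by thread" in line:
            section = "alloc"
        elif line.startswith("SUMMARY:"):
            section = None
        elif section and (frame := parse_frame(line)):
            rep.stacks[section].append(frame)
    return rep

def crash_state(frames: List[Frame], depth: int = 3) -> List[str]:
    """Top `depth` meaningful functions: noise and unsymbolized frames dropped,
    consecutive repeats (recursion, as in repaintIncludingDescendants) collapsed."""
    state: List[str] = []
    for f in frames:
        if not f.location or NOISE_RE.search(f.function):
            continue
        if state and state[-1] == f.function:
            continue
        state.append(f.function)
        if len(state) == depth:
            break
    return state

def dedup_key(rep: Report) -> str:
    """Bucket name for a fuzzer corpus: bug class, access, and the three stack
    states; addresses are deliberately left out so ASLR does not split buckets."""
    parts = [rep.bug_type, f"{rep.access}{rep.access_size}"]
    for name in ("crash", "free", "alloc"):
        parts.append("/".join(crash_state(rep.stacks[name])) or "-")
    return "|".join(parts)

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r.bug_type}: {r.access} of {r.access_size} bytes, {r.region_offset} bytes "
          f"{r.region_relation} a freed {r.region_size}-byte object")
    print(dedup_key(r))
```

On this report the key comes out as the bug class, `READ8`, then `RenderLayer::renderer/repaintIncludingDescendants/RenderElement::repaintBeforeStyleChange` for the crash stack, `destroyLayer/willBeDestroyed/RenderObject::destroy` for the free stack and the two `styleDidChange` frames for the allocation: a compact statement that a RenderLayer torn down during renderer destruction is still reachable from the repaint path during a later style change, which is what a triager would check against the fix in bug 242683.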
<rdar://problem/96942207>
The Apple security team has confirmed that this issue will not affect Apple products. Will the WebKitGTK team look into it?
Hello? Is there anyone taking care of this issue?
This issue has been fixed in WebKitGTK 2.36.8 and later.
(In reply to Chijin from comment #2)
> The Apple security team has confirmed that this issue will not affect Apple
> products. Will the WebKitGTK team look into it?

FWIW I'm skeptical of this, as this is cross-platform code.
*** This bug has been marked as a duplicate of bug 242683 ***