Bug 242686 (CVE-2023-25360) - heap-use-after-free in WebCore::RenderLayer::renderer()
Summary: heap-use-after-free in WebCore::RenderLayer::renderer()
Status: RESOLVED DUPLICATE of bug 242683
Alias: CVE-2023-25360
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Critical
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-07-13 03:24 PDT by Chijin
Modified: 2023-03-13 09:41 PDT (History)
5 users (show)

See Also:


Attachments
This file is generated by a browser fuzzer (292.54 KB, text/html)
2022-07-13 03:24 PDT, Chijin
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Chijin 2022-07-13 03:24:26 PDT
Created attachment 460852 [details]
This file is generated by a browser fuzzer

description: a heap-use-after-free occured in WebCore::RenderLayer::renderer(). It affects Safari as well as webkitgtk.

versions: safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:
```
=================================================================
==60503==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000dded8 at pc 0x7f0815894113 bp 0x7ffd72f05ec0 sp 0x7ffd72f05eb8
READ of size 8 at 0x6120000dded8 thread T0
    #0 0x7f0815894112 in WebCore::RenderLayer::renderer() const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55
    #1 0x7f0815894112 in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5142:5
    #2 0x7f08158940ef in WebCore::RenderLayer::repaintIncludingDescendants() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:5144:18
    #3 0x7f081574c883 in WebCore::RenderElement::repaintBeforeStyleChange(WebCore::StyleDifference, WebCore::RenderStyle const&, WebCore::RenderStyle const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:485:58
    #4 0x7f081574d066 in WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:530:23
    #5 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateRendererStyle(WebCore::RenderElement&, WebCore::RenderStyle&&, WebCore::StyleDifference) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:300:14
    #6 0x7f0815e41d13 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdates const&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:367:5
    #7 0x7f0815e3f0d0 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:194:13
    #8 0x7f0815e3da8e in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:126:9
    #9 0x7f0813130c69 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:1983:21
    #10 0x7f0813131a93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2073:13
    #11 0x7f08131335d8 in WebCore::Document::updateStyleIfNeeded() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2168:5
    #12 0x7f0813182164 in WebCore::command(WebCore::Document*, WTF::String const&, bool) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5812:15
    #13 0x7f0813181b77 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:5829:12
    #14 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5957:5
    #15 0x7f08104b1b63 in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #16 0x7f08104b1b63 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5962:12
    #17 0x7f07bf6921d7  (<unknown module>)

0x6120000dded8 is located 24 bytes inside of 272-byte region [0x6120000ddec0,0x6120000ddfd0)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f081594c984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f081594c984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f081594c984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f081594c984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f081594c984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f08159d94b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f0815e12fe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f0815e4ada8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f0815e46d1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f0815e4a122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f08130a9d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f08130a9d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f080be2e1da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f08155d0845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f08155cf0bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:171:55 in WebCore::RenderLayer::renderer() const
Shadow bytes around the buggy address:
  0x0c2480013b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013b90: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2480013ba0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480013bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bc0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480013bd0: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c2480013be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480013bf0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480013c00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480013c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480013c20: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60503==ABORTING
```
Comment 1 Radar WebKit Bug Importer 2022-07-13 03:24:36 PDT
<rdar://problem/96942207>
Comment 2 Chijin 2022-09-12 16:22:47 PDT
This issue has been confirmed by Apple security team that it will not affect Apple products. Will webkitgtk team look into it?
Comment 3 Chijin 2022-10-17 03:24:39 PDT
Hello? Is there anyone taking care of this issue?
Comment 4 Carlos Alberto Lopez Perez 2023-02-02 09:02:42 PST
This issue has been fixed on WebKitGTK 2.36.8 or later.
Comment 5 Michael Catanzaro 2023-03-03 05:50:23 PST
(In reply to Chijin from comment #2)
> This issue has been confirmed by Apple security team that it will not affect
> Apple products. Will webkitgtk team look into it?

FWIW I'm skeptical of this as this is cross-platform code.
Comment 6 Michael Catanzaro 2023-03-13 09:41:15 PDT

*** This bug has been marked as a duplicate of bug 242683 ***