RESOLVED FIXED 277031
Stack overflow in ContainerNode::cloneChildNodes
https://bugs.webkit.org/show_bug.cgi?id=277031
Summary Stack overflow in ContainerNode::cloneChildNodes
Ali Juma
Reported 2024-07-24 13:31:33 PDT
Created attachment 471958 [details] Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner at 281262@main

Stack:

=================================================================
AddressSanitizer: stack-overflow on address 0x7ff7bd5e1fe0 (pc 0x000180501077 bp 0x7ff7bd5e2040 sp 0x7ff7bd5e1fe0 T0)
    #0 0x180501077 in __sanitizer::StackDepotBase<__sanitizer::StackDepotNode, 1, 20>::Put(__sanitizer::StackTrace, bool*)+0x17 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x106077)
    #1 0x1803fdf4c in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool)+0x3cc (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x2f4c)
    #2 0x1803fdb58 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*)+0x28 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x2b58)
    #3 0x1804d8330 in __sanitizer_mz_malloc+0x100 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0xdd330)
    #4 0x7ff81b839732 in _malloc_zone_malloc_instrumented_or_legacy+0x71 (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2b732)
    #5 0x18f752b51 in pas_debug_heap_allocate+0x21 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5851b51)
    #6 0x18f751764 in bmalloc_heap_config_specialized_try_allocate_common_impl_slow+0x7f4 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5850764)
    #7 0x18f736784 in bmalloc_iso_allocate_impl_impl_slow+0x24 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5835784)
    #8 0x1c70944bc in WebCore::HTMLModElement::create(WebCore::QualifiedName const&, WebCore::Document&)+0x2c (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x69c74bc)
    #9 0x1c0f2d899 in WebCore::modConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)+0x79 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x860899)
    #10 0x1c0f396c9 in WebCore::HTMLElementFactory::createKnownElementWithName(WebCore::TagName, WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)+0x3259 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x86c6c9)
    #11 0x1c0f3c935 in WebCore::HTMLElementFactory::createKnownElement(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)+0x65 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x86f935)
    #12 0x1c63f13b6 in WebCore::Document::createElement(WebCore::QualifiedName const&, bool)+0x2b6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5d243b6)
    #13 0x1c6542e29 in WebCore::Element::cloneElementWithoutAttributesAndChildren(WebCore::Document&)+0x19 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e75e29)
    #14 0x1c6541057 in WebCore::Element::cloneNodeInternal(WebCore::Document&, WebCore::Node::CloningOperation)+0xc7 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e74057)
    #15 0x1c633ba48 in WebCore::ContainerNode::cloneChildNodes(WebCore::ContainerNode&)+0x328 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5c6ea48)
    ...

The last frame (WebCore::ContainerNode::cloneChildNodes) repeats over and over again
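The trace above shows the classic shape of a recursion-depth crash: cloning a parent calls into cloning each child, which calls into cloning its children, so native stack use grows with document nesting depth until the guard page is hit. The following is an added, self-contained example (not WebKit's code, and not a description of the fix that landed in 290680@main); it models a DOM-like tree in an index-based arena and contrasts a recursive clone, whose frame count equals the nesting depth, with an iterative clone driven by an explicit work list, which clones a chain hundreds of thousands of levels deep using a fixed number of native frames. The node layout, tag names and helper functions are constructed for this illustration.

```cpp
// Added example: recursive vs. iterative tree clone over a constructed arena.
// Nothing here is WebKit code; the arena, tag names and helpers are invented.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

struct Node {
    std::string tag;                    // element name, e.g. "div"
    std::vector<std::size_t> children;  // indices into Tree::nodes, in document order
};

bool operator==(const Node& a, const Node& b) { return a.tag == b.tag && a.children == b.children; }

struct Tree {
    std::vector<Node> nodes;  // nodes[0] is the root; destroyed linearly, never recursively
};

// Constructed input: html > div > div > ... nested `depth` levels deep.
Tree makeNestedChain(std::size_t depth) {
    Tree t;
    t.nodes.push_back({"html", {}});
    std::size_t parent = 0;
    for (std::size_t i = 0; i < depth; ++i) {
        t.nodes.push_back({"div", {}});
        std::size_t idx = t.nodes.size() - 1;
        t.nodes[parent].children.push_back(idx);
        parent = idx;
    }
    return t;
}

// Recursive clone: one native frame per nesting level (the pattern in the report).
// maxDepth records how deep the recursion went. Safe only for shallow input.
std::size_t cloneRecursive(const Tree& src, std::size_t srcIdx, Tree& dst,
                           std::size_t& maxDepth, std::size_t depth = 1) {
    maxDepth = std::max(maxDepth, depth);
    dst.nodes.push_back({src.nodes[srcIdx].tag, {}});
    std::size_t dstIdx = dst.nodes.size() - 1;
    for (std::size_t child : src.nodes[srcIdx].children) {
        std::size_t c = cloneRecursive(src, child, dst, maxDepth, depth + 1);
        dst.nodes[dstIdx].children.push_back(c);  // index, not reference: vector may reallocate
    }
    return dstIdx;
}

// Iterative clone: the pending work lives on the heap, so nesting depth never
// translates into native stack depth.
Tree cloneIterative(const Tree& src) {
    Tree dst;
    if (src.nodes.empty()) return dst;
    const std::size_t npos = static_cast<std::size_t>(-1);
    std::vector<std::pair<std::size_t, std::size_t>> work;  // (source index, destination parent)
    work.push_back({0, npos});
    while (!work.empty()) {
        std::pair<std::size_t, std::size_t> item = work.back();
        work.pop_back();
        std::size_t srcIdx = item.first, dstParent = item.second;
        dst.nodes.push_back({src.nodes[srcIdx].tag, {}});
        std::size_t dstIdx = dst.nodes.size() - 1;
        if (dstParent != npos) dst.nodes[dstParent].children.push_back(dstIdx);
        // Push children in reverse so the LIFO work list clones them in document order.
        const std::vector<std::size_t>& kids = src.nodes[srcIdx].children;
        for (auto it = kids.rbegin(); it != kids.rend(); ++it) work.push_back({*it, dstIdx});
    }
    return dst;
}

// Nesting depth of a tree, computed iteratively for the same reason.
std::size_t nestingDepth(const Tree& t) {
    std::size_t best = 0;
    if (t.nodes.empty()) return best;
    std::vector<std::pair<std::size_t, std::size_t>> work{{0, 1}};
    while (!work.empty()) {
        std::pair<std::size_t, std::size_t> item = work.back();
        work.pop_back();
        best = std::max(best, item.second);
        for (std::size_t c : t.nodes[item.first].children) work.push_back({c, item.second + 1});
    }
    return best;
}

bool sameStructure(const Tree& a, const Tree& b) { return a.nodes == b.nodes; }

int main() {
    Tree deep = makeNestedChain(200000);   // far deeper than a typical native stack allows recursively
    Tree copy = cloneIterative(deep);
    std::printf("iterative clone: %zu nodes, depth %zu, identical=%d\n",
                copy.nodes.size(), nestingDepth(copy), sameStructure(copy, deep) ? 1 : 0);
    Tree shallow = makeNestedChain(50);
    Tree r; std::size_t frames = 0;
    cloneRecursive(shallow, 0, r, frames);
    std::printf("recursive clone of 51-node chain used %zu nested frames\n", frames);
    return 0;
}
```

The recursive variant is deliberately only run on the shallow chain; pointing it at the 200000-level chain would reproduce the report's failure mode rather than demonstrate the mitigation. The arena layout also matters for the destructor: a tree built from owning pointers would recurse again when freed, whereas the flat vector is destroyed linearly.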
Attachments
Minimal test case (1.14 KB, text/html)
2024-07-24 13:31 PDT, Ali Juma
no flags
Reduction (597 bytes, text/html)
2024-08-18 23:46 PDT, Ryosuke Niwa
no flags
Reduction 2 (572 bytes, text/html)
2024-08-18 23:51 PDT, Ryosuke Niwa
no flags
Reduction 3 (494 bytes, text/html)
2024-08-18 23:52 PDT, Ryosuke Niwa
no flags
Radar WebKit Bug Importer
Comment 1 2024-07-24 13:31:49 PDT
Ryosuke Niwa
Comment 2 2024-08-18 23:46:06 PDT
Created attachment 472214 [details] Reduction
Ryosuke Niwa
Comment 3 2024-08-18 23:51:22 PDT
Created attachment 472216 [details] Reduction 2
Ryosuke Niwa
Comment 4 2024-08-18 23:52:55 PDT
Created attachment 472217 [details] Reduction 3
Ryosuke Niwa
Comment 5 2024-08-19 00:45:00 PDT
Hm... this test case also crashes in Chrome & Firefox...
zak ridouh
Comment 6 2024-09-03 15:30:49 PDT
Test crashes on Safari, Chrome, and Firefox, but does not crash on Chrome Canary (v130.0.6696.0)
zak ridouh
Comment 7 2025-02-19 11:56:05 PST
Ryosuke Niwa
Comment 8 2025-02-19 15:05:36 PST
Not a security bug.
zak ridouh
Comment 9 2025-02-19 15:07:08 PST
EWS
Comment 10 2025-02-19 18:59:58 PST
Committed 290680@main (80914b1cad40): <https://commits.webkit.org/290680@main> Reviewed commits have been landed. Closing PR #40903 and removing active labels.