RESOLVED FIXED
286015
Crash in WTR::AccessibilityUIElement::textMarkerRangeForElement
https://bugs.webkit.org/show_bug.cgi?id=286015
Summary
Crash in WTR::AccessibilityUIElement::textMarkerRangeForElement
michaeldo
Reported
2025-01-15 12:33:18 PST
Created attachment 473909 [details]: Minimal Test Case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner at 288489@main.
Stack: ================================================================= ==76035==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ff81717e7d2 bp 0x7ff7bb704830 sp 0x7ff7bb704830 T0) ==76035==The signal is caused by a READ memory access. ==76035==Hint: address points to the zero page. ==76035==WARNING: failed to spawn external symbolizer (errno: 25) ==76035==WARNING: failed to spawn external symbolizer (errno: 25) ==76035==WARNING: failed to spawn external symbolizer (errno: 25) ==76035==WARNING: failed to spawn external symbolizer (errno: 25) ==76035==WARNING: failed to spawn external symbolizer (errno: 25) ==76035==WARNING: Failed to use and restart external symbolizer! #0 0x7ff81717e7d2 in objc_loadWeak+0x4 (/usr/lib/libobjc.A.dylib:x86_64h+0xb7d2) #1 0x1049b580e in WTR::AccessibilityUIElement::textMarkerRangeForElement(WTR::AccessibilityUIElement*)+0x8e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKitTestRunnerInjectedBundle.bundle/Contents/MacOS/WebKitTestRunnerInjectedBundle:x86_64+0x3a80e) #2 0x104a420a1 in WTR::JSAccessibilityUIElement::textMarkerRangeForElement(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**)+0xe1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKitTestRunnerInjectedBundle.bundle/Contents/MacOS/WebKitTestRunnerInjectedBundle:x86_64+0xc70a1) #3 0x110544d4a in long long JSC::APICallbackFunction::callImpl<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*)+0x67a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1550d4a) #4 0x1607c8326 (<unknown module>) #5 0x114ca2c10 in 
llint_entry+0x1f1e8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5caec10) #6 0x114c838c3 in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c8f8c3) #7 0x112222514 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x1224 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x322e514) #8 0x112c71b95 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x405 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7db95) #9 0x112c71f97 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x107 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7df97) #10 0x151dd94fd in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0xa2d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528c4fd) #11 0x151dda19a in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode 
const&)+0xaa (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528d19a) #12 0x1535a1065 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0x1095 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a54065) #13 0x1535960ab in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&)+0x1eeb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a490ab) #14 0x1543c4866 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x1a6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877866) #15 0x1543c4556 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement>, WTF::DefaultRefDerefTraits<WebCore::ScriptElement>>&&, WTF::TextPosition const&)+0x96 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877556) #16 0x15433d608 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x7b8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f0608) #17 0x15433e0c8 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, 
WebCore::PumpSession&)+0x6a8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f10c8) #18 0x15433bd26 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x1d6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77eed26) #19 0x15433fb7b in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>&&, WebCore::HTMLDocumentParser::SynchronousMode)+0x99b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f2b7b) #20 0x15311bfc9 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)+0x159 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x65cefc9) #21 0x154b09820 in WebCore::DocumentWriter::end()+0x210 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fbc820) #22 0x154b055fd in WebCore::DocumentLoader::finishedLoading()+0x44d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb85fd) #23 0x154b0476d in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x54d 
(/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb776d) #24 0x154ed7a5b in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x17b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x838aa5b) #25 0x154ecf100 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x930 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8382100) #26 0x154df0e04 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x1654 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x82a3e04) #27 0x11faf035f in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x48f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d6c35f) #28 0x11d382492 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x142 
(/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fe492) #29 0x11d380a88 in WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x1d8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fca88) #30 0x11fabd809 in WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x609 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d39809) #31 0x11c3afe51 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3c1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x162be51) #32 0x1208dd776 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x926 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59776) #33 0x1208ddcf3 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0x243 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59cf3) #34 0x1208de431 in IPC::Connection::dispatchOneIncomingMessage()+0x231 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b5a431) #35 0x10f10f312 in 
WTF::RunLoop::performWork()+0xc42 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11b312) #36 0x10f111efd in WTF::RunLoop::performWork(void*)+0x7d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11defd) #37 0x7ff817624086 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c086) #38 0x7ff817624028 in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c028) #39 0x7ff817623df3 in __CFRunLoopDoSources0+0xd6 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7bdf3) #40 0x7ff817622a70 in __CFRunLoopRun+0x396 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7aa70) #41 0x7ff817622111 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a111) #42 0x7ff8185d3b10 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5cb10) #43 0x7ff81865690a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xdf90a) #44 0x7ff8172603f8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x163f8) #45 0x7ff81726cfa2 in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x22fa2) #46 0x7ff81726001b in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x1601b) #47 0x11c95b382 in WebKit::XPCServiceMain(int, char const**)+0x82 
(/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1bd7382) #48 0x7ff8171bb365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365) ==76035==Register values: rax = 0xf2f2f2f8f1f1f1f1 rbx = 0x0000620000006108 rcx = 0x0000100000000000 rdx = 0x0000000000000000 rdi = 0x0000000000000010 rsi = 0x00006030000e7580 rbp = 0x00007ff7bb704830 rsp = 0x00007ff7bb704830 r8 = 0x00000001154d5240 r9 = 0x0000000015510000 r10 = 0x00007ff7bb7049b8 r11 = 0x00001c1600000f6d r12 = 0x00001ffef76e090c r13 = 0x00001ffef76e0924 r14 = 0x00007ff7bb704940 r15 = 0x00006030000e7580
Attachments
Minimal Test Case (153 bytes, text/html), 2025-01-15 12:33 PST, michaeldo, no flags
Radar WebKit Bug Importer
Comment 1
2025-01-15 12:33:30 PST
<rdar://problem/142991187>
Frédéric Wang (:fredw)
Comment 2
2025-01-22 03:06:30 PST
The generated Derived source for JSAccessibilityUIElement looks like this:

```cpp
JSValueRef JSAccessibilityUIElement::textMarkerRangeForElement(JSContextRef context, JSObjectRef, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
{
    AccessibilityUIElement* impl = toAccessibilityUIElement(context, thisObject);
    if (!impl)
        return JSValueMakeUndefined(context);

    // With argumentCount == 0 (as in the test case), `element` is nullptr.
    auto element = argumentCount > 0 ? toAccessibilityUIElement(context, arguments[0]) : nullptr;
    return toJS(context, WTF::getPtr(callFunction(context, impl, &AccessibilityUIElement::textMarkerRangeForElement, element)));
}
```

so when we pass zero arguments (as in the testcase) we end up dereferencing a null element pointer here:
https://searchfox.org/wubkat/rev/d4766b667963256e41db8c72a02613067074d834/Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm#2245
This is port-specific, it does not crash on Linux but probably it does on iOS:
https://searchfox.org/wubkat/search?q=AccessibilityUIElement%3A%3AtextMarkerRangeForElement&path=&case=false&regexp=false
It seems we should just null-check the argument as done in
https://commits.webkit.org/224802@main
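The following is an added, self-contained C++ model of the argument handling described in the comment above; it is not WebKit's code and not part of the bug report. The types `JSValue`, the stand-in `toAccessibilityUIElement()` and the two `textMarkerRangeForElement*` methods are assumptions that only mirror the shape of the generated binding: the ternary passes `nullptr` when `argumentCount` is zero, the "before" method reads through that pointer unconditionally (the reported zero-page read), and the "after" method carries the null check the fix adds.

```cpp
// Added example, not WebKit code: a self-contained C++ model of the generated
// JSAccessibilityUIElement binding quoted above. The types and helpers are
// stand-ins; only the shape of the argument handling mirrors the real binding.
#include <cstddef>
#include <optional>
#include <string>

// Stand-in for a JavaScript value handed to the binding; non-null when it wraps an element.
struct JSValue {
    void* wrappedElement = nullptr;
};

// Stand-in for WTR::AccessibilityUIElement.
struct AccessibilityUIElement {
    std::string name;

    // "Before": mirrors the port-specific implementation that reads through
    // `element` unconditionally. Called with nullptr this is the reported SEGV
    // (read of the zero page), so callers must never hand it a null element.
    std::string textMarkerRangeForElementUnchecked(AccessibilityUIElement* element)
    {
        return name + "->" + element->name;
    }

    // "After": the null check that the fix adds; a missing argument yields
    // no range instead of a crash.
    std::optional<std::string> textMarkerRangeForElement(AccessibilityUIElement* element)
    {
        if (!element)
            return std::nullopt;
        return name + "->" + element->name;
    }
};

// Stand-in for the generated toAccessibilityUIElement(): unwrap, or nullptr.
static AccessibilityUIElement* toAccessibilityUIElement(const JSValue* value)
{
    return value ? static_cast<AccessibilityUIElement*>(value->wrappedElement) : nullptr;
}

// Stand-in for the generated binding. The ternary is the point: with
// argumentCount == 0 the callee receives nullptr, exactly as in the Derived source.
static std::optional<std::string> bindingTextMarkerRangeForElement(
    AccessibilityUIElement* impl, size_t argumentCount, const JSValue* arguments[])
{
    if (!impl)
        return std::nullopt;
    auto element = argumentCount > 0 ? toAccessibilityUIElement(arguments[0]) : nullptr;
    return impl->textMarkerRangeForElement(element);
}

// Constructed input 1: the call the minimal test case makes (no arguments).
bool zeroArgumentCallIsHandled()
{
    AccessibilityUIElement root{"root"};
    return !bindingTextMarkerRangeForElement(&root, 0, nullptr).has_value();
}

// Constructed input 2: a normal call with one wrapped element.
std::string normalCallResult()
{
    AccessibilityUIElement root{"root"}, child{"child"};
    JSValue wrapped{&child};
    const JSValue* args[] = { &wrapped };
    return bindingTextMarkerRangeForElement(&root, 1, args).value_or("");
}

// The unchecked form agrees with the checked one whenever the argument is
// present; the two only differ on the missing-argument path.
std::string uncheckedNormalCallResult()
{
    AccessibilityUIElement root{"root"}, child{"child"};
    return root.textMarkerRangeForElementUnchecked(&child);
}

int main()
{
    return (zeroArgumentCallIsHandled() && normalCallResult() == "root->child") ? 0 : 1;
}
```

The point of the model is the division of responsibility: the generated binding is happy to forward a null pointer, so every port-specific implementation reachable through it has to treat the argument as optional, which is why the fix lands in the implementation rather than in the generated code.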
Frédéric Wang (:fredw)
Comment 3
2025-01-22 06:17:56 PST
I have a patch for this, but my understanding is that this is only a crash in DumpTestRunner / WebKitTestRunner and not in actual code shipped in WebKit-based products... If that's correct, can we change categorization to not treat this as a security bug? And I'll submit a PR directly against the main branch.
Ryosuke Niwa
Comment 4
2025-01-22 16:11:37 PST
Not a security bug.
Frédéric Wang (:fredw)
Comment 5
2025-01-23 00:07:47 PST
Pull request: https://github.com/WebKit/WebKit/pull/39439
EWS
Comment 6
2025-01-23 09:17:39 PST
Committed 289295@main (131e516e4f99): <https://commits.webkit.org/289295@main>

Reviewed commits have been landed. Closing PR #39439 and removing active labels.