CVE-2023-39928: TALOS-2023-1831 || Cisco Talos Intelligence Group
SUMMARY
A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious web page to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Webkit WebKitGTK 2.40.5
PRODUCT URLS
Webkit - https://webkit.org/
CVSSv3 SCORE
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-416 - Use After Free
DETAILS
WebKit is an open-source web content engine for browsers and other applications.
The vulnerability is related to the MediaRecorder interface and the way it handles the stop-recording process. A malicious web page can trigger a use-after-free which can potentially result in remote code execution. Comparing the code responsible for the crash with the ASAN output, we can pinpoint the following correlation:
Line 9 mediaStreamAudioDst = audioCtx.createMediaStreamDestination();
Line 10 mediaRecorder = new MediaRecorder(mediaStreamAudioDst.stream);
Line 11 mediaRecorder.start();
When recording starts at line 11, a MediaRecorderPrivateGStreamer object is allocated internally:
previously allocated by thread T0 here:
#0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
#1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
#2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
#3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
#4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
#5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
#6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
#7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
#8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
#9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
#10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
#11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
#12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
#13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
#14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
#15 0x7f061c2b4037 (<unknown module>)
#16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
#17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
#18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
#19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
#20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
#21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
#22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
#23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
#24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
#25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
#26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
#27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
#28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
#29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
#30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
#31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
#32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
#33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
#34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
#35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
#36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
#37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
#38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
#39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
#40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
#41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
#42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
#43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
#44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
#47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
#48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
#49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9
Later, when we call the stop method:
Line 12 mediaRecorder.stop();
the Locker object acquires the class member m_dataLock, but the object that owns m_dataLock is released before the Locker's destructor runs; the unlock performed by that destructor then writes into freed memory, which is the use-after-free:
Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp#111
void MediaRecorderPrivateGStreamer::fetchData(FetchDataCallback&& completionHandler)
{
Locker locker { m_dataLock };
GST_DEBUG_OBJECT(m_transcoder.get(), "Transfering %zu encoded bytes", m_data.size());
auto buffer = m_data.take();
completionHandler(WTFMove(buffer), mimeType(), m_position);
}
ASAN output showing the write operation after the object has been released:
==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
#0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
#1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
#2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
#3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
#4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
#5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
#6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
#7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
#8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
#9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
#10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
#11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
#12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
#13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
#14 0x7f061c2b4037 (<unknown module>)
Proper heap grooming and additional, precisely timed JavaScript code can give an attacker full control of this use-after-free vulnerability, resulting in arbitrary code execution.
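The lifetime problem the trace shows, modeled as added example code (not WebKit's or Talos's): a Locker guarding a member lock outlives the object that owns it, because the completion handler frees the recorder while fetchData() is still on the stack. The arena, the 0xFD poison fill and the g_uafEvents counter are assumptions standing in for bmalloc and AddressSanitizer, and the hardened variant is an assumed fix that releases the lock before invoking the handler, not the upstream patch.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <new>
#include <string>
#include <utility>

// Model of the fetchData() lifetime bug. m_dataLock, m_data, m_position and the
// fetchData shape mirror the advisory; the arena, the 0xFD poison fill and the
// g_uafEvents counter are assumptions standing in for bmalloc and AddressSanitizer.
static int g_uafEvents = 0;   // bumped when an unlock lands in poisoned (freed) memory
constexpr uint8_t kPoison = 0xFD;
constexpr std::size_t kMaxData = 32;

// WTF::Lock model: one byte, 0 = unlocked, 1 = locked. unlock() is the same
// compare-exchange that LockAlgorithm::unlockFastAssumingZero does in the trace.
struct Lock {
    std::atomic<uint8_t> state { 0 };
    void lock() { uint8_t e = 0; while (!state.compare_exchange_weak(e, 1)) e = 0; }
    // False when the lock word is not "locked": after a free the poison byte is
    // there instead, which is the one-byte write ASAN flagged inside ~Locker.
    bool unlock() { uint8_t e = 1; return state.compare_exchange_strong(e, 0); }
};

// WTF::Locker model: RAII guard that unlocks when the enclosing scope ends.
struct Locker {
    Lock& m_lock;
    explicit Locker(Lock& lock) : m_lock(lock) { m_lock.lock(); }
    ~Locker() { if (!m_lock.unlock()) ++g_uafEvents; }
};

using FetchDataCallback = std::function<void(const uint8_t*, std::size_t, std::string, double)>;

struct PrivateRecorder {
    Lock m_dataLock;
    uint8_t m_data[kMaxData];
    std::size_t m_size = 0;
    double m_position = 0.0;
    std::string mimeType() const { return "audio/webm"; }

    // Shape of the vulnerable MediaRecorderPrivateGStreamer::fetchData: the Locker
    // is still alive while completionHandler runs, so a handler that frees *this
    // leaves ~Locker to unlock a lock word that now lives in freed memory.
    void fetchDataVulnerable(FetchDataCallback&& completionHandler) {
        Locker locker { m_dataLock };
        std::size_t n = m_size;
        m_size = 0;
        completionHandler(m_data, n, mimeType(), m_position);
    }

    // Assumed hardening (not the upstream patch): copy everything out under the
    // lock, end the Locker's scope, then call the handler, which may destroy the
    // recorder because nothing touches *this afterwards.
    void fetchDataHardened(FetchDataCallback&& completionHandler) {
        uint8_t buffer[kMaxData]; std::size_t n; std::string mime; double position;
        {
            Locker locker { m_dataLock };
            n = m_size;
            m_size = 0;
            std::memcpy(buffer, m_data, n);
            mime = mimeType();
            position = m_position;
        }
        completionHandler(buffer, n, mime, position);
    }
};

// One-slot arena standing in for bmalloc: freeing poisons the slot so a later
// access through a dangling pointer is observable rather than silent.
alignas(PrivateRecorder) static uint8_t g_arena[sizeof(PrivateRecorder)];
static PrivateRecorder* allocRecorder() { return new (g_arena) PrivateRecorder(); }
static void freeRecorder(PrivateRecorder*) { std::memset(g_arena, kPoison, sizeof g_arena); }

struct ScenarioResult { int uafEvents; std::size_t bytesDelivered; };

// Replays lines 11-12 of the trigger against one fetchData shape. The completion
// handler releases the private recorder, as MediaRecorder::fetchData does for
// stopRecording() (TakePrivateRecorder); uafEvents is what ASAN would report.
static ScenarioResult runScenario(bool hardened) {
    g_uafEvents = 0;
    static const char kSample[] = "constructed-encoded-bytes";   // constructed stand-in payload
    PrivateRecorder* recorder = allocRecorder();                    // line 11: start()
    std::memcpy(recorder->m_data, kSample, sizeof kSample - 1);
    recorder->m_size = sizeof kSample - 1;
    std::size_t bytesDelivered = 0;
    FetchDataCallback onData = [&](const uint8_t*, std::size_t n, std::string, double) {
        bytesDelivered = n;
        freeRecorder(std::exchange(recorder, nullptr));   // backend freed while fetchData is on the stack
    };
    if (hardened) recorder->fetchDataHardened(std::move(onData));   // line 12: stop()
    else recorder->fetchDataVulnerable(std::move(onData));
    return { g_uafEvents, bytesDelivered };
}
```

runScenario(false) reports one unlock-after-free event, the counterpart of the one-byte WRITE in ~Locker above; runScenario(true) delivers the same bytes with none.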
Crash Information
=================================================================
==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
#0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
#1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
#2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
#3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
#4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
#5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
#6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
#7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
#8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
#9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
#10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
#11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
#12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
#13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
#14 0x7f061c2b4037 (<unknown module>)
0x60f0000fb018 is located 136 bytes inside of 168-byte region [0x60f0000faf90,0x60f0000fb038)
freed by thread T0 here:
#0 0x562140f4eeb2 in __interceptor_free (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa0eb2) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
#1 0x7f0669f95cf2 in pas_try_deallocate_not_small_exclusive_segregated(pas_thread_local_cache*, unsigned long, pas_heap_config, pas_deallocation_mode, pas_fast_megapage_kind) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_deallocate.h:104:9
#2 0x7f0669f95cf2 in bmalloc_heap_config_specialized_try_deallocate_not_small_exclusive_segregated /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43:1
previously allocated by thread T0 here:
#0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
#1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
#2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
#3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
#4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
#5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
#6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
#7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
#8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
#9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
#10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
#11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
#12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
#13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
#14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
#15 0x7f061c2b4037 (<unknown module>)
#16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
#17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
#18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
#19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
#20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
#21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
#22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
#23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
#24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
#25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
#26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
#27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
#28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
#29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
#30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
#31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
#32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
#33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
#34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
#35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
#36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
#37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
#38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
#39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
#40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
#41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
#42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
#43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
#44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
#47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
#48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
#49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9
SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order)
Shadow bytes around the buggy address:
0x0c1e800175b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c1e800175c0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c1e800175d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e800175e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c1e800175f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80017600: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1e80017610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e80017620: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c1e80017630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e80017640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e80017650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9887==ABORTING
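The report ends with the usual ASan SUMMARY line, a shadow-byte dump in which the bracketed byte at the marked address is fd (freed heap region), and an ABORTING line. When triaging many such crashes it helps to pull those facts out mechanically rather than by eye. The following Python helper is an added example, not code from the Talos advisory or from WebKit: it splits an ASan report into its access, freed-by and allocated-by stacks, extracts the bug kind and faulting function from the SUMMARY line, reads the bracketed shadow byte and checks it against ASan's own legend, and returns a one-line verdict. The sample input is an abridged excerpt of the report above, constructed for this example; the function names and the "/Source/" heuristic used to find the first project-owned frame are this example's own assumptions, not anything the advisory defines.

```python
"""Triage helper for AddressSanitizer reports (example code, not part of the advisory)."""
import re
from dataclasses import dataclass, field

# Shadow-byte legend as ASan itself prints it (subset relevant to heap reports).
SHADOW_LEGEND = {
    "00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
    "fe": "asan internal",
}

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s*$")
SECTION_RE = re.compile(r"^\s*(?:(READ|WRITE) of size|(freed) by thread|previously (allocated) by thread)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)\s+(\S+)(?:\s+in\s+(.*))?$")
SHADOW_HIT_RE = re.compile(r"^=>0x[0-9a-fA-F]+:.*\[([0-9a-f]{2})\]")
PAREN_PATH_RE = re.compile(r"\((/[^)]+)\)")


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    kind: str = ""
    summary_location: str = ""
    summary_function: str = ""
    shadow_byte: str = ""
    # Frames before any "READ/WRITE of size" header are treated as the access stack.
    stacks: dict = field(default_factory=lambda: {"access": [], "freed": [], "allocated": []})

    @property
    def shadow_meaning(self):
        return SHADOW_LEGEND.get(self.shadow_byte, "unknown")


def _split_frame(rest):
    """Split 'func(args) /path:line:col' or 'func (/binary+0xoff) (BuildId: ...)'."""
    tokens = rest.split()
    if tokens and tokens[-1].startswith("/"):
        loc = tokens[-1]
        return rest[: len(rest) - len(loc)].rstrip(), loc
    m = PAREN_PATH_RE.search(rest)
    if m:
        return rest[: m.start()].rstrip(), m.group(1)
    return rest, ""


def parse_asan_report(text):
    report = AsanReport()
    section = "access"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = "access" if m.group(1) else (m.group(2) or m.group(3))
            continue
        m = FRAME_RE.match(line)
        if m:
            func, loc = _split_frame(m.group(2))
            report.stacks[section].append(Frame(int(m.group(1)), func, loc))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.kind, report.summary_location = m.group(1), m.group(2)
            report.summary_function = m.group(3) or ""
            continue
        m = SHADOW_HIT_RE.match(line)
        if m:
            report.shadow_byte = m.group(1)
    return report


def first_project_frame(frames, marker="/Source/"):
    """First frame in the project tree, skipping the allocator (bmalloc/libpas) and runtime."""
    for f in frames:
        if marker in f.location and "/bmalloc/" not in f.location:
            return f
    return None


def verdict(report):
    if report.kind == "heap-use-after-free" and report.shadow_byte == "fd":
        return "confirmed UAF: faulting access lands in a freed heap region (shadow fd)"
    if report.kind == "heap-use-after-free":
        return "reported as UAF but shadow byte is %s (%s); inspect manually" % (
            report.shadow_byte, report.shadow_meaning)
    return "not a heap UAF: %s" % report.kind


# Constructed test input: an abridged excerpt of the report above (three frames kept).
SAMPLE_REPORT = """\
previously allocated by thread T0 here:
    #0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
    #26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order)
Shadow bytes around the buggy address:
  0x0c1e800175f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80017600: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1e80017610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
==9887==ABORTING
"""

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, "in", r.summary_function)
    print("shadow byte:", r.shadow_byte, "=", r.shadow_meaning)
    print("first project frame in allocation stack:", first_project_frame(r.stacks["allocated"]))
    print(verdict(r))
```

The faulting function here is an atomic compare-exchange on a single byte, which is the kind of access a refcount or state flag on an object makes; on its own the SUMMARY line only tells you where the freed memory was touched, so the verdict deliberately keys on the shadow byte rather than the function name, and the allocation stack's first project-owned frame is where to start reading the WebKit source.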
VENDOR RESPONSE
Vendor advisory: https://webkitgtk.org/security/WSA-2023-0009.html
TIMELINE
2023-08-24 - Vendor Disclosure
2023-09-28 - Vendor Patch Release
2023-10-06 - Public Release
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
Related news
Gentoo Linux Security Advisory 202401-33 - Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to remote code execution. Versions greater than or equal to 2.42.2:4 are affected.
Debian Linux Security Advisory 5527-1 - Marcin Noga discovered that a specially crafted web page can abuse a vulnerability in the MediaRecorder API to cause memory corruption and potentially arbitrary code execution. Junsung Lee and Me Li discovered that processing web content may lead to arbitrary code execution. Bill Marczak and Maddie Stone discovered that processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.