Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-21806: TALOS-2020-1214 || Cisco Talos Intelligence Group

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.

CVE
#vulnerability#web#ubuntu#linux#cisco#js#java

Summary

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.

Tested Versions

Webkit WebKitGTK 2.30.3

Product URLs

https://webkit.org/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

WebKit is an open-source web content engine for browsers and other applications.

The vulnerabiliy is related with scriptExecutionContext, being more precise, the way it handles Document object reference in the implementation of the fireEventListeners function. A malicious web page can lead to a use-after-free vulnerability and potential remote code execution. Please notice that for fuzzing purposes Webkit has been compiled with modernUnprefixedWebAudioEnabled flag set to true. To understand the vulnerability let’s analyze some parts of the poc.html file and the console output generated by it. Running the poc in Minibrowser we can observe the following output till crash:

Line 1      http://127.0.0.1/webaudio_fuzzer/0.html:639:28: CONSOLE LOG Start fuzzing
Line 2      http://127.0.0.1/webaudio_fuzzer/0.html:497:28: CONSOLE LOG Context created
Line 3      http://127.0.0.1/webaudio_fuzzer/0.html:527:28: CONSOLE LOG Nodes created   
Line 4      http://127.0.0.1/webaudio_fuzzer/0.html:622:28: CONSOLE LOG Mutation nodes amount :  7
Line 5      http://127.0.0.1/webaudio_fuzzer/0.html:551:28: CONSOLE LOG Connecting nodes
Line 6      http://127.0.0.1/webaudio_fuzzer/0.html:555:28: CONSOLE LOG Nodes connected
Line 7      http://127.0.0.1/webaudio_fuzzer/0.html:575:44: CONSOLE LOG [GENERIC] name : OscillatorNode  eventName : onended handler name : eventhandler3
Line 8      http://127.0.0.1/webaudio_fuzzer/0.html:569:44: CONSOLE LOG [CUSTOM] name : ScriptProcessorNode  eventName : onaudioprocess
Line 9      http://127.0.0.1/webaudio_fuzzer/0.html:575:44: CONSOLE LOG [GENERIC] name : AudioContext  eventName : onstatechange handler name : eventhandler4
Line 10     http://127.0.0.1/webaudio_fuzzer/0.html:39:24:  CONSOLE LOG [ 10:10:19 AM ] :: OscillatorNode_handler
Line 11     http://127.0.0.1/webaudio_fuzzer/0.html:39:24:  CONSOLE LOG [ 10:10:19 AM ] :: AudioContext_handler
Line 12     http://127.0.0.1/webaudio_fuzzer/0.html:631:28: CONSOLE LOG Fuzzzing time!
Line 13     http://127.0.0.1/webaudio_fuzzer/0.html:39:24:  CONSOLE LOG [ 10:10:19 AM ] :: ScriptProcessorNode_oncomplete
Line 14     http://127.0.0.1/webaudio_fuzzer/0.html:453:28: CONSOLE LOG eventhandler4
Line 15     http://127.0.0.1/webaudio_fuzzer/0.html:409:28: CONSOLE LOG ========================== DEBUG =========================== :  statechange
Line 16     http://127.0.0.1/webaudio_fuzzer/0.html:409:28: CONSOLE LOG    var00048 = new MutationObserver(eventhandler2);
Line 17     http://127.0.0.1/webaudio_fuzzer/0.html:461:28: CONSOLE LOG    var00048.observe(audioElement,var00049);
Line 18     http://127.0.0.1/webaudio_fuzzer/0.html:466:28: CONSOLE LOG    audioElement.setAttribute("data", "foo"); 
Line 19     http://127.0.0.1/webaudio_fuzzer/0.html:468:28: CONSOLE LOG END eventhandler4
Line 20     http://127.0.0.1/webaudio_fuzzer/0.html:422:28: CONSOLE LOG eventhandler2
Line 21     http://127.0.0.1/webaudio_fuzzer/0.html:389:28: CONSOLE LOG Mutation type :  attributes
Line 22     http://127.0.0.1/webaudio_fuzzer/0.html:403:32: CONSOLE LOG data
Line 23     http://127.0.0.1/webaudio_fuzzer/0.html:428:28: CONSOLE LOG    var00002 = new DOMParser().parseFromString(audioElement.outerHTML,
Line 24     http://127.0.0.1/webaudio_fuzzer/0.html:430:28: CONSOLE LOG    html element index :  2
Line 25     http://127.0.0.1/webaudio_fuzzer/0.html:431:28: CONSOLE LOG    var00002.scrollingElement  :  [object HTMLBodyElement]
Line 26     http://127.0.0.1/webaudio_fuzzer/0.html:432:28: CONSOLE LOG    document.all[elementIndex] :  [object HTMLMetaElement]
Line 27     http://127.0.0.1/webaudio_fuzzer/0.html:434:28: CONSOLE LOG    document.all[elementIndex].appendChild(var00002.scrollingElement);
Line 28     http://127.0.0.1/webaudio_fuzzer/0.html:437:28: CONSOLE LOG    audioElement.style.setProperty("animation", "anim 1s linear 0s");
Line 29     http://127.0.0.1/webaudio_fuzzer/0.html:439:28: CONSOLE LOG END eventhandler2
(...)
Line 54     http://127.0.0.1/webaudio_fuzzer/0.html:162:28: CONSOLE LOG fuzz_nodes
Line 55     http://127.0.0.1/webaudio_fuzzer/0.html:166:28: CONSOLE LOG    document.body.innerHTML = "";
Line 56     http://127.0.0.1/webaudio_fuzzer/0.html:168:28: CONSOLE LOG    audioElement.mediaGroup = "b00m!!!!";
Line 57     =================================================================
Line 58     ==41058==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0001ac530 at pc 0x7fed494e4db2 bp 0x7ffc7d8b7c90 sp 0x7ffc7d8b7c88

As we can see at Line 17 the MutationObserver object is created which will monitor for any modifications related with audioElement. The events generated by these modifications will be handled inside eventhandler2. One of that type of modifications we can see at the end of eventhandler4 at line 18. Inside eventhandler2, each time the DOM tree is modified in that way that, the HTMLBodyElement created via DOMParser is inserted in “random” places. That happens many times and its caused among the others by line 28 but to simplify our analysis I have presented just one cycle. When eventhandler2 is being executed on and on, simultaneously fuzz_node get called where: - document.body is cleared, line 55 what caused in DOM tree relocations, object release,etc. - line 56 where mediaGroup property of audioElement is being modified which will later turn out to be crucial to trigger the vulnerability.

When the mediaGroup property is modified not only is eventhandler2 re-triggered again but one of the special event handlers is being called to handle “Media group elements”. Frame #5 in the call stack below:

==41058==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0001ac530 at pc 0x7fed494e4db2 bp 0x7ffc7d8b7c90 sp 0x7ffc7d8b7c88
READ of size 8 at 0x61e0001ac530 thread T0
    #0 0x7fed494e4db1 in WTF::TypeCastTraits<WebCore::Document const, WebCore::ScriptExecutionContext const, false>::isType(WebCore::ScriptExecutionContext const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/Document.h:2188:89
    #1 0x7fed494e4db1 in WTF::TypeCastTraits<WebCore::Document const, WebCore::ScriptExecutionContext const, false>::isOfType(WebCore::ScriptExecutionContext const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/Document.h:2187:1
    #2 0x7fed494e4db1 in bool WTF::is<WebCore::Document, WebCore::ScriptExecutionContext>(WebCore::ScriptExecutionContext*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/DerivedSources/ForwardingHeaders/wtf/TypeCasts.h:65:22
    #3 0x7fed494e4db1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/EventTarget.cpp:262:9
    #4 0x7fed494ef319 in WebCore::EventTarget::dispatchEvent(WebCore::Event&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/EventTarget.cpp:221:5
    #5 0x7fed49e387ef in WebCore::MediaController::asyncEventTimerFired() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/html/MediaController.cpp:549:9
    #6 0x7fed4ace8359 in WebCore::ThreadTimers::sharedTimerFiredInternal() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #7 0x7fed4319f738 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #8 0x7fed4319f738 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #9 0x7fed4319ccbc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #10 0x7fed4319ccbc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #11 0x7fed3735f284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
    #12 0x7fed3735f64f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
    #13 0x7fed3735f961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961)
    #14 0x7fed4319e1c6 in WTF::RunLoop::run() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #15 0x7fed46b09ecc in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebKit/Shared/AuxiliaryProcessMain.h:68:5
    #16 0x7fed33544b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41ccd9 in _start (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41ccd9)

“Direct” execution of this event handler seems to ommit some check and because of that a use-after-free vulnerability appears inside the fireEventListeners method:

Source/WebCore/dom/EventTarget
Line 252    void EventTarget::fireEventListeners(Event& event, EventInvokePhase phase)
Line 253    {
Line 254        ASSERT_WITH_SECURITY_IMPLICATION(ScriptDisallowedScope::isEventAllowedInMainThread());
Line 255        ASSERT(event.isInitialized());
Line 256       
Line 257        if (is<Document>(scriptExecutionContext())) {
Line 258            auto* page = downcast<Document>(*scriptExecutionContext()).page();
Line 259            if (page && !page->shouldFireEvents()) {
Line 260                RELEASE_LOG_IF(page->isAlwaysOnLoggingAllowed(), Events, "%p - EventTarget::fireEventListeners: Not firing %{public}s event because events are temporarily disabled for this page", this, event.type().string().utf8().data());
Line 261                return;
Line 262            }
Line 263        }
Line 264

The object returned by scriptExecutionContext is already free when we call it. Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow this vulnerability to be turned into arbitrary code execution.

Crash Information

icewall@ubuntu:~/tools/fuzzing/browsers/webkitgtk-2.30.3/build/bin$ ./MiniBrowser --autoplay-policy=allow --enable-write-console-messages-to-stdout=true http://127.0.0.1/webaudio_fuzzer/0.html
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
http://127.0.0.1/webaudio_fuzzer/0.html:639:28: CONSOLE LOG Start fuzzing
http://127.0.0.1/webaudio_fuzzer/0.html:651:28: CONSOLE LOG SEED :  184960806692
http://127.0.0.1/webaudio_fuzzer/0.html:497:28: CONSOLE LOG Context created
http://127.0.0.1/webaudio_fuzzer/0.html:519:28: CONSOLE LOG G state :  847297323
http://127.0.0.1/webaudio_fuzzer/0.html:527:28: CONSOLE LOG Nodes created
http://127.0.0.1/webaudio_fuzzer/0.html:621:28: CONSOLE LOG [object Object]
http://127.0.0.1/webaudio_fuzzer/0.html:622:28: CONSOLE LOG Mutation nodes amount :  7
http://127.0.0.1/webaudio_fuzzer/0.html:551:28: CONSOLE LOG Connecting nodes
http://127.0.0.1/webaudio_fuzzer/0.html:555:28: CONSOLE LOG Nodes connected
http://127.0.0.1/webaudio_fuzzer/0.html:575:44: CONSOLE LOG [GENERIC] name : OscillatorNode  eventName : onended handler name : eventhandler3
http://127.0.0.1/webaudio_fuzzer/0.html:569:44: CONSOLE LOG [CUSTOM] name : ScriptProcessorNode  eventName : onaudioprocess
http://127.0.0.1/webaudio_fuzzer/0.html:575:44: CONSOLE LOG [GENERIC] name : AudioContext  eventName : onstatechange handler name : eventhandler4
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: OscillatorNode_handler
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: AudioContext_handler
http://127.0.0.1/webaudio_fuzzer/0.html:631:28: CONSOLE LOG Fuzzzing time!
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  88984052
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1710124953
http://127.0.0.1/webaudio_fuzzer/0.html:453:28: CONSOLE LOG eventhandler4
http://127.0.0.1/webaudio_fuzzer/0.html:409:28: CONSOLE LOG ========================== DEBUG =========================== :  statechange
http://127.0.0.1/webaudio_fuzzer/0.html:409:28: CONSOLE LOG ========================== DEBUG =========================== :  [object AudioContext]
http://127.0.0.1/webaudio_fuzzer/0.html:461:28: CONSOLE LOG    var00048.observe(audioElement,var00049);
http://127.0.0.1/webaudio_fuzzer/0.html:466:28: CONSOLE LOG    audioElement.setAttribute("data", "foo"); 
http://127.0.0.1/webaudio_fuzzer/0.html:468:28: CONSOLE LOG END eventhandler4
http://127.0.0.1/webaudio_fuzzer/0.html:422:28: CONSOLE LOG eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:389:28: CONSOLE LOG Mutation type :  attributes
http://127.0.0.1/webaudio_fuzzer/0.html:403:32: CONSOLE LOG data
http://127.0.0.1/webaudio_fuzzer/0.html:428:28: CONSOLE LOG    var00002 = new DOMParser().parseFromString(audioElement.outerHTML,
http://127.0.0.1/webaudio_fuzzer/0.html:430:28: CONSOLE LOG    html element index :  2
http://127.0.0.1/webaudio_fuzzer/0.html:431:28: CONSOLE LOG    var00002.scrollingElement  :  [object HTMLBodyElement]
http://127.0.0.1/webaudio_fuzzer/0.html:432:28: CONSOLE LOG    document.all[elementIndex] :  [object HTMLMetaElement]
http://127.0.0.1/webaudio_fuzzer/0.html:434:28: CONSOLE LOG    document.all[elementIndex].appendChild(var00002.scrollingElement);
http://127.0.0.1/webaudio_fuzzer/0.html:437:28: CONSOLE LOG    audioElement.style.setProperty("animation", "anim 1s linear 0s");
http://127.0.0.1/webaudio_fuzzer/0.html:439:28: CONSOLE LOG END eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:422:28: CONSOLE LOG eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:389:28: CONSOLE LOG Mutation type :  attributes
http://127.0.0.1/webaudio_fuzzer/0.html:403:32: CONSOLE LOG style
http://127.0.0.1/webaudio_fuzzer/0.html:428:28: CONSOLE LOG    var00002 = new DOMParser().parseFromString(audioElement.outerHTML,
http://127.0.0.1/webaudio_fuzzer/0.html:430:28: CONSOLE LOG    html element index :  21
http://127.0.0.1/webaudio_fuzzer/0.html:431:28: CONSOLE LOG    var00002.scrollingElement  :  [object HTMLBodyElement]
http://127.0.0.1/webaudio_fuzzer/0.html:432:28: CONSOLE LOG    document.all[elementIndex] :  [object HTMLTrackElement]
http://127.0.0.1/webaudio_fuzzer/0.html:434:28: CONSOLE LOG    document.all[elementIndex].appendChild(var00002.scrollingElement);
http://127.0.0.1/webaudio_fuzzer/0.html:437:28: CONSOLE LOG    audioElement.style.setProperty("animation", "anim 1s linear 0s");
http://127.0.0.1/webaudio_fuzzer/0.html:439:28: CONSOLE LOG END eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  148953623
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1805878221
http://127.0.0.1/webaudio_fuzzer/0.html:162:28: CONSOLE LOG fuzz_nodes
http://127.0.0.1/webaudio_fuzzer/0.html:166:28: CONSOLE LOG    document.body.innerHTML = "";
http://127.0.0.1/webaudio_fuzzer/0.html:168:28: CONSOLE LOG    audioElement.mediaGroup = "b00m!!!!";
http://127.0.0.1/webaudio_fuzzer/0.html:422:28: CONSOLE LOG eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:389:28: CONSOLE LOG Mutation type :  attributes
http://127.0.0.1/webaudio_fuzzer/0.html:403:32: CONSOLE LOG mediagroup
http://127.0.0.1/webaudio_fuzzer/0.html:428:28: CONSOLE LOG    var00002 = new DOMParser().parseFromString(audioElement.outerHTML,
http://127.0.0.1/webaudio_fuzzer/0.html:430:28: CONSOLE LOG    html element index :  8
http://127.0.0.1/webaudio_fuzzer/0.html:431:28: CONSOLE LOG    var00002.scrollingElement  :  [object HTMLBodyElement]
http://127.0.0.1/webaudio_fuzzer/0.html:432:28: CONSOLE LOG    document.all[elementIndex] :  [object HTMLScriptElement]
http://127.0.0.1/webaudio_fuzzer/0.html:434:28: CONSOLE LOG    document.all[elementIndex].appendChild(var00002.scrollingElement);
http://127.0.0.1/webaudio_fuzzer/0.html:437:28: CONSOLE LOG    audioElement.style.setProperty("animation", "anim 1s linear 0s");
http://127.0.0.1/webaudio_fuzzer/0.html:439:28: CONSOLE LOG END eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:162:28: CONSOLE LOG fuzz_nodes
http://127.0.0.1/webaudio_fuzzer/0.html:166:28: CONSOLE LOG    document.body.innerHTML = "";
http://127.0.0.1/webaudio_fuzzer/0.html:168:28: CONSOLE LOG    audioElement.mediaGroup = "b00m!!!!";
http://127.0.0.1/webaudio_fuzzer/0.html:422:28: CONSOLE LOG eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:389:28: CONSOLE LOG Mutation type :  attributes
http://127.0.0.1/webaudio_fuzzer/0.html:403:32: CONSOLE LOG mediagroup
http://127.0.0.1/webaudio_fuzzer/0.html:428:28: CONSOLE LOG    var00002 = new DOMParser().parseFromString(audioElement.outerHTML,
http://127.0.0.1/webaudio_fuzzer/0.html:430:28: CONSOLE LOG    html element index :  2
http://127.0.0.1/webaudio_fuzzer/0.html:431:28: CONSOLE LOG    var00002.scrollingElement  :  [object HTMLBodyElement]
http://127.0.0.1/webaudio_fuzzer/0.html:432:28: CONSOLE LOG    document.all[elementIndex] :  [object HTMLMetaElement]
http://127.0.0.1/webaudio_fuzzer/0.html:434:28: CONSOLE LOG    document.all[elementIndex].appendChild(var00002.scrollingElement);
http://127.0.0.1/webaudio_fuzzer/0.html:437:28: CONSOLE LOG    audioElement.style.setProperty("animation", "anim 1s linear 0s");
http://127.0.0.1/webaudio_fuzzer/0.html:439:28: CONSOLE LOG END eventhandler2
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  1008877296
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  959222793
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:19 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  497743922
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1205993880
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:20 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  1188480774
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1222972372
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:20 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  930670767
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1193680575
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:20 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  397193751
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1982924419
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:20 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  211992340
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  893100398
http://127.0.0.1/webaudio_fuzzer/0.html:39:24: CONSOLE LOG [ 10:10:20 AM ] :: ScriptProcessorNode_oncomplete
http://127.0.0.1/webaudio_fuzzer/0.html:146:28: CONSOLE LOG GS :  1575180303
http://127.0.0.1/webaudio_fuzzer/0.html:149:28: CONSOLE LOG GS :  1514371635
=================================================================
==41058==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e0001ac530 at pc 0x7fed494e4db2 bp 0x7ffc7d8b7c90 sp 0x7ffc7d8b7c88
READ of size 8 at 0x61e0001ac530 thread T0
    #0 0x7fed494e4db1 in WTF::TypeCastTraits<WebCore::Document const, WebCore::ScriptExecutionContext const, false>::isType(WebCore::ScriptExecutionContext const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/Document.h:2188:89
    #1 0x7fed494e4db1 in WTF::TypeCastTraits<WebCore::Document const, WebCore::ScriptExecutionContext const, false>::isOfType(WebCore::ScriptExecutionContext const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/Document.h:2187:1
    #2 0x7fed494e4db1 in bool WTF::is<WebCore::Document, WebCore::ScriptExecutionContext>(WebCore::ScriptExecutionContext*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/DerivedSources/ForwardingHeaders/wtf/TypeCasts.h:65:22
    #3 0x7fed494e4db1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/EventTarget.cpp:262:9
    #4 0x7fed494ef319 in WebCore::EventTarget::dispatchEvent(WebCore::Event&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/EventTarget.cpp:221:5
    #5 0x7fed49e387ef in WebCore::MediaController::asyncEventTimerFired() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/html/MediaController.cpp:549:9
    #6 0x7fed4ace8359 in WebCore::ThreadTimers::sharedTimerFiredInternal() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/platform/ThreadTimers.cpp:127:23
    #7 0x7fed4319f738 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #8 0x7fed4319f738 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #9 0x7fed4319ccbc in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #10 0x7fed4319ccbc in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #11 0x7fed3735f284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
    #12 0x7fed3735f64f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
    #13 0x7fed3735f961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961)
    #14 0x7fed4319e1c6 in WTF::RunLoop::run() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #15 0x7fed46b09ecc in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebKit/Shared/AuxiliaryProcessMain.h:68:5
    #16 0x7fed33544b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #17 0x41ccd9 in _start (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41ccd9)

0x61e0001ac530 is located 176 bytes inside of 2448-byte region [0x61e0001ac480,0x61e0001ace10)
freed by thread T0 here:
    #0 0x49495d in free (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x49495d)
    #1 0x7fed4109a1c5 in JSC::Subspace::destroy(JSC::VM&, JSC::JSCell*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/heap/Subspace.cpp:65:21
    #2 0x7fed4109a1c5 in JSC::PreciseAllocation::sweep() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/heap/PreciseAllocation.cpp:230:25
    #3 0x7fed41002500 in JSC::Heap::sweepInFinalize() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/heap/Heap.cpp:2150:19
    #4 0x7fed41002500 in JSC::Heap::finalize() /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/heap/Heap.cpp:2095:9
    #5 0x7fed410010d5 in JSC::Heap::handleNeedFinalize(unsigned int) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/heap/Heap.cpp:2016:9

previously allocated by thread T0 here:
    #0 0x494bdd in malloc (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x494bdd)
    #1 0x7fed431bf8ca in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/bmalloc/bmalloc/DebugHeap.cpp:98:20
    #2 0x7fed4c4dba45 in WebCore::DOMParser::parseFromString(WTF::String const&, WTF::String const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/xml/DOMParser.cpp:41:21
    #3 0x7fed4ca7abb4 in WebCore::jsDOMParserPrototypeFunctionParseFromStringBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMParser*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/DerivedSources/WebCore/JSDOMParser.cpp:225:5
    #4 0x7fed4ca7abb4 in long WebCore::IDLOperation<WebCore::JSDOMParser>::call<&(WebCore::jsDOMParserPrototypeFunctionParseFromStringBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMParser*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/bindings/js/JSDOMOperation.h:53:9
    #5 0x7fed4ca7abb4 in WebCore::jsDOMParserPrototypeFunctionParseFromString(JSC::JSGlobalObject*, JSC::CallFrame*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/DerivedSources/WebCore/JSDOMParser.cpp:230:12
    #6 0x7fece824b177  (<unknown module>)
    #7 0x7fed42fe5ea8  (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/lib/libjavascriptcoregtk-4.0.so.18+0x4617ea8)
    #8 0x7fed42fcc568  (/home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/build/lib/libjavascriptcoregtk-4.0.so.18+0x45fe568)
    #9 0x7fed41385f04 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/jit/JITCodeInlines.h:42:38
    #10 0x7fed41385f04 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/interpreter/Interpreter.cpp:904:27
    #11 0x7fed41ddc1a9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/runtime/CallData.cpp:64:22
    #12 0x7fed41ddc1a9 in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/JavaScriptCore/runtime/CallData.cpp:85:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/icewall/tools/fuzzing/browsers/webkitgtk-2.30.3/Source/WebCore/dom/Document.h:2188:89 in WTF::TypeCastTraits<WebCore::Document const, WebCore::ScriptExecutionContext const, false>::isType(WebCore::ScriptExecutionContext const&)
Shadow bytes around the buggy address:
  0x0c3c8002d850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c8002d860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c3c8002d870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c8002d880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c8002d890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3c8002d8a0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c3c8002d8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c8002d8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c8002d8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c8002d8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c8002d8f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==41058==ABORTING

=================================================================
==41050==ERROR: LeakSanitizer: detected memory leaks

Timeline

2020-12-10 - Vendor Disclosure
2021-03-04 - Vendor patched in 2.32
2021-06-02 - Public Release

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907