Talos Vulnerability Report

TALOS-2019-0967

Apple Safari FontFaceSet Remote Code Execution Vulnerability

February 12, 2020
CVE Number

CVE-2020-3868

Summary

A type confusion vulnerability exists in the Fonts feature of Apple Safari version 13.0.3. A specially crafted HTML web page can cause a type confusion, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, a specifically crafted HTML web page needs to be processed by the target application.

Tested Versions

Safari Version 13.0.3 (15608.3.10.1.4) Safari Technology Preview Release 96 (Safari 13.1, WebKit 15609.1.9.7) Webkit GIT e4cd3b4fab6166d1288984ded40c588439dab925

Product URLs

https://www.apple.com/safari/ https://webkit.org/

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-704: Incorrect Type Conversion or Cast

Details

WebCore is the DOM rendering system for Webkit web browser engine which is utilized by many applications, including Apple Safari.

The supplied PoC code was tested and confirmed, on the current release branch of Safari, Technology Preview, as well as the latest git head version of WebKit.

FontFaceSet object in Javascript exposes a check and load methods which are used to to load fonts. First parameter of these represents a font specification using standard CSS value syntax. The crux of this vulnerability lies in a way malformed font descriptions that contain certain CSS keywords are processed. Keywords that trigger this vulnerability are inherit, unset and initial. CSS font description parser returns an unexpected object type which is confused and results in a wild memory access. We can observe the following crashes with different CSS keywords.

Crash with unset keyword:

 0x10ec28e60 <+896>:  cvttss2si %xmm1, %r12d
    0x10ec28e65 <+901>:  movq   0x8(%r14), %rax
->  0x10ec28e69 <+905>:  movzwl 0x4(%rax), %ecx
General Purpose Registers:
   rax = 0x0000d00000000001

We see a crash on the same instruction but with a different value with initial keyword:

General Purpose Registers:
       rax = 0x0000c80000000001

Similarly, keyword inherit results in a crash with the following dereference:

General Purpose Registers:
       rax = 0x0100c00000000001

Further analysis between debug and release version reveals more details. Debug build with modification of Webkit source code, crashes within function that is responsible for downcast:

inline typename match_constness<Source, Target>::type& downcast(Source& source)
{
        static_assert(!std::is_same<Source, Target>::value, "Unnecessary cast to same type");
        static_assert(std::is_base_of<Source, Target>::value, "Should be a downcast");
        ASSERT_WITH_SECURITY_IMPLICATION(is<Target>(source));
        return static_cast<typename match_constness<Source, Target>::type&>(source);
}

From this, we can see that there is an issue with casting 1st argument of function that has special CSS meaning to CSSFontStyleValue.

This type confusion results in a wild memory access. With more precise memory layout control, it is possible that this could result in further memory corruption.

Crash Information

=================================================================
==78958==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000138f8 at pc 0x00015241ee57 bp 0x7ffee96a3600 sp 0x7ffee96a35f8
READ of size 8 at 0x6020000138f8 thread T0
==78958==WARNING: invalid path to external symbolizer!
==78958==WARNING: Failed to use and restart external symbolizer!
    #0 0x15241ee56 in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> >::operator->() const (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9e0e56)
    #1 0x1535bf85f in WebCore::Style::BuilderConverter::convertFontStyleFromValue(WebCore::CSSValue const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1b8185f)
    #2 0x154682607 in WebCore::computeFontSelectionRequest(WebCore::MutableStyleProperties&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c44607)
    #3 0x15468186c in WebCore::CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts(WTF::String const&, WTF::String const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c4386c)
    #4 0x15468425d in WebCore::CSSFontFaceSet::check(WTF::String const&, WTF::String const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c4625d)
    #5 0x15477eaec in WebCore::FontFaceSet::check(WTF::String const&, WTF::String const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d40aec)
    #6 0x15257a501 in WebCore::jsFontFaceSetPrototypeFunctionCheckBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, JSC::ThrowScope&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb3c501)
    #7 0x1524dad75 in long long WebCore::IDLOperation<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunctionCheckBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa9cd75)
    #8 0x572e5be0116a  (<unknown module>)
    #9 0x16bb1bbf0 in llint_entry (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa85bf0)
    #10 0x16bb1bbf0 in llint_entry (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa85bf0)
    #11 0x16bb04f28 in vmEntryToJavaScript (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa6ef28)
    #12 0x16d108a6b in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2072a6b)
    #13 0x16d725b10 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x268fb10)
    #14 0x16d725c11 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x268fc11)
    #15 0x16d725fef in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x268ffef)
    #16 0x154322b5b in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28e4b5b)
    #17 0x154349832 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x290b832)
    #18 0x154a9d108 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x305f108)
    #19 0x154a984b7 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x305a4b7)
    #20 0x154a8573d in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x304773d)
    #21 0x154a865c6 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30485c6)
    #22 0x154a86073 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3048073)
    #23 0x154e901f8 in WebCore::HTMLDetailsElement::dispatchPendingEvent(WebCore::EventSender<WebCore::HTMLDetailsElement>*) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x34521f8)
    #24 0x154e93347 in WebCore::EventSender<WebCore::HTMLDetailsElement>::dispatchPendingEvents() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3455347)
    #25 0x155af3c26 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40b5c26)
        #26 0x155b739ce in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41359ce)
        #27 0x7fff3805e703 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x5a703)
        #28 0x7fff3805e2bd in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x5a2bd)
        #29 0x7fff3805dcdd in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x59cdd)
        #30 0x7fff3803eb0c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x3ab0c)
        #31 0x7fff3803dfe2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x39fe2)
        #32 0x7fff3a6e26ec in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1b6ec)
        #33 0x7fff3a6e2605 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1b605)
        #34 0x7fff6f77e935 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x26935)
        #35 0x7fff6f76770c in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf70c)
    #36 0x7fff6f767227 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf227)
    #37 0x106e34d95 in WebKit::XPCServiceMain(int, char const**) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8d1d95)
    #38 0x7fff6f5182e4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x112e4)

0x6020000138f8 is located 0 bytes to the right of 8-byte region [0x6020000138f0,0x6020000138f8)
allocated by thread T0 here:
    #0 0x1500622f3 in __sanitizer_mz_malloc (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/com.apple.WebKit.WebContent.xpc/Contents/Frameworks/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x622f3)
    #1 0x7fff6f6d67ef in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x17ef)
    #2 0x16b237aa8 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1a1aa8)
    #3 0x154733483 in WebCore::CSSInitialValue::createExplicit() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf5483)
    #4 0x1547330b3 in WebCore::CSSValuePool::CSSValuePool() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf50b3)
    #5 0x154743358 in WTF::NeverDestroyed<WebCore::CSSValuePool>::NeverDestroyed<>() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d05358)
    #6 0x154732f35 in WebCore::CSSValuePool::singleton() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf4f35)
    #7 0x154827124 in WebCore::CSSPropertyParserHelpers::consumeIdent(WebCore::CSSParserTokenRange&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2de9124)
    #8 0x15481cd1a in WebCore::CSSPropertyParser::parseSingleValue(WebCore::CSSPropertyID, WebCore::CSSPropertyID) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dded1a)
    #9 0x15481c556 in WebCore::CSSPropertyParser::parseValueStart(WebCore::CSSPropertyID, bool) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dde556)
    #10 0x15481bcd2 in WebCore::CSSPropertyParser::parseValue(WebCore::CSSPropertyID, bool, WebCore::CSSParserTokenRange const&, WebCore::CSSParserContext const&, WTF::Vector<WebCore::CSSProperty, 256ul, WTF::CrashOnOverflow, 16ul>&, WebCore::StyleRuleType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dddcd2)
    #11 0x1547fd8c0 in WebCore::CSSParserImpl::consumeDeclarationValue(WebCore::CSSParserTokenRange, WebCore::CSSPropertyID, bool, WebCore::StyleRuleType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dbf8c0)
    #12 0x15480157d in WebCore::CSSParserImpl::consumeDeclaration(WebCore::CSSParserTokenRange, WebCore::StyleRuleType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc357d)
    #13 0x1547fdfe1 in WebCore::CSSParserImpl::consumeDeclarationList(WebCore::CSSParserTokenRange, WebCore::StyleRuleType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dbffe1)
    #14 0x154804c60 in WebCore::CSSParserImpl::consumeStyleRule(WebCore::CSSParserTokenRange, WebCore::CSSParserTokenRange) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc6c60)
    #15 0x1547ffa3a in WebCore::CSSParserImpl::consumeQualifiedRule(WebCore::CSSParserTokenRange&, WebCore::CSSParserImpl::AllowedRulesType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc1a3a)
    #16 0x1547ffdb9 in bool WebCore::CSSParserImpl::consumeRuleList<WebCore::CSSParserImpl::parseStyleSheet(WTF::String const&, WebCore::CSSParserContext const&, WebCore::StyleSheetContents*, WebCore::CSSParser::RuleParsing)::$_2>(WebCore::CSSParserTokenRange, WebCore::CSSParserImpl::RuleListType, WebCore::CSSParserImpl::parseStyleSheet(WTF::String const&, WebCore::CSSParserContext const&, WebCore::StyleSheetContents*, WebCore::CSSParser::RuleParsing)::$_2) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc1db9)
    #17 0x1547f4b5d in WebCore::CSSParserImpl::parseStyleSheet(WTF::String const&, WebCore::CSSParserContext const&, WebCore::StyleSheetContents*, WebCore::CSSParser::RuleParsing) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2db6b5d)
    #18 0x1547de806 in WebCore::StyleSheetContents::parseString(WTF::String const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da0806)
    #19 0x1567aa610 in WebCore::Style::parseUASheet(WTF::String const&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d6c610)
    #20 0x1567aa765 in WebCore::Style::parseUASheet(char const*, unsigned int) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d6c765)
    #21 0x1567a987d in WebCore::Style::UserAgentStyle::loadSimpleDefaultStyle() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d6b87d)
    #22 0x156779852 in WebCore::Style::Resolver::Resolver(WebCore::Document&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d3b852)
    #23 0x15678b38f in std::__1::__unique_if<WebCore::Style::Resolver>::__unique_single std::__1::make_unique<WebCore::Style::Resolver, WebCore::Document&>(WebCore::Document&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d4d38f)
    #24 0x156780341 in WebCore::Style::Scope::resolver() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d42341)
    #25 0x1567a6bfd in WebCore::Style::TreeResolver::resolve() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4d68bfd)
    #26 0x154971c90 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f33c90)
    #27 0x154974bf5 in WebCore::Document::createRenderTree() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f36bf5)
    #28 0x154974db8 in WebCore::Document::didBecomeCurrentDocumentInFrame() (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f36db8)
    #29 0x155841c46 in WebCore::Frame::setDocument(WTF::RefPtr<WebCore::Document, WTF::DumbPtrTraits<WebCore::Document> >&&) (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3e03c46)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/mt_talos/Work/Browsers/builds/webkit_release_asan/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9e0e56) in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> >::operator->() const
Shadow bytes around the buggy address:
  0x1c04000026c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x1c04000026d0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c04000026e0: fa fa 00 00 fa fa 00 04 fa fa 00 00 fa fa 00 00
  0x1c04000026f0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400002700: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x1c0400002710: fa fa fd fd fa fa 00 fa fa fa 00 fa fa fa 00[fa]
  0x1c0400002720: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x1c0400002730: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x1c0400002740: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x1c0400002750: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x1c0400002760: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==78958==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 78958)

Timeline

2019-12-11 - Vendor Disclosure
2020-01-28 - Vendor Patched/Released
2020-02-12 - Public Release

Credit

Discovered by Marcin Towalski of Cisco Talos.