Talos Vulnerability Report

TALOS-2023-1831

Webkit MediaRecorder API stopRecording use-after-free vulnerability

October 6, 2023
CVE Number

CVE-2023-39928

SUMMARY

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Webkit WebKitGTK 2.40.5

PRODUCT URLS

Webkit - https://webkit.org/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

WebKit is an open-source web content engine for browsers and other applications.

The vulnerability is related to the MediaRecorder interface and the way it handles the stop-recording process. A malicious web page can trigger a use-after-free, which can potentially result in remote code execution. Comparing the code responsible for the crash with the ASAN output, we can pinpoint the following correlation:

Line 9 				mediaStreamAudioDst = audioCtx.createMediaStreamDestination();
Line 10				mediaRecorder = new MediaRecorder(mediaStreamAudioDst.stream);
Line 11				mediaRecorder.start();

When recording is started at line 11, a MediaRecorderPrivateGStreamer object is allocated internally:

previously allocated by thread T0 here:
    #0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
    #2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
    #3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
    #4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
    #5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
    #6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
    #7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
    #8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
    #9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
    #10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
    #15 0x7f061c2b4037  (<unknown module>)
    #16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
    #17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
    #18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
    #19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
    #20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
    #21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
    #22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
    #23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
    #24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
    #25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
    #26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
    #27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
    #28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
    #29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
    #30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
    #31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
    #32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
    #33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
    #34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
    #35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
    #36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
    #37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
    #38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
    #39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
    #40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
    #41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
    #42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
    #43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
    #44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
    #47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
    #48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
    #49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9

Further, when we call the stop method:

Line 12				mediaRecorder.stop();

A Locker (an RAII guard) is taken on the class member m_dataLock and is only released when it goes out of scope at the end of fetchData, but the object that owns m_dataLock is freed before the Locker's destructor runs. The ASAN report below places the offending write in Locker::~Locker -> Lock::unlock(), 136 bytes into the 168-byte MediaRecorderPrivateGStreamer allocation that has already been freed. The only code executed between acquiring the lock and the end of the function is the call to completionHandler, so the object is destroyed during that call, and the guard then unlocks a lock that lives in freed memory. This is the use-after-free:

Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp#111

void MediaRecorderPrivateGStreamer::fetchData(FetchDataCallback&& completionHandler)
{
    Locker locker { m_dataLock };
    GST_DEBUG_OBJECT(m_transcoder.get(), "Transfering %zu encoded bytes", m_data.size());
    auto buffer = m_data.take();
    completionHandler(WTFMove(buffer), mimeType(), m_position);
}

ASAN output showing the write operation after the object has been released:

==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
    #0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
    #1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
    #2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
    #3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
    #4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
    #5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
    #6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
    #7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
    #8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
    #9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
    #11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
    #14 0x7f061c2b4037  (<unknown module>)

With proper heap grooming and additional, precisely timed JavaScript, an attacker can gain full control of this use-after-free, resulting in arbitrary code execution.
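The following C++ program is an added model of the bug pattern, written for this page; it is not WebKit code, and the names (TrackedLock, Locker, Recorder, fetchDataVulnerable, fetchDataFixed, runStop), the MIME type and the sample bytes are constructed for the illustration. It reproduces the shape of fetchData above: a scoped lock guard on a member lock stays alive while the completion handler runs, and the handler is the last owner of the recorder and destroys it (an assumed ownership model for the TakePrivateRecorder path visible in the stopRecording trace). A small address registry stands in for AddressSanitizer, so the guard records the unlock-after-free instead of actually writing to freed memory, and the "fixed" variant shows one way to harden the function (copy what the handler needs out under the lock, release it, then call the handler); that is an assumed fix, not a claim about the upstream patch.

```cpp
// Added model of the fetchData() lifetime bug (not WebKit code): a scoped lock
// guard on a member lock is still alive when the completion handler destroys the
// owning object, so the guard's destructor unlocks freed memory. liveLocks()
// stands in for AddressSanitizer so both variants run deterministically.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Addresses of lock objects whose lifetime has not ended (our mini-ASAN).
static std::set<std::uintptr_t>& liveLocks() { static std::set<std::uintptr_t> s; return s; }
static int g_unlockAfterFree = 0;

// Spin lock with the 0/1 byte state of WTF::Lock's fast path; the
// compare-exchange in unlock() is the 1-byte WRITE that ASAN reported.
class TrackedLock {
public:
    TrackedLock() { liveLocks().insert(reinterpret_cast<std::uintptr_t>(this)); }
    ~TrackedLock() { liveLocks().erase(reinterpret_cast<std::uintptr_t>(this)); }
    void lock() { unsigned char expected = 0; while (!m_state.compare_exchange_weak(expected, 1)) expected = 0; }
    void unlock() { unsigned char expected = 1; m_state.compare_exchange_strong(expected, 0); }
private:
    std::atomic<unsigned char> m_state { 0 };
};

// RAII guard like WTF::Locker, except it keeps only the lock's address and checks
// the registry before unlocking; the real Locker holds a reference and writes.
class Locker {
public:
    explicit Locker(TrackedLock& lock) : m_addr(reinterpret_cast<std::uintptr_t>(&lock)) { lock.lock(); }
    ~Locker() {
        if (!liveLocks().count(m_addr)) { ++g_unlockAfterFree; return; } // heap-use-after-free
        reinterpret_cast<TrackedLock*>(m_addr)->unlock();
    }
private:
    std::uintptr_t m_addr;
};

using Buffer = std::vector<std::uint8_t>;
using FetchDataCallback = std::function<void(Buffer&&, const std::string&, double)>;

// Stand-in for MediaRecorderPrivateGStreamer with fetchData()'s shape.
class Recorder {
public:
    void append(const Buffer& chunk) { Locker locker { m_dataLock }; m_data.insert(m_data.end(), chunk.begin(), chunk.end()); }

    // Vulnerable shape: the guard outlives the handler call and the handler may
    // destroy *this, so ~Locker unlocks a lock that no longer exists.
    void fetchDataVulnerable(FetchDataCallback&& handler) {
        Locker locker { m_dataLock };
        Buffer buffer = std::exchange(m_data, Buffer {});
        handler(std::move(buffer), m_mimeType, m_position);
    } // ~Locker runs here, after *this may already be gone

    // Hardened shape (an assumed fix, not necessarily upstream's patch): copy what
    // the handler needs out under the lock, release it, then call the handler.
    void fetchDataFixed(FetchDataCallback&& handler) {
        Buffer buffer; std::string mimeType; double position;
        {
            Locker locker { m_dataLock };
            buffer = std::exchange(m_data, Buffer {});
            mimeType = m_mimeType;
            position = m_position;
        } // lock released while *this is still alive
        handler(std::move(buffer), mimeType, position); // may destroy *this; nothing below uses it
    }
private:
    TrackedLock m_dataLock;
    Buffer m_data;
    std::string m_mimeType { "audio/webm" }; // hypothetical value
    double m_position { 0.0 };
};

struct StopResult { int unlockAfterFree; std::size_t bytesDelivered; };

// Drives one variant the way stop() does in the advisory: the handler receiving the
// final data is also the last owner of the recorder and drops it mid-fetchData() (assumed).
static StopResult runStop(bool useFixed) {
    g_unlockAfterFree = 0;
    auto recorder = std::make_shared<Recorder>();
    recorder->append({ 0x1a, 0x45, 0xdf, 0xa3 }); // constructed sample bytes
    Recorder* raw = recorder.get();
    std::size_t delivered = 0;
    FetchDataCallback handler = [owner = recorder, &delivered](Buffer&& buf, const std::string&, double) mutable {
        delivered = buf.size();
        owner.reset(); // last reference: ~Recorder runs and m_dataLock is gone
    };
    recorder.reset(); // the handler now solely owns the recorder
    useFixed ? raw->fetchDataFixed(std::move(handler)) : raw->fetchDataVulnerable(std::move(handler));
    return { g_unlockAfterFree, delivered };
}

int main() {
    StopResult bad = runStop(false), good = runStop(true);
    std::printf("vulnerable: %d unlock-after-free, %zu bytes\n", bad.unlockAfterFree, bad.bytesDelivered);
    std::printf("fixed:      %d unlock-after-free, %zu bytes\n", good.unlockAfterFree, good.bytesDelivered);
}
```

Build with any C++14 or later compiler (for example g++ -std=c++17 model.cpp). The vulnerable variant reports one unlock-after-free and the fixed variant none, while both deliver the same four bytes to the handler. The registry is only a teaching aid: it would miss the case where a new lock has been allocated at the recycled address, which is exactly the situation heap grooming aims to create in a real exploit.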

Crash Information

=================================================================
==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
    #0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
    #1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
    #2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
    #3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
    #4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
    #5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
    #6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
    #7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
    #8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
    #9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
    #11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
    #14 0x7f061c2b4037  (<unknown module>)

0x60f0000fb018 is located 136 bytes inside of 168-byte region [0x60f0000faf90,0x60f0000fb038)
freed by thread T0 here:
    #0 0x562140f4eeb2 in __interceptor_free (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa0eb2) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f95cf2 in pas_try_deallocate_not_small_exclusive_segregated(pas_thread_local_cache*, unsigned long, pas_heap_config, pas_deallocation_mode, pas_fast_megapage_kind) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_deallocate.h:104:9
    #2 0x7f0669f95cf2 in bmalloc_heap_config_specialized_try_deallocate_not_small_exclusive_segregated /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43:1

previously allocated by thread T0 here:
    #0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
    #2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
    #3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
    #4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
    #5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
    #6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
    #7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
    #8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
    #9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
    #10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
    #15 0x7f061c2b4037  (<unknown module>)
    #16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
    #17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
    #18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
    #19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
    #20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
    #21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
    #22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
    #23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
    #24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
    #25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
    #26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
    #27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
    #28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
    #29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
    #30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
    #31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
    #32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
    #33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
    #34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
    #35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
    #36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
    #37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
    #38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
    #39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
    #40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
    #41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
    #42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
    #43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
    #44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
    #47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
    #48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
    #49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9

SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order)
Shadow bytes around the buggy address:
  0x0c1e800175b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e800175c0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1e800175d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e800175e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1e800175f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80017600: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1e80017610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e80017620: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9887==ABORTING
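
The shadow-byte dump and legend above can be decoded mechanically. The following is an added example (not part of the Talos report): it parses the two rows quoted from the dump, maps the bracketed shadow byte back to the faulting application address using the x86_64 Linux ASAN shadow mapping Shadow = (Mem >> 3) + 0x7fff8000 (an assumption about the reporter's platform, consistent with the x86_64 paths in the trace), and walks the surrounding run of `fd` bytes to bound the size of the freed region the access lands in.

```python
"""Decode an ASAN shadow-byte dump. Added example, not from the Talos report; it assumes
the x86_64 Linux mapping Shadow = (Mem >> 3) + 0x7fff8000 and quotes rows from the dump above."""
import re

SHADOW_OFFSET = 0x7FFF8000  # x86_64 Linux ASAN default shadow offset
SHADOW_SCALE = 3            # one shadow byte covers 2**3 = 8 application bytes
LEGEND = {0x00: "addressable", 0xfa: "heap left redzone", 0xfd: "freed heap region",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
          0xf5: "stack after return", 0xf8: "stack use after scope", 0xf9: "global redzone",
          0xf6: "global init order", 0xf7: "poisoned by user", 0xfc: "container overflow",
          0xac: "array cookie", 0xbb: "intra object redzone", 0xfe: "ASan internal",
          0xca: "left alloca redzone", 0xcb: "right alloca redzone"}
ROW_RE = re.compile(r"^[ \t]*(?:=>)?[ \t]*0x([0-9a-f]+):[ \t]*(.+)$", re.M)  # '  0x..: ..' / '=>0x..: ..'
CELL_RE = re.compile(r"\[?[0-9a-f]{2}\]?")  # one shadow byte, 'fd' or the bracketed '[fd]'
SAMPLE_DUMP = """\
  0x0c1e800175f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80017600: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
"""

def shadow_to_app(s):
    return (s - SHADOW_OFFSET) << SHADOW_SCALE

def classify(b):
    return LEGEND.get(b, f"partially addressable ({b} bytes)" if 1 <= b <= 7 else "unknown")

def parse_rows(text):
    shadow, marked = {}, None  # {shadow_addr: byte}, address of the [..] byte
    for m in ROW_RE.finditer(text):
        row = int(m.group(1), 16)
        for idx, cell in enumerate(CELL_RE.findall(m.group(2))):
            if cell.startswith("["):
                marked = row + idx
            shadow[row + idx] = int(cell.strip("[]"), 16)
    if marked is None:
        raise ValueError("no bracketed shadow byte found")
    return shadow, marked

def decode_shadow_dump(text):
    shadow, marked = parse_rows(text)
    state = shadow[marked]
    # Walk the contiguous run of identical shadow bytes around the access: for a freed
    # chunk that run is the poisoned user region, so it bounds the object size (8-byte granules).
    lo = hi = marked
    while shadow.get(lo - 1) == state:
        lo -= 1
    while shadow.get(hi + 1) == state:
        hi += 1
    return {"app_addr": shadow_to_app(marked), "state": classify(state),
            "region_start": shadow_to_app(lo), "region_bytes": (hi - lo + 1) << SHADOW_SCALE,
            "offset_in_region": (marked - lo) << SHADOW_SCALE}
```

For the quoted rows this reports a freed heap region of at most 168 bytes, with the faulting access 136 bytes into it; the ASAN summary line states the same fault as a read inside a freed region.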

VENDOR RESPONSE

Vendor advisory: https://webkitgtk.org/security/WSA-2023-0009.html

TIMELINE

2023-08-24 - Vendor Disclosure
2023-09-28 - Vendor Patch Release
2023-10-06 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.