Bug 260649 (CVE-2023-39928)

Summary: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution.
Product: Security Reporter: vulndiscovery
Component: SecurityAssignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, clopez, ddkilzer, eric.carlson, mcatanzaro, philn, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
TALOS-2023-1831.txt
none
Proof of concept none

Description vulndiscovery 2023-08-24 01:51:19 PDT 
Created attachment 467413 [details]
TALOS-2023-1831.txt

TALOS-2023-1831
CVE-2023-39928

Webkit MediaRecorder API stopRecording use-after-free vulnerability
Summary

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability.
Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Webkit WebKitGTK 2.40.5
Product URLs

Webkit - https://webkit.org/
CVSSv3 Score

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE

CWE-416 - Use After Free
Details

WebKit is an open-source web content engine for browsers and other applications.

The vulnerabiliy is related with the MediaRecorder interface and the way this interface handles stop recording process. A malicious web page can trigger a use-after-free vulnerability which can potentialy result in remote code execution.
Comapring code responsible for the crash and ASAN output we can pinpoint the following correlation:

Line 9              mediaStreamAudioDst = audioCtx.createMediaStreamDestination();
Line 10             mediaRecorder = new MediaRecorder(mediaStreamAudioDst.stream);
Line 11             mediaRecorder.start();

When we start recording line 11 internaly MediaRecorderPrivateGStreamer object gets allocated:

previously allocated by thread T0 here:
    #0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
    #2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
    #3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
    #4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
    #5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
    #6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
    #7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
    #8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
    #9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
    #10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
    #15 0x7f061c2b4037  (<unknown module>)
    #16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
    #17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
    #18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
    #19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
    #20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
    #21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
    #22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
    #23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
    #24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
    #25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
    #26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
    #27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
    #28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
    #29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
    #30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
    #31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
    #32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
    #33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
    #34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
    #35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
    #36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
    #37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
    #38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
    #39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
    #40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
    #41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
    #42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
    #43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
    #44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
    #47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
    #48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
    #49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9

further when we call stop method:

Line 12             mediaRecorder.stop();

it seems that Locker object is locked on class field m_dataLock which get released before Locker smart pointer destructor gets called which in turn leads to use-after-free:

 Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp#111


void MediaRecorderPrivateGStreamer::fetchData(FetchDataCallback&& completionHandler)
{
    Locker locker { m_dataLock };
    GST_DEBUG_OBJECT(m_transcoder.get(), "Transfering %zu encoded bytes", m_data.size());
    auto buffer = m_data.take();
    completionHandler(WTFMove(buffer), mimeType(), m_position);
}

ASAN output showing write operation after object has been released :

==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
    #0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
    #1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
    #2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
    #3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
    #4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
    #5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
    #6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
    #7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
    #8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
    #9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
    #11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
    #14 0x7f061c2b4037  (<unknown module>)

Proper heap grooming, and additional precisely timed JavaScript code, can give an attacker full control of this use-after-free vulnerability resulting in arbitrary code execution.
Crash Information

=================================================================
==9887==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000fb018 at pc 0x7f066e89d6e1 bp 0x7ffea27d6010 sp 0x7ffea27d6008
WRITE of size 1 at 0x60f0000fb018 thread T0
    #0 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9
    #1 0x7f066e89d6e0 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:547:9
    #2 0x7f066e89d6e0 in WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::memory_order) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Atomics.h:89:22
    #3 0x7f066e89d6e0 in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::unlockFastAssumingZero(WTF::Atomic<unsigned char>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/LockAlgorithm.h:88:21
    #4 0x7f066e89d6e0 in WTF::Lock::unlock() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:92:13
    #5 0x7f066e89d6e0 in WTF::Locker<WTF::Lock>::~Locker() /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/Lock.h:168:20
    #6 0x7f066e89d6e0 in WebCore::MediaRecorderPrivateGStreamer::fetchData(WTF::CompletionHandler<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:117:1
    #7 0x7f0670fac6bc in WebCore::MediaRecorder::fetchData(WTF::Function<void (WTF::RefPtr<WebCore::FragmentedSharedBuffer, WTF::RawPtrTraits<WebCore::FragmentedSharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::FragmentedSharedBuffer> >&&, WTF::String const&, double)>&&, WebCore::MediaRecorder::TakePrivateRecorder) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:312:21
    #8 0x7f0670fac08f in WebCore::MediaRecorder::stopRecording() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:217:5
    #9 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #10 0x7f066fd568b2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:165:13
    #11 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:610:5
    #12 0x7f066fd568b2 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_stopBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #13 0x7f066fd568b2 in WebCore::jsMediaRecorderPrototypeFunction_stop(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:615:12
    #14 0x7f061c2b4037  (<unknown module>)

0x60f0000fb018 is located 136 bytes inside of 168-byte region [0x60f0000faf90,0x60f0000fb038)
freed by thread T0 here:
    #0 0x562140f4eeb2 in __interceptor_free (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa0eb2) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f95cf2 in pas_try_deallocate_not_small_exclusive_segregated(pas_thread_local_cache*, unsigned long, pas_heap_config, pas_deallocation_mode, pas_fast_megapage_kind) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_deallocate.h:104:9
    #2 0x7f0669f95cf2 in bmalloc_heap_config_specialized_try_deallocate_not_small_exclusive_segregated /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43:1

previously allocated by thread T0 here:
    #0 0x562140f4f15e in malloc (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/libexec/webkit2gtk-4.1/WebKitWebProcess+0xa115e) (BuildId: d6d880ff92796ed4f6097a57505dca7ef7439259)
    #1 0x7f0669f4bd0b in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long), pas_intrinsic_heap_designation_mode) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
    #2 0x7f0669f4bd0b in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69:1
    #3 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::operator new(unsigned long) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.h:41:5
    #4 0x7f066e89b6c8 in std::_MakeUniq<WebCore::MediaRecorderPrivateGStreamer>::__single_object std::make_unique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:30
    #5 0x7f066e89b6c8 in decltype(auto) WTF::makeUnique<WebCore::MediaRecorderPrivateGStreamer, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&>(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WTF/Headers/wtf/StdLibExtras.h:569:12
    #6 0x7f066e89b6c8 in WebCore::MediaRecorderPrivateGStreamer::create(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/platform/mediarecorder/MediaRecorderPrivateGStreamer.cpp:49:21
    #7 0x7f0670fd2bce in WebCore::MediaRecorderProvider::createMediaRecorderPrivate(WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorderProvider.cpp:51:12
    #8 0x7f0670fa7ae0 in WebCore::MediaRecorder::createMediaRecorderPrivate(WebCore::Document&, WebCore::MediaStreamPrivate&, WebCore::MediaRecorderPrivateOptions const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:91:49
    #9 0x7f0670fab19a in WebCore::MediaRecorder::startRecording(std::optional<unsigned int>) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:162:19
    #10 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()::operator()() const /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #11 0x7f066fd56280 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)::'lambda'()&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #12 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:595:5
    #13 0x7f066fd56280 in long WebCore::IDLOperation<WebCore::JSMediaRecorder>::call<&(WebCore::jsMediaRecorderPrototypeFunction_startBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSMediaRecorder*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #14 0x7f066fd56280 in WebCore::jsMediaRecorderPrototypeFunction_start(JSC::JSGlobalObject*, JSC::CallFrame*) /fuzzing/browsers/webkitgtk-2.40.5-debug/build/WebCore/DerivedSources/JSMediaRecorder.cpp:600:12
    #15 0x7f061c2b4037  (<unknown module>)
    #16 0x7f0669ce0e8e in js_trampoline_op_call LowLevelInterpreter.cpp
    #17 0x7f0669cc3a79 in vmEntryToJavaScript (/fuzzing/browsers/webkitgtk-2.40.5-debug/build/lib/libjavascriptcoregtk-4.1.so.0+0x4e28a79) (BuildId: f55eedc27be823ac6dc7ab91b43c7dc1aa59b9ee)
    #18 0x7f06679902f0 in JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1123:32
    #19 0x7f06679902f0 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/interpreter/Interpreter.cpp:1132:16
    #20 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:57:27
    #21 0x7f06685770cc in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/JavaScriptCore/runtime/CallData.cpp:64:22
    #22 0x7f0671712d9a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/bindings/js/JSEventListener.cpp:224:22
    #23 0x7f06726f6ed2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:375:40
    #24 0x7f06726d9fe1 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/EventTarget.cpp:307:9
    #25 0x7f0673d61c5f in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2393:5
    #26 0x7f0673d8c079 in WebCore::DOMWindow::dispatchLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/page/DOMWindow.cpp:2325:5
    #27 0x7f067256cd00 in WebCore::Document::dispatchWindowLoadEvent() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:5287:18
    #28 0x7f067256cd00 in WebCore::Document::implicitClose() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:3309:5
    #29 0x7f0673a9e3f0 in WebCore::FrameLoader::checkCompleted() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:911:5
    #30 0x7f0673a97e43 in WebCore::FrameLoader::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/FrameLoader.cpp:810:5
    #31 0x7f06725b177f in WebCore::Document::finishedParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/dom/Document.cpp:6380:25
    #32 0x7f06732a4267 in WebCore::HTMLDocumentParser::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446:20
    #33 0x7f06732a4267 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455:5
    #34 0x7f06732a4267 in WebCore::HTMLDocumentParser::prepareToStopParsing() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150:5
    #35 0x7f06732a9ee5 in WebCore::HTMLDocumentParser::finish() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495:5
    #36 0x7f0673a0c396 in WebCore::DocumentWriter::end() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentWriter.cpp:322:15
    #37 0x7f0673a09327 in WebCore::DocumentLoader::finishedLoading() /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/DocumentLoader.cpp:511:14
    #38 0x7f0673c97436 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:340:17
    #39 0x7f0673c86f0f in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedResource.cpp:356:5
    #40 0x7f0673c86f0f in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/cache/CachedRawResource.cpp:128:21
    #41 0x7f0673bc43df in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebCore/loader/SubresourceLoader.cpp:751:17
    #42 0x7f066e3ecce3 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:262:19
    #43 0x7f066ce6bcdf in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
    #44 0x7f066ce6bcdf in WebKit::WebResourceLoader std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(std::__invoke_other, WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #45 0x7f066ce6bcdf in std::__invoke_result<WebKit::WebResourceLoader, WebCore::NetworkLoadMetrics>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #46 0x7f066ce6bcdf in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::integer_sequence<unsigned long, 0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1858:14
    #47 0x7f066ce6bcdf in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1869:14
    #48 0x7f066ce6bcdf in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
    #49 0x7f066ce6bcdf in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) /fuzzing/browsers/webkitgtk-2.40.5-debug/Source/WebKit/Platform/IPC/HandleMessage.h:236:9

SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/atomic_base.h:522:9 in std::__atomic_base<unsigned char>::compare_exchange_weak(unsigned char&, unsigned char, std::memory_order, std::memory_order)
Shadow bytes around the buggy address:
  0x0c1e800175b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e800175c0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1e800175d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e800175e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1e800175f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80017600: fd fd fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1e80017610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e80017620: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80017650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9887==ABORTING

Credit

Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos.
Comment 1 Radar WebKit Bug Importer 2023-08-24 01:51:29 PDT 
<rdar://problem/114370120>
Comment 2 vulndiscovery 2023-08-24 01:52:04 PDT 
Created attachment 467414 [details]
Proof of concept
Comment 3 Eric Carlson 2023-08-25 12:50:14 PDT 
cc'd @philn for visibility.
Comment 4 Philippe Normand 2023-08-26 04:09:46 PDT 
https://github.com/WebKit/WebKit/pull/17103
Comment 5 Philippe Normand 2023-08-27 07:59:27 PDT 
In MediaRecorder::fetchData() we have this:

    auto& privateRecorder = *m_private;

    std::unique_ptr<MediaRecorderPrivate> takenPrivateRecorder;
    if (takeRecorder == TakePrivateRecorder::Yes)
        takenPrivateRecorder = WTFMove(m_private);


I wonder, is it safe to use privateRecorder after m_private was moved?
Comment 6 Philippe Normand 2023-08-27 08:07:50 PDT 
Answering myself, yes, seems safe. A bit convoluted though
Comment 7 Philippe Normand 2023-08-28 01:37:18 PDT 
https://commits.webkit.org/267345@main
Comment 8 Michael Catanzaro 2023-09-27 12:52:08 PDT 
Hi, consider CCing bugs-noreply@webkitgtk.org on platform-specific security issues, or else we don't know about them. Anyway, this looks like a clear candidate for a CVE, so we will request one.
Comment 9 Michael Catanzaro 2023-09-27 12:56:12 PDT 
(In reply to vulndiscovery from comment #0)
> TALOS-2023-1831
> CVE-2023-39928

Hold up, we already have one :)
Comment 10 Carlos Alberto Lopez Perez 2023-09-28 06:36:36 PDT 
Included in advisory https://webkitgtk.org/security/WSA-2023-0009.html