Safari 9.0 (11601.1.56) file prefix crash in HashTable

2015.10.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Safari 9.0 (11601.1.56) file prefix crash in HashTable
Credit: Maksymilian Arciemowicz ( CXSECURITY.COM )

Put this URL into the address bar:

file:///.file/

Safari crashes due to a NULL pointer in %rdi. The backtrace below shows the fault on the error-page path: the provisional load of the URL fails, Safari's showErrorPage calls WKPageLoadAlternateHTMLString, and WebProcessProxy::assumeReadAccessToBaseURL then calls HashTable::add with %rdi = 0, so the read of 0x10(%rdi) faults at address 0x10.

=======================================
Process: Safari [60870]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: 9.0 (11601.1.56)
Build Info: WebBrowser-7601001056000000~2
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Safari [60870]
User ID: XXXXXXX

Date/Time: 2015-10-20 16:46:49.152 +0200
OS Version: Mac OS X 10.11 (15A284)
Report Version: 11

Time Awake Since Boot: 59000 seconds
Time Since Wake: 14000 seconds

System Integrity Protection: enabled

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
Exception Note: EXC_CORPSE_NOTIFY

VM Regions Near 0x10:
-->
__TEXT 0000000102169000-000000010216a000 [ 4K] r-x/rwx SM=COW /Applications/Safari.app/Contents/MacOS/Safari

=======================================
LLDB output:

Process 2724 stopped
* thread #1: tid = 0x18363, 0x00007fff8b2f7d53 WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add(WTF::String&&) + 59, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x00007fff8b2f7d53 WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add(WTF::String&&) + 59
WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add:
->  0x7fff8b2f7d53 <+59>: movl   0x10(%rdi), %ebx    <==================
    0x7fff8b2f7d56 <+62>: cmpl   $0x40, %ebx
    0x7fff8b2f7d59 <+65>: jb     0x7fff8b2f7d64            ; <+76>
    0x7fff8b2f7d5b <+67>: movq   %r15, -0x38(%rbp)

(lldb) register read
General Purpose Registers:
       rax = 0x00007fff5fbfdb78
       rbx = 0x0000000104ec80d0
       rcx = 0x00000000001f8100
       rdx = 0x00007fff5fbfdb78
       rdi = 0x0000000000000000
       rsi = 0x0000000104ec80d0
       rbp = 0x00007fff5fbfdb50
       rsp = 0x00007fff5fbfdb00
        r8 = 0x0000000000000001
        r9 = 0x0000000000000000
       r10 = 0x00000000084df4f4
       r11 = 0x0000000107400000
       r12 = 0x0000000102006530
       r13 = 0x0000000000000007
       r14 = 0x0000000104f80cc0
       r15 = 0x00007fff5fbfdb78
       rip = 0x00007fff8b2f7d53 WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add(WTF::String&&) + 59
    rflags = 0x0000000000010206
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

(lldb) bt
* thread #1: tid = 0x18363, 0x00007fff8b2f7d53 WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add(WTF::String&&) + 59, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
  * frame #0: 0x00007fff8b2f7d53 WebKit`WTF::HashTable<WTF::String, WTF::String, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String> >::add(WTF::String&&) + 59
    frame #1: 0x00007fff8b256b57 WebKit`WebKit::WebProcessProxy::assumeReadAccessToBaseURL(WTF::String const&) + 307
    frame #2: 0x00007fff8b425de3 WebKit`WebKit::WebPageProxy::loadAlternateHTMLString(WTF::String const&, WTF::String const&, WTF::String const&, API::Object*) + 161
    frame #3: 0x00007fff8b2569b4 WebKit`WKPageLoadAlternateHTMLString + 169
    frame #4: 0x00007fff9988a615 Safari`Safari::WK::Page::loadAlternateHTMLString(NSString*, NSURL*, NSURL*) const + 161
    frame #5: 0x00007fff99665951 Safari`Safari::BrowserContentViewController::showErrorPage(NSURL*, NSString*, NSString*, Safari::PageLoadErrorTemplate, NSString*) + 193
    frame #6: 0x00007fff9966313b Safari`Safari::BrowserContentViewController::handleError(Safari::WK::Frame const&, Safari::PageLoadType, Safari::WK::Error const&, bool&) + 1517
    frame #7: 0x00007fff99662a21 Safari`Safari::BrowserContentViewController::locationChangeDone(Safari::WK::Frame const&, Safari::PageLoadType, Safari::WK::Error const&) + 63
    frame #8: 0x00007fff996a40ad Safari`Safari::BrowserPageLoaderClient::locationChangeDone(Safari::WK::Frame const&, Safari::PageLoadType, Safari::WK::Error const&) + 25
    frame #9: 0x00007fff996a3e68 Safari`Safari::BrowserPageLoaderClient::didFailProvisionalLoadWithErrorForFrame(Safari::WK::Page const&, Safari::WK::Frame const&, Safari::WK::Error const&, Safari::WK::Type const&) + 36
    frame #10: 0x00007fff9988e1f4 Safari`Safari::WK::didFailProvisionalLoadWithErrorForFrame(OpaqueWKPage const*, OpaqueWKFrame const*, OpaqueWKError const*, void const*, void const*) + 120
    frame #11: 0x00007fff8b4a8ace WebKit`WKPageSetPageLoaderClient::LoaderClient::didFailProvisionalLoadWithErrorForFrame(WebKit::WebPageProxy&, WebKit::WebFrameProxy&, API::Navigation*, WebCore::ResourceError const&, API::Object*) + 118
    frame #12: 0x00007fff8b429876 WebKit`WebKit::WebPageProxy::didFailProvisionalLoadForFrame(unsigned long long, WebKit::SecurityOriginData const&, unsigned long long, WTF::String const&, WebCore::ResourceError const&, WebKit::UserData const&) + 430
    frame #13: 0x00007fff8b445ae4 WebKit`void IPC::handleMessage<Messages::WebPageProxy::DidFailProvisionalLoadForFrame, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, WebKit::SecurityOriginData const&, unsigned long long, WTF::String const&, WebCore::ResourceError const&, WebKit::UserData const&)>(IPC::MessageDecoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, WebKit::SecurityOriginData const&, unsigned long long, WTF::String const&, WebCore::ResourceError const&, WebKit::UserData const&)) + 167
    frame #14: 0x00007fff8b2f8ed1 WebKit`IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) + 113
    frame #15: 0x00007fff8b47a016 WebKit`WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 24
    frame #16: 0x00007fff8b2c0972 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 102
    frame #17: 0x00007fff8b2c2e9e WebKit`IPC::Connection::dispatchOneMessage() + 114
    frame #18: 0x00007fff9c047d35 JavaScriptCore`WTF::RunLoop::performWork() + 437
    frame #19: 0x00007fff9c048412 JavaScriptCore`WTF::RunLoop::performWork(void*) + 34
    frame #20: 0x00007fff91f89621 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #21: 0x00007fff91f68e1c CoreFoundation`__CFRunLoopDoSources0 + 556
    frame #22: 0x00007fff91f6833f CoreFoundation`__CFRunLoopRun + 927
    frame #23: 0x00007fff91f67d38 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #24: 0x00007fff90b62d55 HIToolbox`RunCurrentEventLoopInMode + 235
    frame #25: 0x00007fff90b62b8f HIToolbox`ReceiveNextEventCommon + 432
    frame #26: 0x00007fff90b629cf HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #27: 0x00007fff8cd52f3a AppKit`_DPSNextEvent + 1067
    frame #28: 0x00007fff8cd52369 AppKit`-[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
    frame #29: 0x00007fff9963d795 Safari`-[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 252
    frame #30: 0x00007fff8cd46ecc AppKit`-[NSApplication run] + 682
    frame #31: 0x00007fff8cd10162 AppKit`NSApplicationMain + 1176
    frame #32: 0x00007fff91e275ad libdyld.dylib`start + 1
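Crash-triage helper, added here as an example and not part of the advisory: it parses the kind of lines shown above (the KERN_INVALID_ADDRESS fault address, the instruction LLDB marks with "->", and the register dump) and classifies the fault as a NULL-base read, which is what makes this a crash rather than a memory-corruption bug. The sample excerpt and the NULL_PAGE_LIMIT boundary are assumptions constructed for the example.

```python
import re

# Constructed excerpt, modelled on the advisory's crash report and LLDB
# session; it is sample input, not the full report from the page.
SAMPLE_REPORT = """\
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
-> 0x7fff8b2f7d53 <+59>: movl 0x10(%rdi), %ebx
rdi = 0x0000000000000000
rsi = 0x0000000104ec80d0
"""

# Assumption: the lowest page is never mapped in a macOS user process, so a
# fault below this boundary is a NULL (or near-NULL) pointer dereference.
NULL_PAGE_LIMIT = 0x1000

def triage_bad_access(report):
    """Classify an EXC_BAD_ACCESS from the report text; returns a dict or None."""
    m = re.search(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)", report)
    if not m:
        return None
    fault_addr = int(m.group(1), 16)
    # The faulting instruction is the line LLDB marks with "->".
    insn = re.search(r"^->\s+\S+\s+<\+\d+>:\s+(\w+)\s+(.*)$", report, re.M)
    mnemonic, operands = (insn.group(1), insn.group(2)) if insn else ("", "")
    # AT&T syntax "disp(%base)": the memory operand's position tells read vs write.
    mem = re.search(r"(-?0x[0-9a-fA-F]+|-?\d+)?\((%\w+)\)", operands)
    offset = int(mem.group(1), 0) if mem and mem.group(1) else 0
    base = mem.group(2).lstrip("%") if mem else None
    src = operands.split(",")[0]
    access = "read" if mem and "(" in src else "write" if mem else "unknown"
    # Cross-check the base register's value in the register dump.
    reg = re.search(rf"\b{base}\s*=\s*(0x[0-9a-fA-F]+)", report) if base else None
    base_value = int(reg.group(1), 16) if reg else None
    null_deref = fault_addr < NULL_PAGE_LIMIT
    return {
        "fault_addr": fault_addr,
        "null_deref": null_deref,
        "mnemonic": mnemonic,
        "base_reg": base,
        "base_value": base_value,
        "offset": offset,
        "access": access,
        # A read through a NULL base lands in the unmapped page: the process
        # dies (denial of service) and no attacker-controlled data is written.
        "impact": "crash/DoS" if null_deref and access == "read" else "needs further analysis",
    }

if __name__ == "__main__":
    print(triage_bad_access(SAMPLE_REPORT))
```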


Copyright 2018, cxsecurity.com