[6] [WebCore] Fix UAF in Range::createContextualFragment via Trusted Types policy callback

Severity: High | Component: WebCore DOM Range | 1e11f2a

Rated High because the diff promotes raw Node/Element captures to Ref/RefPtr across the Trusted Types createHTML callback in Range::createContextualFragment; without promotion, attacker-controlled JS in the policy callback can drop all references and force GC, then post-callback dereference operates on freed memory.

Captured Node/Element references in Range::createContextualFragment become Ref/RefPtr, pinning lifetime across the Trusted Types policy invocation.

Source/WebCore/dom/Range.cpp

-    auto* node = startContainer.get();
+    Ref node = startContainer;
     ...
     auto sanitized = trustedTypes->createHTML(input);
     // attacker JS may mutate range, drop refs, force GC here
-    parse(*node, sanitized);
+    parse(node.get(), sanitized);

Re-entrancy UAF: a raw Node pointer is captured before invoking a Trusted Types policy callback that runs attacker JavaScript synchronously, then dereferenced after.

Patch Details

The function's local captures for context node and start container become reference-counted. The policy callback is unchanged.

Background

Range::createContextualFragment parses an HTML fragment in the context of the Range's start container. Trusted Types' createHTML policy sits on the input string path, sanitizing the supplied HTML by running a user-installed JavaScript callback before parsing.

Analysis

Pre-fix, the function extracted a raw Node*/Element* from the Range's boundary and continued using it across the createHTML call. That callback is attacker-controlled JS. It can mutate the Range (e.g., range.setEnd(document, 0) — setEnd collapses start to end on order inversion per the visible implementation), drop all other live references, and force GC.

Aaaa Aaaaaaa Aaaaaaa Aaaa Aaaaaaaaaaaaa Aaa Aaaaaa Aaa Aaaaaaa Aaaaaaaaaa a Aaaaaaaaa Aaaaa Aaaaaaaaaa Aaaaaaa Aaaaaaa Aaaaaaa Aaaaaaaa Aaaaaaaaaaaaa Aa Aaaaaa Aaaaaaaa Aa Aaaaa Aaaaaaa Aaaaaaaaa Aaa Aaaaaaaa Aa Aaaaaaaaaaaaaa Aaaaa Aaa Aaaa Aaaaa Aaa Aaa Aaaaaaaa Aa Aaa Aaaaa Aaaaaa Aaaaaaaaa Aaa Aaaaaaaaaa

Aaaa Aaaaaaa Aaa Aaa Aaaaaaaa Aaaaaaaaa Aaaaaa Aa Aaaaaaaaaaa Aaaaaaa Aaa Aaaaaaa Aaaaaaaaa Aa Aaa Aa a Aaa Aaaa Aaaaaaaaa Aaaa Aaaaaaa

🔒

Detailed analysis of how Trusted Types reshapes the re-entrancy model of DOM string sinks, and the realistic exploitation path for the resulting UAF.

Subscribe to read more

Audit directions

a Aaaaa Aaaaaaaaa Aaaa Aaaaaa Aaaaaaaaaaaaaaaaa Aaaaaaaaaaa Aaaaaaaa Aaaaa Aaaaaaaaa Aaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaaa Aaaa Aaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaa Aa a Aaaaa Aaaaaaaa Aaaaaaaa Aaaaa
a Aaaaaaa Aaaaa Aaaaaaaa Aaaa Aaaaaaaa Aaaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaaaaaaaaaaaa Aaa Aaaaaaaaa Aaaaa Aaaaaaaaaaa
a Aaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaa Aaaa Aaaaaaa a Aaaaaaa Aaaa Aaa Aaaaaaaa Aaaaaa Aaaaaa Aaaaaaaa

🔒

Four reusable audit patterns identified across DOM string sinks, Range/Selection consumers, and GC-driven finalization, with concrete grep starting points.

Subscribe to read more