In May 2022, a vulnerability labeled CVE-2022-30293 was reported in WebKitGTK up to version 2.36. (and the related WPE WebKit). It's a heap-based buffer overflow bug deep inside the WebCore code, specifically affecting the TextureMapperLayer class. If you're a developer or system admin using WebKit-based browsers or embedded web views, understanding this vulnerability is important for keeping your applications secure.
Let’s break down what happened, how it can be exploited, and what you can do.
What is WebKitGTK?
WebKitGTK is the GTK port of the WebKit rendering engine, used for displaying web content in Linux applications. If you use GNOME Web, Epiphany, or other Linux desktop apps with embedded browsers, you’re likely running WebKitGTK under the hood. WPE WebKit is similar but targeted for embedded devices.
The issue sits in the file
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp
Specifically, in the WebCore::TextureMapperLayer::setContentsLayer function.
Here, the code tries to work with layers and textures. Due to improper buffer management, an attacker can trigger a heap-based buffer overflow. This means that by carefully crafting web content, a malicious site could overrun a memory buffer, possibly leading to a crash, data exposure, or even code execution.
Here's a simplified version of the problematic function
void TextureMapperLayer::setContentsLayer(TextureMapperPlatformLayer* layer)
{
if (!m_contentLayer)
m_contentLayer = createContentLayer();
if (m_contentLayer)
m_contentLayer->setContents(layer);
}
Seems harmless, right? But, the real problem lies deeper in how the setContents() function works with raw buffers.
Imagine if setContents() doesn’t properly check the size and ownership of the incoming layer data. If you send a huge or malformed input, it could overrun the expected buffer.
Proof-of-concept (conceptual, simplified)
// Suppose this gets called via JavaScript in a crafty way:
layer.setContentsLayer(payload); // 'payload' is too large or malformed
If that happens, memory gets overwritten, and the attacker is controlling that data on the heap.
How Could It Be Exploited?
A specially crafted web page can exploit this bug. The attacker can feed data through HTML5 canvas, SVG, or other complex content that steers execution into the vulnerable path, causing the heap buffer overflow.
Real-World Impact
WebKitGTK is widely used in the Linux world, not just in desktop web browsers but in apps, kiosks, smart screens, and more. Embedded systems are particularly vulnerable since they might not update often.
If you run any application that embeds a web view using these libraries, you need to be aware and react.
Exploit Details
While a fully weaponized exploit is not public for this bug as of now, researchers have produced crash proofs via malformed HTML and SVG content. Because the overflow happens in the heap, exploitability can depend on system memory layout and other protections like ASLR.
Security researchers and vendors reported
- Triggering the bug via crafted content (see oss-fuzz report for example crash summary)
Mitigation & Patch
WebKitGTK and WPE WebKit patched the bug in version 2.36.1 and above.
Update your libraries! Most Linux distributions have pushed updates. Some examples
- Ubuntu Security Notice: USN-5454-1
- Debian Security Alert: DSA-5134-1
- WebKitGTK Release Notes: 2.36.1 release
References & More Info
- National Vulnerability Database: CVE-2022-30293
- WebKit Bugzilla: Bug 240742
- Exploit Crash Repro: oss-fuzz issue 46885
- WebKitGTK Security Advisories
Summary
CVE-2022-30293 is a heap buffer overflow in WebKitGTK and WPE WebKit up to 2.36.. The problem is in how the TextureMapperLayer::setContentsLayer function handles input, allowing attackers to crash your app or potentially run code on your device if you view a malicious web page.
Restart your apps and services using WebKitGTK after updating
Stay safe, and always keep your libraries up to date!
Timeline
Published on: 05/06/2022 05:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC