[Webkit-unassigned] [Bug 130122] W32: Use-after-free in WTF threading code
bugzilla-daemon at webkit.org
Thu May 8 09:46:19 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130122
--- Comment #7 from LRN <lrn1986 at gmail.com> 2014-05-08 09:46:39 PST ---
Without hardening it's easier to see: the first backtrace shows the thread cache at 0x7ef306a0 being returned to threadheap_allocator's free list from the thread-specific-key destructor during thread exit, and the second shows the same address being written to again by Deallocate when wtfThreadEntryPoint frees its ThreadFunctionInvocation afterwards (ThreadingWin.cpp:224), i.e. the freed cache is still used:
Breakpoint 2, WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::Delete (this=0x8c4978 <WTF::threadheap_allocator>, p=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1131
1131 HardenedSLL new_head = HardenedSLL::create(p);
(gdb) n
[New Thread 4012.0x1e58]
1132 SLL_SetNext(new_head, free_list_, entropy_);
(gdb)
1133 free_list_ = new_head;
(gdb)
Hardware watchpoint 1: WTF::threadheap_allocator.free_list_
Old value = {m_value = 0x0}
New value = {m_value = 0x7ef306a0}
WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::Delete (this=0x8c4978 <WTF::threadheap_allocator>, p=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1134
1134 inuse_--;
(gdb) bt
#0 WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::Delete (this=0x8c4978 <WTF::threadheap_allocator>, p=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1134
#1 0x0064197e in WTF::TCMalloc_ThreadCache::DeleteCache (heap=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3649
#2 0x006418d5 in WTF::TCMalloc_ThreadCache::DestroyThreadCache (ptr=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3634
#3 0x0078c001 in WTF::PlatformThreadSpecificKey::callDestructor (this=0x2c76f008) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecificWin.cpp:70
#4 0x00647ae8 in WTF::ThreadSpecificThreadExit () at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecificWin.cpp:133
#5 0x00647e8d in WTF::wtfThreadEntryPoint (param=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadingWin.cpp:222
#6 0x774e1287 in msvcrt!_itow_s () from C:\Windows\syswow64\msvcrt.dll
#7 0x774e1328 in msvcrt!_endthreadex () from C:\Windows\syswow64\msvcrt.dll
#8 0x7598338a in KERNEL32!BaseThreadInitThunk () from C:\Windows\syswow64\kernel32.dll
#9 0x77b89f72 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#10 0x77b89f45 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#11 0x00000000 in ?? ()
(gdb) p *(void**)0x7ef306a0
$46 = (void *) 0x0
(gdb) watch *(void**)0x7ef306a0
Hardware watchpoint 6: *(void**)0x7ef306a0
(gdb) c
Continuing.
Hardware watchpoint 6: *(void**)0x7ef306a0
Old value = (void *) 0x0
New value = (void *) 0x8
WTF::TCMalloc_ThreadCache::Deallocate (this=0x7ef306a0, ptr=..., cl=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3328
3328 FreeList* list = &list_[cl];
(gdb) bt
#0 WTF::TCMalloc_ThreadCache::Deallocate (this=0x7ef306a0, ptr=..., cl=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3328
#1 0x00641b34 in WTF::do_free (ptr=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4091
#2 0x00641c6e in WTF::fastFree (ptr=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4307
#3 0x0078be84 in WTF::ThreadFunctionInvocation::operator delete (p=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadFunctionInvocation.h:37
#4 0x00770359 in WTF::deleteOwnedPtr<WTF::ThreadFunctionInvocation> (ptr=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/OwnPtrCommon.h:63
#5 0x00792372 in WTF::OwnPtr<WTF::ThreadFunctionInvocation>::~OwnPtr (this=0x2f09ff34, __in_chrg=<optimized out>) at ../webkitgtk-2.2.6/Source/WTF/wtf/OwnPtr.h:63
#6 0x00647e9c in WTF::wtfThreadEntryPoint (param=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadingWin.cpp:224
#7 0x774e1287 in msvcrt!_itow_s () from C:\Windows\syswow64\msvcrt.dll
#8 0x774e1328 in msvcrt!_endthreadex () from C:\Windows\syswow64\msvcrt.dll
#9 0x7598338a in KERNEL32!BaseThreadInitThunk () from C:\Windows\syswow64\kernel32.dll
#10 0x77b89f72 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#11 0x77b89f45 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#12 0x00000000 in ?? ()
(gdb) l
3323 }
3324
3325 inline void TCMalloc_ThreadCache::Deallocate(HardenedSLL ptr, size_t cl) {
3326 size_t allocationSize = ByteSizeForClass(cl);
3327 size_ += allocationSize;
3328 FreeList* list = &list_[cl];
3329 if (MAY_BE_POISONED(ptr.value(), allocationSize))
3330 list->Validate(ptr, allocationSize);
3331
3332 POISON_DEALLOCATION(ptr.value(), allocationSize);
(gdb) p list_
$47 = {{list_ = {m_value = 0x0}, length_ = 0, lowater_ = 0, entropy_ = 0} <repeats 68 times>}
(gdb) p cl
$48 = 1
(gdb) p list_[cl]
$49 = {list_ = {m_value = 0x0}, length_ = 0, lowater_ = 0, entropy_ = 0}
(gdb) p size_
$50 = 8
(gdb) p this
$51 = (WTF::TCMalloc_ThreadCache * const) 0x7ef306a0
(gdb) p *this
$52 = {size_ = 8, tid_ = 5916, in_setspecific_ = true, list_ = {{list_ = {m_value = 0x0}, length_ = 0, lowater_ = 0, entropy_ = 0} <repeats 68 times>}, rnd_ = 2242692540, bytes_until_sample_ = 1556019, entropy_ = 0, next_ = 0x7ef30350, prev_ = 0x0}
--