[Webkit-unassigned] [Bug 230206] New: WebKit2 crashes when initializing due to not-threadsafe call to _NSGetEnviron()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 12 20:45:03 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230206

            Bug ID: 230206
           Summary: WebKit2 crashes when initializing due to
                    not-threadsafe call to _NSGetEnviron()
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: iPhone / iPad
                OS: iOS 14
            Status: NEW
          Severity: Major
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jinhao.zhang at icloud.com
                CC: kkinnunen at apple.com

When WebKit2 initializes, it calls _NSGetEnviron() to get all environment variables.
The code is as below (in file Options.cpp, method void Options::initialize()):

#if PLATFORM(COCOA)
            bool hasBadOptions = false;
            for (char** envp = *_NSGetEnviron(); *envp; envp++) {
                const char* env = *envp;
                if (!strncmp("JSC_", env, 4)) {
                    if (!Options::setOption(&env[4])) {
                        dataLog("ERROR: invalid option: ", *envp, "\n");
                        hasBadOptions = true;
                    }
                }
            }

However, _NSGetEnviron() is not thread-safe. If there is another thread calling putenv(),
there is a small chance that WebKit crashes due to an invalid pointer passed to strncmp().
This is because putenv() uses 'realloc' when necessary, which invalidates the old pointer values.
