[Webkit-unassigned] [Bug 260962] Network process crash in WebKit::CacheStorageDiskStore::readRecords
bugzilla-daemon at webkit.org
Mon Dec 4 13:28:27 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=260962
--- Comment #6 from Michael Catanzaro <mcatanzaro at redhat.com> ---
Hit again today. I somehow got a better backtrace this time and unfortunately it is a buffer overread. In frame 6, we have:
(gdb) print fileDatas
$2 = WTF::Vector of length 0, capacity 0
(gdb) print blobDatas
$3 = WTF::Vector of length 0, capacity 0
So recordInfos is also required to be 0, but:
(gdb) print recordInfos
$1 = WTF::Vector of length 1, capacity 1 = {{key = {m_partition = "record",
m_type = "c13dab6b-1248-4ed8-818a-66e7d5c489f4", m_identifier = "1e1f03fa-d804-45c7-b65f-ee68cd9a0421",
m_range = "(null)", m_hash = {_M_elems = ",H\023\214~\362\230\027\216Έ\256LH}\347\357/\214D"},
m_partitionHash = {_M_elems = "\"%7H\237\262Y\343\"(&1\201\025\366\366\3776\\\230"}},
insertionTime = 23529902.664000001, identifier = 43, updateResponseCounter = 0, size = 90, url = {
m_string = "https://globalnews.ca/wp-content/themes/shaw-globalnews/assets/dist/images/pattern-greystripe.png", m_isValid = 1, m_protocolIsInHTTPFamily = 1, m_hasOpaquePath = 0, m_portLength = 0, static maxPortLength = 7,
static maxSchemeLength = 67108863, m_schemeEnd = 5, m_userStart = 8, m_userEnd = 8, m_passwordEnd = 8,
m_hostEnd = 21, m_pathAfterLastSlash = 75, m_pathEnd = 97, m_queryEnd = 97}, hasVaryStar = false,
varyHeaders = {m_impl = {static smallMaxLoadNumerator = 3, static smallMaxLoadDenominator = 4,
static largeMaxLoadNumerator = 1, static largeMaxLoadDenominator = 2, static maxSmallTableCapacity = 1024,
static minLoad = 6, static tableSizeOffset = -1, static tableSizeMaskOffset = -2,
static keyCountOffset = -3, static deletedCountOffset = -4, static metadataSize = 16, {m_table = 0x0,
m_tableForLLDB = 0x0}}}}}
There are assertions at the top of the function that would catch this in debug builds:
ASSERT(recordInfos.size() == fileDatas.size());
ASSERT(recordInfos.size() == blobDatas.size());
but they are unfortunately not enabled in release builds.
I'm not sure how this happened. Looking in CacheStorageDiskStore::readRecordsInternal, it really looks like the sizes should always match.
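As an added illustration (not WebKit's code), the following shows the shape of a release-safe version of the size check described above: the three parallel vectors are validated unconditionally, and a mismatch like the one in the backtrace (one recordInfo, zero fileDatas and blobDatas) is rejected instead of being indexed past the end. RecordInfo, Data, Record and readRecordsChecked are constructed stand-ins, not WebKit types.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-ins for the entries of the three parallel vectors.
struct RecordInfo { std::string key; size_t size; };
using Data = std::vector<unsigned char>;
struct Record { RecordInfo info; Data file; Data blob; };

// Unlike a debug-only ASSERT, this check is compiled in release builds too.
// On a length mismatch the caller gets nullopt (treat as an unreadable store)
// rather than a loop that reads fileDatas[i]/blobDatas[i] past their ends.
std::optional<std::vector<Record>> readRecordsChecked(const std::vector<RecordInfo>& recordInfos,
                                                     const std::vector<Data>& fileDatas,
                                                     const std::vector<Data>& blobDatas)
{
    if (recordInfos.size() != fileDatas.size() || recordInfos.size() != blobDatas.size())
        return std::nullopt;

    std::vector<Record> records;
    records.reserve(recordInfos.size());
    for (size_t i = 0; i < recordInfos.size(); ++i)
        records.push_back({ recordInfos[i], fileDatas[i], blobDatas[i] });
    return records;
}

// Reproduces the state from the backtrace: recordInfos has one entry,
// fileDatas and blobDatas are both empty. Must be rejected, not overread.
bool mismatchIsRejected()
{
    std::vector<RecordInfo> infos { { "record", 90 } };
    std::vector<Data> files, blobs; // constructed: both length 0, as in the crash
    return !readRecordsChecked(infos, files, blobs).has_value();
}

// The well-formed case still assembles every record.
bool matchedReadSucceeds()
{
    std::vector<RecordInfo> infos { { "a", 1 }, { "b", 2 } };
    std::vector<Data> files { { 0x01 }, { 0x02, 0x03 } };
    std::vector<Data> blobs { {}, { 0x04 } };
    auto result = readRecordsChecked(infos, files, blobs);
    return result && result->size() == 2 && (*result)[1].blob.size() == 1;
}
```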