[12] MTE Hardening: CompactRefPtrTuple Stale Pointer Zeroing
Severity: Medium | Component: WTF CompactRefPtrTuple | 98bb748
Rated Medium because this is a mitigation weakness rather than a standalone vulnerability — stale compact pointer data surviving destruction creates an MTE bypass vector for attackers who already have a separate UAF primitive, but the CompactRefPtrTuple's role in MTE bypass is inferred from the commit message rather than demonstrated with a concrete exploit chain. Confidence is 0.62.
Patch Details
Adds secureZeroBytes(m_data) in the destructor of CompactRefPtrTuple, immediately after the existing derefIfNotNull call.
Source/WTF/wtf/CompactRefPtrTuple.h
~CompactRefPtrTuple()
{
WTF::DefaultRefDerefTraits<T>::derefIfNotNull(m_data.pointer());
+ secureZeroBytes(m_data);
}
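Review bot: the zeroing is added only on the destructor path, so if CompactRefPtrTuple has any other member that releases or replaces the held pointer (a copy or move assignment, a reset, or a swap that writes a new value into m_data), the previous compact pointer still sits in storage until destruction; those paths need the same secureZeroBytes(m_data) call or a note on why stale data cannot reach them. Placing the call after derefIfNotNull is the right order, since deref may run T's destructor and has to see the live pointer first, and secureZeroBytes(m_data) only makes sense if m_data is a plain, trivially copyable value, which the declaration should confirm.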
The weakness: stale pointer data survives destruction in a type that is exempt from hardware memory tagging, which creates an MTE bypass vector.
Background
ARM MTE (Memory Tagging Extension) assigns 4-bit tags to memory granules and pointer values; accessing memory with a mismatched tag triggers a hardware fault, catching use-after-free and out-of-bounds accesses. Compact pointers in WebKit use pointer compression — stripping or repurposing upper bits of the pointer — to save memory. This encoding is incompatible with MTE tagging because MTE stores its tag in the same upper bits that compact pointer compression uses. secureZeroBytes is a WebKit utility that zeroes memory in a way that cannot be optimized away by the compiler (unlike a plain memset which a compiler may elide for dead stores in destructors).
Analysis
Before the fix, CompactRefPtrTuple's destructor decremented the reference count of the held pointer but did not zero the m_data storage. Since compact pointers cannot be tagged by ARM MTE — they use pointer compression that strips or repurposes the top bits where MTE tags reside (as stated in the commit message) — a stale compact pointer left in freed and reallocated memory would not trigger an MTE tag mismatch on access. An attacker who could reclaim the freed memory containing a CompactRefPtrTuple (e.g., a ThreadTimerHeapItem, as the commit message references) would find a valid-looking pointer value in the reclaimed slot, bypassing MTE's use-after-free detection for that pointer.
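As an added illustration, not WebKit's code, the C++ below models a compact pointer whose top 16 bits carry a type field in the position MTE would use for its tag (an assumed layout), and compares what the backing storage holds after the owning tuple is destroyed with and without a secure zero. secureZeroBytes here is a constructed volatile-write stand-in for the WTF utility, and derefIfNotNull is omitted since only the storage contents matter.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Constructed stand-in for WTF's secureZeroBytes: writes through a volatile
// pointer so the compiler cannot drop the stores as dead (a plain memset in a
// destructor can be elided).
static void secureZeroBytes(void* p, size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// Toy compact pointer (assumed layout): 48-bit address in the low bits, a
// 16-bit type field in the top bits, i.e. where an MTE tag would otherwise live.
struct CompactPtr {
    static constexpr uint64_t kAddrMask = (1ULL << 48) - 1;
    uint64_t m_data = 0;
    void set(const void* ptr, uint16_t type) {
        m_data = (static_cast<uint64_t>(reinterpret_cast<uintptr_t>(ptr)) & kAddrMask)
               | (static_cast<uint64_t>(type) << 48);
    }
};

// Minimal tuple owner; Zero selects whether the destructor scrubs m_data.
template <bool Zero>
struct Tuple {
    CompactPtr m_data;
    ~Tuple() { if (Zero) secureZeroBytes(&m_data, sizeof(m_data)); }
};

// Constructs a Tuple in raw storage, destroys it, and returns the 64-bit word
// left behind in that storage (what a later occupant of the slot would see).
template <bool Zero>
static uint64_t wordLeftAfterDestruction() {
    alignas(Tuple<Zero>) unsigned char storage[sizeof(Tuple<Zero>)];
    int referent = 0;                       // any live object to point at
    Tuple<Zero>* t = new (storage) Tuple<Zero>();
    t->m_data.set(&referent, 0xABCD);
    t->~Tuple();
    uint64_t word;
    std::memcpy(&word, storage, sizeof(word));
    return word;
}

uint64_t staleWordWithoutZeroing() { return wordLeftAfterDestruction<false>(); }
uint64_t staleWordWithZeroing()    { return wordLeftAfterDestruction<true>(); }
```

Without the zeroing, the packed address and its 0xABCD type field are still readable from the freed slot; with it, the slot reads back as zero, which is the property the patch restores for CompactRefPtrTuple.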