[13] WebAnimation null-deref via stale microtask backpointer
Severity: Medium | Component: WebCore Web Animations / KeyframeEffect | c7e7785
The null deref reproduces deterministically inside the renderer and matches the ASan SEGV stack pattern. It is rated Medium because whether this can be extended into a UAF read primitive depends on whether the backpointer was merely switched to null or pointed at already-freed memory; the analyst flags this as the key unverified architectural question.
Source/WebCore/animation/KeyframeEffect.cpp
void KeyframeEffect::applyPendingAcceleratedActions()
{
if (m_pendingAcceleratedActions.isEmpty())
return;
+ if (!animation())
+ return;
+
CheckedPtr renderer = this->renderer();
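Review bot: the new `if (!animation()) return;` guard only covers the case where the backpointer has already been cleared to null; if the owning WebAnimation can be released before the microtask runs (the open question the analysis raises), a dangling backpointer would pass this check unchanged. Consider having the lambda enqueued from wasRemovedFromStack() hold a Ref to the animation, or a WeakPtr that is checked here, and add a short comment stating why animation() can legitimately be null at this point so the guard is not read as papering over a lifetime bug.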
Patch Details
An early-return guard was added to KeyframeEffect::applyPendingAcceleratedActions(): immediately after the existing empty-pending-actions check, the function now returns if animation() returns null. The regression test schedules a pending accelerated action via wasRemovedFromStack(); it then changes style, reassigns animation.effect = new KeyframeEffect(null, ...), and thereby nulls or replaces the effect's animation link before the asynchronous microtask runs.
Pattern: the owning animation's lifetime is not extended across the asynchronous microtask boundary, leaving the backpointer in a state where it can become null or be freed before the deferred work runs.
Background
KeyframeEffect represents a CSS/JS animation effect attached to a WebAnimation. Each effect holds a backpointer to its owning WebAnimation, accessible via KeyframeEffect::animation(). applyPendingAcceleratedActions() is the deferred drain function that forwards pending play/pause/seek work to the compositor through the renderer. WebKit's event loop lets native code enqueue lambdas, but a lambda that captures only a weak reference does not extend the lifetime of the captured object. Assigning animation.effect = new KeyframeEffect(null, ...) detaches the previous effect from the animation.
Analysis
applyPendingAcceleratedActions() was reachable through an asynchronous microtask scheduled from KeyframeEffect::wasRemovedFromStack(). wasRemovedFromStack itself holds a Ref/RefPtr to the animation within its synchronous scope. The lambda enqueued for the microtask, however, captures only the KeyframeEffect or goes through a weak-reference path, so it does not extend the animation's lifetime.
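The sequence above, reduced to a stand-alone model as an added example (not WebKit code): an Effect with a raw backpointer to its owning Animation, a deferred task that captures only the Effect, and a drain function that can run in pre-patch or guarded form. The event-loop queue, the Animation/Effect types and the DrainResult values are all constructed for this illustration; it models the null-backpointer case only, not the freed-memory case the analysis leaves open.

```cpp
// Added example (not WebKit code): models the microtask lifetime pattern.
// Reassigning animation.effect before the queued task runs leaves the old
// Effect's backpointer null; the guard decides whether that is a crash.
#include <functional>
#include <memory>
#include <vector>

struct Animation;
struct Effect {
    Animation* owner = nullptr;   // backpointer, like KeyframeEffect::animation()
    int pendingActions = 0;       // stand-in for m_pendingAcceleratedActions
};

struct Animation {
    std::shared_ptr<Effect> effect;
    void setEffect(std::shared_ptr<Effect> e) {
        if (effect) effect->owner = nullptr;   // previous effect is detached
        effect = std::move(e);
        if (effect) effect->owner = this;
    }
};

enum class DrainResult { NothingPending, Applied, SkippedNoOwner, NullDereference };
// Deferred drain. `guarded` selects the patched behaviour (early return when
// the owner is gone) versus the pre-patch behaviour (dereference regardless).
DrainResult applyPendingAcceleratedActions(Effect& effect, bool guarded) {
    if (effect.pendingActions == 0) return DrainResult::NothingPending;
    if (guarded && !effect.owner) return DrainResult::SkippedNoOwner;
    if (!effect.owner) return DrainResult::NullDereference;   // the crash point
    effect.pendingActions = 0;    // would be forwarded to the compositor
    return DrainResult::Applied;
}

// Mirrors the regression test: schedule a pending action, replace the
// effect, then run the queued "microtasks" (constructed queue, not WebKit's).
DrainResult runScenario(bool guarded) {
    std::vector<std::function<void()>> microtasks;
    Animation animation;
    auto original = std::make_shared<Effect>();
    animation.setEffect(original);
    original->pendingActions = 1;
    DrainResult result = DrainResult::NothingPending;
    // Captures the Effect only, so nothing keeps the owner link alive.
    microtasks.push_back([original, guarded, &result] {
        result = applyPendingAcceleratedActions(*original, guarded);
    });
    animation.setEffect(std::make_shared<Effect>());  // animation.effect = new KeyframeEffect(...)
    for (auto& task : microtasks) task();
    return result;
}
```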
🔒The lifetime story behind this microtask-deferred crash, and whether the immediate null dereference can plausibly escalate, is examined in detail.
Audit directions
🔒Several reusable audit patterns identified across Web Animations, with concrete entry points for variant discovery in the deferred-work and detach paths.