[14] Remove all KVO observers before [m_objcObserver disconnect]
Severity: Medium | Component: WebCore AVFoundation media backend | f2a3aa2
Reachable from any page that creates and destroys media elements. During media element teardown, MTE detected a stale weak-reference dereference inside Foundation's KVO hash table; on hardware without MTE the same access is a silent stale-pointer read of a freed slot. Rated Medium for this reason.
Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm
[[NSNotificationCenter defaultCenter] removeObserver:m_objcObserver];
+
+ if (m_avPlayerItem) {
+ for (NSString *keyName in itemKVOProperties())
+ [m_avPlayerItem removeObserver:m_objcObserver.get() forKeyPath:keyName];
+ }
+ if (m_avPlayer) {
+ for (NSString *keyName in playerKVOProperties())
+ [m_avPlayer removeObserver:m_objcObserver.get() forKeyPath:keyName];
+ setShouldObserveTimeControlStatus(false);
+ }
+ for (AVPlayerItemTrack *track in m_cachedTracks.get())
+ [track removeObserver:m_objcObserver.get() forKeyPath:@"enabled"];
+
[m_objcObserver disconnect];
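Review bot: the three removal loops depend on every removeObserver:forKeyPath: matching an earlier addObserver:, but the hunk does not show the registration sites, and Foundation raises NSRangeException when an observer is removed from a key path it is not registered on. Please confirm that the `if (m_avPlayerItem)` / `if (m_avPlayer)` guards and the `for (AVPlayerItemTrack *track in m_cachedTracks.get())` loop mirror exactly the conditions under which the observers were added (and that `setShouldObserveTimeControlStatus(false)` is itself idempotent), so a second pass through cancelLoad() after the members are cleared cannot throw. Minor style point: the context line passes `m_objcObserver` to NSNotificationCenter while the new loops pass `m_objcObserver.get()`; use one form throughout.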
Patch Details
The cleanup order in MediaPlayerPrivateAVFoundationObjC::cancelLoad() was changed. The three KVO deregistration loops were moved so that they run before the [m_objcObserver disconnect] call. The post-disconnect block that previously contained these loops was reduced to setting the member references to nil and clearing m_cachedTracks.
Cocoa observer-lifecycle ordering violation: the KVO observer object is invalidated before it is unregistered from each observed object, leaving a stale weak reference in Foundation's KVO hash table.
Background
KVO requires that an observer be unregistered via -removeObserver:forKeyPath: before either the observer or the observed object is deallocated. Foundation maintains an internal hash table keyed by (observed, observer, keyPath) triples. m_objcObserver is the Objective-C observer wrapper owned by MediaPlayerPrivateAVFoundationObjC; its disconnect method severs the pointer from the wrapper back to the C++ owner so that subsequent callbacks become no-ops. MTE (Memory Tagging Extension) is a hardware feature of ARMv8.5+ that assigns a tag to each allocation and traps any dereference whose tag does not match.
Analysis
cancelLoad() called disconnect while the observer was still registered on m_avPlayerItem, m_avPlayer, and each track in m_cachedTracks. After disconnect ran, the subsequent removeObserver:forKeyPath: calls walked Foundation's KVO hash table. While locating each (observed, observer, keyPath) triple, a weak reference pointing at already-freed state was dereferenced. MTE detected the resulting tag mismatch.
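The following is an added illustration of the observer-lifecycle rule from the Background section and the teardown order the patch enforces; it is not WebKit code. The names Observee, Bridge, Owner and itemKeyPaths are hypothetical stand-ins for AVPlayerItem, m_objcObserver, MediaPlayerPrivateAVFoundationObjC and itemKVOProperties(), and the key paths are constructed sample values. Build as an ARC Objective-C program against Foundation.

```objective-c
// Added illustration, not WebKit code. Shows a non-owning KVO bridge between an
// owner and an observed object, and a cancelLoad-style teardown that unregisters
// from every observed object before invalidating the bridge.
#import <Foundation/Foundation.h>

// Key paths the owner observes on the item (constructed sample values,
// standing in for itemKVOProperties()).
static NSArray<NSString *> *itemKeyPaths(void)
{
    return @[ @"status", @"playbackLikelyToKeepUp" ];
}

// Hypothetical stand-in for AVPlayerItem: plain KVO-compliant properties.
@interface Observee : NSObject
@property (nonatomic) NSInteger status;
@property (nonatomic) BOOL playbackLikelyToKeepUp;
@end
@implementation Observee
@end

@class Owner;

// Hypothetical stand-in for m_objcObserver: forwards KVO callbacks to a
// non-owning back-pointer that disconnect clears.
@interface Bridge : NSObject
- (instancetype)initWithOwner:(Owner *)owner;
- (void)disconnect;  // severs the bridge -> owner pointer; later callbacks become no-ops
@end

// Hypothetical stand-in for the C++ owner.
@interface Owner : NSObject
@property (nonatomic, strong) Observee *item;
@property (nonatomic, strong) Bridge *bridge;
@property (nonatomic, readonly) NSUInteger changesSeen;
- (void)keyPathDidChange:(NSString *)keyPath;
- (void)cancelLoad;
@end

@implementation Bridge {
    __unsafe_unretained Owner *_owner;  // non-owning, like the wrapper's raw pointer into C++
}
- (instancetype)initWithOwner:(Owner *)owner
{
    if ((self = [super init]))
        _owner = owner;
    return self;
}
- (void)disconnect
{
    _owner = nil;
}
- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary<NSKeyValueChangeKey, id> *)change context:(void *)context
{
    if (!_owner)
        return;  // disconnected: drop the notification instead of touching a dead owner
    [_owner keyPathDidChange:keyPath];
}
@end

@implementation Owner
- (instancetype)init
{
    if ((self = [super init])) {
        _item = [Observee new];
        _bridge = [[Bridge alloc] initWithOwner:self];
        // Registration: one (item, bridge, keyPath) entry per key path in Foundation's table.
        for (NSString *keyPath in itemKeyPaths())
            [_item addObserver:_bridge forKeyPath:keyPath options:NSKeyValueObservingOptionNew context:NULL];
    }
    return self;
}
- (void)keyPathDidChange:(NSString *)keyPath
{
    _changesSeen++;
}
- (void)cancelLoad
{
    // 1. Unregister from every observed object while observer and observed are both alive.
    //    Removal must mirror registration exactly: removing an observer that was never
    //    added raises NSRangeException, so guard on the same condition used when adding.
    if (self.item) {
        for (NSString *keyPath in itemKeyPaths())
            [self.item removeObserver:self.bridge forKeyPath:keyPath];
    }
    // 2. Only now invalidate the bridge. Calling disconnect first (the pre-patch order)
    //    leaves live table entries that still name the bridge while it is torn down.
    [self.bridge disconnect];
    // 3. Release the observed object; nothing in Foundation's table refers to it any more.
    self.item = nil;
}
@end

int main(void)
{
    @autoreleasepool {
        Owner *owner = [Owner new];
        owner.item.status = 1;  // delivered through the bridge while it is connected
        [owner cancelLoad];
        NSLog(@"changes observed before teardown: %lu", (unsigned long)owner.changesSeen);
    }
    return 0;
}
```

The ordering in cancelLoad is the whole point: step 1 empties Foundation's (observed, observer, keyPath) entries while both ends are valid, step 2 makes any straggling callback a no-op, and only step 3 lets the observed object go away. Swapping steps 1 and 2 is the pattern the advisory describes.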
The ownership and lifecycle implications of this teardown ordering, and whether the resulting stale-reference access can be escalated beyond a crash, are explored in depth.
Audit directions
Multiple reusable audit patterns identified across WebKit's Objective-C/C++ observer bridges, with concrete starting points for variant discovery.