[3] WKRevealItemPresenter: re-entrancy UAF in showContextMenu
Severity: Medium | Component: WebKit UIProcess (macOS) | d089fe1
Rated Medium because the diff fixes a use-after-free in the UI process triggered by an IPC handler re-entering during a nested AppKit modal run loop and reassigning the sole-owner WebViewImpl::m_revealItemPresenter member. The UAF is reachable from WebContent via crafted data-detection click results; sandbox escape from this UAF requires a separate exploitation chain the diff does not establish.
The UI process can crash inside -[WKRevealItemPresenter showContextMenu] because the presenter is held only by the single strong reference m_revealItemPresenter in WebViewImpl. While the context menu's nested modal run loop is spinning, a second data-detection click result can arrive over IPC and re-enter handleClickForDataDetectionResult, which overwrites m_revealItemPresenter with a newly allocated presenter and thereby releases, and with no other owner deallocates, the presenter whose showContextMenu is still on the stack. The fix sends showContextMenu to protect(m_revealItemPresenter), a local strong reference that keeps the presenter alive for the duration of the call.
Source/WebKit/UIProcess/mac/WebViewImpl.mm
m_revealItemPresenter = adoptNS([[WKRevealItemPresenter alloc] initWithWebViewImpl:*this item:adoptNS([PAL::allocRVItemInstance() initWithDDResult:info.result.get()]).get() frame:info.elementBounds menuLocation:clickLocation]);
[m_revealItemPresenter setShouldUseDefaultHighlight:NO];
- [m_revealItemPresenter showContextMenu];
+ [protect(m_revealItemPresenter) showContextMenu];
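Review bot: protect() keeps the presenter alive across showContextMenu, but the presenter is constructed with initWithWebViewImpl:*this on the line above, and nothing in this hunk keeps the WebViewImpl itself alive across the nested modal run loop; please confirm that WKRevealItemPresenter holds its WebViewImpl weakly, or that view teardown dismisses the menu, so the same lifetime problem does not recur one level up. Separately, once a re-entered handler has replaced m_revealItemPresenter, the previous presenter is still showing its menu with no owner other than the protect() temporary; consider dismissing the outstanding presenter before the assignment (e.g. a guard before `m_revealItemPresenter = adoptNS(...)`) rather than letting two presenters race.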
Patch Details
A single-line change in WebKit::WebViewImpl::handleClickForDataDetectionResult. The direct call [m_revealItemPresenter showContextMenu] is replaced with [protect(m_revealItemPresenter) showContextMenu]. protect() is a WebKit idiom that materializes a local strong reference (a RetainPtr<> temporary) from a smart-pointer member; the temporary lives until the end of the full-expression, so the presenter is held alive for the entire modal showContextMenu invocation regardless of any reassignment of m_revealItemPresenter that happens while the call is in flight.
Sole-owner member pointer mutated by re-entrant IPC during a nested modal run loop, freeing the receiver of the in-flight method call.
Background
WKRevealItemPresenter is an Objective-C UI helper that displays a context menu for a data-detection match (phone number, address, calendar event) using Apple's Reveal framework. WebViewImpl is the per-WKWebView C++ object on macOS that owns UI-process state, including a single strong reference m_revealItemPresenter held in a RetainPtr<> obtained from adoptNS. handleClickForDataDetectionResult is invoked when the WebContent process sends back, over IPC, the hit result for a click on a data-detection match.
showContextMenu displays an AppKit context menu, which is modal: AppKit spins a nested run loop until the user dismisses the menu. While that nested run loop is active, the UI-process main thread continues to dispatch incoming IPC messages — meaning new messages from the WebContent process can re-enter UI-process IPC handlers before the outer showContextMenu call has returned. protect(...) is a WebKit idiom that materializes a local strong reference from a smart-pointer member so the referenced object survives even if the member is mutated during the call.
Analysis
The bug is a textbook use-after-free via re-entrant overwrite of a sole-owner strong reference during a nested modal run loop. Before the fix, WebViewImpl held the WKRevealItemPresenter solely via the strong member m_revealItemPresenter. The call sequence has the dangerous shape: m_revealItemPresenter = adoptNS([[WKRevealItemPresenter alloc] init...]) allocates the presenter and stores it via assignment; two lines later a modal Objective-C method is sent to that member directly, with no other strong reference outstanding. Any handler that runs inside the nested loop and assigns m_revealItemPresenter releases the only reference to the receiver, and when the nested loop unwinds the Reveal/AppKit menu code continues executing against freed memory.
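The ownership sequence described in Background and Analysis, as an added example that is not WebKit's code: a minimal C++ model in which RetainPtr and protect() are stand-ins for WebKit's RetainPtr<> and protect(), the AppKit nested run loop is a callback invoked from inside the modal call, and IPC re-entry is that callback reassigning the sole-owner member. Objects are marked freed rather than deallocated so the demonstration stays defined behaviour; WebViewImpl, Presenter, makePresenter and reentrantClick are this model's names and assumptions, not WebKit's.

```cpp
// Added example (not WebKit code): model of the sole-owner re-entrancy UAF
// and of the protect() fix. Names below are this model's, not WebKit's.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for an NSObject. When the last strong reference goes away we mark
// the object freed instead of deleting it, so touching a "dead" object stays
// defined behaviour here (a real deallocation is the use-after-free).
struct RefCounted {
    int refCount = 0;
    bool freed = false;
};

// Stand-in for WebKit's RetainPtr<>: one strong reference with retain/release.
template <typename T>
class RetainPtr {
public:
    RetainPtr() = default;
    explicit RetainPtr(T* p) : m_ptr(p) { if (m_ptr) ++m_ptr->refCount; }
    RetainPtr(const RetainPtr& o) : RetainPtr(o.m_ptr) {}
    ~RetainPtr() { if (m_ptr && --m_ptr->refCount == 0) m_ptr->freed = true; }
    // Copy-and-swap: the previous referent is released when `o` is destroyed,
    // which is exactly the point at which the old presenter dies in the bug.
    RetainPtr& operator=(RetainPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for WebKit's protect(): a local strong reference copied from the
// member; the temporary lives until the end of the full-expression.
template <typename T>
RetainPtr<T> protect(const RetainPtr<T>& p) { return p; }

struct Presenter : RefCounted {
    explicit Presenter(int presenterId) : id(presenterId) {}
    int id;
    // Modal call: "spins the nested run loop" (the callback), then reports
    // whether the receiver was still alive when control came back to it.
    bool showContextMenu(const std::function<void()>& nestedRunLoop) {
        nestedRunLoop();
        return !freed;
    }
};

// Owner of the sole strong reference, as WebViewImpl is in the real code.
struct WebViewImpl {
    std::vector<std::unique_ptr<Presenter>> heap; // backing storage for the model
    RetainPtr<Presenter> m_revealItemPresenter;
    int nextId = 0;

    RetainPtr<Presenter> makePresenter() {
        heap.push_back(std::make_unique<Presenter>(nextId++));
        return RetainPtr<Presenter>(heap.back().get());
    }

    // A second data-detection click delivered over IPC while the menu is up:
    // overwrites the member, releasing whatever it previously held.
    void reentrantClick() { m_revealItemPresenter = makePresenter(); }

    // Pre-fix shape: the member itself is the receiver of the modal call.
    // Returns false when the receiver was freed out from under the call.
    bool handleClickUnprotected() {
        m_revealItemPresenter = makePresenter();
        return m_revealItemPresenter->showContextMenu([this] { reentrantClick(); });
    }

    // Post-fix shape: the protect() temporary holds the presenter for the
    // whole statement, so reassignment inside the nested loop cannot free it.
    bool handleClickProtected() {
        m_revealItemPresenter = makePresenter();
        return protect(m_revealItemPresenter)->showContextMenu([this] { reentrantClick(); });
    }
};

// End-to-end check of the fixed shape: the call completes on a live receiver,
// the member now points at the re-entrant presenter (id 1), and the original
// presenter (id 0) is released only once the statement has ended.
bool protectedCallReleasesOldPresenterAfterwards() {
    WebViewImpl view;
    bool receiverAlive = view.handleClickProtected();
    return receiverAlive && view.heap[0]->freed && view.m_revealItemPresenter->id == 1;
}

int main() {
    WebViewImpl vulnerable, fixed;
    std::printf("unprotected: receiver alive after nested loop = %d\n", vulnerable.handleClickUnprotected());
    std::printf("protected:   receiver alive after nested loop = %d\n", fixed.handleClickProtected());
    return 0;
}
```

The model deliberately keeps the "freed" object addressable; with a real allocator the unprotected path returns into a deallocated WKRevealItemPresenter, which is the crash the advisory describes, and a protect()-style local reference is the minimal change that makes the statement's receiver independent of the member.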
🔒The ownership and lifetime implications of a re-entrant IPC during a nested modal run loop are explored in depth, along with what an attacker could realistically gain in the UI process.
Audit directions
🔒Multiple reusable audit patterns identified across UIProcess presenter/controller members, with concrete starting points for variant discovery on macOS.