[4] WebCore::Color: MTE hardening for compact pointer in destructor
Severity: Low | Component: WebCore graphics (Color value type) | d474526
Rated Low because the diff is defense-in-depth hardening that scrubs a compact-pointer-bearing word in Color's destructor. It does not fix an observable trigger but shrinks the amplification surface of a hypothetical upstream UAF on a Color value; escalation requires an independent UAF that the diff does not exhibit.
WebCore::Color is made of a single field that contains flags in the upper bits and can contain a pointer to an OutOfLineComponents instance. This compact pointer is untagged by libpas, so it must be manually cleared to prevent any security issues if the Color object is freed and later observed. secureZeroBytes and secureZeroSpan are annotated NODELETE so the safer-cpp static analyzer can prove that calling them from ~Color() does not run any destructor or free memory.
Source/WebCore/platform/graphics/Color.h
inline Color::~Color()
{
if (isOutOfLine())
asOutOfLine().deref();
+ secureZeroBytes(m_colorAndFlags);
}
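Review bot: the new secureZeroBytes(m_colorAndFlags) call runs on every destructor path, including inline colors, and sits correctly after asOutOfLine().deref() (the deref needs the intact word); since nothing in the hunk says why a one-word scrub belongs outside the if, a short comment such as "// m_colorAndFlags may hold an untagged compact pointer; scrub it so a freed Color leaves no pointer residue" would stop a later cleanup from hoisting the call into the isOutOfLine() branch or dropping it as a redundant store.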
Source/WTF/wtf/StdLibExtras.h
template<typename T, std::size_t Extent>
-void secureZeroSpan(std::span<T, Extent> destination)
+void NODELETE secureZeroSpan(std::span<T, Extent> destination)
...
-template<typename T> void secureZeroBytes(T& object)
+template<typename T> void NODELETE secureZeroBytes(T& object)
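Review bot: the hunk changes only the two signatures, so NODELETE is being asserted rather than shown; the annotation is sound only while the bodies of secureZeroSpan and secureZeroBytes stay pure stores with no destructor or allocator calls, which the elided lines do not let a reviewer confirm. Suggest a one-line comment above the template stating that invariant (and that the zeroing must not be optimizable away), so the next edit to these bodies keeps the property the safer-cpp analyzer now relies on.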
Patch Details
Color::~Color() is extended to call secureZeroBytes(m_colorAndFlags) after the existing asOutOfLine().deref(), ensuring the compact pointer/flags word is overwritten before the object's storage is released. In wtf/StdLibExtras.h, secureZeroSpan and secureZeroBytes gain the NODELETE annotation so WebKit's safer-cpp static analyzer can prove that invoking them from a destructor does not itself transitively destruct other objects or free memory.
The underlying weakness is a failure to scrub a pointer-bearing field in a destructor, which leaves an exploitable residue if the freed object is later reached through a use-after-free.
Background
MTE (Memory Tagging Extension) is an ARMv8.5 hardware feature where each allocation is tagged with a 4-bit color, and pointer dereferences trap when the pointer's tag does not match the memory's tag. libpas is WebKit's userspace allocator; it integrates with MTE to retag memory on free, which causes most dangling pointers to fault on access. A compact pointer is a pointer stored alongside other bits in a single word — here, m_colorAndFlags holds a pointer to OutOfLineComponents in the upper bits plus flag bits. Because the bits are not stored as a normal tagged pointer, libpas's MTE retagging logic does not automatically clear or retag the value when the containing object is freed.
NODELETE is a WebKit safer-cpp annotation declaring that a function will not transitively run any destructor or free memory, which lets the static analyzer admit calls to it from contexts that must not re-enter allocator code. secureZeroBytes is a zeroing primitive whose write is guaranteed not to be optimized away by the compiler, intended for scrubbing residual capability-bearing words.
WebCore::Color is a pervasive value type used in CSS parsing, painting, canvas, and SVG. Its layout is a single word m_colorAndFlags that either packs an inline sRGBA color plus flags, or stores a tagged pointer to a ref-counted OutOfLineComponents carrying wide-gamut/float color data.
Analysis
The hardening gap is the absence of a defensive scrub in a destructor whose remaining residue is a usable capability. Before the fix, ~Color() released the OutOfLineComponents reference when out-of-line but left m_colorAndFlags — the single compact word that, for out-of-line colors, contains the pointer to the just-derefed OutOfLineComponents — intact in the dead Color's storage. Color is TZone-allocated, and because the compact pointer is not tagged by libpas's MTE machinery, the freed slot retains a recognizable pointer value even on MTE-enabled hardware.
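To make the residue concrete, the following is an added C++ model written for this page, not WebKit's code: the one-word layout (flag in the top bit, pointer in the low 48 bits), the volatile-store stand-in for secureZeroBytes and the placement-new harness are all assumptions of the example, and the pre-fix and hardened destructors are selected by a template flag so the two can be compared on the same storage.

```cpp
#include <cstdint>
#include <cstring>
#include <new>

// Stand-in for WTF::secureZeroBytes (written for this example, not WebKit's code):
// volatile byte stores cannot be dropped as dead writes to an object about to die.
inline void secureZeroBytes(void* p, std::size_t n)
{
    volatile unsigned char* v = static_cast<volatile unsigned char*>(p);
    while (n--)
        *v++ = 0;
}

struct OutOfLineComponents { int refCount = 1; }; // model of the ref-counted payload

// Constructed model of Color's one word: a flag in the top bit, the pointer in the
// low 48 bits (assumes a 64-bit user-space address fits there). kScrub selects the
// pre-fix (false) or hardened (true) destructor.
template<bool kScrub>
class Color {
public:
    static constexpr std::uint64_t kOutOfLineFlag = std::uint64_t { 1 } << 63;
    static constexpr std::uint64_t kPointerMask = (std::uint64_t { 1 } << 48) - 1;
    explicit Color(OutOfLineComponents* p)
        : m_colorAndFlags(kOutOfLineFlag | (reinterpret_cast<std::uintptr_t>(p) & kPointerMask)) { }
    ~Color()
    {
        if (isOutOfLine())
            --asOutOfLine()->refCount; // stand-in for deref()
        if (kScrub)
            secureZeroBytes(&m_colorAndFlags, sizeof m_colorAndFlags); // the hardening
    }
    bool isOutOfLine() const { return m_colorAndFlags & kOutOfLineFlag; }
    OutOfLineComponents* asOutOfLine() const { return reinterpret_cast<OutOfLineComponents*>(m_colorAndFlags & kPointerMask); }
private:
    std::uint64_t m_colorAndFlags;
};

// Build a Color in caller-owned storage, destroy it, and test whether the dead slot
// still decodes to the released pointer (what a later use-after-free would observe).
// The storage array outlives the Color, so reading its bytes afterwards is valid.
template<bool kScrub>
bool deadSlotStillPointsAt(OutOfLineComponents& target)
{
    using C = Color<kScrub>;
    alignas(C) unsigned char storage[sizeof(C)];
    (new (storage) C(&target))->~C();
    std::uint64_t word;
    std::memcpy(&word, storage, sizeof word);
    return (word & C::kOutOfLineFlag)
        && (word & C::kPointerMask) == (reinterpret_cast<std::uintptr_t>(&target) & C::kPointerMask);
}
```

deadSlotStillPointsAt<false> reports the pre-fix behaviour (the released pointer survives in the dead slot) and deadSlotStillPointsAt<true> the hardened one (the word reads back as zero), while both variants still drop the reference exactly once.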