[18] Navigation API null-deref via reload() in pageswap handler
Severity: Medium | Component: WebCore Navigation API | 8e3ad95
Fixes a null dereference in the renderer when navigation.reload() is called re-entrantly from inside a pageswap handler. Before the patch, the nested reload removed the provisional DocumentLoader that HistoryController::updateForCommit() was about to dereference.
Source/WebCore/page/Navigation.cpp
- if (!protect(window->document())->isFullyActive() || window->document()->unloadCounter())
+ if (RefPtr document = window->document(); !document->isFullyActive() || frame()->loader().isDispatchingPageSwapEvent() || document->unloadCounter())
return createErrorResult(WTF::move(committed), WTF::move(finished), ExceptionCode::InvalidStateError, "Invalid state"_s);
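Review bot: the new condition is correct only because of its evaluation order. `frame()->loader()` is reached without a null check, and that appears to rely on `!document->isFullyActive()` being tested first and short-circuiting for a document that has no frame; if anyone later reorders the terms (say, to test the cheap flag first), `frame()` needs its own null check. Since this is the same guard navigate() received in Bug 303364, consider hoisting the `!isFullyActive() || isDispatchingPageSwapEvent() || unloadCounter()` triple into one helper that every Navigation entry point calls, so the next entry point cannot miss the pageswap term the way reload() did.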
Patch Details
Navigation::reload() was changed to check frame()->loader().isDispatchingPageSwapEvent(). If that returns true, the call is rejected with InvalidStateError. This guard is the same one already applied to Navigation::navigate() in Bug 303364.
Pattern: a Navigation API entry point reachable from inside a pageswap event handler lacks a re-entrancy guard, so nested code can invalidate provisional commit state that the outer caller still depends on.
When a reload reaches the commit phase, pageswap fires. Calling navigation.reload() synchronously inside that handler runs the sync policy check, which removes FrameLoader::m_provisionalDocumentLoader. When the handler returns, updateForCommit() dereferences the loader, which is now null.
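To make the re-entrancy pattern above concrete, here is an added example (not WebKit code and not part of the original writeup) that models the commit sequence in JavaScript: a FrameLoader stand-in that fires pageswap and then reads the provisional loader in updateForCommit(), and a Navigation stand-in whose reload() either carries the patched isDispatchingPageSwapEvent() guard or not. The member names are borrowed from the writeup; their behaviour here, the synchronous `{ error }` return from reload(), and the example URL are assumptions made for illustration. The web-content trigger itself is the two-liner in the comment near the bottom.

```javascript
// Added example, not WebKit code: a miniature model of the commit pipeline
// described in the writeup. Member names (m_provisionalDocumentLoader,
// isDispatchingPageSwapEvent, updateForCommit) mirror the advisory; the way
// they behave here is an assumption made for illustration only.

class InvalidStateError extends Error {
  constructor(msg) { super(msg); this.name = 'InvalidStateError'; }
}

// Stand-in for FrameLoader plus the part of HistoryController that reads the
// provisional loader at commit time. It doubles as the pageswap event target.
class FrameLoader {
  constructor() {
    this.m_provisionalDocumentLoader = null; // non-null while a load is in flight
    this.dispatchingPageSwap = false;        // true only while pageswap handlers run
    this.handlers = [];
    this.committedUrl = null;
  }
  isDispatchingPageSwapEvent() { return this.dispatchingPageSwap; }
  addEventListener(type, fn) { if (type === 'pageswap') this.handlers.push(fn); }

  startProvisionalLoad(url) { this.m_provisionalDocumentLoader = { url }; }
  // Sync policy check for a new load: the in-flight provisional loader is
  // dropped immediately. Its replacement would only be installed after an
  // asynchronous policy decision, so nothing is installed here.
  stopProvisionalLoad() { this.m_provisionalDocumentLoader = null; }

  // Commit: pageswap fires first, then updateForCommit() reads the provisional
  // loader that was current when the commit began.
  commitProvisionalLoad() {
    this.dispatchingPageSwap = true;
    try { for (const h of this.handlers) h(); }
    finally { this.dispatchingPageSwap = false; }
    return this.updateForCommit();
  }
  updateForCommit() {
    const loader = this.m_provisionalDocumentLoader;
    // In C++ this is the null dereference; in JS it surfaces as a TypeError.
    this.committedUrl = loader.url;
    this.m_provisionalDocumentLoader = null;
    return this.committedUrl;
  }
}

// Stand-in for Navigation::reload(). `guarded` selects pre- or post-patch behaviour.
class Navigation {
  constructor(frameLoader, guarded) { this.loader = frameLoader; this.guarded = guarded; }
  // Returns { error } synchronously; the real API reports the same rejection
  // through the committed/finished promises it returns.
  reload() {
    if (this.guarded && this.loader.isDispatchingPageSwapEvent()) {
      return { error: new InvalidStateError('Invalid state') }; // post-patch
    }
    this.loader.stopProvisionalLoad(); // pre-patch: outer loader is discarded
    return { error: null };
  }
}

// The trigger as web content would write it:
//   window.addEventListener('pageswap', () => { navigation.reload(); });
//   navigation.reload();   // outer reload; pageswap fires when it commits
// runScenario() wires the same listener to the model instead of window.
function runScenario(guarded) {
  const loader = new FrameLoader();
  const navigation = new Navigation(loader, guarded);
  const outcome = { nestedReload: null, commit: null };
  loader.addEventListener('pageswap', () => {
    const { error } = navigation.reload(); // re-entrant call from the handler
    outcome.nestedReload = error ? error.name : 'accepted';
  });
  loader.startProvisionalLoad('https://example.test/'); // the outer reload
  try { outcome.commit = loader.commitProvisionalLoad(); }
  catch (e) { outcome.commit = e.name; } // 'TypeError' models the renderer crash
  return outcome;
}

console.log('pre-patch :', runScenario(false));
console.log('post-patch:', runScenario(true));
```

Pre-patch, the nested reload is accepted and the commit ends in a TypeError on the null loader; post-patch, the nested reload is rejected with InvalidStateError and the outer commit completes with the loader intact. The model deliberately keeps the guard check ahead of the policy check, which is the ordering the patch establishes.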
🔒Ownership and lifetime implications across the FrameLoader commit pipeline, plus how far this crash can plausibly be escalated under realistic web-content conditions.
Audit directions
🔒Four reusable audit patterns covering Navigation API entry-point symmetry and re-entrancy-guard coverage across the FrameLoader commit pipeline, with concrete starting points for variant discovery.