[24] ReadableStreamDefaultReader GC-thread UAF on m_stream
Severity: Medium | Component: WebCore Streams | ad57b51
Rated Medium because the diff fixes the same cross-thread UAF class as #23 in a different DOM object: GC-thread visitors read m_stream while the main thread can null it via releaseLock/genericRelease.
Sister fix to the XMLHttpRequest commit. m_stream becomes WTF_GUARDED_BY_LOCK(m_streamLock); every access serialises through the lock.
Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h
- RefPtr<ReadableStream> m_stream;
+ mutable Lock m_streamLock;
+ RefPtr<ReadableStream> m_stream WTF_GUARDED_BY_LOCK(m_streamLock);
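Review bot: the annotation enforces the discipline only at compile time, and only in translation units built with thread-safety analysis, and the nulling path named in the description (releaseLock/genericRelease) is not in this hunk; confirm that every write to m_stream, not just the GC-thread read, takes m_streamLock, since a lock held on only one side leaves the race intact. `mutable Lock m_streamLock;` is right, because const visitors need to acquire it.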
template<typename Visitor>
void ReadableStreamDefaultReader::visitAdditionalChildrenInGCThread(Visitor& visitor)
{
+ Locker locker { m_streamLock };
if (m_stream)
SUPPRESS_UNCOUNTED_ARG m_stream->visitAdditionalChildrenInGCThread(visitor);
}
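Review bot: holding `Locker locker { m_streamLock };` across the nested `m_stream->visitAdditionalChildrenInGCThread(visitor)` call is what makes this safe (the RefPtr cannot be dropped mid-visit), but it also means that callee, and anything the main thread runs while holding m_streamLock, must never block on the GC thread or take a lock the GC thread may hold, otherwise this adds a lock-ordering deadlock; a one-line comment stating the lock is deliberately held for the whole visit would help the next reader. SUPPRESS_UNCOUNTED_ARG remains accurate here, since the lock rather than a ref is what keeps the stream alive.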
The root cause is unsynchronized access from a GC visitor thread to a main-thread-mutable reference-counted member, which lets the visitor dereference a pointer that is concurrently being released.
The commit message explicitly notes "we cannot easily ref the stream on the GC thread": taking an atomic ref does not close the race, because the object may already be mid-destruction by the time the ref is taken.
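The pattern the diff addresses, as an added illustration that is not WebKit code: a constructed Reader/Stream pair with the pre-fix unlocked visitor beside the locked visitor from the commit, plus a small harness that races a "GC" thread against release(). The names Reader, Stream, runRace and visitInGCThreadUnsafe, and the use of std::shared_ptr and std::mutex as stand-ins for RefPtr and WTF's Lock/Locker, are assumptions made for the example.

```cpp
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>

// Constructed stand-in for ReadableStream (not WebKit code). Constructor and
// destructor bump a caller-owned live counter so a visit that arrives after
// destruction can be recognised; in the real engine that visit would be a
// use-after-free.
struct Stream {
    std::atomic<int>* liveCount;
    explicit Stream(std::atomic<int>* c) : liveCount(c) { ++*liveCount; }
    ~Stream() { --*liveCount; }
    // The visitor's work: only legal while the object is alive.
    int visit() const { return liveCount->load() > 0 ? 1 : -1; }
};

// Hypothetical reader modelled on ReadableStreamDefaultReader after the fix:
// every access to m_stream goes through m_streamLock, which is the discipline
// WTF_GUARDED_BY_LOCK(m_streamLock) asks the compiler to enforce.
class Reader {
public:
    explicit Reader(std::atomic<int>* c) : m_stream(std::make_shared<Stream>(c)) {}

    // Main-thread mutator, standing in for releaseLock/genericRelease.
    void release() {
        std::shared_ptr<Stream> dying;
        {
            std::lock_guard<std::mutex> locker(m_streamLock);
            dying.swap(m_stream); // null the member under the lock
        }
        // `dying` drops the last reference here; a visitor can no longer
        // reach the pointer because it was nulled while the lock was held.
    }

    // GC-thread visitor, pre-fix shape: reads the member with no lock.
    // Never called below: racing it against release() is a data race
    // (ThreadSanitizer reports it) and the visit can land on freed memory.
    int visitInGCThreadUnsafe() const {
        if (m_stream)
            return m_stream->visit();
        return 0;
    }

    // GC-thread visitor, post-fix shape: the lock is held for the whole visit,
    // so the main thread cannot null (and thereby free) the stream between the
    // null check and the dereference.
    int visitInGCThread() const {
        std::lock_guard<std::mutex> locker(m_streamLock);
        if (m_stream)
            return m_stream->visit();
        return 0;
    }

private:
    mutable std::mutex m_streamLock;  // mutable: const visitors must lock it
    std::shared_ptr<Stream> m_stream; // guarded by m_streamLock
};

// Constructed race: a "GC" thread visits repeatedly while the "main" thread
// releases. Returns true when no visit touched a destroyed stream and the
// stream really was freed by the end.
bool runRace(int visits) {
    std::atomic<int> liveCount{0};
    std::atomic<bool> sawDeadStream{false};
    Reader reader(&liveCount);
    std::thread gc([&] {
        for (int i = 0; i < visits; ++i) {
            if (reader.visitInGCThread() < 0)
                sawDeadStream = true;
        }
    });
    reader.release();
    gc.join();
    return !sawDeadStream.load() && liveCount.load() == 0;
}

int main() {
    return runRace(10000) ? 0 : 1;
}
```

Only the locked visitor is raced; the unlocked one is kept for contrast because exercising it is undefined behaviour. Holding the lock for the entire visit is what keeps the stream alive, which is why the commit can avoid taking a ref on the GC thread at all.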