[24] ReadableStreamDefaultReader GC-thread UAF on m_stream
Severity: Medium | Component: WebCore Streams | ad57b51
This is the same class of cross-thread UAF as [23], found in another DOM object. While the GC-thread visitor is reading m_stream, the main thread can set it to null through releaseLock/genericRelease. That window is why it is rated Medium.
This is the companion patch to the XMLHttpRequest commit. m_stream is now protected by WTF_GUARDED_BY_LOCK(m_streamLock), and every access is serialized through that lock.
Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h
- RefPtr<ReadableStream> m_stream;
+ mutable Lock m_streamLock;
+ RefPtr<ReadableStream> m_stream WTF_GUARDED_BY_LOCK(m_streamLock);
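Review bot: the guarded_by annotation on m_stream only pays off if every writer also takes m_streamLock, and this excerpt shows only the visitor doing so; the main-thread paths named above (releaseLock/genericRelease) must assign m_stream under `Locker locker { m_streamLock };` as well, because WTF_GUARDED_BY_LOCK produces a diagnostic only under clang's thread-safety analysis and a bare `m_stream = nullptr;` elsewhere reintroduces the race. `mutable` on the lock is appropriate, since it lets const accessors lock without casting.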
template<typename Visitor>
void ReadableStreamDefaultReader::visitAdditionalChildrenInGCThread(Visitor& visitor)
{
+ Locker locker { m_streamLock };
if (m_stream)
SUPPRESS_UNCOUNTED_ARG m_stream->visitAdditionalChildrenInGCThread(visitor);
}
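Review bot: holding the Locker across the call into m_stream->visitAdditionalChildrenInGCThread(visitor) is what closes the window, but it also means the main thread's releaseLock now blocks for the duration of the child visit, and any lock the callee acquires must never be taken on the main thread in the opposite order relative to m_streamLock; a one-line comment on that lock ordering would help the next reader. SUPPRESS_UNCOUNTED_ARG remains accurate: the pointer is still passed uncounted, and it is the lock, not a ref, that keeps it valid here.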
The pattern is a reference-counted member that the main thread can modify, accessed by the GC visitor thread with no synchronization. The visitor can therefore dereference a pointer whose object is in the middle of being released.
The commit message states explicitly that "the stream cannot easily be ref'd on the GC thread." An atomic ref would not fix this race: by the time the ref is attempted, the object may already be partway through destruction.
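The interleaving described above, and why the lock (rather than a ref taken on the GC thread) closes it, as an added C++ model. This is not WebKit code: `Stream` and `Reader` stand in for ReadableStream and ReadableStreamDefaultReader, `std::mutex` for WTF::Lock, and "destruction" only flips an `alive` flag so the stale dereference can be observed without real undefined behaviour. The `raceWindow` hook and `runScenario` driver are my own test scaffolding marking the point where the GC thread can be preempted between the null check on m_stream and the dereference.

```cpp
// Added model of the ReadableStreamDefaultReader race (not WebKit code).
// Stream stands in for ReadableStream, Reader for ReadableStreamDefaultReader.
// Object "destruction" only flips Stream::alive so the stale dereference can be
// observed without real undefined behaviour; Reader::raceWindow is a test hook
// marking where the GC thread can be preempted between the null check on
// m_stream and the dereference.
#include <atomic>
#include <functional>
#include <mutex>
#include <thread>

struct Stream {
    std::atomic<int> refCount{1};
    std::atomic<bool> alive{true};
    int childrenVisited = 0;

    // Models RefPtr dropping the last reference: the real object is freed here.
    void deref() { if (--refCount == 0) alive = false; }

    // Returns false where the real visitor would touch freed memory.
    bool visitAdditionalChildrenInGCThread() {
        if (!alive) return false;
        ++childrenVisited;
        return true;
    }
};

struct Reader {
    explicit Reader(Stream* s) : stream(s) {}

    std::mutex streamLock;            // m_streamLock in the patch
    Stream* stream;                   // RefPtr<ReadableStream> m_stream
    std::function<void()> raceWindow; // test hook, see note above

    // --- before the patch: no synchronisation between the two threads ---
    void releaseLockUnpatched() {
        Stream* s = stream;
        stream = nullptr;
        if (s) s->deref();
    }
    bool visitUnpatched() {
        Stream* s = stream;           // the compiler may load m_stream once, like this
        if (!s) return true;
        raceWindow();                 // main thread runs releaseLock here
        return s->visitAdditionalChildrenInGCThread();
    }

    // --- after the patch: every access to m_stream is under m_streamLock ---
    void releaseLockPatched() {
        Stream* s;
        {
            std::lock_guard<std::mutex> locker(streamLock);
            s = stream;
            stream = nullptr;
        }
        if (s) s->deref();
    }
    bool visitPatched() {
        std::lock_guard<std::mutex> locker(streamLock); // held for the whole visit
        Stream* s = stream;
        if (!s) return true;
        raceWindow();                 // main thread now blocks on m_streamLock
        return s->visitAdditionalChildrenInGCThread();
    }
};

struct Outcome {
    bool visitorSawLiveStream; // false == use-after-free in the real code
    bool streamReleased;       // the main thread's release did complete
};

// Drives one interleaving: the GC thread is inside the visitor when the main
// thread calls releaseLock. Deterministic in both cases: without the lock the
// release is joined before the dereference; with the lock the releasing thread
// cannot acquire m_streamLock until the visitor's Locker goes out of scope.
Outcome runScenario(bool patched) {
    Stream stream;
    Reader reader(&stream);
    std::thread mainThread;
    reader.raceWindow = [&] {
        mainThread = std::thread([&] {
            if (patched) reader.releaseLockPatched(); else reader.releaseLockUnpatched();
        });
        if (!patched) mainThread.join(); // nothing stops it from finishing first
    };
    bool ok = patched ? reader.visitPatched() : reader.visitUnpatched();
    if (mainThread.joinable()) mainThread.join();
    return { ok, !stream.alive };
}

int main() {
    Outcome before = runScenario(false);
    Outcome after = runScenario(true);
    return (!before.visitorSawLiveStream && after.visitorSawLiveStream) ? 0 : 1;
}
```

The unpatched scenario is the bug: the visitor has already passed the null check when the main thread nulls m_stream and drops the last reference, so the visit lands on a dead object. The patched scenario shows the fix working without any ref on the GC thread: the releasing thread simply cannot touch m_stream until the visitor's lock guard is destroyed, which is also why a ref attempted inside the window would be too late, since refCount can already be zero by then.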
🔒The cross-thread lifetime and synchronization implications between GC-thread visitors and main-thread mutators are analyzed in depth, with a feasibility assessment for triggering the race from web content.
Audit directions
🔒Multiple reusable audit patterns identified for related Streams classes and other WebCore opaque-root participants, with concrete starting points for variant discovery.