[26] WKDateTimePicker SetForScope writes to freed self
Severity: Medium | Component: WebKit UIProcess iOS forms | 7b904b1
Rated Medium because the diff fixes a UAF in the UI process: a SetForScope RAII guard tied to _isDismissingDatePicker outlived self. The call [_datePickerController dismissViewControllerAnimated:NO completion:nil] re-entered runloop work that dropped the last reference to the WKDateTimePicker, so at scope exit the guard's destructor wrote NO into freed memory. The fix keeps the controller retained for the duration of that call with protect().
Source/WebKit/UIProcess/ios/forms/WKDateTimeInputControl.mm
- (void)removeDatePickerPresentation
{
if (_datePickerController) {
if (!_isDismissingDatePicker) {
SetForScope isDismissingDatePicker { _isDismissingDatePicker, YES };
- [_datePickerController dismissViewControllerAnimated:NO completion:nil];
+ [protect(_datePickerController) dismissViewControllerAnimated:NO completion:nil];
}
_datePickerController = nil;
}
}
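Review bot: the protect(_datePickerController) on the `+` line keeps the controller alive across -dismissViewControllerAnimated:completion:, but the SetForScope two lines above still writes _isDismissingDatePicker back into self at scope exit; if the re-entrant runloop work can release the last reference to self, as the summary describes, self needs to be retained too (e.g. `auto protectedSelf = protect(self);` taken before the guard), unless _datePickerController is what transitively owns self, in which case that ownership should be stated in a comment next to the protect() call so the next reader does not remove it as redundant.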
Use-after-free via RAII scope-guard outliving its enclosing object across an Objective-C re-entrancy boundary.
Three call sites are wrapped: removeDatePickerPresentation here, plus WKFormPeripheralBase's beginEditing/endEditing, which have the same controlBeginEditing/controlEndEditing shape. WKDatePickerPopoverController.mm similarly protects a __weak _delegate across the call.
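The lifetime ordering behind the bug, as an added example in plain C++ rather than WebKit's Objective-C++ (this is not code from the commit). A scope guard restores a member of the object at scope exit while the call inside the scope re-enters work that drops the object's last reference. Assumptions: DateTimePicker, runScenario and g_runloopWork are illustrative names; std::shared_ptr stands in for WebKit's RetainPtr/protect(); the extra owner argument on SetForScope and the g_live address set are instrumentation playing the role AddressSanitizer would, so the bad write is classified instead of performed (WTF::SetForScope has no such argument). The hardened variant retains self directly, whereas the hunk above retains _datePickerController, the object whose dismissal triggers the re-entrant work.

```cpp
// Added example, not WebKit code: models a RAII guard outliving its owning object
// across a re-entrant call. g_live stands in for AddressSanitizer (assumption).
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

static std::set<const void*> g_live;          // addresses of live pickers (instrumentation)
static std::vector<std::string> g_log;        // ordered record of what happened
static std::function<void()> g_runloopWork;   // re-entrant work triggered by dismissal

// Mirrors WTF::SetForScope: set the slot now, restore the old value at scope exit.
// The `owner` parameter exists only for the liveness check (assumption, not WTF).
template <typename T>
class SetForScope {
public:
    SetForScope(T& slot, T value, const void* owner)
        : m_slot(slot), m_owner(owner), m_old(slot) { slot = value; }
    ~SetForScope() {
        if (g_live.count(m_owner)) {
            m_slot = m_old;
            g_log.push_back("guard restored flag");
        } else {
            // In the real code this is the write of NO into freed memory.
            g_log.push_back("guard wrote to freed owner");
        }
    }
private:
    T& m_slot;
    const void* m_owner;
    T m_old;
};

class DateTimePicker : public std::enable_shared_from_this<DateTimePicker> {
public:
    DateTimePicker() { g_live.insert(this); }
    ~DateTimePicker() { g_live.erase(this); g_log.push_back("picker destroyed"); }

    // Shape of the original removeDatePickerPresentation: nothing keeps *this
    // alive while dismissal re-enters the runloop.
    void removeVulnerable() {
        if (!m_isDismissing) {
            SetForScope<bool> isDismissing(m_isDismissing, true, this);
            dismiss();
        } // guard destructor runs here, possibly after *this was freed
    }

    // Shape of the fix: a strong reference (protect()/RetainPtr in WebKit,
    // shared_ptr here) outlives the guard, so the write-back hits live memory.
    void removeProtected() {
        std::shared_ptr<DateTimePicker> protectedThis = shared_from_this();
        if (!m_isDismissing) {
            SetForScope<bool> isDismissing(m_isDismissing, true, this);
            dismiss();
        } // guard restores the flag while protectedThis still owns *this
    }

private:
    // Stand-in for -dismissViewControllerAnimated:completion:, which can run
    // arbitrary client code before it returns.
    void dismiss() { if (g_runloopWork) g_runloopWork(); }
    bool m_isDismissing = false;
};

// One scenario: the only owning reference is dropped from inside the dismissal
// callback. Returns the event log so the ordering can be inspected.
std::vector<std::string> runScenario(bool hardened) {
    g_log.clear();
    auto picker = std::make_shared<DateTimePicker>();
    g_runloopWork = [&picker] { picker.reset(); };   // drops the last reference
    DateTimePicker* raw = picker.get();                // mimics the bare `self`
    if (hardened) raw->removeProtected(); else raw->removeVulnerable();
    g_runloopWork = nullptr;
    return g_log;
}

int main() {
    for (bool hardened : {false, true}) {
        std::cout << (hardened ? "protected:  " : "vulnerable: ");
        for (const auto& e : runScenario(hardened)) std::cout << e << " -> ";
        std::cout << "end\n";
    }
}
```

The vulnerable run logs the destructor before the guard's write-back, which is the order the summary describes; the protected run reverses it because the strong reference is declared outside the guard's scope and therefore is released after it. Where the retained object is not self, the same reasoning applies only if that object transitively owns self, which is the question a reviewer should settle before accepting a protect() on a different receiver.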