[26] WKDateTimePicker SetForScope writes to freed self
Severity: Medium | Component: WebKit UIProcess iOS forms | 7b904b1
Classified as Medium severity. The diff fixes a UAF inside the UI process. While [_datePickerController dismissViewControllerAnimated:NO completion:nil] is executing, re-entrant runloop work releases the last reference to WKDateTimePicker. The SetForScope RAII guard bound to _isDismissingDatePicker then outlives self and, at scope exit, writes NO into already-freed memory.
Source/WebKit/UIProcess/ios/forms/WKDateTimeInputControl.mm
- (void)removeDatePickerPresentation
{
if (_datePickerController) {
if (!_isDismissingDatePicker) {
SetForScope isDismissingDatePicker { _isDismissingDatePicker, YES };
- [_datePickerController dismissViewControllerAnimated:NO completion:nil];
+ [protect(_datePickerController) dismissViewControllerAnimated:NO completion:nil];
}
_datePickerController = nil;
}
}
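Review bot: retaining _datePickerController via protect(...) keeps the controller alive across the dismissal, but the guard on `SetForScope isDismissingDatePicker { _isDismissingDatePicker, YES };` still writes into self's ivar when its scope closes, so the one-line change is only sufficient if the retained controller transitively keeps self alive for that long; if that ownership edge is not guaranteed, retain self for the method's duration (e.g. `RetainPtr<WKDateTimePicker> protectedSelf = self;` declared before the SetForScope, so it is released after the guard restores) and say so in the commit message, since the same ordering applies to the other call sites fixed in this change.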
A use-after-free caused by an RAII scope guard outliving its enclosing object at an Objective-C re-entrancy boundary.
Three call sites were fixed in total. Besides removeDatePickerPresentation, WKFormPeripheralBase's beginEditing/endEditing (the controlBeginEditing/controlEndEditing pattern) received the same treatment. WKDatePickerPopoverController.mm likewise protects its __weak _delegate in the same way.
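An added example, not WebKit's own code, that models the ordering bug described above in plain C++: a SetForScope stand-in, a constructed ledger that records whether the guard's owner is still alive at scope exit (where a real build would rely on ASan to catch the write), and std::shared_ptr in place of Objective-C retain/release. protectedThis plays the role of the diff's protect(...) and is declared before the guard so that it is released after the guard restores:

```cpp
#include <functional>
#include <memory>
#include <set>

// Ledger of live objects, standing in for the allocator/ASan view of valid addresses.
static std::set<const void*> g_live;
static int g_freedWrites = 0;

// Minimal stand-in for WTF::SetForScope: set now, restore the old value at scope exit.
template <typename T> class SetForScope {
public:
    SetForScope(T& ref, T value, const void* owner)
        : m_ref(ref), m_old(ref), m_owner(owner) { m_ref = value; }
    ~SetForScope() {
        // The real guard would just write; a write to a dead owner is counted instead.
        if (!g_live.count(m_owner)) { ++g_freedWrites; return; }
        m_ref = m_old;
    }
private:
    T& m_ref; T m_old; const void* m_owner;
};

// Stand-in for WKDateTimePicker; shared_ptr plays the role of ObjC retain/release.
struct Picker : std::enable_shared_from_this<Picker> {
    bool isDismissing = false;
    std::function<void()> onDismiss; // re-entrant runloop work during dismissal
    Picker() { g_live.insert(this); }
    ~Picker() { g_live.erase(this); }
    void removePresentationUnprotected() {
        SetForScope<bool> guard(isDismissing, true, this);
        auto dismiss = onDismiss;
        dismiss(); // may drop the last reference to this
    }              // guard's destructor now restores into freed memory
    void removePresentationProtected() {
        auto protectedThis = shared_from_this(); // like protect(...) in the diff
        SetForScope<bool> guard(isDismissing, true, this);
        auto dismiss = onDismiss;
        dismiss();
    }              // guard restores first, then protectedThis releases: safe
};

// One scenario: the dismissal callback releases the only owning reference.
int freedWritesFor(bool useProtectedVariant) {
    g_freedWrites = 0;
    auto picker = std::make_shared<Picker>();
    Picker* raw = picker.get();
    raw->onDismiss = [&picker] { picker.reset(); };
    useProtectedVariant ? raw->removePresentationProtected() : raw->removePresentationUnprotected();
    return g_freedWrites; // 1 for the unprotected path, 0 for the protected one
}
```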
The ownership and lifetime story behind a single-byte write into freed UI-process memory, including what an attacker would need to turn this into something more than a crash.
Audit directions
Four reusable audit patterns identified, covering RAII scope guards, IPC-driven UIKit dismissal paths, and weak-ivar dereferencing across WebKit's iOS UI process.