The commit description included the comment to check out a Chromium bug. I saw that my now Project Zero teammate, Sergei Glazunov, originally reported the bug back in 2013, so I asked him for the details.

The use-after-free from 2013 (no CVE was assigned) was a bug in the implementation of the History API. (During this time Chromium still used the WebKit rendering engine, before Chromium forked it.) The History API exposes a getter for state, and a method replaceState which allows overwriting the "most recent" history entry. This API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a SerializedScriptValue.

The bug was that in the implementation of the getter for state, SerializedScriptValue::deserialize was called on the current "most recent" history entry value without increasing its reference count. As SerializedScriptValue::deserialize could trigger a callback into user JavaScript, the callback could call replaceState to drop the only reference to the history entry value by replacing it with a new value. When the callback returned, the rest of SerializedScriptValue::deserialize ran with a freed this pointer.

In order to fix this bug, it appears that the developers decided to change every caller of SerializedScriptValue::deserialize to increase the reference count on the stateObject by changing the argument types from a raw pointer to PassRefPtr. While the originally reported trigger called deserialize on the stateObject through the V8History::stateAccessorGetter function, the developers' fix also caught and patched the path to deserialize through loadInSameDocument.

My hope was that the test would crash the vulnerable version of WebKit and I'd be done with my root cause analysis and could move on to the next bug. Unfortunately, it didn't crash.

# The Autopsy

When we look at the timeline of changes for FrameLoader::loadInSameDocument it seems that the bug was re-introduced in December 2016 due to refactoring.

The timeline of the changes impacting the stateObject is:

 * Original implementation:
   * HistoryItem.m_stateObject is type RefPtr
   * HistoryItem::stateObject() returns SerializedScriptValue*
   * FrameLoader::loadInSameDocument takes stateObject argument as SerializedScriptValue*
 * 2013 fix:
   * HistoryItem::stateObject returns a PassRefPtr
   * FrameLoader::loadInSameDocument takes stateObject argument as PassRefPtr
 * Later change:
   * HistoryItem::stateObject returns RefPtr instead of PassRefPtr
 * October 2016:
   * HistoryItem::stateObject() is changed to return raw pointer instead of RefPtr
 * December 2016:
   * FrameLoader::loadInSameDocument changed to take stateObject as a raw pointer instead of PassRefPtr
 * Fix for the bug analysed here:
   * FrameLoader::loadInSameDocument changed to take stateObject as a RefPtr

The question is, why did the patch author think that loadInSameDocument would not need to hold a reference? My assessment is that it's due to the October 2016 changes in HistoryItem::stateObject. From the commit description: "Take a raw pointer for the serialized script value state object."

According to the description, the patch in October 2016 was intended to "Replace all uses of ExceptionCodeWithMessage with WebCore::Exception". When the author was evaluating the refactoring changes needed in the dom directory in December 2016, it would have appeared that the only calls to loadInSameDocument passed in either a null value or the result of stateObject(), which as of October 2016 now returned a raw SerializedScriptValue* pointer. No one was passing ownership. When looking at those two options for the type of an argument, it's potentially understandable that the developer thought that loadInSameDocument did not need to share ownership of stateObject.

So why then was HistoryItem::stateObject's return value changed from a RefPtr to a raw pointer in October 2016? That I'm struggling to find an explanation for.
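To make the ownership problem described above concrete, here is a constructed toy model added for this write-up (not WebKit code): the state getter, the re-entrant deserialize call, and a replaceState callback. std::shared_ptr stands in for RefPtr, the type and method names mirror the WebKit ones discussed in the text, and the `destroyed` flag is an assumption added so the example can observe the lifetime without touching freed memory.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed stand-in for WebCore::SerializedScriptValue; the flag records destruction.
struct SerializedScriptValue {
    std::string payload;
    bool& destroyed;
    SerializedScriptValue(std::string p, bool& d) : payload(std::move(p)), destroyed(d) {}
    ~SerializedScriptValue() { destroyed = true; }
};

// Constructed stand-in for HistoryItem: m_stateObject owns the "most recent" entry.
// std::shared_ptr plays the role of WebKit's RefPtr here.
struct HistoryItem {
    std::shared_ptr<SerializedScriptValue> m_stateObject;
    SerializedScriptValue* stateObject() { return m_stateObject.get(); } // raw pointer, no ownership
    void replaceState(std::shared_ptr<SerializedScriptValue> v) { m_stateObject = std::move(v); }
};

// Stand-in for SerializedScriptValue::deserialize: it re-enters user script (the callback)
// and then keeps working on 'self'. Returns false if 'self' was freed during the callback,
// the point where the real code went on using a dangling this pointer.
bool deserialize(SerializedScriptValue* self, const bool& destroyed,
                 const std::function<void()>& userScript) {
    userScript();
    if (destroyed)
        return false;
    return !self->payload.empty();
}

// The state getter. holdReference == false models the buggy path: the raw pointer from
// stateObject() is the only handle, so replaceState() inside the callback drops the last
// reference. holdReference == true keeps a RefPtr-style copy alive across deserialize(),
// which is the ownership fix the text describes.
bool stateGetter(bool holdReference) {
    bool destroyed = false;
    bool replacementDestroyed = false;
    HistoryItem item{std::make_shared<SerializedScriptValue>("state-v1", destroyed)};
    auto userScript = [&] {
        item.replaceState(std::make_shared<SerializedScriptValue>("state-v2", replacementDestroyed));
    };
    if (!holdReference)
        return deserialize(item.stateObject(), destroyed, userScript);
    std::shared_ptr<SerializedScriptValue> ref = item.m_stateObject; // extra reference held
    return deserialize(ref.get(), destroyed, userScript);
}

int main() { return (stateGetter(false) == false && stateGetter(true)) ? 0 : 1; }
```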