169029 2017-03-01 04:06:50 -0800 Leak under Options::setOptions 2017-03-08 06:49:32 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 169055 104114 1 tpopela tpopela commit-queue keith_miller mark.lam mcatanzaro msaboff saam oldest_to_newest 1282233 0 tpopela 2017-03-01 04:06:50 -0800 The optionsStrCopy variable is leaked in Options::setOptions in Source/JavaScriptCore/runtime/Options.cpp 1282234 1 303061 tpopela 2017-03-01 04:09:12 -0800 Created attachment 303061 Patch 1282268 2 303061 msaboff 2017-03-01 07:35:03 -0800 Comment on attachment 303061 Patch r=me 1282272 3 303061 tpopela 2017-03-01 07:40:12 -0800 Comment on attachment 303061 Patch Clearing flags on attachment: 303061 Committed r213222: <http://trac.webkit.org/changeset/213222> 1282273 4 tpopela 2017-03-01 07:40:21 -0800 All reviewed patches have been landed. Closing bug. 1282311 5 303061 mark.lam 2017-03-01 09:59:22 -0800 Comment on attachment 303061 Patch This exposes a problem. Previously, by leaking the optionsStrCopy, we ensure that the option string being parsed by setOption() persists. Now that we free it properly, we can have a use after free scenario because we don't strdup string type options. See the FOR_EACH_OPTION macro in Options::setOptionWithoutAlias(). I think we should revert this patch and take the leak (since we don't parse options like this all the time) until we can fix string type options to strdup appropriately. 1282419 6 ap 2017-03-01 13:32:06 -0800 Yes, please roll out. A use after free is a much worse symptom. 1282436 7 msaboff 2017-03-01 14:01:22 -0800 I talked with Mark and I have a follow patch that fixes the UAF and reduces any leaks. I'll post in a few minutes. Filed <https://bugs.webkit.org/show_bug.cgi?id=169055> to track that change. 303061 2017-03-01 04:09:12 -0800 2017-03-01 07:40:12 -0800 Patch bug-169029-20170301130614.patch text/plain 1854 tpopela U3VidmVyc2lvbiBSZXZpc2lvbjogMjEzMjE2CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCAw OTBkMDdhNmU4MDJiM2NlYzMxYjhkNTZmZjhlMzc1NzUyMDEwYjkzLi5jOGNkYWY4NzNjODRiMjdk NTNmYzM2YWRjOTM4OWI3YTY5YjMyYjAyIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxNSBAQAorMjAxNy0wMy0wMSAgVG9tYXMgUG9wZWxhICA8dHBvcGVsYUByZWRoYXQuY29t PgorCisgICAgICAgIExlYWsgdW5kZXIgT3B0aW9uczo6c2V0T3B0aW9ucworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTY5MDI5CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgRG9uJ3QgbGVhayB0aGUgb3B0aW9u c1N0ckNvcHkgdmFyaWFibGUuCisKKyAgICAgICAgKiBydW50aW1lL09wdGlvbnMuY3BwOgorICAg ICAgICAoSlNDOjpPcHRpb25zOjpzZXRPcHRpb25zKToKKwogMjAxNy0wMy0wMSAgWXVzdWtlIFN1 enVraSAgPHV0YXRhbmUudGVhQGdtYWlsLmNvbT4KIAogICAgICAgICBbSlNDXSBBbGxvdyBVbmxp bmtlZENvZGVCbG9jayB0byBkdW1wIGl0cyBieXRlY29kZSBzZXF1ZW5jZQpkaWZmIC0tZ2l0IGEv U291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvT3B0aW9ucy5jcHAgYi9Tb3VyY2UvSmF2YVNj cmlwdENvcmUvcnVudGltZS9PcHRpb25zLmNwcAppbmRleCBjNzQ3ODc5ZjU3OWM0ZmI2NDEyY2Jk MzNiN2UyOGIyMGQ4M2E3MzQ5Li41ZDAxOTc1MWQ3MmNjZTZiNzgyNzI1NDc4ODFiNDE2MTBhNjRm ZGZhIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9PcHRpb25zLmNw cAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9PcHRpb25zLmNwcApAQCAtNTU3 LDYgKzU1Nyw3IEBAIGJvb2wgT3B0aW9uczo6c2V0T3B0aW9ucyhjb25zdCBjaGFyKiBvcHRpb25z U3RyKQogICAgICAgICBwID0gc3Ryc3RyKHAsICI9Iik7CiAgICAgICAgIGlmICghcCkgewogICAg ICAgICAgICAgZGF0YUxvZ0YoIic9JyBub3QgZm91bmQgaW4gb3B0aW9uIHN0cmluZzogJXBcbiIs IG9wdGlvblN0YXJ0KTsKKyAgICAgICAgICAgIFdURjo6ZmFzdEZyZWUob3B0aW9uc1N0ckNvcHkp OwogICAgICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICB9CiAgICAgICAgIHArKzsKQEAg LTU2OCw2ICs1NjksNyBAQCBib29sIE9wdGlvbnM6OnNldE9wdGlvbnMoY29uc3QgY2hhciogb3B0 aW9uc1N0cikKICAgICAgICAgICAgIHAgPSBzdHJzdHIocCArIDEsICJcIiIpOwogICAgICAgICAg ICAgaWYgKCFwKSB7CiAgICAgICAgICAgICAgICAgZGF0YUxvZ0YoIk1pc3NpbmcgdHJhaWxpbmcg J1wiJyBpbiBvcHRpb24gc3RyaW5nOiAlcFxuIiwgb3B0aW9uU3RhcnQpOworICAgICAgICAgICAg ICAgIFdURjo6ZmFzdEZyZWUob3B0aW9uc1N0ckNvcHkpOwogICAgICAgICAgICAgICAgIHJldHVy biBmYWxzZTsgLy8gRW5kIG9mIHN0cmluZyBub3QgZm91bmQuCiAgICAgICAgICAgICB9CiAgICAg ICAgICAgICBoYXNTdHJpbmdWYWx1ZSA9IHRydWU7CkBAIC02MTAsNiArNjEyLDggQEAgYm9vbCBP cHRpb25zOjpzZXRPcHRpb25zKGNvbnN0IGNoYXIqIG9wdGlvbnNTdHIpCiAKICAgICBlbnN1cmVP cHRpb25zQXJlQ29oZXJlbnQoKTsKIAorICAgIFdURjo6ZmFzdEZyZWUob3B0aW9uc1N0ckNvcHkp OworCiAgICAgcmV0dXJuIHN1Y2Nlc3M7CiB9CiAK