260069 2023-08-11 06:39:36 -0700 OSAllocatorWin protect frees page when setting readable and writeable to false 2023-08-14 14:39:12 -0700 1 1 1 Unclassified WebKit WebKit API WebKit Local Build PC Windows 10 RESOLVED FIXED InRadar P2 Normal --- 1 ian.grunert webkit-unassigned webkit-bug-importer oldest_to_newest 1970709 0 ian.grunert 2023-08-11 06:39:36 -0700 In OSAllocatorWin, if you call OSAllocator::protect with readable false and writeable false, it’ll free the page + decommit. To the caller, this looks like it does the right thing - attempting to access the freed page will throw an access violation. However freeing the page there’s a risk that we re-allocate that page. For WasmMemory we want the pages to remain reserved in the virtual address space, so if someone tries to access memory in a “red zone” page it’ll throw an access violation. If that page is re-allocated, we could overflow WasmMemory and read / write that page. OSAllocatorPOSIX always calls mprotect so does not have the same problem. 1970711 1 ian.grunert 2023-08-11 07:02:58 -0700 Pull request: https://github.com/WebKit/WebKit/pull/16605 1971137 2 ews-feeder 2023-08-14 14:38:11 -0700 Committed 266876@main (673b5ea5e903): <https://commits.webkit.org/266876@main> Reviewed commits have been landed. Closing PR #16605 and removing active labels. 1971138 3 webkit-bug-importer 2023-08-14 14:39:12 -0700 <rdar://problem/113873590>