91419 2012-07-16 13:07:37 -0700 [Blackberry] Any webpage can crash webkit via qnx.callExtensionMethod assuming 'this' is the 'qnx' object 2012-07-16 13:45:03 -0700 1 1 1 Unclassified WebKit WebKit BlackBerry 525.x (Safari 3.1) Other Other RESOLVED FIXED javascript:qnx.callExtensionMethod.apply(window, []); P2 Normal --- 1 ben webkit-unassigned mifenton tonikitoo webkit.review.bot yong.li.webkit oldest_to_newest 670595 0 ben 2012-07-16 13:07:37 -0700 Run the following in inspector to crash WebKit qnx.callExtensionMethod.apply(window, []); In the c++ that handles the function it assumes that when callExtensionMethod is called that 'this' is the object 'qnx'. The qnx object has a hidden variable that the code casts and uses, but when 'this' is not qnx such as the example this will cause a crash. Any website can insert the above JavaScript to cause the crash. 670601 1 152601 ben 2012-07-16 13:12:50 -0700 Created attachment 152601 patch 670605 2 yong.li.webkit 2012-07-16 13:22:18 -0700 Are we sure it is null? If so it shouldn't be security issue. But the change log makes me think it could be a non-zero pointer. Then the patch won't fix it. We could compare the vptr. 670606 3 ben 2012-07-16 13:23:53 -0700 It is null, I have a test page for this and confirmed it works. 670610 4 ben 2012-07-16 13:28:01 -0700 Edit: to be more clear in JSObjectRef.cpp JSObjectGetPrivate() will return 0 when the object is not a JSCallbackObject so a simple check is good enough to stop the crash. 670611 5 yong.li.webkit 2012-07-16 13:29:07 -0700 changing back from security 670628 6 152601 webkit.review.bot 2012-07-16 13:44:59 -0700 Comment on attachment 152601 patch Clearing flags on attachment: 152601 Committed r122757: <http://trac.webkit.org/changeset/122757> 670630 7 webkit.review.bot 2012-07-16 13:45:03 -0700 All reviewed patches have been landed. Closing bug. 152601 2012-07-16 13:12:50 -0700 2012-07-16 13:44:58 -0700 patch 0001-2012-07-16-Benjamin-C-Meyer-bmeyer-rim.com.patch text/plain 3134 ben RnJvbSA4OGZlZGNkOWU4ZDI5ZDRjNWM2ODA0YWNkYjQzNGMyYjJhZDhkYzdmIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBCZW5qYW1pbiBDIE1leWVyIDxibWV5ZXJAcmltLmNvbT4KRGF0 ZTogTW9uLCAxNiBKdWwgMjAxMiAxNjoxMjozNyAtMDQwMApTdWJqZWN0OiBbUEFUQ0hdIDIwMTIt MDctMTYgIEJlbmphbWluIEMgTWV5ZXIgIDxibWV5ZXJAcmltLmNvbT4KCiAgICAgICAgQW55IHdl YnBhZ2UgY2FuIGNyYXNoIHdlYmtpdCB2aWEgcW54LmNhbGxFeHRlbnNpb25NZXRob2QgYXNzdW1p bmcgJ3RoaXMnIGlzIHRoZSAncW54JyBvYmplY3QuCiAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtp dC5vcmcvc2hvd19idWcuY2dpP2lkPTkxNDE5CgogICAgICAgIFJ1biB0aGUgZm9sbG93aW5nIGlu IGluc3BlY3RvciB0byBjcmFzaCBXZWJLaXQKCiAgICAgICAgcW54LmNhbGxFeHRlbnNpb25NZXRo b2QuYXBwbHkod2luZG93LCBbXSk7CgogICAgICAgIEluIHRoZSBjKysgdGhhdCBoYW5kbGVzIHRo ZSBmdW5jdGlvbiBpdCBhc3N1bWVzIHRoYXQgd2hlbiBjYWxsRXh0ZW5zaW9uTWV0aG9kCiAgICAg ICAgaXMgY2FsbGVkIHRoYXQgJ3RoaXMnIGlzIHRoZSBvYmplY3QgJ3FueCcuICBUaGUgcW54IG9i amVjdCBoYXMgYSBoaWRkZW4KICAgICAgICB2YXJpYWJsZSB0aGF0IHRoZSBjb2RlIGNhc3RzIGFu ZCB1c2VzLCBidXQgd2hlbiAndGhpcycgaXMgbm90IHFueCBzdWNoIGFzIHRoZQogICAgICAgIGV4 YW1wbGUgdGhpcyB3aWxsIGNhdXNlIGEgY3Jhc2guICBBbnkgd2Vic2l0ZSBjYW4gaW5zZXJ0IHRo ZSBhYm92ZSBKYXZhU2NyaXB0CiAgICAgICAgdG8gY2F1c2UgdGhlIGNyYXNoLgoKICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KCiAgICAgICAgKiBXZWJDb3JlU3VwcG9ydC9DbGll bnRFeHRlbnNpb24uY3BwOgogICAgICAgIChjbGllbnRFeHRlbnNpb25NZXRob2QpOgotLS0KIFNv dXJjZS9XZWJLaXQvYmxhY2tiZXJyeS9DaGFuZ2VMb2cgICAgICAgICAgICAgICAgIHwgICAyMCAr KysrKysrKysrKysrKysrKysrKwogLi4uL2JsYWNrYmVycnkvV2ViQ29yZVN1cHBvcnQvQ2xpZW50 RXh0ZW5zaW9uLmNwcCAgfCAgICA0ICsrKy0KIDIgZmlsZXMgY2hhbmdlZCwgMjMgaW5zZXJ0aW9u cygrKSwgMSBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L2JsYWNrYmVy cnkvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9ibGFja2JlcnJ5L0NoYW5nZUxvZwppbmRleCA4 MjM4YzBmLi41MGNjNzNmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0L2JsYWNrYmVycnkvQ2hh bmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvYmxhY2tiZXJyeS9DaGFuZ2VMb2cKQEAgLTEsMyAr MSwyMyBAQAorMjAxMi0wNy0xNiAgQmVuamFtaW4gQyBNZXllciAgPGJtZXllckByaW0uY29tPgor CisgICAgICAgIEFueSB3ZWJwYWdlIGNhbiBjcmFzaCB3ZWJraXQgdmlhIHFueC5jYWxsRXh0ZW5z aW9uTWV0aG9kIGFzc3VtaW5nICd0aGlzJyBpcyB0aGUgJ3FueCcgb2JqZWN0LgorICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9OTE0MTkKKworICAgICAgICBS dW4gdGhlIGZvbGxvd2luZyBpbiBpbnNwZWN0b3IgdG8gY3Jhc2ggV2ViS2l0CisKKyAgICAgICAg cW54LmNhbGxFeHRlbnNpb25NZXRob2QuYXBwbHkod2luZG93LCBbXSk7CisKKyAgICAgICAgSW4g dGhlIGMrKyB0aGF0IGhhbmRsZXMgdGhlIGZ1bmN0aW9uIGl0IGFzc3VtZXMgdGhhdCB3aGVuIGNh bGxFeHRlbnNpb25NZXRob2QKKyAgICAgICAgaXMgY2FsbGVkIHRoYXQgJ3RoaXMnIGlzIHRoZSBv YmplY3QgJ3FueCcuICBUaGUgcW54IG9iamVjdCBoYXMgYSBoaWRkZW4KKyAgICAgICAgdmFyaWFi bGUgdGhhdCB0aGUgY29kZSBjYXN0cyBhbmQgdXNlcywgYnV0IHdoZW4gJ3RoaXMnIGlzIG5vdCBx bnggc3VjaCBhcyB0aGUKKyAgICAgICAgZXhhbXBsZSB0aGlzIHdpbGwgY2F1c2UgYSBjcmFzaC4g IEFueSB3ZWJzaXRlIGNhbiBpbnNlcnQgdGhlIGFib3ZlIEphdmFTY3JpcHQKKyAgICAgICAgdG8g Y2F1c2UgdGhlIGNyYXNoLgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgICogV2ViQ29yZVN1cHBvcnQvQ2xpZW50RXh0ZW5zaW9uLmNwcDoKKyAgICAgICAg KGNsaWVudEV4dGVuc2lvbk1ldGhvZCk6CisKIDIwMTItMDctMTMgIEphY2t5IEppYW5nICA8emhh amlhbmdAcmltLmNvbT4KIAogICAgICAgICBbQmxhY2tCZXJyeV0gcmVzZXRCaXRtYXBab29tU2Nh bGUgY2FsbGVkIHdoaWxlIHpvb21pbmcgcHJldmVudGluZyBwaW5jaCB6b29tCmRpZmYgLS1naXQg YS9Tb3VyY2UvV2ViS2l0L2JsYWNrYmVycnkvV2ViQ29yZVN1cHBvcnQvQ2xpZW50RXh0ZW5zaW9u LmNwcCBiL1NvdXJjZS9XZWJLaXQvYmxhY2tiZXJyeS9XZWJDb3JlU3VwcG9ydC9DbGllbnRFeHRl bnNpb24uY3BwCmluZGV4IGQzZDdiNjIuLmJjZDdiOTggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJL aXQvYmxhY2tiZXJyeS9XZWJDb3JlU3VwcG9ydC9DbGllbnRFeHRlbnNpb24uY3BwCisrKyBiL1Nv dXJjZS9XZWJLaXQvYmxhY2tiZXJyeS9XZWJDb3JlU3VwcG9ydC9DbGllbnRFeHRlbnNpb24uY3Bw CkBAIC01MCw3ICs1MCw5IEBAIHN0YXRpYyBKU1ZhbHVlUmVmIGNsaWVudEV4dGVuc2lvbk1ldGhv ZCgKICAgICB9CiAKICAgICBXZWJQYWdlQ2xpZW50KiBjbGllbnQgPSByZWludGVycHJldF9jYXN0 PFdlYlBhZ2VDbGllbnQqPihKU09iamVjdEdldFByaXZhdGUodGhpc09iamVjdCkpOwotICAgIHN0 cmluZyByZXRWYWwgPSBjbGllbnQtPmludm9rZUNsaWVudEphdmFTY3JpcHRDYWxsYmFjayhzdHJB cmdzLCBhcmd1bWVudENvdW50KS51dGY4KCk7CisgICAgc3RyaW5nIHJldFZhbDsKKyAgICBpZiAo Y2xpZW50KQorICAgICAgICByZXRWYWwgPSBjbGllbnQtPmludm9rZUNsaWVudEphdmFTY3JpcHRD YWxsYmFjayhzdHJBcmdzLCBhcmd1bWVudENvdW50KS51dGY4KCk7CiAgICAgaWYgKCFyZXRWYWwu ZW1wdHkoKSkKICAgICAgICAganNSZXRWYWwgPSBKU1ZhbHVlTWFrZVN0cmluZyhjdHgsIEpTU3Ry aW5nQ3JlYXRlV2l0aFVURjhDU3RyaW5nKHJldFZhbC5jX3N0cigpKSk7CiAKLS0gCjEuNy4xCgo=