Bug 260069
| Summary: | OSAllocatorWin protect frees page when setting readable and writeable to false | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Ian Grunert <ian.grunert> |
| Component: | WebKit API | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | PC | | |
| OS: | Windows 10 | | |
Ian Grunert
In OSAllocatorWin, if you call OSAllocator::protect with readable false and writeable false, it’ll free the page + decommit. To the caller, this looks like it does the right thing: attempting to access the freed page will throw an access violation. However, by freeing the page there’s a risk that we re-allocate that page.
For WasmMemory we want the pages to remain reserved in the virtual address space, so if someone tries to access memory in a “red zone” page it’ll throw an access violation. If that page is re-allocated, we could overflow WasmMemory and read / write that page.
OSAllocatorPOSIX always calls mprotect, so it does not have the same problem.
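The two behaviours contrasted in the report, as an added example that is not part of the original bug or the WebKit pull request: a toy WasmMemory of four accessible pages followed by one red-zone page, where "protect to no access" is modelled either by releasing the page (the OSAllocatorWin behaviour the report describes) or by changing its permissions while keeping it reserved (the OSAllocatorPOSIX behaviour). POSIX mmap/munmap/mprotect stand in for OSAllocator::protect so the program runs on Linux or macOS; the function names protect_by_releasing, protect_by_mprotect, read_faults, range_is_reusable and probe_red_zone are my own, and the reuse check assumes that mmap honours an address hint only when the range is free, which is how Linux and macOS behave.

```c
// Added example, not WebKit's code: models the two "protect to no access"
// strategies the report contrasts, with POSIX calls in place of
// OSAllocator::protect so it runs on Linux or macOS.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*protect_fn)(void*, size_t);

// What the report describes for OSAllocatorWin: "no access" is implemented by
// giving the page back, so the address range becomes free for later reuse.
static int protect_by_releasing(void* p, size_t len) { return munmap(p, len); }

// What OSAllocatorPOSIX does: only the permissions change; the range stays
// reserved, so no later allocation can be placed on top of the red zone.
static int protect_by_mprotect(void* p, size_t len) { return mprotect(p, len, PROT_NONE); }

// --- Fault probe: does touching the red zone still raise an access violation?
static sigjmp_buf fault_jump;
static volatile uint8_t sink;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

static bool read_faults(const uint8_t* p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   // macOS reports PROT_NONE pages as SIGBUS
    volatile bool faulted = true;       // volatile: survives the siglongjmp
    if (sigsetjmp(fault_jump, 1) == 0) {
        sink = *(const volatile uint8_t*)p;  // volatile read so it is not optimised away
        faulted = false;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

// --- Reuse probe: can a fresh allocation land exactly on the red zone?
// A non-MAP_FIXED hint is honoured only when that range is free (assumption,
// true on Linux and macOS), so getting the hinted address back means the
// reservation is gone and a later allocation could live where the red zone was.
static bool range_is_reusable(void* want, size_t len) {
    void* got = mmap(want, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED) return false;
    bool reused = (got == want);
    munmap(got, len);
    return reused;
}

typedef struct { bool access_faults; bool red_zone_reusable; } Probe;

// Lays out a toy "WasmMemory": 4 accessible pages followed by a 1-page red
// zone, applies the chosen protect strategy to the red zone, and reports what
// an out-of-bounds access into the red zone would see afterwards.
static Probe probe_red_zone(protect_fn protect) {
    Probe r = { false, false };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t memory_len = 4 * page, red_zone_len = page;
    uint8_t* base = mmap(NULL, memory_len + red_zone_len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return r;
    uint8_t* red_zone = base + memory_len;
    if (protect(red_zone, red_zone_len) == 0) {
        r.access_faults = read_faults(red_zone);
        r.red_zone_reusable = range_is_reusable(red_zone, red_zone_len);
    }
    munmap(base, memory_len + red_zone_len);  // unmapping an already-unmapped page is not an error
    return r;
}

int main(void) {
    Probe released = probe_red_zone(protect_by_releasing);
    Probe reserved = probe_red_zone(protect_by_mprotect);
    printf("release page:  faults=%d reusable=%d\n", released.access_faults, released.red_zone_reusable);
    printf("mprotect page: faults=%d reusable=%d\n", reserved.access_faults, reserved.red_zone_reusable);
    return 0;
}
```

Both strategies report faults=1, which is why the caller cannot tell them apart by probing; only the release strategy reports reusable=1, which is the reallocation risk the report is about. Build with `cc -o redzone redzone.c` and run it.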
Ian Grunert
Pull request: https://github.com/WebKit/WebKit/pull/16605
EWS
Committed 266876@main (673b5ea5e903): <https://commits.webkit.org/266876@main>
Reviewed commits have been landed. Closing PR #16605 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/113873590>