Bug 299882

Summary: [GTK] Crash in FenceMonitor::addFileDescriptor
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bugs-noreply, mcatanzaro
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=2400463
Attachments: Backtrace (flags: none)

Michael Catanzaro
Reported 2025-09-30 10:53:28 PDT
Created attachment 476905: Backtrace

Moving this from https://bugzilla.redhat.com/show_bug.cgi?id=2400463.

Stack trace attached. There are two bugs here:

(1) AcceleratedBackingStore::frame passed an invalid WTF::UnixFileDescriptor to FenceMonitor::addFileDescriptor. Why is the fd invalid?

(2) This is an IPC interface; the fd is sent from the web process to the UI process, and it's expected that the message may be malicious and invalid. The UI process should message check it and kill the web process if the message is invalid. It shouldn't be possible for anything the web process does to crash the UI process.
Attachment: Backtrace (123.56 KB, text/plain), 2025-09-30 10:53 PDT, Michael Catanzaro, no flags
Michael Catanzaro
Comment 1 2025-09-30 10:55:54 PDT
(I suspect that in general, Linux-specific messages may not be using MESSAGE_CHECK() where required. This could lead to sandbox escapes.)
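The pattern the report and Comment 1 call for, as an added illustration that is not WebKit code: a descriptor received over IPC from the untrusted web process is validated before anything dereferences it, and an invalid one is answered by rejecting the message and flagging the sender for termination rather than by crashing the receiving process. `ReceivedFd`, `handleFrameFence` and `MessageResult` are hypothetical stand-ins for WTF::UnixFileDescriptor, the UI-process message handler and a MESSAGE_CHECK outcome.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <cstdio>

// Hypothetical stand-in for a descriptor received over IPC (not WTF::UnixFileDescriptor).
struct ReceivedFd {
    int value = -1;
};

// Returns true only if fd refers to a descriptor that is open in this process.
// A descriptor that never arrived (-1) or was already closed fails here (EBADF).
bool isValidFd(int fd)
{
    if (fd < 0)
        return false;
    return fcntl(fd, F_GETFD) != -1;
}

enum class MessageResult { Handled, TerminateSender };

// Hypothetical receiver shaped like the UI-process side of the frame message:
// the fence fd comes from the untrusted web process, so it is checked before
// being handed to the fence-monitoring code (stand-in for addFileDescriptor).
MessageResult handleFrameFence(const ReceivedFd& fence, int& fencesAdded)
{
    if (!isValidFd(fence.value)) {
        // Equivalent of a failed message check: drop the message and tell the
        // caller to terminate the sending process instead of crashing this one.
        return MessageResult::TerminateSender;
    }
    ++fencesAdded; // would be FenceMonitor::addFileDescriptor(std::move(fd))
    return MessageResult::Handled;
}

int main()
{
    int pipeFds[2];
    if (pipe(pipeFds) != 0) // constructed sample: a pipe gives us a real open fd
        return 1;
    int added = 0;
    MessageResult ok = handleFrameFence(ReceivedFd{pipeFds[0]}, added);
    MessageResult bad = handleFrameFence(ReceivedFd{-1}, added);
    std::printf("open fd: %s, fd -1: %s, fences added: %d\n",
                ok == MessageResult::Handled ? "handled" : "terminate sender",
                bad == MessageResult::Handled ? "handled" : "terminate sender", added);
    close(pipeFds[0]);
    close(pipeFds[1]);
    return 0;
}
```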
Michael Catanzaro
Comment 2 2026-01-02 15:44:24 PST
*** This bug has been marked as a duplicate of bug 304204 ***