NEW 228234
[GTK] Uninitialized data in UIClient::windowFrame written over IPC
https://bugs.webkit.org/show_bug.cgi?id=228234
Summary [GTK] Uninitialized data in UIClient::windowFrame written over IPC
Michael Catanzaro
Reported 2021-07-23 07:10:40 PDT
==87186== Thread 55 ReceiveQueue:
==87186== Syscall param sendmsg(msg.msg_iov[1]) points to uninitialised byte(s)
==87186==    at 0x59A0ACD: sendmsg (in /usr/lib64/libc-2.33.so)
==87186==    by 0x6AC8783: IPC::Connection::sendOutputMessage(IPC::UnixMessage&) (ConnectionUnix.cpp:536)
==87186==    by 0x6ACA719: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionUnix.cpp:454)
==87186==    by 0x6AB7997: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:932)
==87186==    by 0xA9C8505: operator() (Function.h:82)
==87186==    by 0xA9C8505: WTF::RunLoop::performWork() (RunLoop.cpp:133)
==87186==    by 0xAA1D8F8: operator() (RunLoopGLib.cpp:80)
==87186==    by 0xAA1D8F8: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:82)
==87186==    by 0xAA1E22E: operator() (RunLoopGLib.cpp:53)
==87186==    by 0xAA1E22E: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:56)
==87186==    by 0x5609922: g_main_dispatch (gmain.c:3344)
==87186==    by 0x560A875: g_main_context_dispatch (gmain.c:4062)
==87186==    by 0x560AA61: g_main_context_iterate (gmain.c:4138)
==87186==    by 0x560AEFE: g_main_loop_run (gmain.c:4336)
==87186==    by 0xAA1E34F: WTF::RunLoop::run() (RunLoopGLib.cpp:108)
==87186==  Address 0x21525daa is in a rw- anonymous segment
==87186==  Uninitialised value was created by a stack allocation
==87186==    at 0x6C310A0: UIClient::windowFrame(WebKit::WebPageProxy&, WTF::Function<void (WebCore::FloatRect)>&&) (WebKitUIClient.cpp:240)
Carlos Garcia Campos
Comment 1 2021-08-03 07:29:38 PDT
I guess the stack allocation at UIClient::windowFrame is the GdkRectangle, but it's initialized:

    GdkRectangle geometry = { 0, 0, 0, 0 };

It could be the default geometry, which is not initialized but it's always set by webkit_window_properties_get_geometry().
Michael Catanzaro
Comment 2 2021-08-03 15:13:07 PDT
> It could be the default geometry, which is not initialized but it's always
> set by webkit_window_properties_get_geometry().

webkit_window_properties_get_geometry() copies windowProperties->priv->geometry, so that would mean this would have to somehow be uninitialized. But that seems impossible, because the entire priv struct should be zero-initialized. I don't see the problem either....
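An added example (not WebKit or GTK code) of the failure mode the Valgrind report describes, using a hypothetical Rect in place of GdkRectangle: a rectangle that is only partially assigned before being copied into an outgoing message carries stale bytes, whereas the aggregate initialisation quoted in comment 1 leaves none. The POISON fill is a test-harness substitute for the uninitialised-byte tracking that Valgrind does implicitly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for GdkRectangle (hypothetical name; not WebKit/GTK code). */
typedef struct { int32_t x, y, width, height; } Rect;

/* Byte pattern the harness writes into storage before use, so that any byte
 * reaching the IPC buffer without being assigned is recognisable afterwards. */
#define POISON 0xAA

/* Models a producer that assigns only part of the rectangle. */
static void fill_rect_partially(Rect *r) { r->x = 10; r->y = 20; }

/* Models the IPC encoder: copies the rectangle into the outgoing message. */
static size_t encode_rect(const Rect *r, unsigned char *msg) {
    memcpy(msg, r, sizeof *r);
    return sizeof *r;
}

/* Counts message bytes still carrying the poison pattern. A non-zero result
 * means memory that was never assigned was serialised (what Valgrind flags
 * at sendmsg in the report above). */
static size_t poisoned_bytes(const unsigned char *msg, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (msg[i] == POISON);
    return n;
}

/* Path 1: rectangle holds whatever the stack held (simulated by the poison). */
size_t leak_with_uninitialised_rect(void) {
    Rect r;
    unsigned char msg[sizeof r];
    memset(&r, POISON, sizeof r);     /* stale stack contents */
    fill_rect_partially(&r);          /* width and height never written */
    return poisoned_bytes(msg, encode_rect(&r, msg));
}

/* Path 2: aggregate initialisation, as in GdkRectangle geometry = { 0, 0, 0, 0 }; */
size_t leak_with_initialised_rect(void) {
    Rect r = { 0, 0, 0, 0 };
    unsigned char msg[sizeof r];
    fill_rect_partially(&r);
    return poisoned_bytes(msg, encode_rect(&r, msg));
}
```

The same poison-then-encode check can be dropped into a unit test for any IPC encoder to catch an unassigned field or padding byte deterministically, independent of whether the process happens to run under Valgrind.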