Bug 235931 - [libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory
Summary: [libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` poi...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: bmalloc
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-01-31 17:26 PST by David Kilzer (:ddkilzer)
Modified: 2022-01-31 20:34 PST (History)
4 users

See Also:


Attachments
Patch v1 (1.51 KB, patch)
2022-01-31 17:28 PST, David Kilzer (:ddkilzer)
no flags

Description David Kilzer (:ddkilzer) 2022-01-31 17:26:34 PST
In libpas, get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory.

pas_all_heaps_get_num_free_bytes() is called and doesn't initialize `result` on the stack, then calls the following functions with a pointer to `result`:
- pas_all_heaps_for_each_heap()
- pas_all_heaps_for_each_static_heap()
- callback() / get_num_free_bytes_for_each_heap_callback()

Found by clang static analyzer.
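The defect pattern in the report, shown as an added example that is not libpas code and not the patch attached to this bug: a for-each walk passes `arg` to an accumulating callback, so whatever the caller's stack variable held on entry becomes part of the total. The `model_*` names, the heap struct and the sample heap values are constructed for this illustration; only the shape (uninitialized accumulator vs. zero-initialized accumulator) mirrors the bug description.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a libpas heap: only the field the example needs. */
typedef struct {
    const char *name;
    size_t num_free_bytes;
} model_heap;

typedef void (*model_heap_callback)(model_heap *heap, void *arg);

/* Constructed sample data; not real libpas heap state. */
static model_heap sample_heaps[] = {
    { "heap-a", 4096 },
    { "heap-b", 1024 },
    { "heap-c", 0 },
};
#define NUM_SAMPLE_HEAPS (sizeof sample_heaps / sizeof sample_heaps[0])

/* Stand-in for pas_all_heaps_for_each_heap(): invokes the callback on every heap,
   forwarding the caller's `arg` pointer unchanged. */
static void model_for_each_heap(model_heap_callback callback, void *arg)
{
    for (size_t i = 0; i < NUM_SAMPLE_HEAPS; i++)
        callback(&sample_heaps[i], arg);
}

/* Stand-in for get_num_free_bytes_for_each_heap_callback(): adds into *arg.
   It only ever adds, so any garbage *arg holds on entry survives into the total. */
static void model_num_free_bytes_callback(model_heap *heap, void *arg)
{
    size_t *total = arg;
    *total += heap->num_free_bytes;
}

/* Buggy shape from the bug report: `result` is declared but never initialized,
   so the returned sum depends on leftover stack contents (undefined behaviour).
   Kept only to show the defect; nothing below calls it. */
static size_t model_get_num_free_bytes_buggy(void)
{
    size_t result;  /* uninitialized accumulator */
    model_for_each_heap(model_num_free_bytes_callback, &result);
    return result;
}

/* Fixed shape: the accumulator is zeroed before the first callback runs,
   so the result is exactly the sum of the per-heap free byte counts. */
static size_t model_get_num_free_bytes_fixed(void)
{
    size_t result = 0;
    model_for_each_heap(model_num_free_bytes_callback, &result);
    return result;
}

int main(void)
{
    /* Reference the buggy variant so the compiler does not flag it as unused;
       it is deliberately never invoked. */
    size_t (*unused_buggy)(void) = model_get_num_free_bytes_buggy;
    (void)unused_buggy;

    printf("total free bytes: %zu\n", model_get_num_free_bytes_fixed());
    return 0;
}
```

Because the callback accumulates rather than assigns, a static analyzer flags the missing initializer even though every path writes to `result`; the one-line fix is to initialize the accumulator at its declaration, which is the same shape as the correction this bug tracks.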
Comment 1 Radar WebKit Bug Importer 2022-01-31 17:26:59 PST
<rdar://problem/88303899>
Comment 2 David Kilzer (:ddkilzer) 2022-01-31 17:28:47 PST
Created attachment 450482 [details]
Patch v1
Comment 3 Yusuke Suzuki 2022-01-31 17:43:08 PST
Comment on attachment 450482 [details]
Patch v1

r=me
Comment 4 EWS 2022-01-31 20:33:58 PST
Committed r288866 (246618@main): <https://commits.webkit.org/246618@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450482 [details].