WebKit Bugzilla
RESOLVED FIXED
Bug 260069
OSAllocatorWin protect frees page when setting readable and writeable to false
https://bugs.webkit.org/show_bug.cgi?id=260069
Ian Grunert
Reported
2023-08-11 06:39:36 PDT
In OSAllocatorWin, if you call OSAllocator::protect with readable false and writeable false, it’ll free the page + decommit. To the caller, this looks like it does the right thing - attempting to access the freed page will throw an access violation. However, by freeing the page, there’s a risk that we re-allocate that page. For WasmMemory we want the pages to remain reserved in the virtual address space, so if someone tries to access memory in a “red zone” page it’ll throw an access violation. If that page is re-allocated, we could overflow WasmMemory and read / write that page. OSAllocatorPOSIX always calls mprotect so does not have the same problem.
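An added illustration, not part of the original report and not WebKit code: a POSIX analogue of the risk described above, where releasing a red-zone page (`munmap` here, an assumption standing in for the Windows free + decommit path) lets a later allocation land in it, while `mprotect(PROT_NONE)` keeps it reserved. The names `red_zone_reused` and `guard_mode` are hypothetical, and placement of the second mapping at the hinted address assumes Linux `mmap` behaviour.

```c
/* Added illustration, not WebKit code. Names below are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum guard_mode { GUARD_PROTECT, GUARD_FREE };

/* Returns 1 if a later, unrelated allocation lands in the red-zone page and a
 * write one byte past the data page reaches it without faulting; 0 if the red
 * zone stayed reserved; -1 on setup failure. */
int red_zone_reused(enum guard_mode mode)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* One data page followed by one red-zone page, reserved together. */
    unsigned char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    unsigned char *red_zone = base + page;

    int rc = (mode == GUARD_PROTECT)
        ? mprotect(red_zone, page, PROT_NONE) /* still mapped, no access */
        : munmap(red_zone, page);             /* address range released */
    if (rc != 0) {
        munmap(base, 2 * page);
        return -1;
    }
    /* Unrelated allocation; the hint stands in for the allocator happening
     * to pick the first free range, which is now the old red zone. */
    unsigned char *other = mmap(red_zone, page, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int reused = 0;
    if (other == red_zone) {
        base[page] = 0x41;            /* out of bounds, but no fault */
        reused = (other[0] == 0x41);  /* the write hit the other mapping */
    }
    if (other != MAP_FAILED)
        munmap(other, page);
    munmap(base, 2 * page);
    return reused;
}

int main(void)
{
    printf("protect: reused=%d\n", red_zone_reused(GUARD_PROTECT));
    printf("free:    reused=%d\n", red_zone_reused(GUARD_FREE));
    return 0;
}
```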
Ian Grunert
Comment 1
2023-08-11 07:02:58 PDT
Pull request: https://github.com/WebKit/WebKit/pull/16605
EWS
Comment 2
2023-08-14 14:38:11 PDT
Committed 266876@main (673b5ea5e903): <https://commits.webkit.org/266876@main>
Reviewed commits have been landed. Closing PR #16605 and removing active labels.
Radar WebKit Bug Importer
Comment 3
2023-08-14 14:39:12 PDT
<rdar://problem/113873590>