WebKit Bugzilla
RESOLVED FIXED
276589
[Skia] Use after free when serializing SkColorSpace
https://bugs.webkit.org/show_bug.cgi?id=276589
Summary
[Skia] Use after free when serializing SkColorSpace
Michael Catanzaro
Reported
2024-07-14 06:43:57 PDT
==48240== Invalid read of size 8
==48240==    at 0x48518DF: memmove (vg_replace_strmem.c:1414)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
==48240==    by 0x6F4BAAF: WebKit::WebPageProxy::launchProcess(WebCore::RegistrableDomain const&, WebKit::WebPageProxy::ProcessLaunchReason) (Source/WebKit/UIProcess/WebPageProxy.cpp:1212)
==48240==    by 0x6F4FF28: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&, WebCore::ShouldOpenExternalURLsPolicy, API::Object*) (Source/WebKit/UIProcess/WebPageProxy.cpp:1821)
==48240==    by 0x6F50A10: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&) (Source/WebKit/UIProcess/WebPageProxy.cpp:1842)
==48240==  Address 0x85df6ce8 is 40 bytes inside a block of size 108 free'd
==48240==    at 0x48476C6: operator delete(void*) (vg_replace_malloc.c:1131)
==48240==    by 0x6D3FA17: unref (Source/ThirdParty/skia/include/core/SkRefCnt.h:181)
==48240==    by 0x6D3FA17: SkSafeUnref<SkData> (Source/ThirdParty/skia/include/core/SkRefCnt.h:151)
==48240==    by 0x6D3FA17: ~sk_sp (Source/ThirdParty/skia/include/core/SkRefCnt.h:256)
==48240==    by 0x6D3FA17: dataReference (Source/WebKit/Shared/skia/CoreIPCSkColorSpace.h:50)
==48240==    by 0x6D3FA17: IPC::ArgumentCoder<WebKit::CoreIPCSkColorSpace, void>::encode(IPC::Encoder&, WebKit::CoreIPCSkColorSpace const&) (WebKitPlatformGeneratedSerializers.cpp:5011)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
==48240==    by 0x6F4BAAF: WebKit::WebPageProxy::launchProcess(WebCore::RegistrableDomain const&, WebKit::WebPageProxy::ProcessLaunchReason) (Source/WebKit/UIProcess/WebPageProxy.cpp:1212)
==48240==    by 0x6F4FF28: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&, WebCore::ShouldOpenExternalURLsPolicy, API::Object*) (Source/WebKit/UIProcess/WebPageProxy.cpp:1821)
==48240==  Block was alloc'd at
==48240==    at 0x4843FEC: operator new(unsigned long) (vg_replace_malloc.c:487)
==48240==    by 0x9215A9E: PrivateNewWithCopy (Source/ThirdParty/skia/src/core/SkData.cpp:82)
==48240==    by 0x9215A9E: SkData::MakeUninitialized(unsigned long) (Source/ThirdParty/skia/src/core/SkData.cpp:117)
==48240==    by 0x9214B2D: SkColorSpace::serialize() const (Source/ThirdParty/skia/src/core/SkColorSpace.cpp:261)
==48240==    by 0x6D3F9F2: dataReference (Source/WebKit/Shared/skia/CoreIPCSkColorSpace.h:50)
==48240==    by 0x6D3F9F2: IPC::ArgumentCoder<WebKit::CoreIPCSkColorSpace, void>::encode(IPC::Encoder&, WebKit::CoreIPCSkColorSpace const&) (WebKitPlatformGeneratedSerializers.cpp:5011)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
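The three Valgrind stacks above tell the whole story: the block is allocated by SkColorSpace::serialize() inside dataReference() (CoreIPCSkColorSpace.h:50), it is freed by the ~sk_sp destructor still inside dataReference(), and IPC::Encoder's memmove then reads it. In other words, dataReference() took the bytes of a ref-counted temporary, returned a view over them, and let the temporary die. The block below is an added illustration of that lifetime bug and one hardening, written for this page; it is not WebKit or Skia code. Data, Sp, ColorSpace, ByteView and Encoder are mocks standing in for SkData, sk_sp, SkColorSpace::serialize() and IPC::Encoder, and the fix shown (return the owning pointer instead of a view) is one plausible remedy, not necessarily what PR #30799 landed.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Live Data objects. Lets the example prove the buffer was released without
// ever reading through a dangling pointer (which would be undefined behaviour).
static int g_liveData = 0;

// Stand-in for SkData (mock): an immutable, intrusively ref-counted byte buffer.
struct Data {
    std::vector<std::uint8_t> bytes;
    int refs = 1;
    explicit Data(std::vector<std::uint8_t> b) : bytes(std::move(b)) { ++g_liveData; }
    ~Data() { --g_liveData; }
    void ref() { ++refs; }
    void unref() { if (--refs == 0) delete this; }
};

// Stand-in for sk_sp<T> (mock): an owning pointer that unrefs when it goes out of scope.
template <typename T>
class Sp {
public:
    Sp() = default;
    explicit Sp(T* p) : m_ptr(p) { }                 // adopts the initial reference
    Sp(const Sp& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    Sp(Sp&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    Sp& operator=(const Sp&) = delete;
    Sp& operator=(Sp&&) = delete;
    ~Sp() { if (m_ptr) m_ptr->unref(); }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Non-owning view, like the span that IPC::Encoder memmoves from.
struct ByteView {
    const std::uint8_t* data;
    std::size_t size;
};

// Stand-in for SkColorSpace::serialize() (mock): a fresh Data on every call,
// which is what the "Block was alloc'd at" stack in the report shows.
struct ColorSpace {
    std::vector<std::uint8_t> blob;
    Sp<Data> serialize() const { return Sp<Data>(new Data(blob)); }
};

// Buggy shape: hand out a view into a ref-counted temporary. The temporary's
// destructor runs at the return, the refcount drops to zero, the buffer is
// freed, and the caller's view dangles.
ByteView dataReferenceDangling(const ColorSpace& cs)
{
    Sp<Data> serialized = cs.serialize();
    return ByteView { serialized->bytes.data(), serialized->bytes.size() };
} // ~Sp: refs 1 -> 0, Data deleted; the returned view now points at freed memory

// Hardened shape (one option, not necessarily what the pull request did):
// return the owning pointer so the buffer lives as long as the caller needs it.
Sp<Data> serializedData(const ColorSpace& cs)
{
    return cs.serialize();
}

// Mock encoder: appends the viewed bytes to an outgoing message buffer.
struct Encoder {
    std::vector<std::uint8_t> buffer;
    void encode(ByteView v) { buffer.insert(buffer.end(), v.data, v.data + v.size); }
};

// True when the buggy accessor leaves the caller holding a view whose backing
// Data has already been destroyed. Inspects the view's size only; it never
// dereferences the freed pointer.
bool danglingAccessorFreesBuffer()
{
    int before = g_liveData;
    ColorSpace cs { { 1, 2, 3, 4 } };          // constructed sample colour-space blob
    ByteView view = dataReferenceDangling(cs);
    return g_liveData == before && view.size == 4;
}

// Encodes through the hardened accessor: the Sp<Data> held on the caller's
// stack keeps the buffer alive across the copy. Returns the encoded bytes.
std::vector<std::uint8_t> encodeWithOwnedData()
{
    ColorSpace cs { { 1, 2, 3, 4 } };
    Sp<Data> held = serializedData(cs);
    Encoder enc;
    enc.encode(ByteView { held->bytes.data(), held->bytes.size() });
    return enc.buffer;
}
```

The same shape shows up whenever an accessor named like a "reference" or "view" is built on top of a factory that returns a fresh owning object; the check is to ask who owns the storage the view points at once the accessor returns. Under Valgrind or ASan the buggy variant reports exactly the pattern in this bug: allocation and free both inside the accessor, read in the consumer.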
Michael Catanzaro
Comment 1
2024-07-14 07:06:09 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/30799
EWS
Comment 2
2024-07-16 04:34:07 PDT
Committed 281006@main (3f928ad98a0e): <https://commits.webkit.org/281006@main>
Reviewed commits have been landed. Closing PR #30799 and removing active labels.