Bug 299882: RESOLVED DUPLICATE of bug 304204
[GTK] Crash in FenceMonitor::addFileDescriptor
https://bugs.webkit.org/show_bug.cgi?id=299882
Summary: [GTK] Crash in FenceMonitor::addFileDescriptor
Michael Catanzaro
Reported 2025-09-30 10:53:28 PDT
Created attachment 476905: Backtrace

Moving this from https://bugzilla.redhat.com/show_bug.cgi?id=2400463

Stack trace attached. There are two bugs here:

(1) AcceleratedBackingStore::frame passed an invalid WTF::UnixFileDescriptor to FenceMonitor::addFileDescriptor. Why is the fd invalid?

(2) This is an IPC interface; the fd is sent from the web process to the UI process, and it's expected that the message may be malicious and invalid. The UI process should message check it and kill the web process if the message is invalid. It shouldn't be possible for anything the web process does to crash the UI process.
Attachments
Backtrace (123.56 KB, text/plain)
2025-09-30 10:53 PDT, Michael Catanzaro
no flags
Michael Catanzaro
Comment 1 2025-09-30 10:55:54 PDT
(I suspect that in general, Linux-specific messages may not be using MESSAGE_CHECK() where required. This could lead to sandbox escapes.)
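The validation the report and Comment 1 call for, shown as an added example that is not WebKit code: a simplified UI-process handler that message-checks a file descriptor received over IPC before using it, flagging the connection instead of crashing. `Connection`, `UnixFileDescriptor`, `MESSAGE_CHECK` and `handleFrameMessage` here are hypothetical stand-ins for their WebKit namesakes, and the validity test uses fcntl(F_GETFD).

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <utility>

// Hypothetical stand-in for an IPC connection (not WebKit's IPC::Connection):
// records that the current message was invalid so the caller can kill the sender.
struct Connection {
    bool currentMessageInvalid = false;
    void markCurrentMessageInvalid() { currentMessageInvalid = true; }
};

// Stand-in for WTF::UnixFileDescriptor: owns the fd and closes it on destruction.
class UnixFileDescriptor {
public:
    explicit UnixFileDescriptor(int fd = -1) : m_fd(fd) {}
    UnixFileDescriptor(UnixFileDescriptor&& other) noexcept : m_fd(std::exchange(other.m_fd, -1)) {}
    ~UnixFileDescriptor() { if (m_fd >= 0) close(m_fd); }
    // Usable only if non-negative and actually open in this process (F_GETFD fails with EBADF otherwise).
    bool isValid() const { return m_fd >= 0 && fcntl(m_fd, F_GETFD) != -1; }
private:
    int m_fd;
};

// Message-check idiom: on failure, flag the connection and leave the handler.
// Untrusted web-process input must never reach an assertion or crash in the UI process.
#define MESSAGE_CHECK(assertion, connection) \
    do { if (!(assertion)) { (connection).markCurrentMessageInvalid(); return false; } } while (0)

// Hypothetical frame handler; returns true only if the fence fd was accepted.
bool handleFrameMessage(Connection& connection, UnixFileDescriptor&& fence) {
    MESSAGE_CHECK(fence.isValid(), connection);
    // Only here would the validated fd be handed to a fence monitor.
    return true;
}

// Scenario 1: the sender supplied -1 (the crash case in the report). Expected: rejected, connection flagged.
bool rejectsInvalidFd() {
    Connection connection;
    bool accepted = handleFrameMessage(connection, UnixFileDescriptor(-1));
    return !accepted && connection.currentMessageInvalid;
}

// Scenario 2: a genuinely open fd (one end of a constructed pipe). Expected: accepted, connection untouched.
bool acceptsOpenFd() {
    int fds[2];
    if (pipe(fds) != 0) return false;
    Connection connection;
    bool accepted = handleFrameMessage(connection, UnixFileDescriptor(fds[0]));
    close(fds[1]);
    return accepted && !connection.currentMessageInvalid;
}
```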
Michael Catanzaro
Comment 2 2026-01-02 15:44:24 PST
*** This bug has been marked as a duplicate of bug 304204 ***