Bug 260069 - OSAllocatorWin protect frees page when setting readable and writeable to false
Summary: OSAllocatorWin protect frees page when setting readable and writeable to false
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API
Version: WebKit Local Build
Hardware: PC Windows 10
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-08-11 06:39 PDT by Ian Grunert
Modified: 2023-08-14 14:39 PDT
CC List: 1 user

See Also:


Description Ian Grunert 2023-08-11 06:39:36 PDT
In OSAllocatorWin, if you call OSAllocator::protect with readable false and writeable false, it’ll free the page + decommit. To the caller, this looks like it does the right thing - attempting to access the freed page will throw an access violation. However, by freeing the page there’s a risk that we re-allocate that page.

For WasmMemory we want the pages to remain reserved in the virtual address space, so if someone tries to access memory in a “red zone” page it’ll throw an access violation. If that page is re-allocated, we could overflow WasmMemory and read / write that page.

OSAllocatorPOSIX always calls mprotect so does not have the same problem.
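The hazard described above as an added example (not WebKit's OSAllocator code): a POSIX model in which the buggy protect() unmaps the page when readable and writable are both false, while the safe version does what OSAllocatorPOSIX does and calls mprotect with PROT_NONE; a probe then reports whether the red-zone range is still reserved by the process. The function names and the probe are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model of the two protect() behaviours; not WebKit code. */
static int prot_flags(bool readable, bool writable) {
    return (readable ? PROT_READ : 0) | (writable ? PROT_WRITE : 0);
}

/* Reported behaviour: readable=false, writable=false hands the page back to the OS
 * (POSIX analogue of free + decommit). Accesses still fault, but the address range
 * is no longer reserved, so a later allocation can land on it. */
static bool protect_buggy(void *base, size_t size, bool readable, bool writable) {
    if (!readable && !writable)
        return munmap(base, size) == 0;
    return mprotect(base, size, prot_flags(readable, writable)) == 0;
}

/* Safe behaviour (what OSAllocatorPOSIX does): always mprotect. PROT_NONE keeps
 * the page reserved, so it cannot be reused while it serves as a red zone. */
static bool protect_safe(void *base, size_t size, bool readable, bool writable) {
    return mprotect(base, size, prot_flags(readable, writable)) == 0;
}

/* Probe: is the page-aligned range [base, base+size) still mapped in this process?
 * mprotect on an unmapped range fails with ENOMEM; on a mapped range, even one
 * that is already PROT_NONE, it succeeds. */
static bool still_reserved(void *base, size_t size) {
    return mprotect(base, size, PROT_NONE) == 0;
}

/* Run one scenario: reserve a red-zone page, protect it with readable=false and
 * writable=false, and report whether the page is still reserved afterwards. */
static bool red_zone_survives(bool use_buggy_protect) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *red_zone = mmap(NULL, page, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (red_zone == MAP_FAILED)
        return false;
    bool ok = use_buggy_protect ? protect_buggy(red_zone, page, false, false)
                                : protect_safe(red_zone, page, false, false);
    if (!ok) return false;
    bool reserved = still_reserved(red_zone, page);
    if (reserved)
        munmap(red_zone, page); /* release what we still own */
    return reserved;
}
```

The Win32 counterparts: VirtualProtect with PAGE_NOACCESS keeps the range reserved, whereas VirtualFree with MEM_RELEASE returns it to the address space where a later VirtualAlloc can reuse it.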
Comment 1 Ian Grunert 2023-08-11 07:02:58 PDT
Pull request: https://github.com/WebKit/WebKit/pull/16605
Comment 2 EWS 2023-08-14 14:38:11 PDT
Committed 266876@main (673b5ea5e903): <https://commits.webkit.org/266876@main>

Reviewed commits have been landed. Closing PR #16605 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2023-08-14 14:39:12 PDT
<rdar://problem/113873590>