mirror of
				https://github.com/RGBCube/serenity
				synced 2025-10-26 05:02:33 +00:00 
			
		
		
		
	 7e701f6256
			
		
	
	
		7e701f6256
		
	
	
	
	
		
			
			This is fixed by making the "about to be notified rejected promises
list" use JS::Handle instead of JS::NonnullGCPtr. This UAF happens
because notify_about_rejected_promises makes a local copy of this list,
empties the member variable list and then moves the local copy into a
JS::SafeFunction lambda. JS::SafeFunction can only see GC pointers that
are in its storage, not external storage.
Example exploit (requires fixed microtask timing by removing the dummy
execution context):
```html
<script>
Promise.reject(new Error);
// Exit the script block, causing a microtask checkpoint and thus
// queuing of a task to fire the unhandled rejection event for the
// above promise.
// During the time after being queued but before being ran, these
// promises are not kept alive. This is because JS::SafeFunction cannot
// see into a Vector, meaning it can't visit the stored NonnullGCPtrs.
</script>
<script defer>
// Cause a garbage collection, destroying the above promise.
const b = [];
for (var i = 0; i < 200000; i++)
    b.push({});
// Some time after this script block, the queued unhandled rejection
// event task will fire, with the event object containing the dead
// promise.
window.onunhandledrejection = (event) => {
    let value = event.promise;
    console.log(value);
}
</script>
```
		
	
			
		
			
				
	
	
		
			154 lines
		
	
	
	
		
			5.7 KiB
		
	
	
	
		
			C++
		
	
	
	
	
	
			
		
		
	
	
			154 lines
		
	
	
	
		
			5.7 KiB
		
	
	
	
		
			C++
		
	
	
	
	
	
| /*
 | |
|  * Copyright (c) 2021, Luke Wilde <lukew@serenityos.org>
 | |
|  * Copyright (c) 2022, Linus Groh <linusg@serenityos.org>
 | |
|  *
 | |
|  * SPDX-License-Identifier: BSD-2-Clause
 | |
|  */
 | |
| 
 | |
| #pragma once
 | |
| 
 | |
| #include <AK/URL.h>
 | |
| #include <LibJS/Runtime/ExecutionContext.h>
 | |
| #include <LibJS/Runtime/GlobalObject.h>
 | |
| #include <LibJS/Runtime/Object.h>
 | |
| #include <LibJS/Runtime/Realm.h>
 | |
| #include <LibWeb/HTML/EventLoop/EventLoop.h>
 | |
| #include <LibWeb/HTML/Origin.h>
 | |
| #include <LibWeb/HTML/Scripting/ModuleMap.h>
 | |
| 
 | |
| namespace Web::HTML {
 | |
| 
 | |
| // https://html.spec.whatwg.org/multipage/webappapis.html#environment
 | |
| struct Environment {
 | |
|     virtual ~Environment() = default;
 | |
| 
 | |
|     // An id https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-id
 | |
|     DeprecatedString id;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-creation-url
 | |
|     AK::URL creation_url;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-top-level-creation-url
 | |
|     AK::URL top_level_creation_url;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-top-level-origin
 | |
|     Origin top_level_origin;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-target-browsing-context
 | |
|     JS::GCPtr<BrowsingContext> target_browsing_context;
 | |
| 
 | |
|     // FIXME: An active service worker https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-active-service-worker
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-execution-ready-flag
 | |
|     bool execution_ready { false };
 | |
| };
 | |
| 
 | |
| enum class CanUseCrossOriginIsolatedAPIs {
 | |
|     No,
 | |
|     Yes,
 | |
| };
 | |
| 
 | |
| enum class RunScriptDecision {
 | |
|     Run,
 | |
|     DoNotRun,
 | |
| };
 | |
| 
 | |
| // https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object
 | |
| struct EnvironmentSettingsObject
 | |
|     : public JS::Cell
 | |
|     , public Environment {
 | |
|     JS_CELL(EnvironmentSettingsObject, JS::Cell);
 | |
| 
 | |
|     virtual ~EnvironmentSettingsObject() override;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-environment-target-browsing-context
 | |
|     JS::ExecutionContext& realm_execution_context();
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-module-map
 | |
|     ModuleMap& module_map();
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document
 | |
|     virtual JS::GCPtr<DOM::Document> responsible_document() = 0;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#api-url-character-encoding
 | |
|     virtual DeprecatedString api_url_character_encoding() = 0;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#api-base-url
 | |
|     virtual AK::URL api_base_url() = 0;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin
 | |
|     virtual Origin origin() = 0;
 | |
| 
 | |
|     // A policy container https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-policy-container
 | |
|     virtual PolicyContainer policy_container() = 0;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-cross-origin-isolated-capability
 | |
|     virtual CanUseCrossOriginIsolatedAPIs cross_origin_isolated_capability() = 0;
 | |
| 
 | |
|     AK::URL parse_url(StringView);
 | |
| 
 | |
|     JS::Realm& realm();
 | |
|     JS::Object& global_object();
 | |
|     EventLoop& responsible_event_loop();
 | |
| 
 | |
|     RunScriptDecision can_run_script();
 | |
|     void prepare_to_run_script();
 | |
|     void clean_up_after_running_script();
 | |
| 
 | |
|     void prepare_to_run_callback();
 | |
|     void clean_up_after_running_callback();
 | |
| 
 | |
|     void push_onto_outstanding_rejected_promises_weak_set(JS::Promise*);
 | |
| 
 | |
|     // Returns true if removed, false otherwise.
 | |
|     bool remove_from_outstanding_rejected_promises_weak_set(JS::Promise*);
 | |
| 
 | |
|     void push_onto_about_to_be_notified_rejected_promises_list(JS::NonnullGCPtr<JS::Promise>);
 | |
| 
 | |
|     // Returns true if removed, false otherwise.
 | |
|     bool remove_from_about_to_be_notified_rejected_promises_list(JS::NonnullGCPtr<JS::Promise>);
 | |
| 
 | |
|     void notify_about_rejected_promises(Badge<EventLoop>);
 | |
| 
 | |
|     bool is_scripting_enabled() const;
 | |
|     bool is_scripting_disabled() const;
 | |
| 
 | |
|     bool module_type_allowed(DeprecatedString const& module_type) const;
 | |
| 
 | |
|     void disallow_further_import_maps();
 | |
| 
 | |
| protected:
 | |
|     explicit EnvironmentSettingsObject(NonnullOwnPtr<JS::ExecutionContext>);
 | |
| 
 | |
|     virtual void visit_edges(Cell::Visitor&) override;
 | |
| 
 | |
| private:
 | |
|     NonnullOwnPtr<JS::ExecutionContext> m_realm_execution_context;
 | |
|     ModuleMap m_module_map;
 | |
| 
 | |
|     EventLoop* m_responsible_event_loop { nullptr };
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#outstanding-rejected-promises-weak-set
 | |
|     // The outstanding rejected promises weak set must not create strong references to any of its members, and implementations are free to limit its size, e.g. by removing old entries from it when new ones are added.
 | |
|     Vector<JS::Promise*> m_outstanding_rejected_promises_weak_set;
 | |
| 
 | |
|     // https://html.spec.whatwg.org/multipage/webappapis.html#about-to-be-notified-rejected-promises-list
 | |
|     Vector<JS::Handle<JS::Promise>> m_about_to_be_notified_rejected_promises_list;
 | |
| };
 | |
| 
 | |
| EnvironmentSettingsObject& incumbent_settings_object();
 | |
| JS::Realm& incumbent_realm();
 | |
| JS::Object& incumbent_global_object();
 | |
| EnvironmentSettingsObject& current_settings_object();
 | |
| JS::Object& current_global_object();
 | |
| JS::Realm& relevant_realm(JS::Object const&);
 | |
| EnvironmentSettingsObject& relevant_settings_object(JS::Object const&);
 | |
| EnvironmentSettingsObject& relevant_settings_object(DOM::Node const&);
 | |
| JS::Object& relevant_global_object(JS::Object const&);
 | |
| JS::Realm& entry_realm();
 | |
| EnvironmentSettingsObject& entry_settings_object();
 | |
| JS::Object& entry_global_object();
 | |
| [[nodiscard]] bool is_secure_context(Environment const&);
 | |
| [[nodiscard]] bool is_non_secure_context(Environment const&);
 | |
| 
 | |
| }
 |