Qt / QTBUG-115188

QtWebEngine use after free in Extensions GetPreferences

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: P1: Critical
    • Fix Version/s: 6.5.3
    • Affects Version/s: 5.15.9, 6.5.0, 6.5.1
    • Component/s: WebEngine
    • Labels: None
    • Environment: macOS latest, Linux latest Manjaro
    • Platform/OS: Linux/X11, macOS
    • Commits: 7af3d247a (dev), 3fd36a572 (6.6), 925efb3a8 (6.5)

    Description

      Sigil has started to explore showing pdfs inside QWebEngineViews and when only one main window is open, showing pdfs is rock solid. As soon as I create a second main window and try to load a pdf, I get a completely reproducible crash deep in QtWebEngine as it tries to use its PrefsService to see if the pdf extension is allowed. The crash is actually caused by invalid data left when the ExtensionsPrefs was freed or deleted (but we never closed any main windows, just opened a new one).

      Here is the completely reproducible backtrace:

```
* thread #1, name = 'CrBrowserMain', queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
    frame #0: 0x000000011bb848a5 QtWebEngineCore`PrefService::GetPreferenceValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const (.cold.1) + 5
QtWebEngineCore`PrefService::GetPreferenceValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const (.cold.1):
->  0x11bb848a5 <+5>: ud2
    0x11bb848a7 <+7>: nopw (%rax,%rax)

QtWebEngineCore`PrefService::GetPreferenceValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const (.cold.2):
    0x11bb848b0 <+0>: pushq %rbp
    0x11bb848b1 <+1>: movq %rsp, %rbp
Target 0: (Sigil) stopped.
(lldb) bt
* thread #1, name = 'CrBrowserMain', queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x000000011bb848a5 QtWebEngineCore`PrefService::GetPreferenceValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const (.cold.1) + 5
    frame #1: 0x00000001174c129d QtWebEngineCore`PrefService::GetPreferenceValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const + 285
    frame #2: 0x00000001174c0939 QtWebEngineCore`PrefService::GetValue(base::BasicStringPiece<char, std::__1::char_traits<char> >) const + 9
    frame #3: 0x00000001161e9478 QtWebEngineCore`extensions::ExtensionPrefs::GetExtensionPref(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const + 72
    frame #4: 0x00000001161ea399 QtWebEngineCore`extensions::ExtensionPrefs::AllowFileAccess(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const + 9
    frame #5: 0x000000011620350a QtWebEngineCore`extensions::util::InitializeFileSchemeAccessForExtension(int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::BrowserContext*) + 42
    frame #6: 0x00000001162040b6 QtWebEngineCore`extensions::ExtensionWebContentsObserver::RenderFrameCreated(content::RenderFrameHost*) + 118
    frame #7: 0x000000011270eefd QtWebEngineCore`extensions::ExtensionWebContentsObserverQt::RenderFrameCreated(content::RenderFrameHost*) + 29
    frame #8: 0x00000001156914b0 QtWebEngineCore`void content::WebContentsImpl::WebContentsObserverList::NotifyObservers<void (content::WebContentsObserver::*)(content::RenderFrameHost*), content::RenderFrameHostImpl*&>(void (content::WebContentsObserver::*)(content::RenderFrameHost*), content::RenderFrameHostImpl*&) + 336
    frame #9: 0x00000001156a8b7b QtWebEngineCore`content::WebContentsImpl::RenderFrameCreated(content::RenderFrameHostImpl*) + 107
    frame #10: 0x00000001154dbf33 QtWebEngineCore`content::RenderFrameHostImpl::RenderFrameCreated() + 211
    frame #11: 0x000000011554ad9f QtWebEngineCore`content::RenderViewHostImpl::CreateRenderView(absl::optional<blink::MultiToken<base::TokenType<blink::LocalFrameTokenTypeMarker>, base::TokenType<blink::RemoteFrameTokenTypeMarker> > > const&, int, bool) + 2511
    frame #12: 0x00000001156b274d QtWebEngineCore`content::WebContentsImpl::CreateRenderViewForRenderManager(content::RenderViewHost*, absl::optional<blink::MultiToken<base::TokenType<blink::LocalFrameTokenTypeMarker>, base::TokenType<blink::RemoteFrameTokenTypeMarker> > > const&, content::RenderFrameProxyHost*) + 141
    frame #13: 0x000000011551dcad QtWebEngineCore`content::RenderFrameHostManager::InitRenderView(content::SiteInstanceGroup*, content::RenderViewHostImpl*, content::RenderFrameProxyHost*) + 285
    frame #14: 0x000000011568a0a9 QtWebEngineCore`content::WebContentsImpl::AttachInnerWebContents(std::__1::unique_ptr<content::WebContents, std::__1::default_delete<content::WebContents> >, content::RenderFrameHost*, mojo::PendingAssociatedRemote<blink::mojom::RemoteFrame>, mojo::PendingAssociatedReceiver<blink::mojom::RemoteFrameHost>, bool) + 377
    frame #15: 0x000000011b9e39f7 QtWebEngineCore`guest_view::GuestViewBase::WillAttach(std::__1::unique_ptr<guest_view::GuestViewBase, std::__1::default_delete<guest_view::GuestViewBase> >, content::WebContents*, content::RenderFrameHost*, int, bool, base::OnceCallback<void ()>, base::OnceCallback<void ()>) + 519
    frame #16: 0x000000011b9e4b33 QtWebEngineCore`guest_view::GuestViewBase::AttachToOuterWebContentsFrame(std::__1::unique_ptr<guest_view::GuestViewBase, std::__1::default_delete<guest_view::GuestViewBase> >, content::RenderFrameHost*, int, bool, base::OnceCallback<void ()>) + 275
    frame #17: 0x0000000116210b48 QtWebEngineCore`extensions::MimeHandlerViewAttachHelper::ResumeAttachOrDestroy(std::__1::unique_ptr<extensions::MimeHandlerViewGuest, std::__1::default_delete<extensions::MimeHandlerViewGuest> >, int, bool, content::RenderFrameHost*) + 344
    frame #18: 0x000000011621293d QtWebEngineCore`base::internal::Invoker<base::internal::BindState<void (extensions::MimeHandlerViewAttachHelper::*)(std::__1::unique_ptr<extensions::MimeHandlerViewGuest, std::__1::default_delete<extensions::MimeHandlerViewGuest> >, int, bool, content::RenderFrameHost*), base::WeakPtr<extensions::MimeHandlerViewAttachHelper>, std::__1::unique_ptr<extensions::MimeHandlerViewGuest, std::__1::default_delete<extensions::MimeHandlerViewGuest> >, int, bool>, void (content::RenderFrameHost*)>::RunOnce(base::internal::BindStateBase*, content::RenderFrameHost*) + 125
    frame #19: 0x00000001155207a7 QtWebEngineCore`base::internal::Invoker<base::internal::BindState<content::RenderFrameHostManager::NotifyPrepareForInnerDelegateAttachComplete(bool)::$_14, base::OnceCallback<void (content::RenderFrameHost*)>, int, int>, void ()>::RunOnce(base::internal::BindStateBase*) + 55
    frame #20: 0x00000001168b5137 QtWebEngineCore`base::TaskAnnotator::RunTaskImpl(base::PendingTask&) + 231
    frame #21: 0x00000001168d065f QtWebEngineCore`base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) + 751
    frame #22: 0x00000001168d00a3 QtWebEngineCore`base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() + 83
    frame #23: 0x00000001168d0d15 QtWebEngineCore`non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() + 21
    frame #24: 0x000000011263edfa QtWebEngineCore`QtWebEngineCore::MessagePumpForUIQt::handleScheduledWork() + 58
    frame #25: 0x0000000103b00ff7 QtCore`QObject::event(QEvent*) + 103
    frame #26: 0x0000000103343fd7 QtWidgets`QApplicationPrivate::notify_helper(QObject*, QEvent*) + 247
    frame #27: 0x0000000103344e73 QtWidgets`QApplication::notify(QObject*, QEvent*) + 499
    frame #28: 0x0000000103ab8d7a QtCore`QCoreApplication::notifyInternal2(QObject*, QEvent*) + 170
    frame #29: 0x0000000103ab9cb3 QtCore`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) + 803
    frame #30: 0x0000000104121fc6 libqcocoa.dylib`QCocoaEventDispatcherPrivate::processPostedEvents() + 342
    frame #31: 0x00000001041229fd libqcocoa.dylib`QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) + 445
    frame #32: 0x00007ff81b188f2a CoreFoundation`_CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION_ + 17
    frame #33: 0x00007ff81b188ecc CoreFoundation`__CFRunLoopDoSource0 + 157
    frame #34: 0x00007ff81b188ca5 CoreFoundation`__CFRunLoopDoSources0 + 217
    frame #35: 0x00007ff81b18792f CoreFoundation`__CFRunLoopRun + 916
    frame #36: 0x00007ff81b186f31 CoreFoundation`CFRunLoopRunSpecific + 560
    frame #37: 0x00007ff824c02dad HIToolbox`RunCurrentEventLoopInMode + 292
    frame #38: 0x00007ff824c02bbe HIToolbox`ReceiveNextEventCommon + 657
    frame #39: 0x00007ff824c02918 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
    frame #40: 0x00007ff81e21b5d0 AppKit`_DPSNextEvent + 858
    frame #41: 0x00007ff81e21a47a AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1214
    frame #42: 0x00007ff81e20cae8 AppKit`-[NSApplication run] + 586
    frame #43: 0x000000010412124b libqcocoa.dylib`QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2235
    frame #44: 0x0000000103ac1ef6 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 486
    frame #45: 0x0000000103ab9367 QtCore`QCoreApplication::exec() + 119
    frame #46: 0x00000001000435ee Sigil`main + 10382
    frame #47: 0x00007ff81ad5341f dyld`start + 1903
```

      So this appears to be a use after free.

      I have tried to create a very very simple standalone test case but so far have failed.

      Any hints or ideas on how best to work around this issue are welcome.

      Attachments

        1. bug_pdf.zip (644 kB, Kevin B. Hendricks)

        People

          Assignee: davidsz Szabolcs David
          Reporter: kevinhendricks Kevin B. Hendricks
          Votes: 0
          Watchers: 2
