ladybird/Tests/LibWeb/Text/expected/WebSocket/WebSocket-gc.txt at 027c9f53be4b87cf55d799cb41abffa55173f11d - mirrors/ladybird - git.jellysandwich.dev

mirrors/ladybird

mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-10-22 16:09:23 +00:00

Luke Wilde 5146bbe296 LibGC: Visit the edges of the cells that must survive garbage collection

Previously, we would only keep the cell that must survive alive, but
none of it's edges.

This cropped up with a GC UAF in must_survive_garbage_collection of
WebSocket in .NET's SignalR frontend implementation, where an
out-of-scope WebSocket had it's underlying EventTarget properties
garbage collected, and must_survive_garbage_collection read from the
destroyed EventTarget properties.

See: https://github.com/dotnet/aspnetcore/blob/main/src/SignalR/clients/ts/signalr/src/WebSocketTransport.ts#L81
Found on https://www.formula1.com/ during a live session.

Co-Authored-By: Tim Flynn <trflynn89@pm.me>

2025-02-27 14:35:28 -05:00

1 line

21 B

Text

Raw Blame History

PASS! (Didn't crash)