Title: [228620] releases/WebKitGTK/webkit-2.20/Source/bmalloc
Revision
228620
Author
carlo...@webkit.org
Date
2018-02-19 01:12:12 -0800 (Mon, 19 Feb 2018)

Log Message

Merge r228108 - Gigacage: enable only for WebContent process and token executables
https://bugs.webkit.org/show_bug.cgi?id=182457
<rdar://problem/35875011>

Reviewed by Keith Miller.

Gigacage is a solid security improvement, but it's probably best
to roll it out incrementally to the most valuable targets first
and progressively try out more and more over time rather than
outright enabling it everywhere. We've gotten some reports that it
has some side-effects that weren't expected, so for now let's
enable it for the WebContent process, JSC, and other executables
we know, and then later we'll enable more gigacage uses.

For now I've chosen the following bundles:

  - com.apple.WebKit.WebContent.Development
  - com.apple.WebKit.WebContent
  - com.apple.WebProcess

And the following processes:

  - jsc
  - wasm
  - anything starting with "test", to match the JSC tests

I tried a different approach first, where I add a function to turn
gigacage on or off and crash if gigacage is initialized without
having been told what to do. Doing this in ChildProcess and a
bunch of the process initialization methods isn't sufficient. I
got MiniBrowser working, but some other builds use static globals
which themselves use hash and string which are allocate with
bmalloc and therefore which initialize gigacage before main is
called and before the process gets a chance to opt in our out. It
gets tricky with API calls too, because we have to do the right
thing in any entry an API user could plausibly use, even the
private ones, so I endend up having to initialize gigacage in e.g.
WebPreferencesExperimentalFeatures.cpp.erb.

Another approach could be to create a free-for-all gigacage
entitlement, and opt-in the processes we want..

As a follow-up we can also check that gigacage allocation always
succeeds if it was allowed for that process. With my change I
expect it to always succeed.

* CMakeLists.txt:
* bmalloc.xcodeproj/project.pbxproj:
* bmalloc/BPlatform.h:
* bmalloc/Gigacage.cpp:
(Gigacage::shouldBeEnabled):
* bmalloc/ProcessCheck.h: Added.
(bmalloc::gigacageEnabledForProcess):
* bmalloc/ProcessCheck.mm: Added.
(bmalloc::gigacageEnabledForProcess):

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.20/Source/bmalloc/CMakeLists.txt (228619 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/CMakeLists.txt	2018-02-19 09:12:03 UTC (rev 228619)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/CMakeLists.txt	2018-02-19 09:12:12 UTC (rev 228620)
@@ -34,6 +34,7 @@
 
 if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
     list(APPEND bmalloc_SOURCES
+        bmalloc/ProcessCheck.mm
         bmalloc/Zone.cpp
     )
 endif ()

Modified: releases/WebKitGTK/webkit-2.20/Source/bmalloc/ChangeLog (228619 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/ChangeLog	2018-02-19 09:12:03 UTC (rev 228619)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/ChangeLog	2018-02-19 09:12:12 UTC (rev 228620)
@@ -1,3 +1,61 @@
+2018-02-05  JF Bastien  <jfbast...@apple.com>
+
+        Gigacage: enable only for WebContent process and token executables
+        https://bugs.webkit.org/show_bug.cgi?id=182457
+        <rdar://problem/35875011>
+
+        Reviewed by Keith Miller.
+
+        Gigacage is a solid security improvement, but it's probably best
+        to roll it out incrementally to the most valuable targets first
+        and progressively try out more and more over time rather than
+        outright enabling it everywhere. We've gotten some reports that it
+        has some side-effects that weren't expected, so for now let's
+        enable it for the WebContent process, JSC, and other executables
+        we know, and then later we'll enable more gigacage uses.
+
+        For now I've chosen the following bundles:
+
+          - com.apple.WebKit.WebContent.Development
+          - com.apple.WebKit.WebContent
+          - com.apple.WebProcess
+
+        And the following processes:
+
+          - jsc
+          - wasm
+          - anything starting with "test", to match the JSC tests
+
+        I tried a different approach first, where I add a function to turn
+        gigacage on or off and crash if gigacage is initialized without
+        having been told what to do. Doing this in ChildProcess and a
+        bunch of the process initialization methods isn't sufficient. I
+        got MiniBrowser working, but some other builds use static globals
+        which themselves use hash and string which are allocate with
+        bmalloc and therefore which initialize gigacage before main is
+        called and before the process gets a chance to opt in our out. It
+        gets tricky with API calls too, because we have to do the right
+        thing in any entry an API user could plausibly use, even the
+        private ones, so I endend up having to initialize gigacage in e.g.
+        WebPreferencesExperimentalFeatures.cpp.erb.
+
+        Another approach could be to create a free-for-all gigacage
+        entitlement, and opt-in the processes we want..
+
+        As a follow-up we can also check that gigacage allocation always
+        succeeds if it was allowed for that process. With my change I
+        expect it to always succeed.
+
+        * CMakeLists.txt:
+        * bmalloc.xcodeproj/project.pbxproj:
+        * bmalloc/BPlatform.h:
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::shouldBeEnabled):
+        * bmalloc/ProcessCheck.h: Added.
+        (bmalloc::gigacageEnabledForProcess):
+        * bmalloc/ProcessCheck.mm: Added.
+        (bmalloc::gigacageEnabledForProcess):
+
 2018-02-05  Joseph Pecoraro  <pecor...@apple.com>
 
         Multiple bmalloc scavenger threads is unexpected

Modified: releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/BPlatform.h (228619 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/BPlatform.h	2018-02-19 09:12:03 UTC (rev 228619)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/BPlatform.h	2018-02-19 09:12:12 UTC (rev 228620)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,6 +63,14 @@
 #endif
 #endif
 
+#if BPLATFORM(MAC) || BPLATFORM(IOS)
+#define BPLATFORM_COCOA 1
+#endif
+
+#if defined(TARGET_OS_WATCH) && TARGET_OS_WATCH
+#define BPLATFORM_WATCHOS 1
+#endif
+
 /* ==== Policy decision macros: these define policy choices for a particular port. ==== */
 
 /* BUSE() - use a particular third-party library or optional OS service */

Modified: releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/Gigacage.cpp (228619 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/Gigacage.cpp	2018-02-19 09:12:03 UTC (rev 228619)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/Gigacage.cpp	2018-02-19 09:12:12 UTC (rev 228620)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 #include "CryptoRandom.h"
 #include "Environment.h"
 #include "PerProcess.h"
+#include "ProcessCheck.h"
 #include "VMAllocate.h"
 #include "Vector.h"
 #include "bmalloc.h"
@@ -250,6 +251,9 @@
     std::call_once(
         onceFlag,
         [] {
+            if (!gigacageEnabledForProcess())
+                return;
+
             bool result = !PerProcess<Environment>::get()->isDebugHeapEnabled();
             if (!result)
                 return;

Added: releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.h (0 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.h	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.h	2018-02-19 09:12:12 UTC (rev 228620)
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "BPlatform.h"
+
+namespace bmalloc {
+
+#if BPLATFORM(COCOA)
+#if BPLATFORM(WATCHOS)
+inline bool gigacageEnabledForProcess() { return false; }
+#else
+bool gigacageEnabledForProcess();
+#endif
+#else
+inline bool gigacageEnabledForProcess() { return true; }
+#endif
+
+}

Added: releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.mm (0 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.mm	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/ProcessCheck.mm	2018-02-19 09:12:12 UTC (rev 228620)
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#import "ProcessCheck.h"
+
+#if !BPLATFORM(WATCHOS)
+
+#import <Foundation/Foundation.h>
+
+namespace bmalloc {
+
+bool gigacageEnabledForProcess()
+{
+    static NSString *appName = [[NSBundle mainBundle] bundleIdentifier];
+    if (appName) {
+        static bool isWebProcess = [appName isEqualToString:@"com.apple.WebKit.WebContent.Development"]
+            || [appName isEqualToString:@"com.apple.WebKit.WebContent"]
+            || [appName isEqualToString:@"com.apple.WebProcess"];
+        return isWebProcess;
+    }
+
+    static NSString *processName = [[NSProcessInfo processInfo] processName];
+    static bool isOptInBinary = [processName isEqualToString:@"jsc"]
+        || [processName isEqualToString:@"wasm"]
+        || [processName hasPrefix:@"test"];
+
+    return isOptInBinary;
+}
+
+}
+
+#endif

Modified: releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj (228619 => 228620)


--- releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj	2018-02-19 09:12:03 UTC (rev 228619)
+++ releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj	2018-02-19 09:12:12 UTC (rev 228620)
@@ -133,6 +133,8 @@
 		6599C5CC1EC3F15900A2F7BB /* AvailableMemory.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 6599C5CA1EC3F15900A2F7BB /* AvailableMemory.cpp */; };
 		6599C5CD1EC3F15900A2F7BB /* AvailableMemory.h in Headers */ = {isa = PBXBuildFile; fileRef = 6599C5CB1EC3F15900A2F7BB /* AvailableMemory.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		AD0934331FCF406D00E85EB5 /* BCompiler.h in Headers */ = {isa = PBXBuildFile; fileRef = AD0934321FCF405000E85EB5 /* BCompiler.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		AD14AD29202529C400890E3B /* ProcessCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = AD14AD27202529A600890E3B /* ProcessCheck.h */; };
+		AD14AD2A202529C700890E3B /* ProcessCheck.mm in Sources */ = {isa = PBXBuildFile; fileRef = AD14AD28202529B000890E3B /* ProcessCheck.mm */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -289,6 +291,8 @@
 		6599C5CA1EC3F15900A2F7BB /* AvailableMemory.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AvailableMemory.cpp; path = bmalloc/AvailableMemory.cpp; sourceTree = "<group>"; };
 		6599C5CB1EC3F15900A2F7BB /* AvailableMemory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AvailableMemory.h; path = bmalloc/AvailableMemory.h; sourceTree = "<group>"; };
 		AD0934321FCF405000E85EB5 /* BCompiler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = BCompiler.h; path = bmalloc/BCompiler.h; sourceTree = "<group>"; };
+		AD14AD27202529A600890E3B /* ProcessCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ProcessCheck.h; path = bmalloc/ProcessCheck.h; sourceTree = "<group>"; };
+		AD14AD28202529B000890E3B /* ProcessCheck.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = ProcessCheck.mm; path = bmalloc/ProcessCheck.mm; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -480,6 +484,8 @@
 				144BE11E1CA346520099C8C0 /* Object.h */,
 				14105E8318E14374003A106E /* ObjectType.cpp */,
 				1485656018A43DBA00ED6942 /* ObjectType.h */,
+				AD14AD27202529A600890E3B /* ProcessCheck.h */,
+				AD14AD28202529B000890E3B /* ProcessCheck.mm */,
 				0F5BF1501F22E1570029D91D /* Scavenger.cpp */,
 				0F5BF1511F22E1570029D91D /* Scavenger.h */,
 				145F6874179DF84100D65598 /* Sizes.h */,
@@ -632,6 +638,7 @@
 				14DD78CF18F48D7500950702 /* Vector.h in Headers */,
 				14DD78D018F48D7500950702 /* VMAllocate.h in Headers */,
 				0F7EB83A1F9541B000F1ABCB /* IsoDeallocatorInlines.h in Headers */,
+				AD14AD29202529C400890E3B /* ProcessCheck.h in Headers */,
 				1400274A18F89C2300115C97 /* VMHeap.h in Headers */,
 				1440AFCB1A95261100837FAA /* Zone.h in Headers */,
 			);
@@ -765,6 +772,7 @@
 				142B44361E2839E7001DA6E9 /* DebugHeap.cpp in Sources */,
 				14895D911A3A319C0006235D /* Environment.cpp in Sources */,
 				0F7EB83F1F9541B000F1ABCB /* IsoTLSLayout.cpp in Sources */,
+				AD14AD2A202529C700890E3B /* ProcessCheck.mm in Sources */,
 				14F271C718EA3990008C152F /* Heap.cpp in Sources */,
 				0F7EB8321F9541B000F1ABCB /* IsoTLSEntry.cpp in Sources */,
 				0F74B93F1F89713E00B935D3 /* CryptoRandom.cpp in Sources */,
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to