Diff
Modified: trunk/Source/WebKit/ChangeLog (230044 => 230045)
--- trunk/Source/WebKit/ChangeLog 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKit/ChangeLog 2018-03-28 20:43:10 UTC (rev 230045)
@@ -1,3 +1,20 @@
+2018-03-28 Brent Fulgham <[email protected]>
+
+ Protect against invalid mach ports returned by mach_port_request_notification
+ https://bugs.webkit.org/show_bug.cgi?id=184106
+ <rdar://problem/37865316>
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/Connection.h:
+ (IPC::Connection::Identifier::Identifier): Use default initializer syntax.
+ * Platform/IPC/mac/ConnectionMac.mm:
+ (IPC::Connection::open): Drive-by-fix: Include formatted mach error message in logging.
+ (IPC::Connection::receiveSourceEventHandler): Check return value from 'mach_port_request_notification'
+ and clean up if it experienced an error.
+ * UIProcess/Launcher/mac/ProcessLauncherMac.mm:
+ (WebKit::ProcessLauncher::launchProcess): Ditto.
+
2018-03-28 Dean Jackson <[email protected]>
WKWebViewContentProvider shouldn't be a UIScrollViewDelegate
Modified: trunk/Source/WebKit/Platform/IPC/Connection.h (230044 => 230045)
--- trunk/Source/WebKit/Platform/IPC/Connection.h 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKit/Platform/IPC/Connection.h 2018-03-28 20:43:10 UTC (rev 230045)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
* Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
* Portions Copyright (c) 2010 Motorola Mobility, Inc. All rights reserved.
* Copyright (C) 2017 Sony Interactive Entertainment Inc.
@@ -116,7 +116,6 @@
#elif OS(DARWIN)
struct Identifier {
Identifier()
- : port(MACH_PORT_NULL)
{
}
@@ -131,7 +130,7 @@
{
}
- mach_port_t port;
+ mach_port_t port { MACH_PORT_NULL };
OSObjectPtr<xpc_connection_t> xpcConnection;
};
static bool identifierIsNull(Identifier identifier) { return identifier.port == MACH_PORT_NULL; }
Modified: trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm (230044 => 230045)
--- trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm 2018-03-28 20:43:10 UTC (rev 230045)
@@ -186,7 +186,7 @@
auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &m_receivePort);
if (kr != KERN_SUCCESS) {
- LOG_ERROR("Could not allocate mach port, error %x", kr);
+ LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
CRASH();
}
#if !PLATFORM(WATCHOS)
@@ -533,7 +533,13 @@
if (m_sendPort) {
mach_port_t previousNotificationPort = MACH_PORT_NULL;
- mach_port_request_notification(mach_task_self(), m_receivePort, MACH_NOTIFY_NO_SENDERS, 0, MACH_PORT_NULL, MACH_MSG_TYPE_MOVE_SEND_ONCE, &previousNotificationPort);
+ auto kr = mach_port_request_notification(mach_task_self(), m_receivePort, MACH_NOTIFY_NO_SENDERS, 0, MACH_PORT_NULL, MACH_MSG_TYPE_MOVE_SEND_ONCE, &previousNotificationPort);
+ ASSERT(kr == KERN_SUCCESS);
+ if (kr != KERN_SUCCESS) {
+ // If mach_port_request_notification fails, 'previousNotificationPort' will be uninitialized.
+ LOG_ERROR("mach_port_request_notification failed: (%x) %s", kr, mach_error_string(kr));
+ previousNotificationPort = MACH_PORT_NULL;
+ }
if (previousNotificationPort != MACH_PORT_NULL)
mach_port_deallocate(mach_task_self(), previousNotificationPort);
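Review bot: The comment added in the failure branch says 'previousNotificationPort' will be uninitialized, but the variable is set to MACH_PORT_NULL at its declaration just above the call. What the branch guards against is presumably the call leaving some other value in the out-parameter on failure, which would then reach `mach_port_deallocate` and could drop a right on an unrelated port name. I would reword it to say that, e.g. `// On failure the out-parameter's contents are not guaranteed; reset it so we never deallocate an unrelated port name.` The same comment text is repeated in the ProcessLauncherMac.mm and NetscapePluginHostProxy.mm hunks. The enclosing function starts and ends outside this hunk.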
Modified: trunk/Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm (230044 => 230045)
--- trunk/Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm 2018-03-28 20:43:10 UTC (rev 230045)
@@ -153,7 +153,7 @@
mach_port_t listeningPort = MACH_PORT_NULL;
auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &listeningPort);
if (kr != KERN_SUCCESS) {
- LOG_ERROR("Could not allocate mach port, error %x", kr);
+ LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
CRASH();
}
@@ -160,9 +160,14 @@
// Insert a send right so we can send to it.
mach_port_insert_right(mach_task_self(), listeningPort, listeningPort, MACH_MSG_TYPE_MAKE_SEND);
- mach_port_t previousNotificationPort;
- mach_port_request_notification(mach_task_self(), listeningPort, MACH_NOTIFY_NO_SENDERS, 0, listeningPort, MACH_MSG_TYPE_MAKE_SEND_ONCE, &previousNotificationPort);
+ mach_port_t previousNotificationPort = MACH_PORT_NULL;
+ auto mc = mach_port_request_notification(mach_task_self(), listeningPort, MACH_NOTIFY_NO_SENDERS, 0, listeningPort, MACH_MSG_TYPE_MAKE_SEND_ONCE, &previousNotificationPort);
ASSERT(!previousNotificationPort);
+ ASSERT(mc == KERN_SUCCESS);
+ if (mc != KERN_SUCCESS) {
+ // If mach_port_request_notification fails, 'previousNotificationPort' will be uninitialized.
+ LOG_ERROR("mach_port_request_notification failed: (%x) %s", mc, mach_error_string(mc));
+ }
String clientIdentifier;
#if PLATFORM(MAC)
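Review bot: `ASSERT(!previousNotificationPort)` still runs before the new `ASSERT(mc == KERN_SUCCESS)`, so in a debug build a failed call that left a value in the out-parameter trips the port assertion first and the return code is never reported. Checking `mc` before asserting on the port would make the failure diagnosable. The failure branch here also only logs: unlike the ConnectionMac.mm hunk it does not reset the variable with `previousNotificationPort = MACH_PORT_NULL;`, although its comment says the value cannot be trusted. Whether the variable is read later in launchProcess is not visible in this hunk. The NetscapePluginHostProxy.mm constructor hunk has the same ordering, with `ASSERT(previous == MACH_PORT_NULL)` ahead of the `kr` check.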
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (230044 => 230045)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2018-03-28 20:43:10 UTC (rev 230045)
@@ -1,5 +1,18 @@
2018-03-28 Brent Fulgham <[email protected]>
+ Protect against invalid mach ports returned by mach_port_request_notification
+ https://bugs.webkit.org/show_bug.cgi?id=184106
+ <rdar://problem/37865316>
+
+ Reviewed by Chris Dumez.
+
+ * Plugins/Hosted/NetscapePluginHostProxy.mm:
+ (WebKit::NetscapePluginHostProxy::NetscapePluginHostProxy): Check return value from 'mach_port_request_notification'
+ and clean up if it experienced an error.
+ (WebKit::NetscapePluginHostProxy::processRequests): Drive-by-fix: Include formatted mach error message in logging.
+
+2018-03-28 Brent Fulgham <[email protected]>
+
Avoid uninitialized mach ports
https://bugs.webkit.org/show_bug.cgi?id=184090
<rdar://problem/37261129>
Modified: trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginHostProxy.mm (230044 => 230045)
--- trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginHostProxy.mm 2018-03-28 20:36:03 UTC (rev 230044)
+++ trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginHostProxy.mm 2018-03-28 20:43:10 UTC (rev 230045)
@@ -111,10 +111,16 @@
m_deadNameNotificationPort = adoptCF(CFMachPortCreate(0, deadNameNotificationCallback, &context, 0));
mach_port_t previous = MACH_PORT_NULL;
- mach_port_request_notification(mach_task_self(), pluginHostPort, MACH_NOTIFY_DEAD_NAME, 0,
- CFMachPortGetPort(m_deadNameNotificationPort.get()), MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
+ auto kr = mach_port_request_notification(mach_task_self(), pluginHostPort, MACH_NOTIFY_DEAD_NAME, 0,
+ CFMachPortGetPort(m_deadNameNotificationPort.get()), MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
ASSERT(previous == MACH_PORT_NULL);
-
+ ASSERT(kr == KERN_SUCCESS);
+ if (kr != KERN_SUCCESS) {
+ // If mach_port_request_notification fails, 'previous' will be uninitialized.
+ LOG_ERROR("mach_port_request_notification failed: (%x) %s", kr, mach_error_string(kr));
+ previous = MACH_PORT_NULL;
+ }
+
RetainPtr<CFRunLoopSourceRef> deathPortSource = adoptCF(CFMachPortCreateRunLoopSource(0, m_deadNameNotificationPort.get(), 0));
CFRunLoopAddSource(CFRunLoopGetCurrent(), deathPortSource.get(), kCFRunLoopDefaultMode);
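Review bot: When `mach_port_request_notification` fails, the constructor still creates and adds the run loop source for `m_deadNameNotificationPort`, although no dead-name notification was registered for `pluginHostPort`. In a release build the only trace is the LOG_ERROR line, and the death callback will presumably never fire for this host. If continuing is intended, a comment in the failure branch should say so, e.g. `// Continue without a dead-name notification; host death will not be observed through this port.` Otherwise the failure needs handling beyond resetting `previous`. The constructor body continues outside this hunk, so later handling may exist that is not visible here.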
@@ -284,7 +290,7 @@
if (!m_portSet) {
auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_PORT_SET, &m_portSet);
if (kr != KERN_SUCCESS) {
- LOG_ERROR("Could not allocate mach port, error %x", kr);
+ LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
CRASH();
}
mach_port_insert_member(mach_task_self(), m_clientPort, m_portSet);
@@ -298,7 +304,7 @@
kern_return_t kr = mach_msg(msg, MACH_RCV_MSG, 0, sizeof(buffer), m_portSet, 0, MACH_PORT_NULL);
if (kr != KERN_SUCCESS) {
- LOG_ERROR("Could not receive mach message, error %x", kr);
+ LOG_ERROR("Could not receive mach message, error %x: %s", kr, mach_error_string(kr));
s_processingRequests--;
return false;
}
@@ -311,7 +317,7 @@
kr = mach_msg(replyHeader, MACH_SEND_MSG, replyHeader->msgh_size, 0, MACH_PORT_NULL, 0, MACH_PORT_NULL);
if (kr != KERN_SUCCESS) {
- LOG_ERROR("Could not send mach message, error %x", kr);
+ LOG_ERROR("Could not send mach message, error %x: %s", kr, mach_error_string(kr));
s_processingRequests--;
return false;
}