Title: [261515] branches/safari-609-branch/Source/WebKit
- Revision: 261515
- Author: [email protected]
- Date: 2020-05-11 17:21:39 -0700 (Mon, 11 May 2020)
Log Message
Cherry-pick r260229. rdar://problem/62978244
Re-land: [IPC Hardening] MachMessage::create() should use checked arithmetic
<https://webkit.org/b/210572>
<rdar://problem/61729947>
Reviewed by Chris Dumez.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::sendOutgoingMessage):
- Add nullptr check since MachMessage::create() can return an
empty std::unique_ptr<> now.
* Platform/IPC/cocoa/MachMessage.cpp:
(IPC::MachMessage::create):
- Use CheckedSize to compute the buffer size.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@260229 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (261514 => 261515)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:21:37 UTC (rev 261514)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:21:39 UTC (rev 261515)
@@ -1,5 +1,41 @@
2020-05-07 Russell Epstein <[email protected]>
+ Cherry-pick r260229. rdar://problem/62978244
+
+ Re-land: [IPC Hardening] MachMessage::create() should use checked arithmetic
+ <https://webkit.org/b/210572>
+ <rdar://problem/61729947>
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::sendOutgoingMessage):
+ - Add nullptr check since MachMessage::create() can return an
+ empty std::unique_ptr<> now.
+ * Platform/IPC/cocoa/MachMessage.cpp:
+ (IPC::MachMessage::create):
+ - Use CheckedSize to compute the buffer size.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@260229 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-04-16 David Kilzer <[email protected]>
+
+ Re-land: [IPC Hardening] MachMessage::create() should use checked arithmetic
+ <https://webkit.org/b/210572>
+ <rdar://problem/61729947>
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::sendOutgoingMessage):
+ - Add nullptr check since MachMessage::create() can return an
+ empty std::unique_ptr<> now.
+ * Platform/IPC/cocoa/MachMessage.cpp:
+ (IPC::MachMessage::create):
+ - Use CheckedSize to compute the buffer size.
+
+2020-05-07 Russell Epstein <[email protected]>
+
Apply patch. rdar://problem/62977667
2020-05-07 Alex Christensen <[email protected]>
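Review bot: The ChangeLog entry is titled "Re-land" but does not say why the first landing was backed out or what differs in this version. A one-line note in the entry (for example, which failure prompted the revert and how this revision avoids it) would let someone reading the branch history judge whether the cherry-pick carries the same risk. The entry also omits that `sendOutgoingMessage` now has a new early `return false` path, which is a behaviour change callers may care about.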
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (261514 => 261515)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-12 00:21:37 UTC (rev 261514)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-12 00:21:39 UTC (rev 261515)
@@ -303,6 +303,8 @@
}
auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), messageSize);
+ if (!message)
+ return false;
auto* header = message->header();
header->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
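Review bot: The new `if (!message) return false;` path drops the outgoing message silently. Nothing is logged and nothing distinguishes "size computation overflowed" from any other reason this function returns false. Since the only way `MachMessage::create()` returns null here is an overflowed `messageSize`, which should never happen for a well-formed encoder, consider adding a release log or assertion before the return so the condition is visible in the field, and a short comment stating what the caller does with `false` in this case (retry, queue, or treat the connection as failed).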
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp (261514 => 261515)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-05-12 00:21:37 UTC (rev 261514)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-05-12 00:21:39 UTC (rev 261515)
@@ -34,7 +34,10 @@
std::unique_ptr<MachMessage> MachMessage::create(CString&& messageReceiverName, CString&& messageName, size_t size)
{
- void* memory = WTF::fastZeroedMalloc(sizeof(MachMessage) + size);
+ auto bufferSize = CheckedSize(sizeof(MachMessage)) + size;
+ if (bufferSize.hasOverflowed())
+ return nullptr;
+ void* memory = WTF::fastZeroedMalloc(bufferSize.unsafeGet());
return std::unique_ptr<MachMessage> { new (NotNull, memory) MachMessage { WTFMove(messageReceiverName), WTFMove(messageName), size } };
}
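Review bot: The `bufferSize.hasOverflowed()` check covers only the `sizeof(MachMessage) + size` addition, so a very large `size` that does not wrap still goes straight to `WTF::fastZeroedMalloc(bufferSize.unsafeGet())` with no upper bound. If there is a maximum sensible message size, checking it here would make the hardening complete. Separately, `create()` can now return an empty `std::unique_ptr`, but the visible patch updates only one call site and the function carries no comment about the null return. Please document the null return at the declaration and confirm every other caller checks the result before calling `message->header()` or similar.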