Title: [265762] branches/safari-610.1-branch/Source/WebKit
Revision
265762
Author
[email protected]
Date
2020-08-17 12:00:05 -0700 (Mon, 17 Aug 2020)

Log Message

Cherry-pick r265638. rdar://problem/67260815

    Create SharedMemory::IPCHandle object to validate the size of SharedMemory::Handle objects sent over IPC
    https://bugs.webkit.org/show_bug.cgi?id=215288
    <rdar://problem/60870795>

    Reviewed by David Kilzer.

    Part 1 of a multi-patch plan to convert all SharedMemory::Handle
    objects being sent over IPC to use SharedMemory::IPCHandle objects instead.

    * Platform/SharedMemory.h:
    (WebKit::SharedMemory::IPCHandle::IPCHandle):
    * Platform/cocoa/SharedMemoryCocoa.cpp:
    (WebKit::SharedMemory::IPCHandle::encode const):
    (WebKit::SharedMemory::IPCHandle::decode):
    Validate the size of the data sent in the IPCHandle::decode()
    function.
    * Platform/unix/SharedMemoryUnix.cpp:
    (WebKit::SharedMemory::IPCHandle::encode const):
    (WebKit::SharedMemory::IPCHandle::decode):
    * Platform/win/SharedMemoryWin.cpp:
    Implement IPCHandle encode and decode for all platforms for when we remove
    SharedMemory::Handle encode/decode functions.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265638 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-610.1-branch/Source/WebKit/ChangeLog (265761 => 265762)


--- branches/safari-610.1-branch/Source/WebKit/ChangeLog	2020-08-17 17:51:50 UTC (rev 265761)
+++ branches/safari-610.1-branch/Source/WebKit/ChangeLog	2020-08-17 19:00:05 UTC (rev 265762)
@@ -1,3 +1,58 @@
+2020-08-17  Russell Epstein  <[email protected]>
+
+        Cherry-pick r265638. rdar://problem/67260815
+
+    Create SharedMemory::IPCHandle object to validate the size of SharedMemory::Handle objects sent over IPC
+    https://bugs.webkit.org/show_bug.cgi?id=215288
+    <rdar://problem/60870795>
+    
+    Reviewed by David Kilzer.
+    
+    Part 1 of a multi-patch plan to convert all SharedMemory::Handle
+    objects being sent over IPC to use SharedMemory::IPCHandle objects instead.
+    
+    * Platform/SharedMemory.h:
+    (WebKit::SharedMemory::IPCHandle::IPCHandle):
+    * Platform/cocoa/SharedMemoryCocoa.cpp:
+    (WebKit::SharedMemory::IPCHandle::encode const):
+    (WebKit::SharedMemory::IPCHandle::decode):
+    Validate the size of the data sent in the IPCHandle::decode()
+    function.
+    * Platform/unix/SharedMemoryUnix.cpp:
+    (WebKit::SharedMemory::IPCHandle::encode const):
+    (WebKit::SharedMemory::IPCHandle::decode):
+    * Platform/win/SharedMemoryWin.cpp:
+    Implement IPCHandle encode and decode for all platforms for when we remove
+    SharedMemory::Handle encode/decode functions.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265638 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-08-13  Kate Cheney  <[email protected]>
+
+            Create SharedMemory::IPCHandle object to validate the size of SharedMemory::Handle objects sent over IPC
+            https://bugs.webkit.org/show_bug.cgi?id=215288
+            <rdar://problem/60870795>
+
+            Reviewed by David Kilzer.
+
+            Part 1 of a multi-patch plan to convert all SharedMemory::Handle
+            objects being sent over IPC to use SharedMemory::IPCHandle objects instead.
+
+            * Platform/SharedMemory.h:
+            (WebKit::SharedMemory::IPCHandle::IPCHandle):
+            * Platform/cocoa/SharedMemoryCocoa.cpp:
+            (WebKit::SharedMemory::IPCHandle::encode const):
+            (WebKit::SharedMemory::IPCHandle::decode):
+            Validate the size of the data sent in the IPCHandle::decode()
+            function.
+            * Platform/unix/SharedMemoryUnix.cpp:
+            (WebKit::SharedMemory::IPCHandle::encode const):
+            (WebKit::SharedMemory::IPCHandle::decode):
+            * Platform/win/SharedMemoryWin.cpp:
+            Implement IPCHandle encode and decode for all platforms for when we remove
+            SharedMemory::Handle encode/decode functions.
+
 2020-08-14  Alan Coon  <[email protected]>
 
         Cherry-pick r265702. rdar://problem/67106079

Modified: branches/safari-610.1-branch/Source/WebKit/Platform/SharedMemory.h (265761 => 265762)


--- branches/safari-610.1-branch/Source/WebKit/Platform/SharedMemory.h	2020-08-17 17:51:50 UTC (rev 265761)
+++ branches/safari-610.1-branch/Source/WebKit/Platform/SharedMemory.h	2020-08-17 19:00:05 UTC (rev 265762)
@@ -103,6 +103,20 @@
 #endif
     };
 
+    struct IPCHandle {
+        IPCHandle() = default;
+        IPCHandle(Handle&& handle, uint64_t dataSize)
+            : handle(WTFMove(handle))
+            , dataSize(dataSize)
+        {
+        }
+        void encode(IPC::Encoder&) const;
+        static WARN_UNUSED_RETURN bool decode(IPC::Decoder&, IPCHandle&);
+
+        Handle handle;
+        uint64_t dataSize { 0 };
+    };
+
     static RefPtr<SharedMemory> allocate(size_t);
     static RefPtr<SharedMemory> create(void*, size_t, Protection);
     static RefPtr<SharedMemory> copyBuffer(const WebCore::SharedBuffer&);
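Review bot: The new IPCHandle struct carries no comment on the relationship between `handle` and `dataSize`, which is the whole reason the type exists; a reader of the header cannot tell that dataSize is the sender's claim of how many bytes are meaningful, that it must not exceed the handle's mapping size, or that decode() is where that is enforced. Suggest a header comment above the struct, `// Pairs a Handle with the byte count the sender claims is valid; decode() rejects a dataSize larger than the handle's (page-rounded) size, so callers can trust dataSize after a successful decode.`, and on the member `uint64_t dataSize { 0 }; // meaningful bytes, <= handle.size() once decoded`. It is also worth noting on the two-argument constructor that the Handle is moved from, since callers presumably cannot use the source Handle afterwards.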

Modified: branches/safari-610.1-branch/Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp (265761 => 265762)


--- branches/safari-610.1-branch/Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp	2020-08-17 17:51:50 UTC (rev 265761)
+++ branches/safari-610.1-branch/Source/WebKit/Platform/cocoa/SharedMemoryCocoa.cpp	2020-08-17 19:00:05 UTC (rev 265762)
@@ -113,6 +113,44 @@
     return true;
 }
 
+void SharedMemory::IPCHandle::encode(IPC::Encoder& encoder) const
+{
+    encoder << static_cast<uint64_t>(handle.m_size);
+    encoder << dataSize;
+    encoder << IPC::MachPort(handle.m_port, MACH_MSG_TYPE_MOVE_SEND);
+    handle.m_port = MACH_PORT_NULL;
+}
+
+bool SharedMemory::IPCHandle::decode(IPC::Decoder& decoder, IPCHandle& ipcHandle)
+{
+    ASSERT(!ipcHandle.handle.m_port);
+    ASSERT(!ipcHandle.handle.m_size);
+
+    SharedMemory::Handle handle;
+
+    uint64_t bufferSize;
+    if (!decoder.decode(bufferSize))
+        return false;
+
+    uint64_t dataLength;
+    if (!decoder.decode(dataLength))
+        return false;
+
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    if (dataLength > bufferSize)
+        return false;
+
+    IPC::MachPort machPort;
+    if (!decoder.decode(machPort))
+        return false;
+    
+    handle.m_size = bufferSize;
+    handle.m_port = machPort.port();
+    ipcHandle.handle = WTFMove(handle);
+    ipcHandle.dataSize = dataLength;
+    return true;
+}
+
 static inline void* toPointer(mach_vm_address_t address)
 {
     return reinterpret_cast<void*>(static_cast<uintptr_t>(address));
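Review bot: The size check at `if (dataLength > bufferSize)` only compares two sender-supplied integers with each other; neither value is checked against the actual size of the memory object behind machPort, so a compromised sender can still send a consistent but oversized pair and the real bound has to be enforced wherever the port is mapped (outside this hunk). Given the comment that the handle size is always rounded up to a page, it would also be cheap to reject a zero or non-page-multiple bufferSize here, e.g. `if (!bufferSize || bufferSize % pageSize) return false;` using whatever page-size helper the allocation side uses — confirm that rounding is guaranteed before adding it. When decode returns false after the size check, the send right is still sitting in the message; presumably the decoder's failure path destroys unconsumed attachments, but that is worth confirming since a leaked right would keep the sender's memory alive.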

Modified: branches/safari-610.1-branch/Source/WebKit/Platform/unix/SharedMemoryUnix.cpp (265761 => 265762)


--- branches/safari-610.1-branch/Source/WebKit/Platform/unix/SharedMemoryUnix.cpp	2020-08-17 17:51:50 UTC (rev 265761)
+++ branches/safari-610.1-branch/Source/WebKit/Platform/unix/SharedMemoryUnix.cpp	2020-08-17 19:00:05 UTC (rev 265762)
@@ -72,6 +72,22 @@
     return m_attachment.fileDescriptor() == -1;
 }
 
+void SharedMemory::IPCHandle::encode(IPC::Encoder& encoder) const
+{
+    encoder << handle.releaseAttachment();
+}
+
+bool SharedMemory::IPCHandle::decode(IPC::Decoder& decoder, IPCHandle& ipcHandle)
+{
+    ASSERT_ARG(ipcHandle.handle, ipcHandle.handle.isNull());
+    IPC::Attachment attachment;
+    if (!decoder.decode(attachment))
+        return false;
+
+    ipcHandle.handle.adoptAttachment(WTFMove(attachment));
+    return true;
+}
+
 void SharedMemory::Handle::encode(IPC::Encoder& encoder) const
 {
     encoder << releaseAttachment();
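Review bot: The Unix implementation drops dataSize entirely: encode() never writes it and decode() leaves ipcHandle.dataSize at its default of 0, so the validation this change introduces for Cocoa and Windows does not exist on the Unix ports, and any later caller that trusts ipcHandle.dataSize there will read 0. The wire format should match the other platforms: encode dataSize ahead of the attachment, decode it, and reject it if it exceeds the size the attachment reports (IPC::Attachment on this platform appears to carry the mapped size for file-descriptor attachments — confirm the accessor). The existing Handle::encode/decode pair can stay untouched, as the changelog intends.

```cpp
void SharedMemory::IPCHandle::encode(IPC::Encoder& encoder) const
{
    encoder << dataSize;
    encoder << handle.releaseAttachment();
}

bool SharedMemory::IPCHandle::decode(IPC::Decoder& decoder, IPCHandle& ipcHandle)
{
    ASSERT_ARG(ipcHandle.handle, ipcHandle.handle.isNull());

    uint64_t dataLength;
    if (!decoder.decode(dataLength))
        return false;

    IPC::Attachment attachment;
    if (!decoder.decode(attachment))
        return false;

    // Reject a claimed data size larger than the memory actually shared.
    if (dataLength > attachment.size())
        return false;

    ipcHandle.handle.adoptAttachment(WTFMove(attachment));
    ipcHandle.dataSize = dataLength;
    return true;
}
```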

Modified: branches/safari-610.1-branch/Source/WebKit/Platform/win/SharedMemoryWin.cpp (265761 => 265762)


--- branches/safari-610.1-branch/Source/WebKit/Platform/win/SharedMemoryWin.cpp	2020-08-17 17:51:50 UTC (rev 265761)
+++ branches/safari-610.1-branch/Source/WebKit/Platform/win/SharedMemoryWin.cpp	2020-08-17 19:00:05 UTC (rev 265762)
@@ -62,6 +62,47 @@
     return !m_handle;
 }
 
+void SharedMemory::IPCHandle::encode(IPC::Encoder& encoder) const
+{
+    encoder << static_cast<uint64_t>(handle.m_size);
+    encoder << dataSize;
+    handle.encodeHandle(encoder, handle.m_handle);
+
+    // Hand off ownership of our HANDLE to the receiving process. It will close it for us.
+    // FIXME: If the receiving process crashes before it receives the memory, the memory will be
+    // leaked. See <http://webkit.org/b/47502>.
+    handle.m_handle = 0;
+}
+
+bool SharedMemory::IPCHandle::decode(IPC::Decoder& decoder, IPCHandle& ipcHandle)
+{
+    ASSERT_ARG(ipcHandle, !ipcHandle.handle.m_handle);
+    ASSERT_ARG(ipcHandle, !ipcHandle.handle.m_size);
+
+    SharedMemory::Handle handle;
+
+    uint64_t bufferSize;
+    if (!decoder.decode(bufferSize))
+        return false;
+
+    uint64_t dataLength;
+    if (!decoder.decode(dataLength))
+        return false;
+    
+    if (dataLength != bufferSize)
+        return false;
+    
+    auto processSpecificHandle = handle.decodeHandle(decoder);
+    if (!processSpecificHandle)
+        return false;
+
+    handle.m_handle = processSpecificHandle.value();
+    handle.m_size = bufferSize;
+    ipcHandle.handle = WTFMove(handle);
+    ipcHandle.dataSize = dataLength;
+    return true;
+}
+
 void SharedMemory::Handle::encode(IPC::Encoder& encoder) const
 {
     encoder << static_cast<uint64_t>(m_size);
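Review bot: decode() rejects the message unless `dataLength != bufferSize` is false, i.e. exact equality, whereas the Cocoa version accepts any dataLength not larger than bufferSize; once callers start sending the number of meaningful bytes rather than the allocation size, Windows will drop otherwise-valid messages, or the two platforms will be validating different properties. Either align it with the Cocoa check, `if (dataLength > bufferSize) return false;`, or document why equality is required here, e.g. `// m_size on Windows is the exact requested size, not page-rounded, so the two must match.` — whether m_size is rounded on this platform is not visible in the hunk, so confirm before choosing. As on Cocoa, neither value is checked against the real size of the section behind the HANDLE, so the code that maps the view must still bound it. Handle::encode at the end of the hunk continues outside it.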