Title: [279106] trunk/Source/WebKit
- Revision: 279106
- Author: [email protected]
- Date: 2021-06-22 00:42:05 -0700 (Tue, 22 Jun 2021)
Log Message
[Cocoa] Force a copy of font data when receiving it from the untrusted web process
https://bugs.webkit.org/show_bug.cgi?id=227247
<rdar://problem/70825675>
Reviewed by Maciej Stachowiak.
Sending a SharedBuffer across IPC is implemented by having the receiver map a shmem into its address space. On
the sender's side, the shmem still exists, and a compromised web process could scribble data into it after
sending it. So, when the GPU process receives the font data, we need to make a copy of it locally to make sure
the data can't change out from under us.
No new tests because there is no behavior change.
* Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:
(IPC::ArgumentCoder<Ref<WebCore::Font>>::decodePlatformData):
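The log message describes the hazard in general terms: the receiver maps a shmem page that the sender still has mapped, so any check the receiver performs on the bytes can be invalidated by the sender before the bytes are used. The following added example (not WebKit code; it is a constructed C++ model in which a `std::vector` stands in for the mapped region and a callback stands in for the compromised sender) contrasts a receiver that aliases the shared region with one that snapshots it on receipt, as the patch does with `SharedBuffer::create(data, size)`. The names `SharedRegion`, `ReceivedBuffer`, `receive`, `readAtValidatedOffset` and `demo` are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

// Constructed stand-in for an IPC shared-memory region. The sender keeps a
// reference to it after "sending", just as the shmem stays mapped on the
// sender's side in the WebKit case described above.
using SharedRegion = std::vector<uint8_t>;

// What the receiver holds after decoding: either an alias of the mapped
// region (the pre-patch situation) or a private copy (what the patch does).
struct ReceivedBuffer {
    const uint8_t* alias = nullptr;
    size_t aliasSize = 0;
    std::vector<uint8_t> owned;
    bool copied = false;

    const uint8_t* data() const { return copied ? owned.data() : alias; }
    size_t size() const { return copied ? owned.size() : aliasSize; }
};

// Receiver-side decode. copyOnReceipt=true models the patch: the region is
// read exactly once, after which the sender cannot influence what the
// receiver sees. copyOnReceipt=false models aliasing the mapped memory.
ReceivedBuffer receive(const SharedRegion& region, bool copyOnReceipt) {
    ReceivedBuffer b;
    if (copyOnReceipt) {
        b.owned.assign(region.begin(), region.end());
        b.copied = true;
    } else {
        b.alias = region.data();
        b.aliasSize = region.size();
    }
    return b;
}

// Toy record layout (constructed): byte 0 is an offset, bytes 1.. are payload.
// The parser validates the offset against the size, then dereferences it
// (check-then-use). `senderScribbles` runs between the check and the use,
// modelling a compromised sender rewriting the still-mapped region.
// Returns the payload byte on success, -1 if validation rejects the record,
// or -2 if the use step finds the re-fetched offset out of bounds, i.e. the
// earlier check was invalidated. The -2 path stands in for the out-of-bounds
// read a real parser would otherwise perform.
int readAtValidatedOffset(const ReceivedBuffer& buf,
                          const std::function<void()>& senderScribbles) {
    if (buf.size() < 2)
        return -1;
    size_t offset = buf.data()[0];
    if (offset < 1 || offset >= buf.size())
        return -1;                        // validation of the untrusted field
    senderScribbles();                    // race window while the page is shared
    size_t offsetNow = buf.data()[0];     // typical double fetch during use
    if (offsetNow >= buf.size())
        return -2;
    return buf.data()[offsetNow];
}

// Run both receiver strategies against the same sender behaviour.
int demo(bool copyOnReceipt) {
    SharedRegion region = {2, 0xAA, 0xBB};        // constructed: offset 2 -> 0xBB
    ReceivedBuffer buf = receive(region, copyOnReceipt);
    auto scribble = [&region] { region[0] = 200; };  // sender moves the offset past the end
    return readAtValidatedOffset(buf, scribble);
}
```

With aliasing, `demo(false)` returns -2: the offset validated a moment earlier no longer holds. With the copy, `demo(true)` returns 0xBB because the sender's write lands in memory the receiver no longer reads. The cost of the defence is one extra copy of the font data per decode, which is why the patch applies it at the trust boundary (decode) rather than at every use.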
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (279105 => 279106)
--- trunk/Source/WebKit/ChangeLog 2021-06-22 06:41:14 UTC (rev 279105)
+++ trunk/Source/WebKit/ChangeLog 2021-06-22 07:42:05 UTC (rev 279106)
@@ -1,3 +1,21 @@
+2021-06-22 Myles C. Maxfield <[email protected]>
+
+ [Cocoa] Force a copy of font data when receiving it from the untrusted web process
+ https://bugs.webkit.org/show_bug.cgi?id=227247
+ <rdar://problem/70825675>
+
+ Reviewed by Maciej Stachowiak.
+
+ Sending a SharedBuffer across IPC is implemented by having the receiver map a shmem into its address space. On
+ the sender's side, the shmem still exists, and a compromised web process could scribble data into it after
+ sending it. So, when the GPU process receives the font data, we need to make a copy of it locally to make sure
+ the data can't change out from under us.
+
+ No new tests because there is no behavior change.
+
+ * Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:
+ (IPC::ArgumentCoder<Ref<WebCore::Font>>::decodePlatformData):
+
2021-06-21 Said Abou-Hallawa <[email protected]>
[GPU Process] RELEASE_ASSERT in RemoteResourceCacheProxy::didFinalizeRenderingUpdate() may fire if GPUP is relaunched
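Review bot: The entry's "No new tests because there is no behavior change" undersells what can be checked here; the property the change introduces, that the decoded font data no longer aliases sender-controlled memory, is testable at the IPC layer by decoding a Font whose buffer arrived via shared memory, mutating the sender's mapping afterwards, and asserting the decoded font's bytes are unchanged. Consider adding such a test, or at least stating in the entry why one is not practical.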
Modified: trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm (279105 => 279106)
--- trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm 2021-06-22 06:41:14 UTC (rev 279105)
+++ trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm 2021-06-22 07:42:05 UTC (rev 279106)
@@ -541,12 +541,15 @@
if (!fontFaceData)
return std::nullopt;
+ // Upon receipt, copy the data for security, so the sender can't scribble over it while we're using it.
+ auto localFontFaceData = WebCore::SharedBuffer::create(fontFaceData.value()->data(), fontFaceData.value()->size());
+
std::optional<String> itemInCollection;
decoder >> itemInCollection;
if (!itemInCollection)
return std::nullopt;
- auto fontCustomPlatformData = createFontCustomPlatformData(*fontFaceData, *itemInCollection);
+ auto fontCustomPlatformData = createFontCustomPlatformData(localFontFaceData, *itemInCollection);
if (!fontCustomPlatformData)
return std::nullopt;
auto baseFontDescriptor = fontCustomPlatformData->fontDescriptor.get();
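Review bot: The copy is taken before any field of the font data is inspected, which is the right order, but `fontFaceData` stays in scope below this point and still aliases the mapped memory, so future code in this function could reintroduce the double fetch by using `*fontFaceData` (the next hunk shows one such use that had to be converted). Consider narrowing its scope, for example by decoding and copying inside a block or a small helper that returns only `localFontFaceData`, so the aliasing `Ref` is unreachable after the copy. The comment on the `SharedBuffer::create(...)` line could also say that this is the single read of the shared region and that everything below must use the local copy.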
@@ -555,7 +558,7 @@
auto fontDescriptor = adoptCF(CTFontDescriptorCreateCopyWithAttributes(baseFontDescriptor, attributes->get()));
auto ctFont = adoptCF(CTFontCreateWithFontDescriptor(fontDescriptor.get(), *size, nullptr));
- auto creationData = WebCore::FontPlatformData::CreationData { *fontFaceData, *itemInCollection };
+ auto creationData = WebCore::FontPlatformData::CreationData { localFontFaceData, *itemInCollection };
return WebCore::FontPlatformData(ctFont.get(), *size, *syntheticBold, *syntheticOblique, *orientation, *widthVariant, *textRenderingMode, &creationData);
}
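Review bot: `creationData` is now built from `localFontFaceData`, which is correct, but both are locals and the constructor receives `&creationData`; the fix is only complete if `FontPlatformData` copies the `CreationData` (taking its own reference on the buffer) rather than retaining the pointer, since `localFontFaceData` goes out of scope at `return`. A short comment on the `return` line stating that the constructor copies it would save the next reader from re-deriving that.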