Modified: branches/safari-612-branch/Source/WebKit/ChangeLog (286397 => 286398)
--- branches/safari-612-branch/Source/WebKit/ChangeLog 2021-12-02 00:18:08 UTC (rev 286397)
+++ branches/safari-612-branch/Source/WebKit/ChangeLog 2021-12-02 00:18:12 UTC (rev 286398)
@@ -1,5 +1,50 @@
2021-12-01 Alan Coon <[email protected]>
+ Cherry-pick r285865. rdar://problem/75139294
+
+ Do some hardening in IPC::createMessageDecoder()
+ https://bugs.webkit.org/show_bug.cgi?id=233148
+ <rdar://75139294>
+
+ Reviewed by Darin Adler.
+
+ Do more bound validation insde createMessageDecoder() to make sure we stay within
+ the bounds of our ReceiveBuffer.
+
+ Also, when the body is out of line, set `out_of_line.deallocate` to false since
+ we are taking ownership of the memory and will vm_deallocate() it ourselves.
+ Normally the sender (Connection::sendOutgoingMessage) sets that flag to false but
+ it is better not to rely on the sender setting a particular flag.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::createMessageDecoder):
+ (IPC::Connection::receiveSourceEventHandler):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@285865 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-16 Chris Dumez <[email protected]>
+
+ Do some hardening in IPC::createMessageDecoder()
+ https://bugs.webkit.org/show_bug.cgi?id=233148
+ <rdar://75139294>
+
+ Reviewed by Darin Adler.
+
+ Do more bound validation insde createMessageDecoder() to make sure we stay within
+ the bounds of our ReceiveBuffer.
+
+ Also, when the body is out of line, set `out_of_line.deallocate` to false since
+ we are taking ownership of the memory and will vm_deallocate() it ourselves.
+ Normally the sender (Connection::sendOutgoingMessage) sets that flag to false but
+ it is better not to rely on the sender setting a particular flag.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::createMessageDecoder):
+ (IPC::Connection::receiveSourceEventHandler):
+
+2021-12-01 Alan Coon <[email protected]>
+
Cherry-pick r285720. rdar://problem/83941760
WebKit is unable to recover if a WebProcess gets terminated while it is launching
Modified: branches/safari-612-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (286397 => 286398)
--- branches/safari-612-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2021-12-02 00:18:08 UTC (rev 286397)
+++ branches/safari-612-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2021-12-02 00:18:12 UTC (rev 286398)
@@ -411,8 +411,14 @@
sendOutgoingMessages();
}
-static std::unique_ptr<Decoder> createMessageDecoder(mach_msg_header_t* header)
+static std::unique_ptr<Decoder> createMessageDecoder(mach_msg_header_t* header, size_t bufferSize)
{
+ if (UNLIKELY(header->msgh_size > bufferSize)) {
+ RELEASE_LOG_FAULT(IPC, "createMessageDecoder: msgh_size is greater than bufferSize (header->msgh_size: %lu, bufferSize: %lu)", static_cast<unsigned long>(header->msgh_size), bufferSize);
+ ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+
if (!(header->msgh_bits & MACH_MSGH_BITS_COMPLEX)) {
// We have a simple message.
uint8_t* body = reinterpret_cast<uint8_t*>(header + 1);
@@ -429,9 +435,16 @@
mach_msg_body_t* body = reinterpret_cast<mach_msg_body_t*>(header + 1);
mach_msg_size_t numberOfPortDescriptors = body->msgh_descriptor_count;
ASSERT(numberOfPortDescriptors);
- if (!numberOfPortDescriptors)
+ if (UNLIKELY(!numberOfPortDescriptors))
return nullptr;
+ auto sizeWithPortDescriptors = CheckedSize { sizeof(mach_msg_header_t) + sizeof(mach_msg_body_t) } + CheckedSize { numberOfPortDescriptors } * sizeof(mach_msg_port_descriptor_t);
+ if (UNLIKELY(sizeWithPortDescriptors.hasOverflowed() || sizeWithPortDescriptors.value() > bufferSize)) {
+ RELEASE_LOG_FAULT(IPC, "createMessageDecoder: Overflow when computing sizeWithPortDescriptors (numberOfPortDescriptors: %lu)", static_cast<unsigned long>(numberOfPortDescriptors));
+ ASSERT_NOT_REACHED();
+ return nullptr;
+ }
+
uint8_t* descriptorData = reinterpret_cast<uint8_t*>(body + 1);
// If the message body was sent out-of-line, don't treat the last descriptor
@@ -448,7 +461,7 @@
if (descriptor->type.type != MACH_MSG_PORT_DESCRIPTOR)
return nullptr;
- attachments[numberOfAttachments - i - 1] = Attachment(descriptor->port.name, descriptor->port.disposition);
+ attachments[numberOfAttachments - i - 1] = Attachment { descriptor->port.name, descriptor->port.disposition };
descriptorData += sizeof(mach_msg_port_descriptor_t);
}
@@ -460,6 +473,7 @@
uint8_t* messageBody = static_cast<uint8_t*>(descriptor->out_of_line.address);
size_t messageBodySize = descriptor->out_of_line.size;
+ descriptor->out_of_line.deallocate = false; // We are taking ownership of the memory.
return Decoder::create(messageBody, messageBodySize, [](const uint8_t* buffer, size_t length) {
// FIXME: <rdar://problem/62086358> bufferDeallocator block ignores mach_msg_ool_descriptor_t->deallocate
@@ -468,10 +482,10 @@
}
uint8_t* messageBody = descriptorData;
- ASSERT(descriptorData >= reinterpret_cast<uint8_t*>(header));
- auto messageBodySize = CheckedSize { header->msgh_size } - static_cast<size_t>(descriptorData - reinterpret_cast<uint8_t*>(header));
+ ASSERT((reinterpret_cast<uint8_t*>(header) + sizeWithPortDescriptors.value()) == messageBody);
+ auto messageBodySize = header->msgh_size - sizeWithPortDescriptors;
if (UNLIKELY(messageBodySize.hasOverflowed())) {
- RELEASE_LOG_FAULT(IPC, "createMessageDecoder: Overflow when computing bodySize (header->msgh_size: %lu, (descriptorData - reinterpret_cast<uint8_t*>(header)): %lu)", static_cast<unsigned long>(header->msgh_size), static_cast<unsigned long>(descriptorData - reinterpret_cast<uint8_t*>(header)));
+ RELEASE_LOG_FAULT(IPC, "createMessageDecoder: Overflow when computing bodySize (header->msgh_size: %lu, sizeWithPortDescriptors: %lu)", static_cast<unsigned long>(header->msgh_size), static_cast<unsigned long>(sizeWithPortDescriptors.value()));
ASSERT_NOT_REACHED();
return nullptr;
}
@@ -540,7 +554,7 @@
return;
}
- std::unique_ptr<Decoder> decoder = createMessageDecoder(header);
+ std::unique_ptr<Decoder> decoder = createMessageDecoder(header, buffer.size());
if (!decoder)
return;
