Title: [256084] trunk/Source/WebKit
Revision
256084
Author
cdu...@apple.com
Date
2020-02-07 16:52:41 -0800 (Fri, 07 Feb 2020)

Log Message

[IPC Hardening] Protect against bad parameters in WebProcessProxy::getPluginProcessConnection()
https://bugs.webkit.org/show_bug.cgi?id=207416
<rdar://problem/58617244>

Reviewed by David Kilzer.

* UIProcess/Plugins/PluginProcessManager.cpp:
(WebKit::PluginProcessManager::getPluginProcessConnection):
* UIProcess/Plugins/PluginProcessManager.h:
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::getPluginProcessConnection):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (256083 => 256084)


--- trunk/Source/WebKit/ChangeLog	2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/ChangeLog	2020-02-08 00:52:41 UTC (rev 256084)
@@ -1,5 +1,19 @@
 2020-02-07  Chris Dumez  <cdu...@apple.com>
 
+        [IPC Hardening] Protect against bad parameters in WebProcessProxy::getPluginProcessConnection()
+        https://bugs.webkit.org/show_bug.cgi?id=207416
+        <rdar://problem/58617244>
+
+        Reviewed by David Kilzer.
+
+        * UIProcess/Plugins/PluginProcessManager.cpp:
+        (WebKit::PluginProcessManager::getPluginProcessConnection):
+        * UIProcess/Plugins/PluginProcessManager.h:
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::getPluginProcessConnection):
+
+2020-02-07  Chris Dumez  <cdu...@apple.com>
+
         [IPC Hardening] Convert some debug assertions into MESSAGE_CHECKs in WebPaymentCoordinatorProxy
         https://bugs.webkit.org/show_bug.cgi?id=207414
         <rdar://problem/58507177>

Modified: trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp (256083 => 256084)


--- trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp	2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp	2020-02-08 00:52:41 UTC (rev 256084)
@@ -82,12 +82,17 @@
     return token;
 }
 
-void PluginProcessManager::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
+bool PluginProcessManager::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
 {
     ASSERT(pluginProcessToken);
 
-    PluginProcessProxy* pluginProcess = getOrCreatePluginProcess(pluginProcessToken);
+    auto* pluginProcess = getOrCreatePluginProcess(pluginProcessToken);
+    ASSERT(pluginProcess);
+    if (!pluginProcess)
+        return false;
+
     pluginProcess->getPluginProcessConnection(WTFMove(reply));
+    return true;
 }
 
 void PluginProcessManager::removePluginProcessProxy(PluginProcessProxy* pluginProcessProxy)
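Review bot: The new `if (!pluginProcess) return false;` branch sits directly under `ASSERT(pluginProcess);`, so in debug builds the assertion fires before the hardening path is ever reached and the branch only has release-build coverage; if the null case is now considered reachable from a bad IPC message, the assertion contradicts the check and is worth dropping so the path can be exercised. On that branch `reply` is destroyed without being invoked; if DelayedReply is a CompletionHandler that asserts on unfulfilled destruction, that would also trip in debug. A short comment would make the intent explicit, e.g. `// No plugin process for this token: report failure so the caller can treat the message as invalid; the reply is intentionally not sent.` The enclosing function is fully visible, but removePluginProcessProxy below is cut off by the hunk.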

Modified: trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h (256083 => 256084)


--- trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h	2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h	2020-02-08 00:52:41 UTC (rev 256084)
@@ -57,7 +57,7 @@
 
     uint64_t pluginProcessToken(const PluginModuleInfo&, PluginProcessType, PluginProcessSandboxPolicy);
 
-    void getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnectionDelayedReply&&);
+    bool getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnectionDelayedReply&&);
     void removePluginProcessProxy(PluginProcessProxy*);
 
     void fetchWebsiteData(const PluginModuleInfo&, OptionSet<WebsiteDataFetchOption>, WTF::Function<void (Vector<String>)>&& completionHandler);
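Review bot: The changed declaration `bool getPluginProcessConnection(uint64_t pluginProcessToken, ...)` does not say what the new return value means, and a caller cannot tell from the header that the reply is not invoked when it returns false. Suggest a one-line comment above the declaration: `// Returns false if no plugin process could be obtained for the token; the reply is not sent in that case.` Marking it `WARN_UNUSED_RETURN` (if the project's macro is available here) would keep future callers from silently ignoring the failure.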

Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp (256083 => 256084)


--- trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp	2020-02-08 00:52:41 UTC (rev 256084)
@@ -688,7 +688,9 @@
 #if ENABLE(NETSCAPE_PLUGIN_API)
 void WebProcessProxy::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
 {
-    PluginProcessManager::singleton().getPluginProcessConnection(pluginProcessToken, WTFMove(reply));
+    MESSAGE_CHECK(HashSet<uint64_t>::isValidValue(pluginProcessToken));
+    bool success = PluginProcessManager::singleton().getPluginProcessConnection(pluginProcessToken, WTFMove(reply));
+    MESSAGE_CHECK(success);
 }
 #endif
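Review bot: The `MESSAGE_CHECK(HashSet<uint64_t>::isValidValue(pluginProcessToken))` line has no comment explaining why a plain integer received over IPC needs a validity check, which will look redundant to a later reader. Suggest `// The token is used as a hash table key; reject the values the table reserves as empty/deleted sentinels before the lookup.` (isValidValue presumably rejects exactly those sentinel values — worth confirming against the HashTraits in use). Keeping the call's result in the separate local `success` rather than inlining it into `MESSAGE_CHECK` is the right call, since it keeps the side-effecting call and the move of `reply` outside the macro.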
 