Title: [256084] trunk/Source/WebKit
- Revision
- 256084
- Author
- cdu...@apple.com
- Date
- 2020-02-07 16:52:41 -0800 (Fri, 07 Feb 2020)
Log Message
[IPC Hardening] Protect against bad parameters in WebProcessProxy::getPluginProcessConnection()
https://bugs.webkit.org/show_bug.cgi?id=207416
<rdar://problem/58617244>
Reviewed by David Kilzer.
* UIProcess/Plugins/PluginProcessManager.cpp:
(WebKit::PluginProcessManager::getPluginProcessConnection):
* UIProcess/Plugins/PluginProcessManager.h:
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::getPluginProcessConnection):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (256083 => 256084)
--- trunk/Source/WebKit/ChangeLog 2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/ChangeLog 2020-02-08 00:52:41 UTC (rev 256084)
@@ -1,5 +1,19 @@
2020-02-07 Chris Dumez <cdu...@apple.com>
+ [IPC Hardening] Protect against bad parameters in WebProcessProxy::getPluginProcessConnection()
+ https://bugs.webkit.org/show_bug.cgi?id=207416
+ <rdar://problem/58617244>
+
+ Reviewed by David Kilzer.
+
+ * UIProcess/Plugins/PluginProcessManager.cpp:
+ (WebKit::PluginProcessManager::getPluginProcessConnection):
+ * UIProcess/Plugins/PluginProcessManager.h:
+ * UIProcess/WebProcessProxy.cpp:
+ (WebKit::WebProcessProxy::getPluginProcessConnection):
+
+2020-02-07 Chris Dumez <cdu...@apple.com>
+
[IPC Hardening] Convert some debug assertions into MESSAGE_CHECKs in WebPaymentCoordinatorProxy
https://bugs.webkit.org/show_bug.cgi?id=207414
<rdar://problem/58507177>
Modified: trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp (256083 => 256084)
--- trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp 2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.cpp 2020-02-08 00:52:41 UTC (rev 256084)
@@ -82,12 +82,17 @@
return token;
}
-void PluginProcessManager::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
+bool PluginProcessManager::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
{
ASSERT(pluginProcessToken);
- PluginProcessProxy* pluginProcess = getOrCreatePluginProcess(pluginProcessToken);
+ auto* pluginProcess = getOrCreatePluginProcess(pluginProcessToken);
+ ASSERT(pluginProcess);
+ if (!pluginProcess)
+ return false;
+
pluginProcess->getPluginProcessConnection(WTFMove(reply));
+ return true;
}
void PluginProcessManager::removePluginProcessProxy(PluginProcessProxy* pluginProcessProxy)
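Review bot: `ASSERT(pluginProcess)` sits directly before the new `if (!pluginProcess) return false;`, so in assertion-enabled builds a null result aborts the UI process instead of reaching the graceful failure path this change adds. Assuming `getOrCreatePluginProcess` returns null for a token it does not know (which the new check implies), that condition is controlled by the IPC sender rather than being a programming error. I would drop the assertion on the pointer and keep only the check. `ASSERT(pluginProcessToken)` at the top has the same character and is covered only by the caller's `isValidValue` check in WebProcessProxy.cpp. A comment above the function would document the new contract, for example `// Returns false, leaving |reply| uncalled, when the token does not name a known plugin process.`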
Modified: trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h (256083 => 256084)
--- trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h 2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/Plugins/PluginProcessManager.h 2020-02-08 00:52:41 UTC (rev 256084)
@@ -57,7 +57,7 @@
uint64_t pluginProcessToken(const PluginModuleInfo&, PluginProcessType, PluginProcessSandboxPolicy);
- void getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnectionDelayedReply&&);
+ bool getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnectionDelayedReply&&);
void removePluginProcessProxy(PluginProcessProxy*);
void fetchWebsiteData(const PluginModuleInfo&, OptionSet<WebsiteDataFetchOption>, WTF::Function<void (Vector<String>)>&& completionHandler);
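Review bot: The new `bool` result is the only signal that the token was rejected, and nothing on this declaration stops a future caller from ignoring it and silently dropping the reply. Declaring it as `WARN_UNUSED_RETURN bool getPluginProcessConnection(...)` would make the compiler flag such call sites. A one-line comment saying that `false` means the reply was not consumed would also help, because the rvalue-reference parameter otherwise suggests that ownership always transfers.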
Modified: trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp (256083 => 256084)
--- trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp 2020-02-08 00:51:40 UTC (rev 256083)
+++ trunk/Source/WebKit/UIProcess/WebProcessProxy.cpp 2020-02-08 00:52:41 UTC (rev 256084)
@@ -688,7 +688,9 @@
#if ENABLE(NETSCAPE_PLUGIN_API)
void WebProcessProxy::getPluginProcessConnection(uint64_t pluginProcessToken, Messages::WebProcessProxy::GetPluginProcessConnection::DelayedReply&& reply)
{
- PluginProcessManager::singleton().getPluginProcessConnection(pluginProcessToken, WTFMove(reply));
+ MESSAGE_CHECK(HashSet<uint64_t>::isValidValue(pluginProcessToken));
+ bool success = PluginProcessManager::singleton().getPluginProcessConnection(pluginProcessToken, WTFMove(reply));
+ MESSAGE_CHECK(success);
}
#endif
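Review bot: On both `MESSAGE_CHECK` failure paths `reply` goes out of scope without being invoked. The first check returns before the reply is handed over, and the second follows a `false` return in which the manager did not take it. The macro's definition is not visible in this hunk, so it is worth confirming that its failure path deals with the sending connection in a way that does not leave the delayed-reply message pending, and that destroying an uncalled reply object is permitted here. If that is the intent, a comment such as `// A failed check drops |reply| uncalled; the sender is treated as misbehaving.` would make it explicit.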