Title: [258369] trunk/Source/WebKit
Revision
258369
Author
cdu...@apple.com
Date
2020-03-12 16:17:27 -0700 (Thu, 12 Mar 2020)

Log Message

Check for overflows in MachMessage::messageSize()
https://bugs.webkit.org/show_bug.cgi?id=209020
<rdar://problem/58264215>

Reviewed by Alex Christensen.

* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::sendOutgoingMessage):
* Platform/IPC/cocoa/MachMessage.cpp:
(IPC::MachMessage::messageSize):
* Platform/IPC/cocoa/MachMessage.h:

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (258368 => 258369)


--- trunk/Source/WebKit/ChangeLog	2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/ChangeLog	2020-03-12 23:17:27 UTC (rev 258369)
@@ -1,3 +1,17 @@
+2020-03-12  Chris Dumez  <cdu...@apple.com>
+
+        Check for overflows in MachMessage::messageSize()
+        https://bugs.webkit.org/show_bug.cgi?id=209020
+        <rdar://problem/58264215>
+
+        Reviewed by Alex Christensen.
+
+        * Platform/IPC/cocoa/ConnectionCocoa.mm:
+        (IPC::Connection::sendOutgoingMessage):
+        * Platform/IPC/cocoa/MachMessage.cpp:
+        (IPC::MachMessage::messageSize):
+        * Platform/IPC/cocoa/MachMessage.h:
+
 2020-03-12  Per Arne Vollan  <pvol...@apple.com>
 
         [macOS] _AXSApplicationAccessibilityEnabled should not be called

Modified: trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (258368 => 258369)


--- trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm	2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm	2020-03-12 23:17:27 UTC (rev 258369)
@@ -297,16 +297,22 @@
 
     bool messageBodyIsOOL = false;
     auto messageSize = MachMessage::messageSize(encoder->bufferSize(), numberOfPortDescriptors, messageBodyIsOOL);
+    if (UNLIKELY(messageSize.hasOverflowed()))
+        return false;
+
     if (messageSize > inlineMessageMaxSize) {
         messageBodyIsOOL = true;
         messageSize = MachMessage::messageSize(0, numberOfPortDescriptors, messageBodyIsOOL);
+        if (UNLIKELY(messageSize.hasOverflowed()))
+            return false;
     }
 
-    auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), messageSize);
+    size_t safeMessageSize = messageSize.unsafeGet();
+    auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), safeMessageSize);
 
     auto* header = message->header();
     header->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
-    header->msgh_size = messageSize;
+    header->msgh_size = safeMessageSize;
     header->msgh_remote_port = m_sendPort;
     header->msgh_local_port = MACH_PORT_NULL;
     header->msgh_id = messageBodyIsOOL ? outOfLineBodyMessageID : inlineBodyMessageID;
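Review bot: The overflow check only covers size_t arithmetic, but the assignment `header->msgh_size = safeMessageSize;` narrows to mach_msg_size_t, which on this platform is narrower than size_t, so a value that survived the Checked computation can still be truncated in the header. In practice the OOL recomputation with bodySize 0 keeps the value small, but the narrowing is silent and the new code is the natural place to make it explicit: `if (UNLIKELY(safeMessageSize > std::numeric_limits<mach_msg_size_t>::max())) return false;` placed right after `safeMessageSize` is obtained. Alternatively the two `return false` exits could carry a one-line comment saying an overflowed size is treated as an unsendable message, since the caller only sees a bool. sendOutgoingMessage begins and ends outside this hunk.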

Modified: trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp (258368 => 258369)


--- trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp	2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp	2020-03-12 23:17:27 UTC (rev 258369)
@@ -51,9 +51,10 @@
         ::mach_msg_destroy(header());
 }
 
-size_t MachMessage::messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount)
+Checked<size_t, RecordOverflow> MachMessage::messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount)
 {
-    size_t messageSize = sizeof(mach_msg_header_t) + bodySize;
+    Checked<size_t, RecordOverflow> messageSize = sizeof(mach_msg_header_t);
+    messageSize += bodySize;
 
     if (portDescriptorCount || memoryDescriptorCount) {
         messageSize += sizeof(mach_msg_body_t);
@@ -61,7 +62,11 @@
         messageSize += (memoryDescriptorCount * sizeof(mach_msg_ool_descriptor_t));
     }
 
-    return round_msg(messageSize);
+    size_t safeMessageSize;
+    if (UNLIKELY(messageSize.safeGet(safeMessageSize) == CheckedState::DidOverflow))
+        return messageSize;
+
+    return round_msg(safeMessageSize);
 }
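Review bot: The descriptor-size products are still computed in plain size_t before being added to the Checked value, so `messageSize += (memoryDescriptorCount * sizeof(mach_msg_ool_descriptor_t));` (and the matching port-descriptor line in the unchanged gap between the two hunks, if it has the same shape) can wrap without RecordOverflow noticing; only the subsequent addition is checked. Making the left operand Checked fixes it: `messageSize += Checked<size_t, RecordOverflow>(memoryDescriptorCount) * sizeof(mach_msg_ool_descriptor_t);`, and likewise for the port descriptor count. A smaller point is that `round_msg(safeMessageSize)` rounds up with unchecked arithmetic after leaving the Checked domain, so a size within a few bytes of SIZE_MAX could wrap during rounding; it may be worth a comment noting that the rounding is deliberately outside the check. messageSize() starts in the previous hunk of this file.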
 
 void MachMessage::leakDescriptors()

Modified: trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h (258368 => 258369)


--- trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h	2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h	2020-03-12 23:17:27 UTC (rev 258369)
@@ -29,6 +29,7 @@
 
 #include <mach/message.h>
 #include <memory>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/text/CString.h>
 
 namespace IPC {
@@ -39,7 +40,7 @@
     static std::unique_ptr<MachMessage> create(CString&& messageReceiverName, CString&& messageName, size_t);
     ~MachMessage();
 
-    static size_t messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount);
+    static Checked<size_t, RecordOverflow> messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount);
 
     size_t size() const { return m_size; }
     mach_msg_header_t* header() { return m_messageHeader; }
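Review bot: The new declaration of `messageSize` does not document that the returned Checked value must be tested with hasOverflowed() before being unwrapped, which is the whole contract the change introduces and is easy to miss for a future caller. A short comment above the declaration would capture it: `// Returns the total message size including header, body and descriptors; callers must check hasOverflowed() before calling unsafeGet(), as an overflowed value must not be used to allocate or fill a message.` Since ignoring the result defeats the check, marking the declaration with WTF's WARN_UNUSED_RETURN would also let the compiler flag a dropped result.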