Title: [258369] trunk/Source/WebKit
- Revision
- 258369
- Author
- cdu...@apple.com
- Date
- 2020-03-12 16:17:27 -0700 (Thu, 12 Mar 2020)
Log Message
Check for overflows in MachMessage::messageSize()
https://bugs.webkit.org/show_bug.cgi?id=209020
<rdar://problem/58264215>
Reviewed by Alex Christensen.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::sendOutgoingMessage):
* Platform/IPC/cocoa/MachMessage.cpp:
(IPC::MachMessage::messageSize):
* Platform/IPC/cocoa/MachMessage.h:
Modified: trunk/Source/WebKit/ChangeLog (258368 => 258369)
--- trunk/Source/WebKit/ChangeLog 2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/ChangeLog 2020-03-12 23:17:27 UTC (rev 258369)
@@ -1,3 +1,17 @@
+2020-03-12 Chris Dumez <cdu...@apple.com>
+
+ Check for overflows in MachMessage::messageSize()
+ https://bugs.webkit.org/show_bug.cgi?id=209020
+ <rdar://problem/58264215>
+
+ Reviewed by Alex Christensen.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::sendOutgoingMessage):
+ * Platform/IPC/cocoa/MachMessage.cpp:
+ (IPC::MachMessage::messageSize):
+ * Platform/IPC/cocoa/MachMessage.h:
+
2020-03-12 Per Arne Vollan <pvol...@apple.com>
[macOS] _AXSApplicationAccessibilityEnabled should not be called
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (258368 => 258369)
--- trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-03-12 23:17:27 UTC (rev 258369)
@@ -297,16 +297,22 @@
bool messageBodyIsOOL = false;
auto messageSize = MachMessage::messageSize(encoder->bufferSize(), numberOfPortDescriptors, messageBodyIsOOL);
+ if (UNLIKELY(messageSize.hasOverflowed()))
+ return false;
+
if (messageSize > inlineMessageMaxSize) {
messageBodyIsOOL = true;
messageSize = MachMessage::messageSize(0, numberOfPortDescriptors, messageBodyIsOOL);
+ if (UNLIKELY(messageSize.hasOverflowed()))
+ return false;
}
- auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), messageSize);
+ size_t safeMessageSize = messageSize.unsafeGet();
+ auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), safeMessageSize);
auto* header = message->header();
header->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
- header->msgh_size = messageSize;
+ header->msgh_size = safeMessageSize;
header->msgh_remote_port = m_sendPort;
header->msgh_local_port = MACH_PORT_NULL;
header->msgh_id = messageBodyIsOOL ? outOfLineBodyMessageID : inlineBodyMessageID;
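Review bot: The new hasOverflowed() checks guard the 64-bit sum, but `header->msgh_size = safeMessageSize;` still narrows a size_t into mach_msg_size_t, a 32-bit type on Darwin, so a computed size above UINT32_MAX would be stored truncated with no error. The inline path cannot reach that because it is bounded by inlineMessageMaxSize, but the out-of-line size scales with numberOfPortDescriptors, whose bound is not visible in this hunk. I would reject oversized values before the header is filled in: `if (safeMessageSize > std::numeric_limits<mach_msg_size_t>::max()) return false;` (needs <limits>). The second hasOverflowed() check is redundant — the out-of-line size is never larger than the inline size computed just before — but harmless. sendOutgoingMessage begins before and continues past this hunk.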
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp (258368 => 258369)
--- trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-03-12 23:17:27 UTC (rev 258369)
@@ -51,9 +51,10 @@
::mach_msg_destroy(header());
}
-size_t MachMessage::messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount)
+Checked<size_t, RecordOverflow> MachMessage::messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount)
{
- size_t messageSize = sizeof(mach_msg_header_t) + bodySize;
+ Checked<size_t, RecordOverflow> messageSize = sizeof(mach_msg_header_t);
+ messageSize += bodySize;
if (portDescriptorCount || memoryDescriptorCount) {
messageSize += sizeof(mach_msg_body_t);
@@ -61,7 +62,11 @@
messageSize += (memoryDescriptorCount * sizeof(mach_msg_ool_descriptor_t));
}
- return round_msg(messageSize);
+ size_t safeMessageSize;
+ if (UNLIKELY(messageSize.safeGet(safeMessageSize) == CheckedState::DidOverflow))
+ return messageSize;
+
+ return round_msg(safeMessageSize);
}
void MachMessage::leakDescriptors()
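Review bot: `return round_msg(safeMessageSize);` undoes part of the protection the checked arithmetic just added: as <mach/message.h> defines it, round_msg casts its argument to mach_msg_size_t before rounding, so a 64-bit sum that passed safeGet() is silently truncated to 32 bits here, and a bodySize of 4 GiB or more (if such an encoder buffer can exist at all — not visible here) would come back as a small value that the caller then treats as an inline message. I would do the rounding inside the checked sum and avoid the macro: add `messageSize += sizeof(natural_t) - 1;` before the safeGet call and replace the last line with `return safeMessageSize & ~(sizeof(natural_t) - 1);`, leaving the narrowing to mach_msg_size_t to the caller that writes msgh_size, where it can fail the send. This hunk holds only the tail of messageSize(); the function begins in the previous hunk.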
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h (258368 => 258369)
--- trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h 2020-03-12 23:14:25 UTC (rev 258368)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.h 2020-03-12 23:17:27 UTC (rev 258369)
@@ -29,6 +29,7 @@
#include <mach/message.h>
#include <memory>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/text/CString.h>
namespace IPC {
@@ -39,7 +40,7 @@
static std::unique_ptr<MachMessage> create(CString&& messageReceiverName, CString&& messageName, size_t);
~MachMessage();
- static size_t messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount);
+ static Checked<size_t, RecordOverflow> messageSize(size_t bodySize, size_t portDescriptorCount, size_t memoryDescriptorCount);
size_t size() const { return m_size; }
mach_msg_header_t* header() { return m_messageHeader; }
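Review bot: The changed declaration alters the contract of messageSize() — an overflowed Checked carries no usable size — but nothing at the declaration says so, and a caller reading the value with unsafeGet() without testing it first would compile cleanly. I would state the contract above the declaration: `// Returns an overflowed Checked when the size computation wraps; callers must test hasOverflowed() before using the value.`. If WTF's WARN_UNUSED_RETURN is available in this header's scope, adding it to the declaration would also turn a discarded result into a compiler warning.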