Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (261518 => 261519)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:21:50 UTC (rev 261518)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:21:53 UTC (rev 261519)
@@ -1,5 +1,52 @@
2020-05-07 Russell Epstein <repst...@apple.com>
+ Cherry-pick r260666. rdar://problem/62978264
+
+ IPC::Decoder should use create() pattern
+ <https://webkit.org/b/210949>
+ <rdar://problem/62144409>
+
+ Reviewed by Geoffrey Garen.
+
+ * Platform/IPC/Decoder.cpp:
+ (IPC::Decoder::create): Add implementation. Returns nullptr if
+ Decoder constructor returns an invalid object.
+ (IPC::Decoder::Decoder): Mark invalid if m_buffer is not 64-bit
+ aligned.
+ (IPC::Decoder::unwrapForTesting): Switch to Decoder::create().
+ * Platform/IPC/Decoder.h:
+ (IPC::Decoder::create): Add declaration.
+ (IPC::Decoder::Decoder): Make explicit. (Can't be made private
+ since we use std::unique_ptr<Decoder>.)
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::createMessageDecoder): Switch to Decoder::create().
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@260666 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-04-24 David Kilzer <ddkil...@apple.com>
+
+ IPC::Decoder should use create() pattern
+ <https://webkit.org/b/210949>
+ <rdar://problem/62144409>
+
+ Reviewed by Geoffrey Garen.
+
+ * Platform/IPC/Decoder.cpp:
+ (IPC::Decoder::create): Add implementation. Returns nullptr if
+ Decoder constructor returns an invalid object.
+ (IPC::Decoder::Decoder): Mark invalid if m_buffer is not 64-bit
+ aligned.
+ (IPC::Decoder::unwrapForTesting): Switch to Decoder::create().
+ * Platform/IPC/Decoder.h:
+ (IPC::Decoder::create): Add declaration.
+ (IPC::Decoder::Decoder): Make explicit. (Can't be made private
+ since we use std::unique_ptr<Decoder>.)
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::createMessageDecoder): Switch to Decoder::create().
+
+2020-05-07 Russell Epstein <repst...@apple.com>
+
Cherry-pick r260229. rdar://problem/62978244
Re-land: [IPC Hardening] MachMessage::create() should use checked arithmetic
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.cpp (261518 => 261519)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.cpp 2020-05-12 00:21:50 UTC (rev 261518)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.cpp 2020-05-12 00:21:53 UTC (rev 261519)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,6 +29,7 @@
#include "DataReference.h"
#include "MessageFlags.h"
#include <stdio.h>
+#include <wtf/StdLibExtras.h>
#if PLATFORM(MAC)
#include "ImportanceAssertion.h"
@@ -44,6 +45,12 @@
return bufferCopy;
}
+std::unique_ptr<Decoder> Decoder::create(const uint8_t* buffer, size_t bufferSize, void (*bufferDeallocator)(const uint8_t*, size_t), Vector<Attachment>&& attachments)
+{
+ auto decoder = makeUnique<Decoder>(buffer, bufferSize, bufferDeallocator, WTFMove(attachments));
+ return decoder->isInvalid() ? nullptr : WTFMove(decoder);
+}
+
Decoder::Decoder(const uint8_t* buffer, size_t bufferSize, void (*bufferDeallocator)(const uint8_t*, size_t), Vector<Attachment>&& attachments)
: m_buffer { bufferDeallocator ? buffer : copyBuffer(buffer, bufferSize) }
, m_bufferPos { m_buffer }
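Review bot: `Decoder::create` returns nullptr when the constructed decoder is invalid, but nothing states what happens to `buffer` on that path: the `decoder` local is destroyed at the end of the function, so if `~Decoder` (outside this hunk) hands the buffer to `bufferDeallocator`, the caller must neither touch nor release the buffer after a nullptr return — and if the destructor does not, the out-of-line buffer passed from ConnectionCocoa.mm with a `vm_deallocate` callback would leak. Either way the ownership rule deserves a comment above the definition, along the lines of `// Takes ownership of buffer when bufferDeallocator is non-null, even if nullptr is returned.` (adjust to what the destructor actually does). The Decoder constructor that begins at the end of this hunk continues outside it.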
@@ -51,7 +58,10 @@
, m_bufferDeallocator { bufferDeallocator }
, m_attachments { WTFMove(attachments) }
{
- ASSERT(!(reinterpret_cast<uintptr_t>(m_buffer) % alignof(uint64_t)));
+ if (reinterpret_cast<uintptr_t>(m_buffer) % alignof(uint64_t)) {
+ markInvalid();
+ return;
+ }
if (!decode(m_messageFlags))
return;
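Review bot: The alignment check runs on `m_buffer`, i.e. after `copyBuffer` has already executed in the mem-initializer list when no deallocator is supplied, and the reason for replacing an ASSERT with a runtime `markInvalid()` is only recorded in the ChangeLog. A one-line comment above the `if` would keep that rationale with the code: `// Reject rather than assert: the buffer may come from an untrusted peer process.` Since the early `return` skips `decode(m_messageFlags)`, every member read later on the invalid path must already have an in-class initializer; the existing early return after the decode failure presumably relies on the same, but it is worth confirming. The constructor's mem-initializer list begins outside this hunk.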
@@ -123,7 +133,7 @@
if (!decoder.decode(wrappedMessage))
return nullptr;
- return makeUnique<Decoder>(wrappedMessage.data(), wrappedMessage.size(), nullptr, WTFMove(attachments));
+ return Decoder::create(wrappedMessage.data(), wrappedMessage.size(), nullptr, WTFMove(attachments));
}
static inline const uint8_t* roundUpToAlignment(const uint8_t* ptr, unsigned alignment)
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.h (261518 => 261519)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.h 2020-05-12 00:21:50 UTC (rev 261518)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/Decoder.h 2020-05-12 00:21:53 UTC (rev 261519)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -44,7 +44,8 @@
class Decoder {
WTF_MAKE_FAST_ALLOCATED;
public:
- Decoder(const uint8_t* buffer, size_t bufferSize, void (*bufferDeallocator)(const uint8_t*, size_t), Vector<Attachment>&&);
+ static std::unique_ptr<Decoder> create(const uint8_t* buffer, size_t bufferSize, void (*bufferDeallocator)(const uint8_t*, size_t), Vector<Attachment>&&);
+ explicit Decoder(const uint8_t* buffer, size_t bufferSize, void (*bufferDeallocator)(const uint8_t*, size_t), Vector<Attachment>&&);
~Decoder();
Decoder(const Decoder&) = delete;
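Review bot: The constructor stays public (so `makeUnique<Decoder>` can call it) and nothing on the declaration tells a reader that `create()` is the intended entry point, which is now the only way to get the alignment check turned into a nullptr; the rationale lives only in the ChangeLog. A comment on the constructor line would carry it into the header: `// Prefer create(). A directly constructed Decoder may be invalid; check isInvalid() before use.` The class body continues outside this hunk.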
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (261518 => 261519)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-12 00:21:50 UTC (rev 261518)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-12 00:21:53 UTC (rev 261519)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -409,7 +409,7 @@
uint8_t* body = reinterpret_cast<uint8_t*>(header + 1);
size_t bodySize = header->msgh_size - sizeof(mach_msg_header_t);
- return makeUnique<Decoder>(body, bodySize, nullptr, Vector<Attachment> { });
+ return Decoder::create(body, bodySize, nullptr, Vector<Attachment> { });
}
bool messageBodyIsOOL = header->msgh_id == outOfLineBodyMessageID;
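Review bot: Callers of the enclosing function (it starts outside this hunk) can now receive nullptr where `makeUnique<Decoder>` previously always produced an object, so every caller must null-check the returned decoder before calling into it; I cannot see those call sites in this diff, so this needs confirming on the receive path. The same applies to the two `Decoder::create` calls in the hunks at L143 and L151. If the callers only checked `isInvalid()` before, a null check must be added, e.g. `if (!decoder) return;` ahead of any use.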
@@ -447,7 +447,7 @@
uint8_t* messageBody = static_cast<uint8_t*>(descriptor->out_of_line.address);
size_t messageBodySize = descriptor->out_of_line.size;
- return makeUnique<Decoder>(messageBody, messageBodySize, [](const uint8_t* buffer, size_t length) {
+ return Decoder::create(messageBody, messageBodySize, [](const uint8_t* buffer, size_t length) {
vm_deallocate(mach_task_self(), reinterpret_cast<vm_address_t>(buffer), length);
}, WTFMove(attachments));
}
@@ -455,7 +455,7 @@
uint8_t* messageBody = descriptorData;
size_t messageBodySize = header->msgh_size - (descriptorData - reinterpret_cast<uint8_t*>(header));
- return makeUnique<Decoder>(messageBody, messageBodySize, nullptr, WTFMove(attachments));
+ return Decoder::create(messageBody, messageBodySize, nullptr, WTFMove(attachments));
}
// The receive buffer size should always include the maximum trailer size.