Make sure that the fencePort received over IPC has the expected disposition (SEND)
author: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 3 Jun 2018 18:28:07 +0000 (18:28 +0000)
committer: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 3 Jun 2018 18:28:07 +0000 (18:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186211
<rdar://problem/37814171>

Reviewed by Geoffrey Garen.

It is possible (though very unlikely) for a message to be received that has the wrong mach port disposition.
If this happens, we shouldn't manipulate the passed mach_port_t or pass it on to other API. We already
drop messages that violate this expectation in the IPC layer, but code handling IPC::Attachment data types
is not checking this value.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::setTopContentInsetFenced):
* WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::setVideoLayerFrameFenced):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232451 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebPage/WebPage.cpp
Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm

index e106272..eaa082c 100644
@@ -1,3 +1,21 @@
+2018-06-03  Brent Fulgham  <bfulgham@apple.com>
+
+        Make sure that the fencePort received over IPC has the expected disposition (SEND)
+        https://bugs.webkit.org/show_bug.cgi?id=186211
+        <rdar://problem/37814171>
+
+        Reviewed by Geoffrey Garen.
+
+        It is possible (though very unlikely) for a message to be recevied that has the wrong mach port disposition.
+        If this happens, we shouldn't manipulate the passed mach_port_t or pass it on to other API. We already
+        drop messages that violate this expectation in the IPC layer, but code handling IPC::Attachment data types
+        are not checking this value.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::setTopContentInsetFenced):
+        * WebProcess/cocoa/VideoFullscreenManager.mm:
+        (WebKit::VideoFullscreenManager::setVideoLayerFrameFenced):
+
 2018-06-02  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, rolling out r232275.
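Review bot: the ChangeLog text added in this hunk carries the typo "recevied" (should be "received") in the "It is possible ..." line, and "code handling IPC::Attachment data types are not checking" should read "is not checking", since the subject is "code"; fix both before landing so the typo does not live on in the ChangeLog.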
index e3bfe5d..b57f66f 100644
@@ -2665,6 +2665,11 @@ void WebPage::setDrawsBackground(bool drawsBackground)
 #if PLATFORM(COCOA)
 void WebPage::setTopContentInsetFenced(float contentInset, IPC::Attachment fencePort)
 {
+    if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) {
+        LOG(Layers, "WebPage::setTopContentInsetFenced(%g, fencePort) Received an invalid fence port: %d, disposition: %d", contentInset, fencePort.port(), fencePort.disposition());
+        return;
+    }
+
     m_drawingArea->addFence(MachSendRight::create(fencePort.port()));
 
     setTopContentInset(contentInset);
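Review bot: the LOG line in the new early-return branch formats fencePort.port() and fencePort.disposition() with %d, but mach_port_t and mach_msg_type_name_t are unsigned integer types, so %u is the matching specifier. The placement of the guard is right: it runs before MachSendRight::create(fencePort.port()) or any other use of the port, which is exactly what the ChangeLog asks for ("we shouldn't manipulate the passed mach_port_t or pass it on to other API").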
index a80883a..f9fd6af 100644
@@ -564,6 +564,11 @@ void VideoFullscreenManager::setVideoLayerFrameFenced(uint64_t contextId, WebCor
 {
     LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x)", this, contextId);
 
+    if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) {
+        LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x) Received an invalid fence port: %d, disposition: %d", this, contextId, fencePort.port(), fencePort.disposition());
+        return;
+    }
+
     RefPtr<VideoFullscreenModelVideoElement> model;
     RefPtr<VideoFullscreenInterfaceContext> interface;
     std::tie(model, interface) = ensureModelAndInterface(contextId);
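Review bot: this disposition check is a line-for-line copy of the one added to WebPage::setTopContentInsetFenced; a single helper (for example a hypothetical predicate on IPC::Attachment that compares disposition() against MACH_MSG_TYPE_MOVE_SEND) would keep the two call sites from diverging and make the same check easy to apply to any other handler that receives an Attachment. Also note that the early return skips the deallocateSendRightSafely(fencePort.port()) call at the end of this function; that matches the intent of not touching a port whose disposition is unexpected, but it is worth saying so in the ChangeLog since a reader may otherwise read it as a leaked right.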
@@ -573,8 +578,8 @@ void VideoFullscreenManager::setVideoLayerFrameFenced(uint64_t contextId, WebCor
         bounds = FloatRect(0, 0, videoRect.width(), videoRect.height());
     }
     
-    if (interface->layerHostingContext())
-        interface->layerHostingContext()->setFencePort(fencePort.port());
+    if (auto* context = interface->layerHostingContext())
+        context->setFencePort(fencePort.port());
     model->setVideoLayerFrame(bounds);
     deallocateSendRightSafely(fencePort.port());
 }
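Review bot: the change from `if (interface->layerHostingContext())` to `if (auto* context = interface->layerHostingContext())` is a behaviour-preserving cleanup that avoids calling layerHostingContext() twice, but it is unrelated to the disposition fix and the ChangeLog entry for setVideoLayerFrameFenced does not mention it; either describe it there or keep this commit limited to the validation so the security-relevant change is easy to audit on its own.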