[GTK][WPE] Fix seccomp rule for blacklisting TIOCSTI
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 1 Apr 2019 13:02:39 +0000 (13:02 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 1 Apr 2019 13:02:39 +0000 (13:02 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196297

Patch by Patrick Griffis <pgriffis@igalia.com> on 2019-04-01
Reviewed by Michael Catanzaro.

More information can be found here: https://www.exploit-db.com/exploits/46594

Note that this sandbox never made it into production so does not
warrant any CVE specific to WebKit.

* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
(WebKit::setupSeccomp):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243692 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

index 6e93883..18467f0 100644 (file)
@@ -1,3 +1,18 @@
+2019-04-01  Patrick Griffis  <pgriffis@igalia.com>
+
+        [GTK][WPE] Fix seccomp rule for blacklisting TIOCSTI
+        https://bugs.webkit.org/show_bug.cgi?id=196297
+
+        Reviewed by Michael Catanzaro.
+
+        More information can be found here: https://www.exploit-db.com/exploits/46594
+
+        Note that this sandbox never made it into production so does not
+        warrant any CVE specific to WebKit.
+
+        * UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+        (WebKit::setupSeccomp):
+
 2019-03-31  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [iOS] Crash when changing inputmode for certain types of focusable elements
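Review bot: The entry added at the top of the ChangeLog gives the reason for the change only as an external link ("More information can be found here: ..."), so the log itself never says what was wrong with the rule. Suggest adding one sentence under the bug URL that states the change, for example that the TIOCSTI comparison in setupSeccomp moves from SCMP_CMP_EQ to SCMP_CMP_MASKED_EQ with a 32-bit mask, so the entry stays meaningful if the link goes away.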
index 61d733b..989e6a6 100644 (file)
@@ -555,7 +555,7 @@ static int setupSeccomp()
     //  https://git.gnome.org/browse/linux-user-chroot
     //    in src/setup-seccomp.c
     struct scmp_arg_cmp cloneArg = SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER);
-    struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_EQ, static_cast<scmp_datum_t>(TIOCSTI), static_cast<scmp_datum_t>(0));
+    struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
     struct {
         int scall;
         struct scmp_arg_cmp* arg;
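Review bot: The new ttyArg line introduces the mask 0xFFFFFFFFu with no comment saying why only the low 32 bits of argument 1 are compared, and the block comment above it still only points at linux-user-chroot. Suggest a short comment on that line stating that the request value must match TIOCSTI regardless of its upper 32 bits, which the removed SCMP_CMP_EQ comparison did not cover, so the mask is not later simplified back to a plain equality check. The new line also drops the static_cast<scmp_datum_t> that the removed line applied to TIOCSTI; worth confirming that is intentional.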