Changeset 230045 in webkit

Timestamp:

Mar 28, 2018 1:43:10 PM (6 years ago)

Author:

Brent Fulgham

Message:

Protect against invalid mach ports returned by mach_port_request_notification
​https://bugs.webkit.org/show_bug.cgi?id=184106
<rdar://problem/37865316>

Reviewed by Chris Dumez.

Source/WebKit:

• Platform/IPC/Connection.h:

(IPC::Connection::Identifier::Identifier): Use default initializer syntax.

• Platform/IPC/mac/ConnectionMac.mm:

(IPC::Connection::open): Drive-by-fix: Include formatted mach error message in logging.
(IPC::Connection::receiveSourceEventHandler): Check return value from 'mach_port_request_notification'
and clean up if it experienced an error.

• UIProcess/Launcher/mac/ProcessLauncherMac.mm:

(WebKit::ProcessLauncher::launchProcess): Ditto.

Source/WebKitLegacy/mac:

• Plugins/Hosted/NetscapePluginHostProxy.mm:

(WebKit::NetscapePluginHostProxy::NetscapePluginHostProxy): Check return value from 'mach_port_request_notification'
and clean up if it experienced an error.
(WebKit::NetscapePluginHostProxy::processRequests): Drive-by-fix: Include formatted mach error message in logging.

Location:

trunk/Source

Files:

• WebKit/ChangeLog (modified) (1 diff)
• WebKit/Platform/IPC/Connection.h (modified) (3 diffs)
• WebKit/Platform/IPC/mac/ConnectionMac.mm (modified) (2 diffs)
• WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm (modified) (2 diffs)
• WebKitLegacy/mac/ChangeLog (modified) (1 diff)
• WebKitLegacy/mac/Plugins/Hosted/NetscapePluginHostProxy.mm (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-03-28  Brent Fulgham  <bfulgham@apple.com>
+
+        Protect against invalid mach ports returned by mach_port_request_notification
+        https://bugs.webkit.org/show_bug.cgi?id=184106
+        <rdar://problem/37865316>
+
+        Reviewed by Chris Dumez.
+
+        * Platform/IPC/Connection.h:
+        (IPC::Connection::Identifier::Identifier): Use default initializer syntax.
+        * Platform/IPC/mac/ConnectionMac.mm:
+        (IPC::Connection::open): Drive-by-fix: Include formatted mach error message in logging.
+        (IPC::Connection::receiveSourceEventHandler): Check return value from 'mach_port_request_notification'
+        and clean up if it experienced an error.
+        * UIProcess/Launcher/mac/ProcessLauncherMac.mm:
+        (WebKit::ProcessLauncher::launchProcess): Ditto.
+
 2018-03-28  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebKit/Platform/IPC/Connection.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2010-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Portions Copyright (c) 2010 Motorola Mobility, Inc.  All rights reserved.
@@ -117 +117 @@
     struct Identifier {
         Identifier()
-            : port(MACH_PORT_NULL)
         {
         }
@@ -132 +131 @@
         }
 
-        mach_port_t port;
+        mach_port_t port { MACH_PORT_NULL };
         OSObjectPtr<xpc_connection_t> xpcConnection;
     };

trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm

@@ -187 +187 @@
         auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &m_receivePort);
         if (kr != KERN_SUCCESS) {
-            LOG_ERROR("Could not allocate mach port, error %x", kr);
+            LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
             CRASH();
         }
@@ -534 +534 @@
         if (m_sendPort) {
             mach_port_t previousNotificationPort = MACH_PORT_NULL;
-            mach_port_request_notification(mach_task_self(), m_receivePort, MACH_NOTIFY_NO_SENDERS, 0, MACH_PORT_NULL, MACH_MSG_TYPE_MOVE_SEND_ONCE, &previousNotificationPort);
+            auto kr = mach_port_request_notification(mach_task_self(), m_receivePort, MACH_NOTIFY_NO_SENDERS, 0, MACH_PORT_NULL, MACH_MSG_TYPE_MOVE_SEND_ONCE, &previousNotificationPort);
+            ASSERT(kr == KERN_SUCCESS);
+            if (kr != KERN_SUCCESS) {
+                // If mach_port_request_notification fails, 'previousNotificationPort' will be uninitialized.
+                LOG_ERROR("mach_port_request_notification failed: (%x) %s", kr, mach_error_string(kr));
+                previousNotificationPort = MACH_PORT_NULL;
+            }
 
             if (previousNotificationPort != MACH_PORT_NULL)

trunk/Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm

@@ -154 +154 @@
     auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &listeningPort);
     if (kr != KERN_SUCCESS) {
-        LOG_ERROR("Could not allocate mach port, error %x", kr);
+        LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
         CRASH();
     }
@@ -161 +161 @@
     mach_port_insert_right(mach_task_self(), listeningPort, listeningPort, MACH_MSG_TYPE_MAKE_SEND);
 
-    mach_port_t previousNotificationPort;
-    mach_port_request_notification(mach_task_self(), listeningPort, MACH_NOTIFY_NO_SENDERS, 0, listeningPort, MACH_MSG_TYPE_MAKE_SEND_ONCE, &previousNotificationPort);
+    mach_port_t previousNotificationPort = MACH_PORT_NULL;
+    auto mc = mach_port_request_notification(mach_task_self(), listeningPort, MACH_NOTIFY_NO_SENDERS, 0, listeningPort, MACH_MSG_TYPE_MAKE_SEND_ONCE, &previousNotificationPort);
     ASSERT(!previousNotificationPort);
+    ASSERT(mc == KERN_SUCCESS);
+    if (mc != KERN_SUCCESS) {
+        // If mach_port_request_notification fails, 'previousNotificationPort' will be uninitialized.
+        LOG_ERROR("mach_port_request_notification failed: (%x) %s", mc, mach_error_string(mc));
+    }
 
     String clientIdentifier;

trunk/Source/WebKitLegacy/mac/ChangeLog

@@ +1 @@
+2018-03-28  Brent Fulgham  <bfulgham@apple.com>
+
+        Protect against invalid mach ports returned by mach_port_request_notification
+        https://bugs.webkit.org/show_bug.cgi?id=184106
+        <rdar://problem/37865316>
+
+        Reviewed by Chris Dumez.
+
+        * Plugins/Hosted/NetscapePluginHostProxy.mm:
+        (WebKit::NetscapePluginHostProxy::NetscapePluginHostProxy): Check return value from 'mach_port_request_notification'
+        and clean up if it experienced an error.
+        (WebKit::NetscapePluginHostProxy::processRequests): Drive-by-fix: Include formatted mach error message in logging.
+
 2018-03-28  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginHostProxy.mm

@@ -112 +112 @@
 
     mach_port_t previous = MACH_PORT_NULL;
-    mach_port_request_notification(mach_task_self(), pluginHostPort, MACH_NOTIFY_DEAD_NAME, 0, 
-                                   CFMachPortGetPort(m_deadNameNotificationPort.get()), MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
+    auto kr = mach_port_request_notification(mach_task_self(), pluginHostPort, MACH_NOTIFY_DEAD_NAME, 0,
+        CFMachPortGetPort(m_deadNameNotificationPort.get()), MACH_MSG_TYPE_MAKE_SEND_ONCE, &previous);
     ASSERT(previous == MACH_PORT_NULL);
-    
+    ASSERT(kr == KERN_SUCCESS);
+    if (kr != KERN_SUCCESS) {
+        // If mach_port_request_notification fails, 'previous' will be uninitialized.
+        LOG_ERROR("mach_port_request_notification failed: (%x) %s", kr, mach_error_string(kr));
+        previous = MACH_PORT_NULL;
+    }
+
     RetainPtr<CFRunLoopSourceRef> deathPortSource = adoptCF(CFMachPortCreateRunLoopSource(0, m_deadNameNotificationPort.get(), 0));
     
@@ -285 +291 @@
         auto kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_PORT_SET, &m_portSet);
         if (kr != KERN_SUCCESS) {
-            LOG_ERROR("Could not allocate mach port, error %x", kr);
+            LOG_ERROR("Could not allocate mach port, error %x: %s", kr, mach_error_string(kr));
             CRASH();
         }
@@ -299 +305 @@
     
     if (kr != KERN_SUCCESS) {
-        LOG_ERROR("Could not receive mach message, error %x", kr);
+        LOG_ERROR("Could not receive mach message, error %x: %s", kr, mach_error_string(kr));
         s_processingRequests--;
         return false;
@@ -312 +318 @@
             
             if (kr != KERN_SUCCESS) {
-                LOG_ERROR("Could not send mach message, error %x", kr);
+                LOG_ERROR("Could not send mach message, error %x: %s", kr, mach_error_string(kr));
                 s_processingRequests--;
                 return false;