Changeset 224534 in webkit

Timestamp:

Nov 7, 2017 9:41:05 AM (6 years ago)

Author:

rniwa@webkit.org

Message:

Release-assert NoEventDispatchAssertion in canExecute, updateLayout, and updateStyle
​https://bugs.webkit.org/show_bug.cgi?id=179281
<rdar://problem/35008993>

Reviewed by Antti Koivisto.

Surgically enable NoEventDispatchAssertion::InMainThread::isEventAllowed() in release builds to prevent
against insecure execution of author scripts.

No new tests since there should be no behavioral changes (other than preventing potential security bugs
from being exploited).

• bindings/js/ScriptController.cpp:

(WebCore::ScriptController::canExecuteScripts): Use the release assert here. This function is consulted
whenever author scripts are executed in event handler, script element, etc... in the main thread so
enabling the release assert here should basically prevent all unwanted script executions protected by
NoEventDispatchAssertion.

• dom/ContainerNode.cpp:

(NoEventDispatchAssertion::s_count): Now always compiled.

• dom/Document.cpp:

(WebCore::Document::updateStyleIfNeeded): Use the release assert here. This assertion would prevent
unwanted style updating. This part of the change can be reverted if it turns out to be too crashy since
just updating the style would not directly introduce a security vulnerability.
(WebCore::Document::updateLayout): Ditto for updating the layout.

• dom/NoEventDispatchAssertion.h:

(WebCore::NoEventDispatchAssertion::NoEventDispatchAssertion): Enabled this in release builds.
(WebCore::NoEventDispatchAssertion::~NoEventDispatchAssertion): Ditto.
(WebCore::NoEventDispatchAssertion::isEventAllowedInMainThread): Ditto.
(WebCore::NoEventDispatchAssertion::InMainThread::InMainThread): Ditto.
(WebCore::NoEventDispatchAssertion::InMainThread::~InMainThread): Ditto.
(WebCore::NoEventDispatchAssertion::InMainThread::isEventDispatchAllowedInSubtree): We still don't enable
this assertion because this check requires O(n) operation. Added a comment to that end.
(WebCore::NoEventDispatchAssertion::InMainThread::isEventAllowed): Enabled this in release builds.
(WebCore::NoEventDispatchAssertion::DisableAssertionsInScope): Ditto.

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::executeClassicScript): Use the release assert here. This is the function used by
the HTML parser to run scripts via HTMLScriptRunner::executePendingScriptAndDispatchEvent. Having a release
assertion here should prevent the rest of the unwanted script executions in the HTML parser not caught by
canExecuteScripts.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• bindings/js/ScriptController.cpp (modified) (1 diff)
• dom/ContainerNode.cpp (modified) (1 diff)
• dom/Document.cpp (modified) (2 diffs)
• dom/NoEventDispatchAssertion.h (modified) (7 diffs)
• dom/ScriptElement.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-11-07  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Release-assert NoEventDispatchAssertion in canExecute, updateLayout, and updateStyle
+        https://bugs.webkit.org/show_bug.cgi?id=179281
+        <rdar://problem/35008993>
+
+        Reviewed by Antti Koivisto.
+
+        Surgically enable NoEventDispatchAssertion::InMainThread::isEventAllowed() in release builds to prevent
+        against insecure execution of author scripts.
+
+        No new tests since there should be no behavioral changes (other than preventing potential security bugs
+        from being exploited).
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::canExecuteScripts): Use the release assert here. This function is consulted
+        whenever author scripts are executed in event handler, script element, etc... in the main thread so
+        enabling the release assert here should basically prevent all unwanted script executions protected by
+        NoEventDispatchAssertion.
+        * dom/ContainerNode.cpp:
+        (NoEventDispatchAssertion::s_count): Now always compiled.
+        * dom/Document.cpp:
+        (WebCore::Document::updateStyleIfNeeded): Use the release assert here. This assertion would prevent
+        unwanted style updating. This part of the change can be reverted if it turns out to be too crashy since
+        just updating the style would not directly introduce a security vulnerability.
+        (WebCore::Document::updateLayout): Ditto for updating the layout.
+        * dom/NoEventDispatchAssertion.h:
+        (WebCore::NoEventDispatchAssertion::NoEventDispatchAssertion): Enabled this in release builds.
+        (WebCore::NoEventDispatchAssertion::~NoEventDispatchAssertion): Ditto.
+        (WebCore::NoEventDispatchAssertion::isEventAllowedInMainThread): Ditto.
+        (WebCore::NoEventDispatchAssertion::InMainThread::InMainThread): Ditto.
+        (WebCore::NoEventDispatchAssertion::InMainThread::~InMainThread): Ditto.
+        (WebCore::NoEventDispatchAssertion::InMainThread::isEventDispatchAllowedInSubtree): We still don't enable
+        this assertion because this check requires O(n) operation. Added a comment to that end.
+        (WebCore::NoEventDispatchAssertion::InMainThread::isEventAllowed): Enabled this in release builds.
+        (WebCore::NoEventDispatchAssertion::DisableAssertionsInScope): Ditto.
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::executeClassicScript): Use the release assert here. This is the function used by
+        the HTML parser to run scripts via HTMLScriptRunner::executePendingScriptAndDispatchEvent. Having a release
+        assertion here should prevent the rest of the unwanted script executions in the HTML parser not caught by
+        canExecuteScripts.
+
 2017-11-07  Adrian Perez de Castro  <aperez@igalia.com>
 

trunk/Source/WebCore/bindings/js/ScriptController.cpp

@@ -679 +679 @@
 {
     if (reason == AboutToExecuteScript)
-        ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::InMainThread::isEventAllowed());
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::InMainThread::isEventAllowed());
 
     if (m_frame.document() && m_frame.document()->isSandboxed(SandboxScripts)) {

trunk/Source/WebCore/dom/ContainerNode.cpp

@@ -71 +71 @@
 ChildNodesLazySnapshot* ChildNodesLazySnapshot::latestSnapshot;
 
+unsigned NoEventDispatchAssertion::s_count = 0;
 #if !ASSERT_DISABLED
-unsigned NoEventDispatchAssertion::s_count = 0;
 NoEventDispatchAssertion::EventAllowedScope* NoEventDispatchAssertion::EventAllowedScope::s_currentScope = nullptr;
 #endif

trunk/Source/WebCore/dom/Document.cpp

@@ -1940 +1940 @@
 
     // The early exit for needsStyleRecalc() is needed when updateWidgetPositions() is called in runOrScheduleAsynchronousTasks().
-    ASSERT(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
 
     resolveStyle();
@@ -1957 +1957 @@
         return;
     }
-    ASSERT(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
 
 

trunk/Source/WebCore/dom/NoEventDispatchAssertion.h

@@ -31 +31 @@
 class NoEventDispatchAssertion {
 public:
+    // This variant is expensive. Use NoEventDispatchAssertion::InMainThread whenever possible.
     NoEventDispatchAssertion()
     {
-#if !ASSERT_DISABLED
         if (!isMainThread())
             return;
         ++s_count;
-#endif
     }
 
@@ -47 +46 @@
     ~NoEventDispatchAssertion()
     {
-#if !ASSERT_DISABLED
         if (!isMainThread())
             return;
         ASSERT(s_count);
         s_count--;
-#endif
     }
 
     static bool isEventAllowedInMainThread()
     {
-#if ASSERT_DISABLED
-        return true;
-#else
         return !isMainThread() || !s_count;
-#endif
     }
 
@@ -69 +62 @@
         {
             ASSERT(isMainThread());
-#if !ASSERT_DISABLED
             ++s_count;
-#endif
         }
 
@@ -77 +68 @@
         {
             ASSERT(isMainThread());
-#if !ASSERT_DISABLED
             ASSERT(s_count);
             --s_count;
-#endif
         }
 
+        // Don't enable this assertion in release since it's O(n).
+        // Release asserts in canExecuteScript should be sufficient for security defense purposes.
         static bool isEventDispatchAllowedInSubtree(Node& node)
         {
+#if !ASSERT_DISABLED || ENABLE(SECURITY_ASSERTIONS)
             return isEventAllowed() || EventAllowedScope::isAllowedNode(node);
+#else
+            UNUSED_PARAM(node);
+            return true;
+#endif
         }
 
@@ -91 +87 @@
         {
             ASSERT(isMainThread());
-#if !ASSERT_DISABLED
             return !s_count;
-#else
-            return true;
-#endif
         }
     };
@@ -138 +130 @@
 #endif
 
-#if !ASSERT_DISABLED
     // FIXME: Remove this class once the sync layout inside SVGImage::draw is removed.
     class DisableAssertionsInScope {
@@ -155 +146 @@
         unsigned m_originalCount { 0 };
     };
-#else
-    class DisableAssertionsInScope {
-    public:
-        DisableAssertionsInScope() { }
-    };
-#endif
 
-#if !ASSERT_DISABLED
 private:
     WEBCORE_EXPORT static unsigned s_count;
-#endif
 };
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -362 +362 @@
 void ScriptElement::executeClassicScript(const ScriptSourceCode& sourceCode)
 {
-    ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread());
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::InMainThread::isEventAllowed());
     ASSERT(m_alreadyStarted);