Changeset 244721 in webkit
- Timestamp:
- Apr 27, 2019 10:09:24 AM (5 years ago)
- Location:
- trunk/Source/WebKit
- Files:
-
- 4 edited
-
ChangeLog (modified) (1 diff)
-
Platform/IPC/mac/ConnectionMac.mm (modified) (5 diffs)
-
Platform/IPC/mac/MachMessage.cpp (modified) (2 diffs)
-
Platform/IPC/mac/MachMessage.h (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit/ChangeLog
r244717 r244721 1 2019-04-27 Chris Dumez <cdumez@apple.com> 2 3 Improve safety of MachMessage class 4 https://bugs.webkit.org/show_bug.cgi?id=197323 5 <rdar://problem/44291920> 6 7 Reviewed by Darin Adler. 8 9 Improve safety of MachMessage class and clean things up a bit. 10 11 * Platform/IPC/mac/ConnectionMac.mm: 12 (IPC::Connection::sendOutgoingMessage): 13 - Pass MessageReceiverName / MessageName when constructing the MachMessage rather 14 than setting them afterwards since they never change for a given MachMessage. 15 - Set header->msgh_id to the right value right away instead of setting it first 16 to inlineBodyMessageID and then later fixing it to be outOfLineBodyMessageID 17 when the body is out of line. 18 - When messageBodyIsOOL was true, we would call getDescriptorAndSkip() which 19 would advance the pointer by sizeof(mach_msg_port_descriptor_t), even though 20 the descriptor type is mach_msg_ool_descriptor_t. This would not matter in 21 the end because we would not use the messageData pointer after this but 22 still. 23 24 * Platform/IPC/mac/MachMessage.cpp: 25 (IPC::MachMessage::create): 26 Use fastZeroedMalloc() instead of fastMalloc() for safety, given that this class 27 has a mach_msg_header_t flexible array member. This is what is recommended by the 28 mach documentation. It is much safer because it otherwize relies on the user 29 (Connection::sendOutgoingMessage()) to initialize ALL the message members 30 correctly. I suspect this was the cause of <rdar://problem/44291920> because 31 Connection::sendOutgoingMessage() would fail to initialize header->msgh_voucher_port 32 and the MachMessage destructor would then call mach_msg_destroy(header()), which 33 would mach_msg_destroy_port(header->msgh_voucher_port). 34 35 (IPC::MachMessage::MachMessage): 36 Pass MessageReceiverName / MessageName when constructing the MachMessage rather 37 than setting them afterwards since they never change for a given MachMessage. 38 39 (IPC::MachMessage::messageSize): 40 Drop if checks for portDescriptorCount and memoryDescriptorCount since the logic 41 will do the right thing even if they are 0. 42 43 * Platform/IPC/mac/MachMessage.h: 44 (IPC::MachMessage::header): 45 (IPC::MachMessage::messageReceiverName const): 46 (IPC::MachMessage::messageName const): 47 1 48 2019-04-26 Wenson Hsieh <wenson_hsieh@apple.com> 2 49 -
trunk/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm
r242610 r244721 307 307 } 308 308 309 auto message = MachMessage::create(messageSize); 310 message->setMessageReceiverName(encoder->messageReceiverName().toString()); 311 message->setMessageName(encoder->messageName().toString()); 309 auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), messageSize); 312 310 313 311 auto* header = message->header(); … … 316 314 header->msgh_remote_port = m_sendPort; 317 315 header->msgh_local_port = MACH_PORT_NULL; 318 header->msgh_id = inlineBodyMessageID;316 header->msgh_id = messageBodyIsOOL ? outOfLineBodyMessageID : inlineBodyMessageID; 319 317 320 318 auto* messageData = reinterpret_cast<uint8_t*>(header + 1); … … 328 326 messageData = reinterpret_cast<uint8_t*>(body + 1); 329 327 330 auto getDescriptorAnd Skip = [](uint8_t*& data) {331 return reinterpret_cast<mach_msg_descriptor_t*>(std::exchange(data, data + sizeof(mach_msg_port_descriptor_t)));328 auto getDescriptorAndAdvance = [](uint8_t*& data, std::size_t toAdvance) { 329 return reinterpret_cast<mach_msg_descriptor_t*>(std::exchange(data, data + toAdvance)); 332 330 }; 333 331 … … 335 333 ASSERT(attachment.type() == Attachment::MachPortType); 336 334 if (attachment.type() == Attachment::MachPortType) { 337 auto* descriptor = getDescriptorAnd Skip(messageData);335 auto* descriptor = getDescriptorAndAdvance(messageData, sizeof(mach_msg_port_descriptor_t)); 338 336 descriptor->port.name = attachment.port(); 339 337 descriptor->port.disposition = attachment.disposition(); … … 343 341 344 342 if (messageBodyIsOOL) { 345 header->msgh_id = outOfLineBodyMessageID; 346 347 auto* descriptor = getDescriptorAndSkip(messageData); 343 auto* descriptor = getDescriptorAndAdvance(messageData, sizeof(mach_msg_ool_descriptor_t)); 348 344 descriptor->out_of_line.address = encoder->buffer(); 349 345 descriptor->out_of_line.size = encoder->bufferSize(); -
trunk/Source/WebKit/Platform/IPC/mac/MachMessage.cpp
r224779 r244721 33 33 namespace IPC { 34 34 35 std::unique_ptr<MachMessage> MachMessage::create( size_t size)35 std::unique_ptr<MachMessage> MachMessage::create(CString&& messageReceiverName, CString&& messageName, size_t size) 36 36 { 37 void* memory = WTF::fast Malloc(sizeof(MachMessage) + size);38 return std::unique_ptr<MachMessage> { new (NotNull, memory) MachMessage { size } };37 void* memory = WTF::fastZeroedMalloc(sizeof(MachMessage) + size); 38 return std::unique_ptr<MachMessage> { new (NotNull, memory) MachMessage { WTFMove(messageReceiverName), WTFMove(messageName), size } }; 39 39 } 40 40 41 MachMessage::MachMessage(size_t size) 42 : m_size { size } 43 , m_shouldFreeDescriptors { true } 41 MachMessage::MachMessage(CString&& messageReceiverName, CString&& messageName, size_t size) 42 : m_messageReceiverName(WTFMove(messageReceiverName)) 43 , m_messageName(WTFMove(messageName)) 44 , m_size { size } 44 45 { 45 46 } … … 57 58 if (portDescriptorCount || memoryDescriptorCount) { 58 59 messageSize += sizeof(mach_msg_body_t); 59 60 if (portDescriptorCount) 61 messageSize += (portDescriptorCount * sizeof(mach_msg_port_descriptor_t)); 62 if (memoryDescriptorCount) 63 messageSize += (memoryDescriptorCount * sizeof(mach_msg_ool_descriptor_t)); 60 messageSize += (portDescriptorCount * sizeof(mach_msg_port_descriptor_t)); 61 messageSize += (memoryDescriptorCount * sizeof(mach_msg_ool_descriptor_t)); 64 62 } 65 63 66 64 return round_msg(messageSize); 67 }68 69 mach_msg_header_t* MachMessage::header()70 {71 return m_messageHeader;72 65 } 73 66 -
trunk/Source/WebKit/Platform/IPC/mac/MachMessage.h
r224782 r244721 37 37 WTF_MAKE_FAST_ALLOCATED; 38 38 public: 39 static std::unique_ptr<MachMessage> create( size_t);39 static std::unique_ptr<MachMessage> create(CString&& messageReceiverName, CString&& messageName, size_t); 40 40 ~MachMessage(); 41 41 … … 43 43 44 44 size_t size() const { return m_size; } 45 mach_msg_header_t* header() ;45 mach_msg_header_t* header() { return m_messageHeader; } 46 46 47 47 void leakDescriptors(); 48 48 49 49 const CString& messageReceiverName() const { return m_messageReceiverName; } 50 void setMessageReceiverName(CString&& messageReceiverName) { m_messageReceiverName = WTFMove(messageReceiverName); }51 52 50 const CString& messageName() const { return m_messageName; } 53 void setMessageName(CString&& messageName) { m_messageName = WTFMove(messageName); }54 51 55 52 private: 56 explicit MachMessage(size_t);53 MachMessage(CString&& messageReceiverName, CString&& messageName, size_t); 57 54 58 55 CString m_messageReceiverName; 59 56 CString m_messageName; 60 57 size_t m_size; 61 bool m_shouldFreeDescriptors ;62 mach_msg_header_t m_messageHeader[ 0];58 bool m_shouldFreeDescriptors { true }; 59 mach_msg_header_t m_messageHeader[]; 63 60 }; 64 61
Note: See TracChangeset
for help on using the changeset viewer.
