[webkit-changes] [WebKit/WebKit] cf7cd9: Use-after-free in WebCore::WaveShaperDSPKernel::pr...

Aditya Keerthi noreply at github.com
Wed May 15 10:54:14 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf7cd9dbde003ce941e1963570ee8aa9a4e9c531
      https://github.com/WebKit/WebKit/commit/cf7cd9dbde003ce941e1963570ee8aa9a4e9c531
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    M Source/WebCore/Modules/webaudio/WaveShaperNode.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperNode.h

  Log Message:
  -----------
  Use-after-free in WebCore::WaveShaperDSPKernel::processCurve()
https://bugs.webkit.org/show_bug.cgi?id=271654
rdar://123631199

Reviewed by Jer Noble.

Make sure WaveShaperNode::curveForBindings() clones our internal array
before returning it to JS. This is important so that the JS cannot
modify our internal array on the main thread while the audio thread is
using it for rendering.

* Source/WebCore/Modules/webaudio/WaveShaperNode.cpp:
(WebCore::WaveShaperNode::curveForBindings):
* Source/WebCore/Modules/webaudio/WaveShaperNode.h:

Originally-landed-as: 272448.781 at safari-7618-branch (bc1031419c11). rdar://128088238
Canonical link: https://commits.webkit.org/278813@main


  Commit: 7fc383d48e2c73be33e18f9734d158eb24847210
      https://github.com/WebKit/WebKit/commit/7fc383d48e2c73be33e18f9734d158eb24847210
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Verify range of ArrayBuffer when deserializing an ArrayBufferView
https://bugs.webkit.org/show_bug.cgi?id=270949
rdar://123906915

Reviewed by Chris Dumez.

byteOffset and length come from an untrusted source, and if out of bounds they
can lead to arbitrary reads. If they are out of bounds, fail to deserialize.

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBufferViewImpl):

Originally-landed-as: 272448.733 at safari-7618-branch (7d7e9c948a3b). rdar://128088960
Canonical link: https://commits.webkit.org/278814@main
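The range check the commit above describes, as an added stand-alone example (not WebKit's code): `byteOffset` and `byteLength` are untrusted, so the view is only created when both fit inside the backing buffer, with the arithmetic arranged so an oversized length cannot wrap. `ArrayBufferView`, `makeViewChecked`, `readByte` and `elementSize` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical minimal view: a window [byteOffset, byteOffset + byteLength) over a buffer.
struct ArrayBufferView {
    const std::vector<uint8_t>* buffer;
    size_t byteOffset;
    size_t byteLength;
};

// Returns nullopt (i.e. refuse to deserialize) unless the requested window lies
// entirely inside `buffer`. byteOffset/byteLength are taken as uint64_t because
// that is how they arrive from the serialized (untrusted) stream.
std::optional<ArrayBufferView> makeViewChecked(const std::vector<uint8_t>& buffer,
                                               uint64_t byteOffset, uint64_t byteLength,
                                               size_t elementSize)
{
    if (byteOffset > buffer.size())
        return std::nullopt;
    // Compare against the remaining space rather than computing byteOffset + byteLength,
    // which could overflow and pass a naive "sum <= size" check.
    if (byteLength > buffer.size() - byteOffset)
        return std::nullopt;
    // Typed-array style constraint (assumption): offset and length are element-aligned.
    if (elementSize == 0 || byteOffset % elementSize != 0 || byteLength % elementSize != 0)
        return std::nullopt;
    return ArrayBufferView { &buffer, static_cast<size_t>(byteOffset), static_cast<size_t>(byteLength) };
}

// Reads through a validated view; the index is bounded by the view, not the whole buffer.
std::optional<uint8_t> readByte(const ArrayBufferView& view, size_t index)
{
    if (index >= view.byteLength)
        return std::nullopt;
    return (*view.buffer)[view.byteOffset + index];
}
```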


  Commit: 775bac300c8b006803ba1d5c2f7bf28a0f77bc69
      https://github.com/WebKit/WebKit/commit/775bac300c8b006803ba1d5c2f7bf28a0f77bc69
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    M Source/WebCore/Modules/webaudio/AudioBasicProcessorNode.h
    M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
    M Source/WebCore/Modules/webaudio/AudioBuffer.h
    M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
    M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.h
    M Source/WebCore/Modules/webaudio/AudioNode.h
    M Source/WebCore/Modules/webaudio/AudioNodeOutput.cpp
    M Source/WebCore/Modules/webaudio/AudioNodeOutput.h
    M Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp
    M Source/WebCore/Modules/webaudio/BaseAudioContext.h
    M Source/WebCore/Modules/webaudio/DynamicsCompressorNode.h
    M Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp
    M Source/WebCore/Modules/webaudio/OfflineAudioContext.h
    M Source/WebCore/Modules/webaudio/OscillatorNode.h
    M Source/WebCore/platform/audio/AudioUtilities.cpp
    M Source/WebCore/platform/audio/AudioUtilities.h
    M Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/audio-fingerprinting.html

  Log Message:
  -----------
  AudioBuffer noise injection in Private Browsing can be negated using a looping audio buffer source
https://bugs.webkit.org/show_bug.cgi?id=270767
rdar://124156971

Reviewed by Chris Dumez, Charlie Wolfe and Matthew Finkel.

Implement several mitigations to make it impractical to reverse noise injection by looping a single
audio sample many times in a single audio buffer and averaging the results.

1.  Adjust noise injection to use normally-distributed noise, instead of a uniform random
    distribution. This raises the bar for "averaging-style" attacks, which can currently converge on
    a stable result by averaging the min/max values in the random distribution. A similar attack
    will now require more iterations to converge on the original value.

2.  Store previously-generated random values while applying noise, and reapply these random values
    to the values that are encountered repeatedly. This ensures that an attacker does not gain more
    information about the original value, by causing it to be computed repeatedly in the same audio
    buffer.

3.  Instead of uniformly applying a fixed noise level (0.001) for all readback using
    `OfflineAudioContext`, allow certain node types that are known to expose hardware or OS
    differences (i.e. `DynamicsCompressorNode` and `OscillatorNode`) to increase the amount of
    injected noise beyond the baseline of 0.1%. `AudioBufferSourceNode`, in particular, will amplify
    the noise level more, depending on the number of times the audio buffer is looped.

* Source/WebCore/Modules/webaudio/AudioBasicProcessorNode.h:
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::releaseMemory):

Replace the single boolean flag (`m_needsAdditionalNoise`) with a `m_noiseInjectionMultiplier`,
which indicates the magnitude of noise injection (the standard deviation of the normal distribution
used to inject noise).

(WebCore::AudioBuffer::copyToChannel):
(WebCore::AudioBuffer::zero):
(WebCore::AudioBuffer::copyTo const):
(WebCore::AudioBuffer::applyNoiseIfNeeded):
* Source/WebCore/Modules/webaudio/AudioBuffer.h:
(WebCore::AudioBuffer::increaseNoiseInjectionMultiplier):
(WebCore::AudioBuffer::noiseInjectionMultiplier const):
(WebCore::AudioBuffer::setNeedsAdditionalNoise): Deleted.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::noiseInjectionMultiplier const):

Increase the noise injection level for an audio buffer, if it's downstream from an
`AudioBufferSourceNode` that loops many times. For an audio buffer source that loops more than 200
times, this boosts the existing noise level for the audio buffer by a factor of 0.005 per loop,
leading to a massive amount of noise in the case where a tiny sample is looped back-to-back in a
large buffer.

* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.h:
* Source/WebCore/Modules/webaudio/AudioNode.h:
(WebCore::AudioNode::noiseInjectionMultiplier const):

Add a subclassing hook that allows each `AudioNode` subclass to inject additional noise when reading
back the final `AudioBuffer`. This allows us to selectively increase the amount of injected noise
when using specific types of audio nodes, which are known to expose larger differences w.r.t. the
underlying OS or CPU architecture.

* Source/WebCore/Modules/webaudio/AudioNodeOutput.cpp:
(WebCore::AudioNodeOutput::forEachInputNode const):

Add a helper method to iterate over each input node (i.e. the next destination in the processing
graph) that's attached to this output. Note that this must be called from underneath the context's
graph lock.

* Source/WebCore/Modules/webaudio/AudioNodeOutput.h:
* Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp:
(WebCore::AudioWorkletNode::process):

Increase the noise level when passing raw data into worklets, to adjust for the new
normally-distributed noise injection.

* Source/WebCore/Modules/webaudio/BaseAudioContext.h:
(WebCore::BaseAudioContext::referencedSourceNodes const):

Add a helper method to iterate over all source nodes in the audio context; must be called only when
the context's graph lock is held.

* Source/WebCore/Modules/webaudio/DynamicsCompressorNode.h:

Add additional buffer readback noise when using certain audio node types.

* Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp:
(WebCore::OfflineAudioContext::OfflineAudioContext):
(WebCore::OfflineAudioContext::lazyInitialize):
(WebCore::OfflineAudioContext::increaseNoiseMultiplierIfNeeded):

Upon initialization, traverse the audio processing graph in search of audio nodes that warrant
additional noise injection, and accumulate this extra noise on the target buffer.

* Source/WebCore/Modules/webaudio/OfflineAudioContext.h:
* Source/WebCore/Modules/webaudio/OscillatorNode.h:
* Source/WebCore/platform/audio/AudioUtilities.cpp:
(WebCore::AudioUtilities::applyNoise):

Switch to normally-distributed noise injection, rather than uniformly random noise. Additionally,
ensure that if a value appears again in the same buffer, it'll use the same, previously computed
noise multiplier value instead of a newly generated random value.

* Source/WebCore/platform/audio/AudioUtilities.h:
* Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm:
(TestWebKitAPI::TEST):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/audio-fingerprinting.html:

Add a new test case to exercise these mitigations.

Originally-landed-as: 272448.707 at safari-7618-branch (3c7dd1781475). rdar://128089250
Canonical link: https://commits.webkit.org/278815@main
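Mitigations 1 and 2 from the commit above, sketched as an added stand-alone example (not WebCore's implementation): every sample is scaled by a normally-distributed factor whose standard deviation is the noise multiplier, and the factor drawn for a given sample value is reused whenever that value recurs in the same buffer, so looping one sample many times and averaging the readback yields the same single noisy value rather than converging on the original. `applyNoise`, `averagedReadback` and the seeded `std::mt19937` are assumptions made for this example.

```cpp
#include <cstddef>
#include <random>
#include <unordered_map>
#include <vector>

// Baseline readback noise named in the commit message: 0.1% (0.001).
constexpr float kBaselineNoiseMultiplier = 0.001f;

// Perturbs each sample in place. Factor ~ N(1, noiseMultiplier); a value already seen in
// this buffer gets the factor it received before (exact float equality; NaN is never
// memoized because NaN != NaN, which is acceptable since NaN carries no usable signal).
void applyNoise(std::vector<float>& samples, float noiseMultiplier, std::mt19937& rng)
{
    std::normal_distribution<float> factorDistribution(1.0f, noiseMultiplier);
    std::unordered_map<float, float> factorForValue;
    for (float& sample : samples) {
        auto it = factorForValue.find(sample);
        if (it == factorForValue.end())
            it = factorForValue.emplace(sample, factorDistribution(rng)).first;
        sample *= it->second;
    }
}

// Models the "loop one sample, average the results" readback: builds a buffer of
// `repetitions` copies of `original`, applies noise, and returns the mean.
float averagedReadback(float original, size_t repetitions, float noiseMultiplier, unsigned seed)
{
    std::vector<float> buffer(repetitions, original);
    std::mt19937 rng(seed);
    applyNoise(buffer, noiseMultiplier, rng);
    double sum = 0.0;
    for (float s : buffer)
        sum += s;
    return static_cast<float>(sum / static_cast<double>(buffer.size()));
}
```

Because the factor is memoized per value, `averagedReadback(x, 1000, m, seed)` equals `averagedReadback(x, 1, m, seed)`: the extra 999 copies add no independent noise draws to average away.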


  Commit: ef2e9b1c7fdb76cdc1ba094c5643c0cb0e4899e7
      https://github.com/WebKit/WebKit/commit/ef2e9b1c7fdb76cdc1ba094c5643c0cb0e4899e7
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    A LayoutTests/fast/forms/ios/file-upload-panel-dismiss-when-view-removed-from-window-expected.txt
    A LayoutTests/fast/forms/ios/file-upload-panel-dismiss-when-view-removed-from-window.html
    M Source/WebKit/UIProcess/Cocoa/WKContactPicker.h
    M Source/WebKit/UIProcess/Cocoa/WKContactPicker.mm
    M Source/WebKit/UIProcess/ios/WKContentView.mm
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm

  Log Message:
  -----------
  [iOS] File picker dialog remains after opening a new tab in 3rd-party browsers
https://bugs.webkit.org/show_bug.cgi?id=265602
rdar://119001046

Reviewed by Abrar Rahman Protyasha.

The file upload panel does not dismiss itself after a new tab is opened, and can
end up displayed over a site that's unrelated to the one requesting the upload.

The panel itself is a modal view controller that is presented from an appropriate
view controller containing the `WKWebView`. Safari has explicit logic to dismiss
presented modal view controllers on tab switch, but it is not reasonable to expect
other clients to guarantee this behavior.

Fix by dismissing all pickers if the `WKWebView` is removed from the hierarchy.

* LayoutTests/fast/forms/ios/file-upload-panel-dismiss-when-view-removed-from-window-expected.txt: Added.
* LayoutTests/fast/forms/ios/file-upload-panel-dismiss-when-view-removed-from-window.html: Added.
* Source/WebKit/UIProcess/Cocoa/WKContactPicker.h:
* Source/WebKit/UIProcess/Cocoa/WKContactPicker.mm:
(-[WKContactPicker dismiss]):

Add a new hook to dismiss the contact picker.

* Source/WebKit/UIProcess/ios/WKContentView.mm:
(-[WKContentView willMoveToWindow:]):

If the content view has moved to a `nil` window, it has been removed from the
view hierarchy, and presented pickers should be dismissed.

* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView cleanUpInteraction]):

Factor out logic into `-[WKContentView dismissPickers]`.

(-[WKContentView dismissPickers]):

Dismiss all pickers that the content view is aware of.

Originally-landed-as: 272448.703 at safari-7618-branch (a3524e350ec9). rdar://128089287
Canonical link: https://commits.webkit.org/278816@main


Compare: https://github.com/WebKit/WebKit/compare/9088dd28c889...ef2e9b1c7fdb
