[webkit-changes] [WebKit/WebKit] cfe389: Race condition in CloneSerializer::dumpIfTerminal ...
Commit Queue
noreply at github.com
Thu Oct 31 09:58:31 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cfe38930db92bdf1fecc71b3c014c861bf4033df
https://github.com/WebKit/WebKit/commit/cfe38930db92bdf1fecc71b3c014c861bf4033df
Author: Basuke Suzuki <basuke at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
A LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer-expected.txt
A LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Race condition in CloneSerializer::dumpIfTerminal allows for injecting arbitrary deserialization data
https://bugs.webkit.org/show_bug.cgi?id=278657
rdar://132388209
Reviewed by Chris Dumez and Geoffrey Garen.
Fix the exploit by using consistent byteLength fetched from the array buffer.
This is part 1 of the security fix. In part 2, we'll introduce a new write method for std::span and consistently use that in all cases of std::span<const uint8_t>. This requires changing the byte format and needs more code.
* LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer-expected.txt: Added.
* LayoutTests/js/structuredClone/structured-clone-of-ResizableSharedArrayBuffer.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpIfTerminal):
(WebCore::CloneSerializer::writeResizableArrayBuffer):
Originally-landed-as: 280938.277 at safari-7619-branch (22e102ecb215). rdar://138933194
Canonical link: https://commits.webkit.org/285959@main
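The commit message above describes the fix only as "using consistent byteLength fetched from the array buffer". The following is an added example, not WebKit's serializer: a toy clone format in which a stand-in for a growable SharedArrayBuffer is grown by a simulated second thread between two reads of byteLength. The tag values, byte layout, the RacyGrowableBuffer class and the sample bytes are all constructed for the illustration. It shows the serializer writing a header length from one read and copying bytes from a second, larger read, and how the receiver then parses the surplus bytes as an extra, attacker-chosen record; the fixed serializer snapshots the length once.

```javascript
// Added example, not WebKit code: a toy clone serializer showing why reading
// byteLength twice from a shared, resizable buffer lets a second thread inject
// bytes that the deserializer then parses as extra records.

const TAG_BUFFER = 0x01;   // constructed tag values for this toy format
const TAG_STRING = 0x02;

// Stand-in for a growable SharedArrayBuffer. Another thread growing it between
// two byteLength reads is simulated by growing on the second read, so the race
// is deterministic here.
class RacyGrowableBuffer {
  constructor(initialBytes, injectedBytes) {
    this.data = Uint8Array.from(initialBytes);
    this.injected = Uint8Array.from(injectedBytes);
    this.reads = 0;
  }
  get byteLength() {
    this.reads += 1;
    if (this.reads === 2) {
      const grown = new Uint8Array(this.data.length + this.injected.length);
      grown.set(this.data, 0);
      grown.set(this.injected, this.data.length);
      this.data = grown;           // the simulated concurrent grow()
    }
    return this.data.length;
  }
  bytes(n) { return this.data.subarray(0, n); }
}

function u32le(n) {
  return [n & 0xff, (n >>> 8) & 0xff, (n >>> 16) & 0xff, (n >>> 24) & 0xff];
}

// Vulnerable pattern: the length for the header and the length for the copy
// are fetched separately, so they can disagree.
function serializeRacy(buf) {
  const header = [TAG_BUFFER, ...u32le(buf.byteLength)]; // first read
  const copied = buf.bytes(buf.byteLength);              // second read
  return Uint8Array.from([...header, ...copied]);
}

// Fixed pattern: one snapshot of byteLength drives both header and copy.
function serializeFixed(buf) {
  const n = buf.byteLength;
  return Uint8Array.from([TAG_BUFFER, ...u32le(n), ...buf.bytes(n)]);
}

// Deserializer: consumes records until the stream ends, so any bytes beyond
// the declared buffer length are interpreted as further records.
function deserialize(bytes) {
  const records = [];
  let i = 0;
  while (i < bytes.length) {
    const tag = bytes[i++];
    if (tag === TAG_BUFFER) {
      const n = (bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0;
      i += 4;
      records.push({ type: 'buffer', bytes: Array.from(bytes.subarray(i, i + n)) });
      i += n;
    } else if (tag === TAG_STRING) {
      const n = bytes[i++];
      records.push({ type: 'string', value: String.fromCharCode(...bytes.subarray(i, i + n)) });
      i += n;
    } else {
      throw new Error(`unknown tag 0x${tag.toString(16)} at offset ${i - 1}`);
    }
  }
  return records;
}

// Constructed input: two data bytes, plus an "injected" tail that is itself a
// valid TAG_STRING record ("pwn") the attacker wants the receiver to see.
const INITIAL = [0xaa, 0xbb];
const INJECTED = [TAG_STRING, 3, 0x70, 0x77, 0x6e];

function cloneRacy() {
  return deserialize(serializeRacy(new RacyGrowableBuffer(INITIAL, INJECTED)));
}
function cloneFixed() {
  return deserialize(serializeFixed(new RacyGrowableBuffer(INITIAL, INJECTED)));
}

console.log('racy :', JSON.stringify(cloneRacy()));   // two records; the second is the injected string
console.log('fixed:', JSON.stringify(cloneFixed()));  // one record holding exactly the snapshotted bytes
```

In a real engine the growth comes from another agent (for example a worker) calling grow() on the SharedArrayBuffer while the serializing thread is between its two reads; the toy simulates that in the getter so the outcome is reproducible. The check to carry into any serializer that handles shared, resizable memory is the same: every length used for framing must be the same value used for the copy.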
Commit: aaa488b390797c343e905ba494ba8a7592e96b3e
https://github.com/WebKit/WebKit/commit/aaa488b390797c343e905ba494ba8a7592e96b3e
Author: Youenn Fablet <youenn at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c
Log Message:
-----------
Cherry-pick libvpx 634e1f8fb196f0e04c0dceae7043e8a12a0d31f9
rdar://133438454
Reviewed by Brent Fulgham.
We cherry-pick this overflow change after resolving a small conflict.
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c:
(vp9_calc_iframe_target_size_one_pass_cbr):
Originally-landed-as: 280938.279 at safari-7619-branch (e52aabe54a9b). rdar://138933397
Canonical link: https://commits.webkit.org/285960@main
Commit: 8b4839b1659b79ac1713978a9a94b24340a64935
https://github.com/WebKit/WebKit/commit/8b4839b1659b79ac1713978a9a94b24340a64935
Author: Kiet Ho <tho22 at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
A LayoutTests/compositing/tiling/crash-when-unapplying-mask-border-expected.txt
A LayoutTests/compositing/tiling/crash-when-unapplying-mask-border.html
M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
Log Message:
-----------
GraphicsLayerCA: when changing layer type, disown the old layer after copying to new layer
rdar://132717696
https://bugs.webkit.org/show_bug.cgi?id=278567
Reviewed by Simon Fraser.
In GraphicsLayerCA::changeLayerTypeTo, after copying from the current (old)
layer to the new layer, we neglect to set the owner of the old layer to nullptr.
Even if the owner (a GraphicsLayerCA) later gets destroyed, the old layer still keeps a
reference to the dead owner, and accessing the owner leads to a use-after-free.
Fix this by setting the owner of the old layer to nullptr, once we're done using it.
* LayoutTests/compositing/tiling/crash-when-unapplying-mask-border-expected.txt: Added.
* LayoutTests/compositing/tiling/crash-when-unapplying-mask-border.html: Added.
* Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp:
(WebCore::GraphicsLayerCA::changeLayerTypeTo):
Originally-landed-as: 280938.281 at safari-7619-branch (294250ca449f). rdar://138933594
Canonical link: https://commits.webkit.org/285961@main
Commit: 4729b99658a7b2befac1a317971bee4d0bc16066
https://github.com/WebKit/WebKit/commit/4729b99658a7b2befac1a317971bee4d0bc16066
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed.html
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked.html
A LayoutTests/http/tests/security/contentSecurityPolicy/resources/sample.html
M Source/WebCore/loader/PingLoader.cpp
Log Message:
-----------
Honor the connect-src value for <a ping="">
https://bugs.webkit.org/show_bug.cgi?id=278765
rdar://131054895
Reviewed by Chris Dumez.
At the moment, even though connect-src is set to one origin, cross origin pings
originating from the ping attribute of HTMLAnchorElement are not blocked. They should be.
This adds that check using CSP and adds +/- tests to validate the same.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-allowed.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-ping-blocked.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/resources/sample.html: Added.
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::sendPing):
Originally-landed-as: 280938.286 at safari-7619-branch (03fe2d2f0fa8). rdar://138934062
Canonical link: https://commits.webkit.org/285962@main
Commit: 11494e67729152123b351f836d98b94eb6f8bd65
https://github.com/WebKit/WebKit/commit/11494e67729152123b351f836d98b94eb6f8bd65
Author: Matthew Finkel <m_finkel at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Improve matching webarchive file extension when loading in ephemeral datastore
https://bugs.webkit.org/show_bug.cgi?id=279226
rdar://135302982
Reviewed by Darin Adler.
This change ensures we only look at the file path instead of the entire URL
string.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationActionPolicyDecision):
Originally-landed-as: 280938.309 at safari-7619-branch (61f89b532694). rdar://138934659
Canonical link: https://commits.webkit.org/285963@main
Compare: https://github.com/WebKit/WebKit/compare/6595fcf60a8d...11494e677291