[Webkit-unassigned] [Bug 239154] [CoreIPC][WebGL] Heap Buffer Overflow from CoreIPC WebGL MultiDraw* due to discarded firsts/counts length in favour of attacker controlled drawcount
bugzilla-daemon at webkit.org
Thu Apr 21 22:49:29 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=239154
--- Comment #14 from Kimmo Kinnunen <kkinnunen at apple.com> ---
(In reply to Kenneth Russell from comment #11)
> Comment on attachment 457590 [details]
> Patch
>
> Would it be more straightforward to send the spans over IPC as specified by
> the web app, and verify that their size is >= drawcount in
> GraphicsContextGLANGLE in the GPU process?
The web app does not specify spans, it specifies
(list, offset), (list, offset), drawcount.
We don't want to send the list as-is, naturally due to the case of big list, small drawcount.
So we anyway don't send anything as specified by the web app, at the moment.
I think it's better to use the type system to enforce that we send
size_that_is_equal_to_data0size_and_data1size_and_drawcount, data0, data1
instead of
drawcount, data0size, data0, data1size, data1
where we ensure drawcount == data0size == data1size on the receiving side.
The API could change if we have the ability to do persistent no-copy client-side buffers in the IPC sometime in the future, though.
--
You are receiving this mail because:
You are the assignee for the bug.
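As an added example, not part of this bug thread and not WebKit's own IPC code: a small C++ model of the two message layouts the comment contrasts. Layout A carries drawcount, data0size and data1size as three independent integers, so the receiver has to verify that they agree before any consumer loops drawcount times over the arrays. Layout B carries one length that governs both arrays, so a drawcount that disagrees with the payload cannot even be expressed on the wire. The byte format, the Reader class, and every function name here are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <utility>
#include <vector>

// Minimal bounds-checked reader over a constructed native-endian byte buffer.
// Illustration only; this is not WebKit's IPC decoder.
class Reader {
public:
    Reader(const uint8_t* data, size_t size) : m_data(data), m_size(size) {}
    std::optional<uint32_t> readU32() {
        if (m_size - m_pos < 4) return std::nullopt;
        uint32_t v; std::memcpy(&v, m_data + m_pos, 4); m_pos += 4; return v;
    }
    // Refuses the read (and the allocation) if fewer than n*4 bytes remain.
    std::optional<std::vector<int32_t>> readI32Array(size_t n) {
        if (n > (m_size - m_pos) / 4) return std::nullopt;
        std::vector<int32_t> out(n);
        if (n) std::memcpy(out.data(), m_data + m_pos, n * 4);
        m_pos += n * 4;
        return out;
    }
    bool atEnd() const { return m_pos == m_size; }
private:
    const uint8_t* m_data; size_t m_size; size_t m_pos = 0;
};

// Layout A (assumed): drawcount, firstsSize, firsts..., countsSize, counts...
// Three independent integers arrive; the receiver must prove they agree.
struct MultiDrawA { uint32_t drawcount; std::vector<int32_t> firsts; std::vector<int32_t> counts; };

std::optional<MultiDrawA> decodeLayoutA(const uint8_t* data, size_t size) {
    Reader r(data, size);
    auto drawcount = r.readU32();        if (!drawcount) return std::nullopt;
    auto n0 = r.readU32();               if (!n0) return std::nullopt;
    auto firsts = r.readI32Array(*n0);   if (!firsts) return std::nullopt;
    auto n1 = r.readU32();               if (!n1) return std::nullopt;
    auto counts = r.readI32Array(*n1);   if (!counts) return std::nullopt;
    // The receive-side check the comment describes: drawcount == data0size == data1size.
    // A consumer that loops drawcount times over firsts/counts without it reads past both vectors.
    if (*drawcount != firsts->size() || *drawcount != counts->size() || !r.atEnd()) return std::nullopt;
    return MultiDrawA{*drawcount, std::move(*firsts), std::move(*counts)};
}

// Layout B (assumed): n, firsts[n], counts[n]. There is no separate drawcount
// to disagree with the payload; the consumer derives it from the vectors' size.
struct MultiDrawB {
    std::vector<int32_t> firsts;
    std::vector<int32_t> counts;   // invariant: counts.size() == firsts.size()
    size_t drawcount() const { return firsts.size(); }
};

std::optional<MultiDrawB> decodeLayoutB(const uint8_t* data, size_t size) {
    Reader r(data, size);
    auto n = r.readU32();                if (!n) return std::nullopt;
    auto firsts = r.readI32Array(*n);    if (!firsts) return std::nullopt;
    auto counts = r.readI32Array(*n);    if (!counts) return std::nullopt;
    if (!r.atEnd()) return std::nullopt; // trailing bytes: malformed message
    return MultiDrawB{std::move(*firsts), std::move(*counts)};
}

// Encoders for constructed test messages (sender side of the same assumed formats).
static void putU32(std::vector<uint8_t>& out, uint32_t v) {
    uint8_t b[4]; std::memcpy(b, &v, 4); out.insert(out.end(), b, b + 4);
}
static void putI32Array(std::vector<uint8_t>& out, const std::vector<int32_t>& a) {
    for (int32_t v : a) putU32(out, static_cast<uint32_t>(v));
}
std::vector<uint8_t> buildLayoutA(uint32_t drawcount, const std::vector<int32_t>& firsts,
                                  const std::vector<int32_t>& counts) {
    std::vector<uint8_t> out;
    putU32(out, drawcount);
    putU32(out, static_cast<uint32_t>(firsts.size())); putI32Array(out, firsts);
    putU32(out, static_cast<uint32_t>(counts.size())); putI32Array(out, counts);
    return out;
}
// Writes n = firsts.size(); a counts vector of a different length yields a message
// that is either short or has trailing bytes, and the decoder rejects both.
std::vector<uint8_t> buildLayoutB(const std::vector<int32_t>& firsts, const std::vector<int32_t>& counts) {
    std::vector<uint8_t> out;
    putU32(out, static_cast<uint32_t>(firsts.size()));
    putI32Array(out, firsts); putI32Array(out, counts);
    return out;
}

// Round-trip helpers: true if Layout A accepts the message built from these fields.
bool layoutAAccepts(uint32_t drawcount, const std::vector<int32_t>& firsts, const std::vector<int32_t>& counts) {
    auto msg = buildLayoutA(drawcount, firsts, counts);
    return decodeLayoutA(msg.data(), msg.size()).has_value();
}
// Decoded drawcount for a Layout B message, or -1 if rejected; `truncate` drops trailing bytes.
long layoutBDrawcount(const std::vector<int32_t>& firsts, const std::vector<int32_t>& counts, size_t truncate = 0) {
    auto msg = buildLayoutB(firsts, counts);
    if (truncate > msg.size()) return -1;
    auto d = decodeLayoutB(msg.data(), msg.size() - truncate);
    return d ? static_cast<long>(d->drawcount()) : -1;
}
```

The point of Layout B is that the consistency check of Layout A has nowhere to live because there is nothing to check: the only count on the wire is also the allocation size of both arrays, and a truncated or over-long message fails in the reader rather than in a later consumer loop.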