Bug 199372

Summary: PACCage should first cage leaving PAC bits intact then authenticate
Product: WebKit
Reporter: Keith Miller <keith_miller>
Component: New Bugs
Assignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin, cdumez, cmarcelo, commit-queue, dbates, ews-watchlist, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 199425
Bug Blocks:

Keith Miller
Reported 2019-07-01 13:43:45 PDT
PACCage should first cage leaving PAC bits intact then authenticate
Attachments
Patch (9.45 KB, patch)
2019-07-01 13:46 PDT, Keith Miller
no flags
Patch (18.41 KB, patch)
2019-07-01 17:37 PDT, Keith Miller
no flags
Patch (18.83 KB, patch)
2019-07-03 13:24 PDT, Keith Miller
no flags
Keith Miller
Comment 1 2019-07-01 13:46:56 PDT
Saam Barati
Comment 2 2019-07-01 15:36:59 PDT
Comment on attachment 373254 [details]
Patch

You need to change the LLInt and WTF too. Otherwise, LGTM.
Saam Barati
Comment 3 2019-07-01 15:37:32 PDT
Comment on attachment 373254 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373254&action=review

> Source/JavaScriptCore/ChangeLog:11
> +    This ordering prevents someone from taking a signed pointer from
> +    outside the gigacage and using it in a struct that expects a caged
> +    pointer. Previously, the PACCaging just double checked that the PAC
> +    bits were valid for the original pointer.

Might be worth spending a few more sentences explaining why this is. It's kinda subtle. Maybe an example would help.
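The ordering argument in the quoted ChangeLog, worked through as an added example in C. This is not WebKit code and uses none of its APIs: it models pointer authentication with a toy 16-bit keyed tag in bits 48..63 of a 48-bit address and a 32 GB cage at a made-up base (both assumptions), and the modifier and the two addresses are constructed sample inputs. `old_pac_cage` follows the previous authenticate-then-cage order, `new_pac_cage` the cage-with-PAC-bits-intact-then-authenticate order this bug adopts.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (assumption, not WebKit's layout): 48-bit virtual
 * addresses, with a 16-bit PAC stored in bits 48..63. */
#define VA_BITS   48
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
#define PAC_MASK  (~ADDR_MASK)

/* Constructed cage (assumption): a 32 GB region whose base is aligned to
 * its size, so caging a pointer keeps its low 35 bits and rebases them. */
#define CAGE_SIZE (32ULL << 30)
#define CAGE_MASK (CAGE_SIZE - 1)
#define CAGE_BASE 0x0000300000000000ULL

/* Constructed sample inputs (assumption): a pointer inside the cage and a
 * foreign pointer outside it that happens to share the same low bits. */
#define EXAMPLE_MODIFIER 0x1234ULL
#define EXAMPLE_INSIDE   (CAGE_BASE + 0x1000ULL)
#define EXAMPLE_OUTSIDE  0x00007f0000001000ULL

static const uint16_t toy_key = 0xB5A3;

/* Toy stand-in for the PACxx instructions: a 16-bit keyed tag over the
 * address and a modifier. Not a real MAC; it is a bijection of the XOR-fold
 * of the address, so two addresses with different folds get different tags,
 * which is all this demonstration relies on. */
static uint16_t toy_pac(uint64_t addr, uint64_t modifier)
{
    uint64_t a = addr & ADDR_MASK;
    uint16_t t = (uint16_t)(a ^ (a >> 16) ^ (a >> 32));
    t ^= (uint16_t)(modifier ^ (modifier >> 16) ^ (modifier >> 32) ^ (modifier >> 48));
    t ^= toy_key;
    t ^= t >> 7;
    t = (uint16_t)(t * 0x9E37u);   /* odd multiplier: invertible mod 2^16 */
    t ^= t >> 9;
    return t;
}

/* Sign: place the tag in the upper 16 bits of the address. */
static uint64_t sign(uint64_t addr, uint64_t modifier)
{
    return (addr & ADDR_MASK) | ((uint64_t)toy_pac(addr, modifier) << VA_BITS);
}

/* Authenticate: return the stripped address if the tag matches the address
 * bits actually present in the pointer, else 0 (real hardware would instead
 * hand back a poisoned pointer that faults on use). */
static uint64_t authenticate(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((uint16_t)(signed_ptr >> VA_BITS) != toy_pac(addr, modifier))
        return 0;
    return addr;
}

/* Gigacage-style caging of a raw address: keep the in-cage offset, rebase. */
static uint64_t cage(uint64_t addr)
{
    return CAGE_BASE + (addr & CAGE_MASK);
}

/* Caging that leaves bits 48..63 untouched, so the tag can still be checked
 * afterwards, now against the caged address. */
static uint64_t cage_keep_pac(uint64_t signed_ptr)
{
    return (signed_ptr & PAC_MASK) | cage(signed_ptr & ADDR_MASK);
}

/* Old order: authenticate, then cage. The tag is verified against the
 * pointer as supplied, so any validly signed pointer passes, and caging then
 * silently remaps an out-of-cage address onto whatever shares its low bits. */
static uint64_t old_pac_cage(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t addr = authenticate(signed_ptr, modifier);
    return addr ? cage(addr) : 0;
}

/* New order (this bug): cage with the PAC bits intact, then authenticate.
 * The tag is verified against the caged address, so it only matches when
 * caging was a no-op, i.e. the pointer already lay inside the cage. */
static uint64_t new_pac_cage(uint64_t signed_ptr, uint64_t modifier)
{
    return authenticate(cage_keep_pac(signed_ptr), modifier);
}

int main(void)
{
    uint64_t s_in  = sign(EXAMPLE_INSIDE,  EXAMPLE_MODIFIER);
    uint64_t s_out = sign(EXAMPLE_OUTSIDE, EXAMPLE_MODIFIER);

    printf("in-cage pointer: old=%#llx new=%#llx\n",
           (unsigned long long)old_pac_cage(s_in, EXAMPLE_MODIFIER),
           (unsigned long long)new_pac_cage(s_in, EXAMPLE_MODIFIER));
    printf("foreign pointer: old=%#llx new=%#llx\n",
           (unsigned long long)old_pac_cage(s_out, EXAMPLE_MODIFIER),
           (unsigned long long)new_pac_cage(s_out, EXAMPLE_MODIFIER));
    return 0;
}
```

With the old order the foreign pointer, signed legitimately for its own address, authenticates and is then remapped onto `EXAMPLE_INSIDE`, so a signed pointer lifted from anywhere in the process becomes a pointer to a chosen in-cage object and the field's PAC never objected. With the new order the same pointer is first moved into the cage, which changes the address bits the tag was computed over, and authentication fails. In this toy the rejection is guaranteed because the tag is injective on the address fold; with real hardware PAC it fails with the usual tag-collision probability, and the protection depends on the PAC covering the address bits that caging rewrites.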
Keith Miller
Comment 4 2019-07-01 17:37:47 PDT
Keith Miller
Comment 5 2019-07-01 23:29:29 PDT
Comment on attachment 373289 [details]
Patch

GTK build failure seems unrelated.
WebKit Commit Bot
Comment 6 2019-07-02 00:00:20 PDT
Comment on attachment 373289 [details]
Patch

Clearing flags on attachment: 373289

Committed r247041: <https://trac.webkit.org/changeset/247041>
WebKit Commit Bot
Comment 7 2019-07-02 00:00:22 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 8 2019-07-02 00:01:18 PDT
WebKit Commit Bot
Comment 9 2019-07-02 16:24:28 PDT
Re-opened since this is blocked by bug 199425
Keith Miller
Comment 10 2019-07-03 13:24:34 PDT
Keith Miller
Comment 11 2019-07-03 13:25:21 PDT