From a visual inspection of http://trac.webkit.org/browser/releases/WebKitGTK/webkit-2.0/Source/WebKit2/Platform/unix/SharedMemoryUnix.cpp#L110 The call to shm_open lacks O_EXCL, meaning on a multiuser machine another user can create the shm object first. Iterating in a loop of random numbers is not sufficient to prevent this. They could in theory even create all possible names. And then webkit will be sharing memory with someone who is not the user running webkit.
Created attachment 195596 [details] Patch
Also, it looks like there's a race condition in SharedMemory::createHandle(), by using dup() and then fcntl(fd, F_SETFD, FD_CLOEXEC). This could be avoided by using fcntl(fd, F_DUPFD_CLOEXEC, 0) to atomically dup the file descriptor with FD_CLOEXEC set already. Let me know if I should create a new bug for this or just include it in this patch.
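Both points raised above, as an added example that is not WebKit's code: shm_open with O_CREAT|O_EXCL and a private mode, so a same-named object created beforehand by another user is rejected instead of reused, and F_DUPFD_CLOEXEC replacing the dup()/fcntl() pair. The name prefix, retry bound and helper names are assumptions.

```c
/* Added example (not WebKit's code): exclusive shm creation and atomic
 * CLOEXEC duplication. Name prefix and retry bound are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

/* Create a brand-new POSIX shared-memory object. O_CREAT|O_EXCL makes
 * shm_open fail with EEXIST when the name already exists, so a pre-created
 * object is refused; mode 0600 keeps ours private. The chosen name is left
 * in `name` so the caller can shm_unlink it once the fd is held. */
int shm_create_exclusive(char *name, size_t name_len, size_t size)
{
    static int seeded;
    if (!seeded) { srandom((unsigned)(time(NULL) ^ getpid())); seeded = 1; }
    for (int attempt = 0; attempt < 100; attempt++) {  /* bound is an assumption */
        snprintf(name, name_len, "/example-shm.%ld.%lx",
                 (long)getpid(), (unsigned long)random());
        int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) {
            if (ftruncate(fd, (off_t)size) == 0)
                return fd;
            close(fd);
            shm_unlink(name);
            return -1;
        }
        if (errno != EEXIST)  /* only a name collision is worth retrying */
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* Duplicate a descriptor with FD_CLOEXEC already set, in a single call.
 * dup() then fcntl(F_SETFD, FD_CLOEXEC) leaves a window in which a
 * concurrent fork()+exec() in another thread inherits the unflagged copy. */
int dup_cloexec(int fd)
{
    return fcntl(fd, F_DUPFD_CLOEXEC, 0);
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}
```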
Any WK2 reviewers able to look at this? Should be a simple review. Thanks! :)
Makes sense. I think it's better to do the dup thing in another patch.
Comment on attachment 195596 [details] Patch
There's no rationale for why we'd want to do this.