RESOLVED FIXED 184106
Protect against invalid mach ports returned by mach_port_request_notification 
https://bugs.webkit.org/show_bug.cgi?id=184106
Summary Protect against invalid mach ports returned by mach_port_request_notification
Brent Fulgham
Reported 2018-03-28 12:28:01 PDT
If mach_port_request_notification returns an error, the returned previous notification port may be uninitialized. We need to make sure we check error codes returned by this call, and make sure the returned port is always used safely.
Attachments
Patch (9.31 KB, patch)
2018-03-28 12:35 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (9.31 KB, patch)
2018-03-28 12:53 PDT, Brent Fulgham 		cdumez: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2018-03-28 12:28:18 PDT
<rdar://problem/37865316>
Brent Fulgham
Comment 2 2018-03-28 12:35:30 PDT
Created attachment 336693 [details] Patch
Chris Dumez
Comment 3 2018-03-28 12:52:42 PDT
Comment on attachment 336693 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=336693&action=review > Source/WebKit/Platform/IPC/mac/ConnectionMac.mm:539 > + // If mach_port_request_notification fails, 'previousNotificationPort' will be uninitialized. I do not get it. previousNotificationPort is initialized to MACH_PORT_NULL before the mach_port_request_notification(). Are we really worried about mach_port_request_notification() failing and STILL setting our previousNotificationPort to something else than MACH_PORT_NULL?
Brent Fulgham
Comment 4 2018-03-28 12:53:55 PDT
Created attachment 336699 [details] Patch
Chris Dumez
Comment 5 2018-03-28 13:10:52 PDT
Comment on attachment 336699 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=336699&action=review > Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:163 > + mach_port_t previousNotificationPort = MACH_PORT_NULL; I understand the need to initialize the variable before the call to mach_port_request_notification(). > Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:170 > + previousNotificationPort = MACH_PORT_NULL; I do not understand the need to reset it to NULL if the calls to mach_port_request_notification fails. if mach_port_request_notification() fails and somehow still sets our previousNotificationPort to something else than NULL. Then why wouldn't we want to deallocate it?
Chris Dumez
Comment 6 2018-03-28 13:13:33 PDT
Comment on attachment 336699 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=336699&action=review >> Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:163 >> + mach_port_t previousNotificationPort = MACH_PORT_NULL; > > I understand the need to initialize the variable before the call to mach_port_request_notification(). Looking at rdar://problem/37865316, I think this line change should be the only change we need to make. Please let me know why you think the rest is needed.
Chris Dumez
Comment 7 2018-03-28 13:15:28 PDT
Comment on attachment 336699 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=336699&action=review >>> Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:163 >>> + mach_port_t previousNotificationPort = MACH_PORT_NULL; >> >> I understand the need to initialize the variable before the call to mach_port_request_notification(). > > Looking at rdar://problem/37865316, I think this line change should be the only change we need to make. Please let me know why you think the rest is needed. To be clear, I am also fine with the extra assertions and the extra LOG_ERROR(). I do not understand resetting previousNotificationPort to MACH_PORT_NULL in case of error though.
Brent Fulgham
Comment 8 2018-03-28 13:20:52 PDT
Comment on attachment 336699 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=336699&action=review >>>> Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:163 >>>> + mach_port_t previousNotificationPort = MACH_PORT_NULL; >>> >>> I understand the need to initialize the variable before the call to mach_port_request_notification(). >> >> Looking at rdar://problem/37865316, I think this line change should be the only change we need to make. Please let me know why you think the rest is needed. > > To be clear, I am also fine with the extra assertions and the extra LOG_ERROR(). I do not understand resetting previousNotificationPort to MACH_PORT_NULL in case of error though. I spoke with an engineer responsible for MiG stuff. He said that it would be unwise, since the contract of 'mach_port_request_notification' is meant to imply that you don't do ANYTHING with the return values if it gives you an error. So, we definitely don't want to call 'mach_port_deallocate' or something with its output value if it generated an error. However, previousNotificationPort is never used again in this method, so I'm find removing the assignment. >> Source/WebKit/UIProcess/Launcher/mac/ProcessLauncherMac.mm:170 >> + previousNotificationPort = MACH_PORT_NULL; > > I do not understand the need to reset it to NULL if the calls to mach_port_request_notification fails. > > if mach_port_request_notification() fails and somehow still sets our previousNotificationPort to something else than NULL. Then why wouldn't we want to deallocate it? We don't deallocate this port in this method, so I'm fine just removing the assignment here.
Chris Dumez
Comment 9 2018-03-28 13:30:30 PDT
Comment on attachment 336699 [details] Patch Ok then,
Brent Fulgham
Comment 10 2018-03-28 13:43:13 PDT
Committed r230045: <https://trac.webkit.org/changeset/230045>
Brent Fulgham
Comment 11 2018-03-28 14:06:12 PDT
Follow-up build fix: Committed r230047: <https://trac.webkit.org/changeset/230047>
Note You need to log in before you can comment on or make changes to this bug.