Bug 199372 - PACCage should first cage leaving PAC bits intact then authenticate
Summary: PACCage should first cage leaving PAC bits intact then authenticate
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified
Importance: P2 Normal
Assignee: Keith Miller
URL:
Keywords: InRadar
Depends on: 199425
Blocks:
Reported: 2019-07-01 13:43 PDT by Keith Miller
Modified: 2019-07-03 13:25 PDT

See Also:


Attachments
Patch, attachment 373254 (9.45 KB, patch), 2019-07-01 13:46 PDT, Keith Miller
Patch, attachment 373289 (18.41 KB, patch), 2019-07-01 17:37 PDT, Keith Miller
Patch, attachment 373409 (18.83 KB, patch), 2019-07-03 13:24 PDT, Keith Miller

Description Keith Miller 2019-07-01 13:43:45 PDT
PACCage should first cage leaving PAC bits intact then authenticate
Comment 1 Keith Miller 2019-07-01 13:46:56 PDT
Created attachment 373254
Patch
Comment 2 Saam Barati 2019-07-01 15:36:59 PDT
Comment on attachment 373254
Patch

You need to change the LLint and WTF too. Otherwise, LGTM
Comment 3 Saam Barati 2019-07-01 15:37:32 PDT
Comment on attachment 373254
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373254&action=review

> Source/JavaScriptCore/ChangeLog:11
> +        This ordering prevents someone from taking a signed pointer from
> +        outside the gigacage and using it in a struct that expects a caged
> +        pointer. Previously, the PACCaging just double checked that the PAC
> +        bits were valid for the original pointer.
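Review bot: the ChangeLog refers to "this ordering" without stating what the ordering is; spell it out as the bug title does, namely cage the address bits first while leaving the PAC bits intact, then authenticate. Stating it makes the threat concrete: under the old order the PAC is checked against the pointer as supplied, so a pointer that was legitimately signed while pointing outside the gigacage passes authentication and the caging step then produces an in-cage pointer that was never signed; under the new order the PAC is checked against the already-caged address, so the signature over the out-of-cage address no longer matches. The invariant a struct expecting a caged pointer relies on is that the PAC was computed over the in-cage address, and the ChangeLog should say so.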

Might be worth spending a few more sentences explaining why this is. It's kinda subtle. Maybe an example would help
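The ordering issue the ChangeLog excerpt describes, worked through as an added example (this is not WebKit code and not the patch under review): a toy C model of pointer authentication plus gigacaging that runs the same out-of-cage pointer through the old order (authenticate, then cage) and the new order (cage with PAC bits intact, then authenticate). Everything about the model is assumed for illustration: a 16-bit PAC stored above a 48-bit address, a keyed hash that is not a real MAC, a 4 GiB cage at 0x100000000000, and caging modeled as base | (ptr & (cageSize - 1)). Real arm64e computes the PAC in hardware with a different pointer layout and WebKit's cage layout differs, so only the ordering argument carries over.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy pointer layout (constructed for this example, not arm64e's):
 * bits 0..47 hold the address, bits 48..63 hold the PAC. */
#define ADDR_BITS 48
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)
#define PAC_MASK  (~ADDR_MASK)

/* Assumed cage: a 4 GiB region at 0x100000000000. Caging keeps the low
 * 32 bits of the address and forces the rest to the cage base, so every
 * caged address lies inside [CAGE_BASE, CAGE_BASE + CAGE_SIZE). */
#define CAGE_BASE 0x100000000000ULL
#define CAGE_SIZE (1ULL << 32)
#define CAGE_MASK (CAGE_SIZE - 1)

static const uint64_t TOY_KEY = 0x9E3779B97F4A7C15ULL; /* stand-in for a PAC key */

/* Toy keyed hash standing in for the hardware PAC computation: a 64-bit
 * mixer truncated to 16 bits. It is NOT a cryptographic MAC. */
static uint16_t toy_pac(uint64_t addr, uint64_t modifier)
{
    uint64_t x = (addr ^ TOY_KEY) + modifier * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return (uint16_t)x;
}

/* Sign: compute the PAC over the address bits and the modifier and store
 * it in the top 16 bits of the pointer. */
static uint64_t pac_sign(uint64_t addr, uint64_t modifier)
{
    addr &= ADDR_MASK;
    return addr | ((uint64_t)toy_pac(addr, modifier) << ADDR_BITS);
}

/* Authenticate: recompute the PAC over the address bits of the pointer as
 * given and compare it with the stored PAC. Returns the bare address on
 * success and 0 on failure (real PAC instead yields a poisoned pointer that
 * faults on use; 0 is simpler to check in a model). */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t stored = (uint16_t)(signed_ptr >> ADDR_BITS);
    if (stored != toy_pac(addr, modifier))
        return 0;
    return addr;
}

/* Cage the address bits while leaving the PAC bits exactly as they were. */
static uint64_t cage_keep_pac(uint64_t signed_ptr)
{
    uint64_t caged_addr = CAGE_BASE | (signed_ptr & CAGE_MASK);
    return (signed_ptr & PAC_MASK) | caged_addr;
}

/* Old order: authenticate the pointer as supplied, then cage the result.
 * The PAC is only ever checked against the original, possibly out-of-cage,
 * address. */
static uint64_t old_auth_then_cage(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t addr = pac_auth(signed_ptr, modifier);
    if (!addr)
        return 0;
    return CAGE_BASE | (addr & CAGE_MASK);
}

/* New order: cage first with the PAC bits intact, then authenticate, so the
 * PAC must match the caged address. */
static uint64_t new_cage_then_auth(uint64_t signed_ptr, uint64_t modifier)
{
    return pac_auth(cage_keep_pac(signed_ptr), modifier);
}

int main(void)
{
    const uint64_t modifier = 0x5a5a;            /* constructed modifier */
    const uint64_t in_cage  = CAGE_BASE + 0x2000; /* legitimately caged */
    const uint64_t outside  = 0x7f0000001000ULL;  /* not in the cage */

    /* A pointer signed while already in the cage passes under both orders. */
    uint64_t legit = pac_sign(in_cage, modifier);
    printf("legit    old=%#llx new=%#llx\n",
           (unsigned long long)old_auth_then_cage(legit, modifier),
           (unsigned long long)new_cage_then_auth(legit, modifier));

    /* The attacker's pointer carries a valid signature but points outside
     * the cage; it is then stored in a field that expects a caged pointer. */
    uint64_t smuggled = pac_sign(outside, modifier);
    printf("smuggled old=%#llx (accepted: an in-cage address nobody signed)\n",
           (unsigned long long)old_auth_then_cage(smuggled, modifier));
    printf("smuggled new=%#llx (0 = authentication failed)\n",
           (unsigned long long)new_cage_then_auth(smuggled, modifier));
    return 0;
}
```

The point of the model is the last two lines of output: the old order validates the signature over 0x7f0000001000, discards that address, and hands back CAGE_BASE + 0x1000, an address inside the cage that was never signed but whose low bits the attacker chose; the new order recomputes the PAC over CAGE_BASE + 0x1000 itself, which the stored PAC does not cover, and rejects the pointer. In-cage pointers are unaffected because caging an in-cage address is the identity.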
Comment 4 Keith Miller 2019-07-01 17:37:47 PDT
Created attachment 373289
Patch
Comment 5 Keith Miller 2019-07-01 23:29:29 PDT
Comment on attachment 373289
Patch

gtk build failure seems unrelated.
Comment 6 WebKit Commit Bot 2019-07-02 00:00:20 PDT
Comment on attachment 373289
Patch

Clearing flags on attachment: 373289

Committed r247041: <https://trac.webkit.org/changeset/247041>
Comment 7 WebKit Commit Bot 2019-07-02 00:00:22 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2019-07-02 00:01:18 PDT
<rdar://problem/52506922>
Comment 9 WebKit Commit Bot 2019-07-02 16:24:28 PDT
Re-opened since this is blocked by bug 199425
Comment 10 Keith Miller 2019-07-03 13:24:34 PDT
Created attachment 373409
Patch
Comment 11 Keith Miller 2019-07-03 13:25:21 PDT
Committed r247101: <https://trac.webkit.org/changeset/247101>