Bug 224984 - Remove decoder memory allocations based on untrusted data (sizes) in the stream; related changes
Summary: Remove decoder memory allocations based on untrusted data (sizes) in the stre...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Darin Adler
URL:
Keywords: InRadar
: 209270 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-04-23 10:05 PDT by Darin Adler
Modified: 2021-04-25 10:51 PDT (History)
11 users (show)

See Also:

Attachments
Patch (18.08 KB, patch)
2021-04-23 10:38 PDT, Darin Adler 		sam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Darin Adler 2021-04-23 10:05:40 PDT 
Remove decoder memory allocations based on untrusted data (sizes) in the stream; related changes
Comment 1 Darin Adler 2021-04-23 10:38:05 PDT 
Created attachment 426923 [details]
Patch
Comment 2 Darin Adler 2021-04-23 10:46:12 PDT 
*** Bug 209270 has been marked as a duplicate of this bug. ***
Comment 3 Sam Weinig 2021-04-23 10:58:25 PDT 
Comment on attachment 426923 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426923&action=review

> Source/WebKit/Platform/IPC/ArgumentCoders.h:-517
>          HashMapType hashMap;
> -        hashMap.reserveInitialCapacity(hashMapSize);

Should we consider doing the trick we do for Vector here where if the key and value are both fixed size we can check that the buffer is big enough to contain size * (sizeof(key type) + sizeof(value type)) and then reserve? I don't have a good feeling about what type of HashMaps/HashSets we use so I am not sure if that is a useful optimization.
Comment 4 Darin Adler 2021-04-23 11:01:09 PDT 
Comment on attachment 426923 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426923&action=review

>> Source/WebKit/Platform/IPC/ArgumentCoders.h:-517
>> -        hashMap.reserveInitialCapacity(hashMapSize);
> 
> Should we consider doing the trick we do for Vector here where if the key and value are both fixed size we can check that the buffer is big enough to contain size * (sizeof(key type) + sizeof(value type)) and then reserve? I don't have a good feeling about what type of HashMaps/HashSets we use so I am not sure if that is a useful optimization.

Not sure what you suggest can be done, but I’m sure we can do some kind of reality check about the remaining size of the decoding stream and reserve if it passes that check.

But I don’t see this in VectorArgumentCoder. Where is the code for that trick you are referring to?
Comment 5 Darin Adler 2021-04-23 11:01:33 PDT 
Oh, I see now. That first bool in the template!
Comment 6 Darin Adler 2021-04-23 11:01:56 PDT 
(In reply to Darin Adler from comment #5)
> Oh, I see now. That first bool in the template!

That’s a surprisingly narrow optimization.
Comment 7 Darin Adler 2021-04-23 11:09:04 PDT 
(In reply to Darin Adler from comment #6)
> (In reply to Darin Adler from comment #5)
> > Oh, I see now. That first bool in the template!
> 
> That’s a surprisingly narrow optimization.

It’s a more specific optimization for a smaller set of types. It’s "treat this as a single buffer and read it all at once using decodeFixedLengthData" when it’s a simple scalar.

It does seem like there are conditions where we can sufficiently vet the size and use it to preallocate space in the hash table. Using the relationship between the size of the remaining data and the size that we pre-allocate.

But, like you, Sam, I don’t know how important and valuable this optimization is. It saves memory (very important) on hash tables that we send across IPC (wait, what?, why?).
Comment 8 Darin Adler 2021-04-23 12:06:34 PDT 
Committed r276510 (236967@main): <https://commits.webkit.org/236967@main>
Comment 9 Radar WebKit Bug Importer 2021-04-24 15:02:29 PDT 
<rdar://problem/77110020>