Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WGSL] UAF in GlobalVariableRewriter #16283

Merged
merged 1 commit into from
Aug 3, 2023
Merged

[WGSL] UAF in GlobalVariableRewriter #16283

merged 1 commit into from
Aug 3, 2023

Conversation

tadeuzagallo
Copy link
Member

@tadeuzagallo tadeuzagallo commented Aug 1, 2023
edited by webkit-early-warning-system
Loading

f047d0a

[WGSL] UAF in GlobalVariableRewriter
https://bugs.webkit.org/show_bug.cgi?id=259696
rdar://113215682

Reviewed by Dan Glastonbury.

The GlobalVariableRewriter kept pointers to globals, which are values in the HashMap,
but those pointers result in a UAF once the HashMap gets resized. To fix it, instead
of storing the pointers, we just store the keys we perform another lookup. This shouldn't
be an issue since we only look it up once.

No test added because it reproduces on the existing tests with ASAN enabled.

* Source/WebGPU/WGSL/GlobalVariableRewriter.cpp:
(WGSL::RewriteGlobalVariables::collectGlobals):
(WGSL::RewriteGlobalVariables::insertStructs):

Canonical link: https://commits.webkit.org/266546@main

13301b5

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🛠 gtk
✅ 🧪 ios-wk2-wpt ✅ 🧪 gtk-wk2
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🧪 api-gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2
✅ 🛠 tv-sim
✅ 🛠 🧪 merge ✅ 🛠 watch
✅ 🛠 watch-sim

@tadeuzagallo tadeuzagallo self-assigned this Aug 1, 2023
@tadeuzagallo tadeuzagallo added the WebGPU For bugs in WebGPU label Aug 1, 2023
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Aug 1, 2023
edited
Loading

EWS run on previous version of this PR (hash 19b191c)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ❌ 🛠 ios ❌ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
❌ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ❌ 🧪 ios-wk2 ❌ 🧪 api-mac 💥 🛠 gtk
❌ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 💥 🧪 gtk-wk2
❌ 🧪 api-ios ❌ 🧪 mac-wk2 💥 🧪 api-gtk
❌ 🛠 tv ✅ 🧪 mac-AS-debug-wk2
❌ 🛠 tv-sim ❌ 🧪 mac-wk2-stress
❌ 🛠 watch
❌ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Aug 1, 2023
@tadeuzagallo tadeuzagallo force-pushed the eng/WGSL-UAF-in-GlobalVariableRewriter branch from 19b191c to 13301b5 Compare August 2, 2023 09:04
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Aug 2, 2023
edited
Loading

EWS run on current version of this PR (hash 13301b5)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🛠 gtk
✅ 🧪 ios-wk2-wpt ✅ 🧪 gtk-wk2
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🧪 api-gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2
✅ 🛠 tv-sim
✅ 🛠 🧪 merge ✅ 🛠 watch
✅ 🛠 watch-sim

djg
djg approved these changes Aug 3, 2023
View reviewed changes
Copy link
Contributor

@djg djg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@tadeuzagallo tadeuzagallo added merge-queue Applied to send a pull request to merge-queue and removed merging-blocked Applied to prevent a change from being merged labels Aug 3, 2023
@tadeuzagallo
[WGSL] UAF in GlobalVariableRewriter
f047d0a 
https://bugs.webkit.org/show_bug.cgi?id=259696
rdar://113215682

Reviewed by Dan Glastonbury.

The GlobalVariableRewriter kept pointers to globals, which are values in the HashMap,
but those pointers result in a UAF once the HashMap gets resized. To fix it, instead
of storing the pointers, we just store the keys we perform another lookup. This shouldn't
be an issue since we only look it up once.

No test added because it reproduces on the existing tests with ASAN enabled.

* Source/WebGPU/WGSL/GlobalVariableRewriter.cpp:
(WGSL::RewriteGlobalVariables::collectGlobals):
(WGSL::RewriteGlobalVariables::insertStructs):

Canonical link: https://commits.webkit.org/266546@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/WGSL-UAF-in-GlobalVariableRewriter branch from 13301b5 to f047d0a Compare August 3, 2023 19:15
@webkit-commit-queue
Copy link
Collaborator

Committed 266546@main (f047d0a): https://commits.webkit.org/266546@main

Reviewed commits have been landed. Closing PR #16283 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit f047d0a into WebKit:main Aug 3, 2023
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Aug 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djg djg djg approved these changes

@litherum litherum Awaiting requested review from litherum

Assignees

@tadeuzagallo tadeuzagallo

Labels
WebGPU For bugs in WebGPU
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tadeuzagallo @webkit-early-warning-system @webkit-commit-queue @djg @webkit-ews-buildbot