Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WebGPU] UAF in GPUBuffer::getMappedRange #28098

Merged
merged 1 commit into from
May 6, 2024
Merged

[WebGPU] UAF in GPUBuffer::getMappedRange #28098

merged 1 commit into from
May 6, 2024

Conversation

mwyrzykowski
Copy link
Contributor

@mwyrzykowski mwyrzykowski commented May 3, 2024
edited by webkit-early-warning-system
Loading

cf23d24

[WebGPU] UAF in GPUBuffer::getMappedRange
https://bugs.webkit.org/show_bug.cgi?id=273685
<radar://127490690>

Reviewed by Dan Glastonbury.

Fix UAF by using a callback and update test expectations to run
in Debug which would have likely caught this issue.

* LayoutTests/platform/mac-wk2/TestExpectations:
* Source/WebCore/Modules/WebGPU/GPUBuffer.cpp:
(WebCore::GPUBuffer::getMappedRange):
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUBufferImpl.cpp:
(WebCore::WebGPU::BufferImpl::getMappedRange):
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUBufferImpl.h:
* Source/WebCore/Modules/WebGPU/InternalAPI/WebGPUBuffer.h:
* Source/WebKit/WebProcess/GPU/graphics/WebGPU/RemoteBufferProxy.cpp:
(WebKit::WebGPU::RemoteBufferProxy::getMappedRange):
* Source/WebKit/WebProcess/GPU/graphics/WebGPU/RemoteBufferProxy.h:

Canonical link: https://commits.webkit.org/278392@main

1b482d5

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  tv βœ… πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ merge βœ… πŸ›  watch
βœ… πŸ›  watch-sim

@mwyrzykowski mwyrzykowski self-assigned this May 3, 2024
@mwyrzykowski mwyrzykowski added the WebGPU For bugs in WebGPU label May 3, 2024
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented May 3, 2024
edited
Loading

EWS run on previous version of this PR (hash e6ac5b1)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style ❌ πŸ›  ios ❌ πŸ›  mac ❌ πŸ›  wpe ❌ πŸ›  wincairo
βœ… πŸ§ͺ bindings ❌ πŸ›  ios-sim loading-orange πŸ›  mac-AS-debug ❌ πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl ❌ πŸ§ͺ ios-wk2 ❌ πŸ§ͺ api-mac ❌ πŸ§ͺ api-wpe
❌ πŸ§ͺ ios-wk2-wpt ❌ πŸ§ͺ mac-wk1 ❌ πŸ›  wpe-skia
❌ πŸ§ͺ api-ios ❌ πŸ§ͺ mac-wk2   πŸ›  gtk
  πŸ›  tv loading-orange πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ gtk-wk2
❌ πŸ›  tv-sim ❌ πŸ§ͺ mac-wk2-stress   πŸ§ͺ api-gtk
❌ πŸ›  watch
❌ πŸ›  watch-sim

@mwyrzykowski mwyrzykowski mentioned this pull request May 3, 2024
Merged
@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski removed the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski force-pushed the eng/WebGPU-UAF-in-GPUBuffergetMappedRange branch from e6ac5b1 to b1de078 Compare May 3, 2024 14:50
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented May 3, 2024
edited
Loading

EWS run on previous version of this PR (hash b1de078)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style ❌ πŸ›  ios ❌ πŸ›  mac ❌ πŸ›  wpe ❌ πŸ›  wincairo
βœ… πŸ§ͺ bindings ❌ πŸ›  ios-sim ❌ πŸ›  mac-AS-debug ❌ πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl ❌ πŸ§ͺ ios-wk2 ❌ πŸ§ͺ api-mac ❌ πŸ§ͺ api-wpe
❌ πŸ§ͺ ios-wk2-wpt ❌ πŸ§ͺ mac-wk1 ❌ πŸ›  wpe-skia
❌ πŸ§ͺ api-ios ❌ πŸ§ͺ mac-wk2 ❌ πŸ›  gtk
❌ πŸ›  tv ❌ πŸ§ͺ mac-AS-debug-wk2 ❌ πŸ§ͺ gtk-wk2
❌ πŸ›  tv-sim ❌ πŸ§ͺ mac-wk2-stress ❌ πŸ§ͺ api-gtk
❌ πŸ›  watch
❌ πŸ›  watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski removed the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski force-pushed the eng/WebGPU-UAF-in-GPUBuffergetMappedRange branch from b1de078 to 27890cb Compare May 3, 2024 16:34
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented May 3, 2024
edited
Loading

EWS run on previous version of this PR (hash 27890cb)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style ❌ πŸ›  ios   πŸ›  mac βœ… πŸ›  wpe   πŸ›  wincairo
βœ… πŸ§ͺ bindings   πŸ›  ios-sim   πŸ›  mac-AS-debug   πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl   πŸ§ͺ ios-wk2   πŸ§ͺ api-mac   πŸ§ͺ api-wpe
  πŸ§ͺ ios-wk2-wpt   πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
  πŸ§ͺ api-ios   πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
  πŸ›  tv   πŸ§ͺ mac-AS-debug-wk2   πŸ§ͺ gtk-wk2
  πŸ›  tv-sim   πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ api-gtk
  πŸ›  watch
  πŸ›  watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski removed the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski force-pushed the eng/WebGPU-UAF-in-GPUBuffergetMappedRange branch from 27890cb to 8628056 Compare May 3, 2024 16:47
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented May 3, 2024
edited
Loading

EWS run on previous version of this PR (hash 8628056)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  tv ❌ πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ api-gtk
βœ… πŸ›  watch
βœ… πŸ›  watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label May 3, 2024
@mwyrzykowski mwyrzykowski removed the merging-blocked Applied to prevent a change from being merged label May 4, 2024
@mwyrzykowski mwyrzykowski force-pushed the eng/WebGPU-UAF-in-GPUBuffergetMappedRange branch from 8628056 to 1b482d5 Compare May 4, 2024 03:03
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented May 4, 2024
edited
Loading

EWS run on current version of this PR (hash 1b482d5)

Misc iOS, tvOS & watchOS macOS Linux Windows
βœ… πŸ§ͺ style βœ… πŸ›  ios βœ… πŸ›  mac βœ… πŸ›  wpe βœ… πŸ›  wincairo
βœ… πŸ§ͺ bindings βœ… πŸ›  ios-sim βœ… πŸ›  mac-AS-debug βœ… πŸ§ͺ wpe-wk2
βœ… πŸ§ͺ webkitperl βœ… πŸ§ͺ ios-wk2 βœ… πŸ§ͺ api-mac βœ… πŸ§ͺ api-wpe
βœ… πŸ§ͺ ios-wk2-wpt βœ… πŸ§ͺ mac-wk1 βœ… πŸ›  wpe-skia
βœ… πŸ§ͺ api-ios βœ… πŸ§ͺ mac-wk2 βœ… πŸ›  gtk
βœ… πŸ›  tv βœ… πŸ§ͺ mac-AS-debug-wk2 βœ… πŸ§ͺ gtk-wk2
βœ… πŸ›  tv-sim βœ… πŸ§ͺ mac-wk2-stress βœ… πŸ§ͺ api-gtk
βœ… πŸ›  πŸ§ͺ merge βœ… πŸ›  watch
βœ… πŸ›  watch-sim

djg
djg approved these changes May 6, 2024
View reviewed changes
Copy link
Contributor

@djg djg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@mwyrzykowski mwyrzykowski added the safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks label May 6, 2024
@webkit-ews-buildbot webkit-ews-buildbot removed the safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks label May 6, 2024
@webkit-ews-buildbot
Copy link
Collaborator

Safe-Merge-Queue: Build #19958.

@webkit-ews-buildbot webkit-ews-buildbot added the merge-queue Applied to send a pull request to merge-queue label May 6, 2024
@mwyrzykowski
[WebGPU] UAF in GPUBuffer::getMappedRange
cf23d24 
https://bugs.webkit.org/show_bug.cgi?id=273685
<radar://127490690>

Reviewed by Dan Glastonbury.

Fix UAF by using a callback and update test expectations to run
in Debug which would have likely caught this issue.

* LayoutTests/platform/mac-wk2/TestExpectations:
* Source/WebCore/Modules/WebGPU/GPUBuffer.cpp:
(WebCore::GPUBuffer::getMappedRange):
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUBufferImpl.cpp:
(WebCore::WebGPU::BufferImpl::getMappedRange):
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUBufferImpl.h:
* Source/WebCore/Modules/WebGPU/InternalAPI/WebGPUBuffer.h:
* Source/WebKit/WebProcess/GPU/graphics/WebGPU/RemoteBufferProxy.cpp:
(WebKit::WebGPU::RemoteBufferProxy::getMappedRange):
* Source/WebKit/WebProcess/GPU/graphics/WebGPU/RemoteBufferProxy.h:

Canonical link: https://commits.webkit.org/278392@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/WebGPU-UAF-in-GPUBuffergetMappedRange branch from 1b482d5 to cf23d24 Compare May 6, 2024 02:24
@webkit-commit-queue
Copy link
Collaborator

Committed 278392@main (cf23d24): https://commits.webkit.org/278392@main

Reviewed commits have been landed. Closing PR #28098 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit cf23d24 into WebKit:main May 6, 2024
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label May 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djg djg djg approved these changes

@tadeuzagallo tadeuzagallo Awaiting requested review from tadeuzagallo tadeuzagallo is a code owner

@kkinnunen-apple kkinnunen-apple Awaiting requested review from kkinnunen-apple

Assignees

@mwyrzykowski mwyrzykowski

Labels
WebGPU For bugs in WebGPU
Projects
None yet
Milestone
No milestone
5 participants
@mwyrzykowski @webkit-early-warning-system @webkit-ews-buildbot @webkit-commit-queue @djg