Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 48fc66a95fabd7a4b124a4bf8f3b13389a249823
https://github.com/WebKit/WebKit/commit/48fc66a95fabd7a4b124a4bf8f3b13389a249823
Author: Mike Wyrzykowski <[email protected]>
Date: 2026-03-11 (Wed, 11 Mar 2026)
Changed paths:
M Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
M Source/WebKit/GPUProcess/graphics/WebGPU/RemoteQueue.cpp
M Source/WebKit/WebProcess/GPU/graphics/WebGPU/RemoteBufferProxy.cpp
Log Message:
-----------
TOCTOU issue in `RemoteQueue::WriteBuffer`, leading to shader's OOB accesses
https://bugs.webkit.org/show_bug.cgi?id=303927
rdar://166211636
Reviewed by Dan Glastonbury.
There is a race window from a compromised web process where it can
pass a shared memory handle, pass GPU process side CPU validation, and
then perform writes to the shmem from the compromised WCP.
Address this by ensuring GPU process shmem paths are only taken when the
shmem data size exceeds the expected amount, which is currently 16 MB.
No new test since the issue relies on one process completing a data write
before a memcpy call completes; the race window is small and the original repro
is not consistently reproducible.
* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp:
(WebKit::RemoteBuffer::copy):
* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteQueue.cpp:
(WebKit::RemoteQueue::writeBuffer):
(WebKit::RemoteQueue::writeTexture):
Originally-landed-as: 301765.395@safari-7623-branch (30072d25bc76).
rdar://171556720
Canonical link: https://commits.webkit.org/309107@main
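The commit message describes a double-fetch race on shared memory: the GPU process validates data that the web process placed in a shared region, and the web process rewrites that region after validation but before the GPU process's memcpy consumes it. The following is an added example, not WebKit's code and not the fix this commit landed (which restricts the shared-memory path to payloads above a size threshold). It models the bug class in a self-contained way: `racyWriteBuffer` validates fields read directly from the shared region and then re-reads them for the copy, while `snapshotWriteBuffer` copies the request out of shared memory once and validates only the private copy, which is the general mitigation for this class. All names (`SharedRegion`, `CopyResult`, `rangeFits`, the header layout, the `raceHook` callback standing in for the other process) are constructed for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Constructed layout of a write request placed in shared memory by an untrusted client:
// a header of two uint32 fields (destination offset, payload size) followed by the payload.
constexpr size_t kHeaderBytes = 8;

// Memory mapped from the untrusted process; it can be rewritten at any moment.
struct SharedRegion {
    std::vector<uint8_t> bytes;
    uint32_t field(size_t at) const { uint32_t v; std::memcpy(&v, bytes.data() + at, 4); return v; }
    void setHeader(uint32_t offset, uint32_t size) {
        std::memcpy(bytes.data(), &offset, 4);
        std::memcpy(bytes.data() + 4, &size, 4);
    }
};

struct CopyResult {
    bool validated = false;   // the request passed the bounds check
    bool inBounds = false;    // the range actually used for the copy fit the destination
    uint32_t offset = 0, size = 0;
};

static bool rangeFits(uint64_t offset, uint64_t size, size_t dstSize, size_t shmSize) {
    return offset + size <= dstSize && kHeaderBytes + size <= shmSize;
}

// Racy pattern: validate fields read from shared memory, then read them again for the copy.
// `raceHook` stands in for the untrusted process acting inside the window.
CopyResult racyWriteBuffer(SharedRegion& shm, std::vector<uint8_t>& dst,
                           const std::function<void()>& raceHook) {
    CopyResult r;
    if (shm.bytes.size() < kHeaderBytes) return r;
    if (!rangeFits(shm.field(0), shm.field(4), dst.size(), shm.bytes.size())) return r;  // fetch #1
    r.validated = true;
    raceHook();                                        // window between check and use
    r.offset = shm.field(0); r.size = shm.field(4);    // fetch #2: may differ from what was checked
    r.inBounds = rangeFits(r.offset, r.size, dst.size(), shm.bytes.size());
    // Production code would memcpy unconditionally here; the example only copies when the
    // re-fetched range fits so that the demonstration itself stays memory-safe.
    if (r.inBounds) std::memcpy(dst.data() + r.offset, shm.bytes.data() + kHeaderBytes, r.size);
    return r;
}

// Hardened pattern: copy the request out of shared memory exactly once, then validate and use
// only the private copy. Later changes to the shared region cannot affect the checked values.
// The cost of this copy is why a size threshold for the shared-memory path matters in practice.
CopyResult snapshotWriteBuffer(SharedRegion& shm, std::vector<uint8_t>& dst,
                               const std::function<void()>& raceHook) {
    CopyResult r;
    if (shm.bytes.size() < kHeaderBytes) return r;
    std::vector<uint8_t> snapshot(shm.bytes.begin(), shm.bytes.end());  // single fetch
    uint32_t offset, size;
    std::memcpy(&offset, snapshot.data(), 4);
    std::memcpy(&size, snapshot.data() + 4, 4);
    if (!rangeFits(offset, size, dst.size(), snapshot.size())) return r;
    r.validated = true;
    raceHook();                                        // the client may still write; it no longer matters
    r.offset = offset; r.size = size; r.inBounds = true;
    std::memcpy(dst.data() + offset, snapshot.data() + kHeaderBytes, size);
    return r;
}

// Drives both variants with a client that rewrites the header inside the window.
// Returns true when the racy variant accepted a request whose re-fetched range overflows
// the destination while the snapshot variant copied exactly what it validated.
bool demonstrateWindow() {
    SharedRegion shm{std::vector<uint8_t>(kHeaderBytes + 16, 0xAB)};
    shm.setHeader(0, 16);                        // honest request: 16 bytes at offset 0
    std::vector<uint8_t> dst(64, 0);
    auto flip = [&] { shm.setHeader(60, 16); };  // after validation, point past the end of dst

    CopyResult racy = racyWriteBuffer(shm, dst, flip);
    shm.setHeader(0, 16);
    CopyResult safe = snapshotWriteBuffer(shm, dst, flip);

    return racy.validated && !racy.inBounds && safe.validated && safe.inBounds
        && safe.offset == 0 && safe.size == 16 && dst[15] == 0xAB;
}
```

The `raceHook` callback makes the race deterministic for illustration; in a real system the window is the interval between the validating read and the consuming memcpy, which is why the commit notes that the original reproduction is not consistent. Detection in code review comes down to one question: is any value read from a region the other process can write used more than once, with a check on one read and the copy on another?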