[6] GPU process dangling reference via MarkSurfacesVolatile during prepareBufferForDisplay
Severity: High | Component: GPU Process RemoteRenderingBackend | 325e4cb
Rated High because the observable effect is a dangling reference to a destroyed graphics context in the GPU process — which runs outside the WebContent sandbox — triggered by a reproducible IPC message sequence from a compromised WebProcess, with the attack scenario confirmed by the regression test.
The WebProcess can send MarkSurfacesVolatile while prepareBufferForDisplay is still active on the GPU Process. This calls releaseGraphicsContext() on each image buffer, destroying the graphics context that prepareBufferForDisplay is actively using through m_context.
Source/WebKit/GPUProcess/graphics/RemoteImageBufferSet.h
+ bool isPreparingForDisplay() const { return m_context.get(); }
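Review bot: `return m_context.get();` relies on the implicit pointer-to-bool conversion; `return !!m_context;` or `return m_context != nullptr;` states the boolean the accessor's name promises. The new MESSAGE_CHECK in markSurfacesVolatile depends on m_context being non-null exactly for the duration of prepareBufferForDisplay, so a one-line comment on the accessor documenting that invariant would help the next reader who reaches for m_context elsewhere.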
Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
RefPtr<RemoteImageBufferSet> remoteImageBufferSet = m_remoteImageBufferSets.get(identifier.first);
MESSAGE_CHECK(remoteImageBufferSet, "BufferSet is being marked volatile before being created");
+ MESSAGE_CHECK(!remoteImageBufferSet->isPreparingForDisplay(), "BufferSet is being marked volatile while preparing for display");
OptionSet<BufferInSetType> volatileBuffers;
if (!remoteImageBufferSet->makeBuffersVolatile(identifier.second, volatileBuffers, forcePurge))
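Review bot: The guard is placed only on the markSurfacesVolatile path, so any other handler that can reach releaseGraphicsContext() on a set whose prepare-for-display is in flight stays unprotected. Since makeBuffersVolatile already reports failure through its return value (see the `if (!remoteImageBufferSet->makeBuffersVolatile(...))` line), consider also having it refuse to run while isPreparingForDisplay() is true, so every caller gets the ordering check rather than only this message handler.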
LayoutTests/ipc/mark-surfaces-volatile-during-prepare-for-display.html
+ remoteRenderingBackend.PrepareImageBufferSetsForDisplaySync({ ... });
+
+ remoteRenderingBackend.MarkSurfacesVolatile({
+ requestIdentifier: randomIPCID(),
+ renderingResourceIdentifiers: [[imageBufferSetIdentifier, 1]],
+ forcePurge: false,
+ });
+
+ remoteGraphicsContext.SetShouldAntialias({
+ shouldAntialias: true
+ });
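Review bot: The test covers only the invalid ordering (Prepare, then MarkSurfacesVolatile, then SetShouldAntialias). Add a companion case that sends MarkSurfacesVolatile after the display has completed, to confirm the new MESSAGE_CHECK does not reject a legitimate volatility request; a false positive here would terminate well-behaved WebContent processes. The test should also state what it expects after the fix (the sender being terminated by the check rather than the GPU process crashing), otherwise a silent pass is indistinguishable from the message never being dispatched.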
Patch Details
The fix adds a MESSAGE_CHECK guard in RemoteRenderingBackend::markSurfacesVolatile that rejects the IPC message when the target RemoteImageBufferSet is currently preparing for display. The check uses a new isPreparingForDisplay() accessor which returns whether m_context is non-null. MESSAGE_CHECK terminates the offending WebContent process on failure.
Missing IPC message ordering validation allows a resource lifetime to be terminated while an operation consuming that resource is still in flight.
Background
WebKit's GPU process architecture separates rendering operations into a dedicated GPU process. The WebProcess communicates with the GPU process over IPC stream connections. RemoteImageBufferSet manages a set of image buffers (front/back) used for compositing. prepareBufferForDisplay initializes the front buffer's contents using a graphics context stored in m_context. makeBuffersVolatile marks buffers as reclaimable by the OS and calls releaseGraphicsContext() to destroy the associated context. MESSAGE_CHECK is WebKit's IPC validation macro — when a check fails, the GPU process terminates the offending WebContent process, enforcing IPC contracts between processes.
Analysis
Before the fix, RemoteRenderingBackend::markSurfacesVolatile did not check whether the target RemoteImageBufferSet was actively being used by prepareBufferForDisplay. When the WebProcess sends MarkSurfacesVolatile while prepareBufferForDisplay is still active, makeBuffersVolatile() calls releaseGraphicsContext(), destroying the graphics context held in m_context (as the commit message confirms: "MarkSurfacesVolatile calls makeBuffersVolatile, which calls releaseGraphicsContext() on each image buffer — destroying the graphics context that prepareBufferForDisplay is actively using through m_context"). The prepareBufferForDisplay code path continues to use m_context after this destruction, producing a dangling reference.
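To make the ordering bug and the guard concrete, here is an added illustration, not WebKit's code: a reduced C++ model of the Patch Details and Analysis above. Every class and function name in it (ImageBufferSet, RenderingBackend, Outcome, replayRegressionSequence, replayBenignSequence) is a hypothetical stand-in for the real RemoteImageBufferSet and RemoteRenderingBackend. The model replays the regression test's message order (Prepare, MarkSurfacesVolatile, SetShouldAntialias) with the guard switched off and on, plus a benign order where the display finishes before the buffers are marked volatile. A std::weak_ptr stands in for the raw reference the real code holds so the model can observe "context destroyed under us" instead of dereferencing freed memory; that is a modelling device only, the fix being modelled is the MESSAGE_CHECK.

```cpp
#include <map>
#include <memory>

// Added model, not WebKit code: every name below is a hypothetical stand-in for
// RemoteImageBufferSet / RemoteRenderingBackend, reduced to the ordering bug
// and the MESSAGE_CHECK guard described in this report.

struct GraphicsContext {
    bool shouldAntialias = false;
};

// Stand-in for RemoteImageBufferSet. The context exists only while a
// prepare-for-display is in flight, which is the invariant the fix relies on.
class ImageBufferSet {
public:
    void prepareBufferForDisplay() { m_context = std::make_shared<GraphicsContext>(); }
    bool isPreparingForDisplay() const { return m_context != nullptr; }
    void finishDisplay() { m_context.reset(); }              // normal end of the operation
    void makeBuffersVolatile() { releaseGraphicsContext(); } // what MarkSurfacesVolatile reaches
    std::weak_ptr<GraphicsContext> contextHandle() const { return m_context; }

private:
    void releaseGraphicsContext() { m_context.reset(); }
    std::shared_ptr<GraphicsContext> m_context;
};

// Result of handling one IPC message from the untrusted WebProcess.
// SenderTerminated models a failed MESSAGE_CHECK; DanglingContext models a use
// of the destroyed context that the real code would turn into a UAF.
enum class Outcome { Handled, SenderTerminated, DanglingContext };

class RenderingBackend {
public:
    explicit RenderingBackend(bool guardVolatileDuringDisplay)
        : m_guard(guardVolatileDuringDisplay) {}

    void createImageBufferSet(int id) { m_sets[id] = ImageBufferSet{}; }

    Outcome prepareImageBufferSetsForDisplay(int id) {
        ImageBufferSet* set = find(id);
        if (!set) return Outcome::SenderTerminated;   // "before being created" check
        set->prepareBufferForDisplay();
        m_remoteContext = set->contextHandle();       // RemoteGraphicsContext's view of m_context
        return Outcome::Handled;
    }

    Outcome markSurfacesVolatile(int id) {
        ImageBufferSet* set = find(id);
        if (!set) return Outcome::SenderTerminated;
        // The fix: reject the message while the set is still preparing for display.
        if (m_guard && set->isPreparingForDisplay()) return Outcome::SenderTerminated;
        set->makeBuffersVolatile();
        return Outcome::Handled;
    }

    Outcome setShouldAntialias(bool value) {
        // The real code holds a plain reference; the weak_ptr lets this model
        // observe the destroyed context instead of touching freed memory.
        std::shared_ptr<GraphicsContext> context = m_remoteContext.lock();
        if (!context) return Outcome::DanglingContext;
        context->shouldAntialias = value;
        return Outcome::Handled;
    }

    Outcome finishDisplay(int id) {
        ImageBufferSet* set = find(id);
        if (!set) return Outcome::SenderTerminated;
        set->finishDisplay();
        return Outcome::Handled;
    }

private:
    ImageBufferSet* find(int id) {
        auto it = m_sets.find(id);
        return it == m_sets.end() ? nullptr : &it->second;
    }
    bool m_guard;
    std::map<int, ImageBufferSet> m_sets;
    std::weak_ptr<GraphicsContext> m_remoteContext;
};

// Replays the regression test's order: Prepare, MarkSurfacesVolatile, SetShouldAntialias.
Outcome replayRegressionSequence(bool guarded) {
    RenderingBackend backend(guarded);
    backend.createImageBufferSet(1);
    backend.prepareImageBufferSetsForDisplay(1);
    Outcome volatileResult = backend.markSurfacesVolatile(1);
    if (volatileResult == Outcome::SenderTerminated) return volatileResult;
    return backend.setShouldAntialias(true);          // touches the released context
}

// Legitimate order: the display finishes before the buffers are marked volatile.
Outcome replayBenignSequence(bool guarded) {
    RenderingBackend backend(guarded);
    backend.createImageBufferSet(1);
    backend.prepareImageBufferSetsForDisplay(1);
    backend.setShouldAntialias(true);
    backend.finishDisplay(1);
    return backend.markSurfacesVolatile(1);
}
```

With the guard off, replayRegressionSequence reports DanglingContext, which is the state the real code reaches through m_context; with the guard on it reports SenderTerminated at the MarkSurfacesVolatile step, and the benign sequence is accepted either way, which is the property the regression test should also pin down.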