[6] GPU process dangling reference via MarkSurfacesVolatile during prepareBufferForDisplay
Severity: High | Component: GPU Process RemoteRenderingBackend | 325e4cb
A dangling reference to a destroyed graphics context is directly observable inside the GPU process, which runs outside the WebContent sandbox. It is triggered by a reproducible IPC message sequence from a compromised WebProcess, and the attack scenario is confirmed by a regression test. For these reasons it is rated High.
A WebProcess can send MarkSurfacesVolatile while prepareBufferForDisplay is still running in the GPU Process. In that case releaseGraphicsContext() is called on each image buffer, destroying the graphics context that prepareBufferForDisplay is using through m_context.
Source/WebKit/GPUProcess/graphics/RemoteImageBufferSet.h
+ bool isPreparingForDisplay() const { return m_context.get(); }
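Review bot: `return m_context.get();` relies on an implicit pointer-to-bool conversion in a function whose name promises a boolean; write it as `return !!m_context;` or `return m_context != nullptr;` and add a one-line comment stating that m_context is held only for the duration of prepareBufferForDisplay, since that invariant is what makes the accessor meaningful to callers such as markSurfacesVolatile.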
Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
RefPtr<RemoteImageBufferSet> remoteImageBufferSet = m_remoteImageBufferSets.get(identifier.first);
MESSAGE_CHECK(remoteImageBufferSet, "BufferSet is being marked volatile before being created");
+ MESSAGE_CHECK(!remoteImageBufferSet->isPreparingForDisplay(), "BufferSet is being marked volatile while preparing for display");
OptionSet<BufferInSetType> volatileBuffers;
if (!remoteImageBufferSet->makeBuffersVolatile(identifier.second, volatileBuffers, forcePurge))
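Review bot: the new MESSAGE_CHECK is correct only if m_context is cleared on every exit from prepareBufferForDisplay, including early-return and failure paths; that is not visible in this hunk, and a stale m_context would make a subsequent legitimate MarkSurfacesVolatile terminate the WebContent process. Confirm the reset on all paths and state the invariant in a comment above the check so the next reader does not have to rediscover it.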
LayoutTests/ipc/mark-surfaces-volatile-during-prepare-for-display.html
+ remoteRenderingBackend.PrepareImageBufferSetsForDisplaySync({ ... });
+
+ remoteRenderingBackend.MarkSurfacesVolatile({
+ requestIdentifier: randomIPCID(),
+ renderingResourceIdentifiers: [[imageBufferSetIdentifier, 1]],
+ forcePurge: false,
+ });
+
+ remoteGraphicsContext.SetShouldAntialias({
+ shouldAntialias: true
+ });
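Review bot: the test states no expected outcome and carries no comment on the role of the trailing SetShouldAntialias message, which reads as a follow-up use of the context released by MarkSurfacesVolatile. Add a header comment giving the expected result (the GPU process rejects the MarkSurfacesVolatile message via MESSAGE_CHECK and must not crash) so a future reader can tell a pass from a silent no-op.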
Patch Details
A MESSAGE_CHECK guard was added to RemoteRenderingBackend::markSurfacesVolatile. It rejects the IPC message when the target RemoteImageBufferSet is currently preparing for display. The check uses the newly added isPreparingForDisplay() accessor, which returns whether m_context is non-null. If the MESSAGE_CHECK condition is not met, the corresponding WebContent process is terminated.
Validation of IPC message ordering was missing, so a resource's lifetime could end while an operation using that resource was still in progress.
Background
WebKit's GPU process architecture moves rendering operations into a separate GPU process. The WebProcess communicates with the GPU process over an IPC stream connection. RemoteImageBufferSet manages the set of image buffers (front/back) used for compositing. prepareBufferForDisplay initializes the contents of the front buffer using the graphics context stored in m_context. makeBuffersVolatile, on the other hand, marks the buffers as reclaimable by the OS and calls releaseGraphicsContext() to destroy the associated context. MESSAGE_CHECK is WebKit's IPC validation macro: when its condition is not met, the GPU process terminates the offending WebContent process, enforcing the IPC contract between processes.
Analysis
Before the patch, RemoteRenderingBackend::markSurfacesVolatile did not check whether the target RemoteImageBufferSet was in use by prepareBufferForDisplay. If the WebProcess sends MarkSurfacesVolatile while prepareBufferForDisplay is still running, makeBuffersVolatile() calls releaseGraphicsContext(), destroying the graphics context held in m_context. As the commit message puts it, "MarkSurfacesVolatile calls makeBuffersVolatile, which calls releaseGraphicsContext() on each image buffer — destroying the graphics context that prepareBufferForDisplay is actively using through m_context". The remainder of the prepareBufferForDisplay code path then continues to reference the already-destroyed m_context, producing a dangling reference.
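As an added illustration (not code from WebKit or from this commit), the following C++ model reduces the race to its essentials: a buffer set whose m_context is owned only while a display prepare is in flight, the pre-patch MarkSurfacesVolatile handler that destroys it regardless, and the post-patch handler with the isPreparingForDisplay() guard. Every name other than isPreparingForDisplay and m_context is constructed for the model.

```cpp
#include <memory>
struct GraphicsContext { bool shouldAntialias = false; }; // constructed stand-in
// Simplified model of RemoteImageBufferSet (constructed name): m_context is
// owned only while a prepareBufferForDisplay is in flight.
class ImageBufferSet {
public:
    // Start/end of prepareBufferForDisplay: the context lives in m_context in between.
    void beginPrepareForDisplay() { m_context = std::make_unique<GraphicsContext>(); }
    void endPrepareForDisplay() { m_context.reset(); }
    // The accessor the fix adds: true exactly while a display prepare is live.
    bool isPreparingForDisplay() const { return m_context != nullptr; }
    // Models makeBuffersVolatile() -> releaseGraphicsContext(): unconditional destroy.
    void makeBuffersVolatile() { m_context.reset(); }
private:
    std::unique_ptr<GraphicsContext> m_context;
};

enum class Outcome { Handled, MessageCheckFailed };
struct Result { Outcome outcome; bool contextStillHeld; };
// Pre-patch handler: no ordering check, so a context still in use is destroyed.
Outcome markSurfacesVolatileUnpatched(ImageBufferSet& set) {
    set.makeBuffersVolatile();
    return Outcome::Handled;
}

// Post-patch handler: the MESSAGE_CHECK equivalent refuses the message
// (in WebKit this terminates the sending WebContent process).
Outcome markSurfacesVolatilePatched(ImageBufferSet& set) {
    if (set.isPreparingForDisplay())
        return Outcome::MessageCheckFailed;
    set.makeBuffersVolatile();
    return Outcome::Handled;
}

// Replays the regression test's ordering: MarkSurfacesVolatile arrives while the
// prepare is in flight. Unpatched, the context is destroyed while still in use;
// patched, the message is refused and m_context survives.
Result volatileDuringPrepare(bool patched) {
    ImageBufferSet set;
    set.beginPrepareForDisplay();
    Outcome o = patched ? markSurfacesVolatilePatched(set) : markSurfacesVolatileUnpatched(set);
    return { o, set.isPreparingForDisplay() };
}

// The legitimate ordering: volatile after the prepare has finished is accepted.
Result volatileAfterPrepare() {
    ImageBufferSet set;
    set.beginPrepareForDisplay();
    set.endPrepareForDisplay();
    return { markSurfacesVolatilePatched(set), set.isPreparingForDisplay() };
}
```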