[7] GPU process dangling span in RemoteGraphicsContext::drawGlyphs
Severity: High | Component: GPU Process graphics layer — RemoteGraphicsContext | 6aacf62
Rated High because the observable effect is a dangling-span read in the GPU process, which runs outside the WebContent sandbox: glyph data backed by IPC message storage is handed to a rendering call without any transfer of ownership. The asymmetry in the original code (the advances span copied, the glyphs span not) indicates an oversight rather than a deliberate design choice.
Copy the glyph buffer in RemoteGraphicsContext::drawGlyphs to avoid a dangling span from IPC message backing storage.
Source/WebKit/GPUProcess/graphics/RemoteGraphicsContext.cpp
- context().drawGlyphs(*font, glyphsAdvances.span<0>(), Vector<GlyphBufferAdvance>(glyphsAdvances.span<1>()), localAnchor, fontSmoothingMode);
+ Vector<GlyphBufferGlyph, 128> glyphs { glyphsAdvances.span<0>() };
+ Vector<GlyphBufferAdvance, 128> advances { glyphsAdvances.span<1>() };
+ context().drawGlyphs(*font, glyphs.span(), advances.span(), localAnchor, fontSmoothingMode);
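Review bot: the copy is the whole fix, yet nothing in the hunk records why it is needed; a one-line comment above the two Vector declarations, along the lines of `// spans from glyphsAdvances alias the IPC message buffer; copy before rendering.`, would stop a later cleanup from treating the copies as redundant and reintroducing the dangling span. Worth confirming in the same review that context().drawGlyphs() only reads the two spans for the duration of the call and does not retain them, since the local Vectors go out of scope when this function returns. The inline capacity of 128 means runs longer than 128 glyphs heap-allocate, which is harmless but deserves a mention in the commit message so the constant is not taken as a hard limit.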
Patch Details
The fix copies both the glyph and the advance spans of the IPC-deserialized glyphsAdvances parameter into local Vector objects before passing them to context().drawGlyphs(). The inline capacity of 128 keeps glyph runs of up to 128 entries on the stack; longer runs fall back to a heap allocation. Before the fix, span<0>() (the glyphs) was passed through as a non-owning span while span<1>() (the advances) was already copied into a temporary Vector, an asymmetry that points to the omission being accidental.
The root cause is the use of a non-owning span over IPC message data across a call boundary where the lifetime of the backing buffer is not guaranteed to cover the call.
Background
WebKit's GPU process architecture offloads graphics operations (including text rendering) from the sandboxed WebContent process to a separate GPU process via IPC. RemoteGraphicsContext receives serialized drawing commands over IPC and replays them against a real GraphicsContext. Parameters such as glyph buffers arrive as serialized data in IPC message buffers; depending on how the message is deserialized, spans obtained from it may alias that backing storage rather than own a copy. GlyphBufferGlyph and GlyphBufferAdvance are the per-glyph data types used by WebCore's text rendering pipeline.
Analysis
Before the fix, RemoteGraphicsContext::drawGlyphs passed glyphsAdvances.span<0>() directly to context().drawGlyphs() as a non-owning span. If IPC deserialization produces views rather than copies (which the fix pattern strongly implies), that span points into the IPC message's backing storage. Should the buffer's lifetime not extend through the whole of context().drawGlyphs(), for example because the message buffer is freed or recycled while glyphs are being rendered, the span dangles and the GPU process reads freed or stale memory. Only the glyphs span was exposed; the advances span was already copied into a temporary Vector.
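To make the lifetime hazard concrete, the following added example (not WebKit code) models an IPC message buffer that the transport reuses while a rendering call is still consuming a view into it, and contrasts the pre-fix and post-fix behaviour of the patch. MessageBuffer, GlyphSpan, renderGlyphs and the two draw functions are constructed for this illustration only; buffer reuse is modelled by overwriting the storage in place so the stale read is deterministic rather than undefined behaviour, and std::vector stands in for WebKit's Vector<T, 128>.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

using GlyphId = uint16_t;

// Minimal non-owning view, standing in for the std::span WebKit uses
// (kept self-contained so the example builds without C++20).
struct GlyphSpan {
    const GlyphId* data;
    size_t size;
};

// Stand-in for an IPC message's backing storage. Real transports reuse or free
// receive buffers; here reuse is modelled by overwriting the storage in place so
// the stale read is deterministic (a real free would be undefined behaviour).
struct MessageBuffer {
    std::vector<GlyphId> storage;

    explicit MessageBuffer(std::vector<GlyphId> payload) : storage(std::move(payload)) {}

    // "Deserialize" in place: a view that aliases the message storage.
    GlyphSpan glyphsView() const { return { storage.data(), storage.size() }; }

    // The transport reuses this buffer for the next incoming message.
    void recycleWith(const std::vector<GlyphId>& next) {
        std::copy_n(next.begin(), std::min(next.size(), storage.size()), storage.begin());
    }
};

// Rendering step: folds the glyph ids into a checksum. The hook fires after the
// first glyph is consumed, standing in for any work during rendering that lets
// the transport recycle the message buffer.
template <typename Hook>
uint32_t renderGlyphs(GlyphSpan glyphs, Hook&& midRenderHook) {
    uint32_t checksum = 0;
    for (size_t i = 0; i < glyphs.size; ++i) {
        if (i == 1)
            midRenderHook();
        checksum = checksum * 31 + glyphs.data[i];
    }
    return checksum;
}

// What a correct render of the original payload must produce.
uint32_t referenceChecksum(const std::vector<GlyphId>& glyphs) {
    return renderGlyphs(GlyphSpan{ glyphs.data(), glyphs.size() }, [] {});
}

// Before the fix: the view into the message buffer is passed straight through,
// so the renderer reads whatever the buffer holds after it is recycled.
uint32_t drawWithoutCopy(MessageBuffer& message, const std::vector<GlyphId>& nextMessage) {
    GlyphSpan glyphs = message.glyphsView();
    return renderGlyphs(glyphs, [&] { message.recycleWith(nextMessage); });
}

// After the fix: copy into storage this function owns before rendering, as the
// patch does with Vector<GlyphBufferGlyph, 128>. std::vector heap-allocates where
// WebKit's inline capacity keeps short runs on the stack; the lifetime guarantee
// is the same either way.
uint32_t drawWithCopy(MessageBuffer& message, const std::vector<GlyphId>& nextMessage) {
    GlyphSpan view = message.glyphsView();
    std::vector<GlyphId> owned(view.data, view.data + view.size);
    return renderGlyphs(GlyphSpan{ owned.data(), owned.size() },
                        [&] { message.recycleWith(nextMessage); });
}

// Constructed inputs: the glyph run in flight and the next message the
// transport writes into the same buffer.
const std::vector<GlyphId> kGlyphRun { 10, 20, 30 };
const std::vector<GlyphId> kNextMessage { 1, 2, 3 };

uint32_t unsafeDemo() { MessageBuffer m(kGlyphRun); return drawWithoutCopy(m, kNextMessage); }
uint32_t safeDemo()   { MessageBuffer m(kGlyphRun); return drawWithCopy(m, kNextMessage); }

int main() {
    // Expected: reference 10260, safe 10260, unsafe 9675 (glyphs 2 and 3 come from the recycled buffer).
    const uint32_t expected = referenceChecksum(kGlyphRun);
    return (safeDemo() == expected && unsafeDemo() != expected) ? 0 : 1;
}
```

The unsafe path does not crash here because the storage is only overwritten, which is the "stale memory" case; with a transport that frees the buffer instead, the same span read becomes a use-after-free, which is why the patch copies rather than relying on the buffer outliving the call.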