[8] GPU process IPC validation bypass in RemoteRenderingBackend
Severity: Medium | Component: WebKit GPU Process RemoteRenderingBackend | f9b5fa2
Rated Medium because the observable effect is reaching a disabled-by-default code path (DisplayList rendering) in the GPU process from a compromised WebContent process — attack surface expansion without a demonstrated memory corruption primitive, though the display list replay code is a plausible target for further exploitation.
This fixes the bug by aborting with MESSAGE_CHECK if remoteSnapshottingEnabled is not true when RenderingMode::DisplayList is requested.
Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
void RemoteRenderingBackend::createImageBuffer(const FloatSize& logicalSize, RenderingMode renderingMode, RenderingPurpose purpose, float resolutionScale, const DestinationColorSpace& colorSpace, ImageBufferFormat pixelFormat, RenderingResourceIdentifier identifier, RemoteGraphicsContextIdentifier contextIdentifier)
{
assertIsCurrent(workQueue());
+
+ // Verify DisplayList rendering mode is only used when RemoteSnapshotting is enabled
+ if (renderingMode == RenderingMode::DisplayList) {
+ auto prefs = sharedPreferencesForWebProcess();
+ MESSAGE_CHECK(prefs && prefs->remoteSnapshottingEnabled, "RemoteSnapshotting is not enabled");
+ }
+
RefPtr<ImageBuffer> imageBuffer = allocateImageBuffer(logicalSize, renderingMode, purpose, resolutionScale, colorSpace, pixelFormat, { });
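Review bot: The new guard `MESSAGE_CHECK(prefs && prefs->remoteSnapshottingEnabled, ...)` fails closed when `sharedPreferencesForWebProcess()` returns nothing, which is the right default, but it is applied only in `createImageBuffer`; confirm that no other handler in this class accepts a `RenderingMode` from IPC, or hoist the check into a small helper so every such entry point reuses it. A test that sends `RenderingMode::DisplayList` with the preference off and expects the sender to be terminated would pin the behaviour.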
Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
RemoteSnapshottingEnabled:
default: false
WebCore:
default: false
+ sharedPreferenceForWebProcess: true
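Review bot: Indentation has been lost in this rendering, so it is not clear whether `sharedPreferenceForWebProcess: true` is a sibling of the preference's top-level `default: false` or sits under `WebCore:`; the placement should match the other shared preferences in this file, since the `MESSAGE_CHECK` added in `createImageBuffer` depends on `remoteSnapshottingEnabled` being present in the GPU process's shared snapshot. The default stays `false`, so together with the GPU-side gate the DisplayList path is now fail-closed end to end.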
Patch Details
The fix adds a MESSAGE_CHECK guard in createImageBuffer that terminates the WebContent process if it requests RenderingMode::DisplayList while RemoteSnapshottingEnabled is false. The preferences YAML change makes this preference queryable from the GPU process side.
Missing IPC parameter validation in the GPU process for a rendering mode that should only be reachable under a disabled-by-default feature gate.
Background
RemoteRenderingBackend runs in the GPU process and receives IPC messages from the WebContent process to create image buffers and manage rendering resources. RenderingMode::DisplayList is a rendering mode where drawing commands are recorded as a serialized display list rather than being rasterized immediately — associated with the RemoteSnapshotting feature, which is disabled by default. MESSAGE_CHECK is WebKit's IPC validation macro that terminates the offending process on failure.
Analysis
Before the fix, createImageBuffer accepted the renderingMode parameter directly from IPC without validating whether the requested mode was permitted by the current configuration. A WebContent process could request RenderingMode::DisplayList even when RemoteSnapshottingEnabled was false. The GPU process trusted the WebContent process to send only rendering modes consistent with the active preferences, but the WebKit threat model assumes the WebContent process may be compromised, so a feature gate enforced only on the WebContent side provides no protection at the GPU process boundary.
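The following is an added illustration of the validation pattern described above, not WebKit's own code: it models the GPU-process handler before and after the fix, with MESSAGE_CHECK's process termination represented as a return value so the decision can be inspected. RenderingMode, the MESSAGE_CHECK semantics and remoteSnapshottingEnabled come from the patch; every other name (SharedPrefs, IpcOutcome, decodeRenderingMode, handleCreateImageBuffer) is an assumption made for the example.

```cpp
// Added example, not WebKit's code: models the GPU-process-side gate from the fix.
// RenderingMode, MESSAGE_CHECK semantics and remoteSnapshottingEnabled come from
// the patch; every other name here is an assumption made for illustration.
#include <cstdint>
#include <optional>

enum class RenderingMode : uint8_t { Unaccelerated = 0, Accelerated = 1, DisplayList = 2 };

// Stand-in for the preference snapshot the GPU process can query after the YAML change.
struct SharedPrefs { bool remoteSnapshottingEnabled = false; };

// MESSAGE_CHECK terminates the sending process; modelled here as a return value
// so the decision can be inspected in a test.
enum class IpcOutcome { Handled, SenderTerminated };

// Decode the wire byte. Values outside the enum are rejected before any handler
// runs, which is the first layer of IPC validation.
std::optional<RenderingMode> decodeRenderingMode(uint8_t wire)
{
    if (wire > static_cast<uint8_t>(RenderingMode::DisplayList))
        return std::nullopt;
    return static_cast<RenderingMode>(wire);
}

// Pre-fix behaviour: a well-formed mode goes straight to allocation.
IpcOutcome createImageBufferUnchecked(RenderingMode, const std::optional<SharedPrefs>&)
{
    return IpcOutcome::Handled;
}

// Post-fix behaviour: DisplayList is honoured only when the GPU process's own copy
// of the preference says the feature is on. A missing snapshot fails closed.
IpcOutcome createImageBufferChecked(RenderingMode mode, const std::optional<SharedPrefs>& prefs)
{
    if (mode == RenderingMode::DisplayList && !(prefs && prefs->remoteSnapshottingEnabled))
        return IpcOutcome::SenderTerminated;
    return IpcOutcome::Handled;
}

// Full path for one incoming message: decode, then gate against server-side state.
IpcOutcome handleCreateImageBuffer(uint8_t wireMode, const std::optional<SharedPrefs>& prefs, bool fixed)
{
    auto mode = decodeRenderingMode(wireMode);
    if (!mode)
        return IpcOutcome::SenderTerminated; // malformed enum value
    return fixed ? createImageBufferChecked(*mode, prefs) : createImageBufferUnchecked(*mode, prefs);
}
```

The contrast worth noting is the pre-fix path returning Handled for DisplayList regardless of the preference, while the post-fix path rejects it unless the GPU process's own snapshot enables the feature.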