[8] GPU process IPC validation bypass in RemoteRenderingBackend
Severity: Medium | Component: WebKit GPU Process RemoteRenderingBackend | f9b5fa2
The impact of this vulnerability is limited to a compromised WebContent process reaching a code path in the GPU process that is disabled by default (DisplayList rendering). No direct memory corruption primitive has been confirmed, but the display list replay code is a plausible target for further exploitation, so we rate it Medium.
The fix terminates the process via MESSAGE_CHECK when RenderingMode::DisplayList is requested while remoteSnapshottingEnabled is not on.
Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
void RemoteRenderingBackend::createImageBuffer(const FloatSize& logicalSize, RenderingMode renderingMode, RenderingPurpose purpose, float resolutionScale, const DestinationColorSpace& colorSpace, ImageBufferFormat pixelFormat, RenderingResourceIdentifier identifier, RemoteGraphicsContextIdentifier contextIdentifier)
{
assertIsCurrent(workQueue());
+
+ // RemoteSnapshotting이 활성화된 경우에만 DisplayList rendering mode를 허용
+ if (renderingMode == RenderingMode::DisplayList) {
+ auto prefs = sharedPreferencesForWebProcess();
+ MESSAGE_CHECK(prefs && prefs->remoteSnapshottingEnabled, "RemoteSnapshotting is not enabled");
+ }
+
RefPtr<ImageBuffer> imageBuffer = allocateImageBuffer(logicalSize, renderingMode, purpose, resolutionScale, colorSpace, pixelFormat, { });
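Review bot: the guard only compares against RenderingMode::DisplayList, so any further mode that is later tied to a default-off feature would pass through this handler unchecked; consider routing the check through a helper that maps each gated mode to its required preference, so new gated modes fail closed by construction. The `prefs &&` null test before the dereference is correct given that sharedPreferencesForWebProcess() may return no value for the sender.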
Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
RemoteSnapshottingEnabled:
default: false
WebCore:
default: false
+ sharedPreferenceForWebProcess: true
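Review bot: this YAML change is a hard dependency of the createImageBuffer guard, which dereferences prefs->remoteSnapshottingEnabled; without sharedPreferenceForWebProcess: true the GPU process would not have this value available to consult, so the two hunks should land in the same commit. With default: false on both sides, the guard trips for every DisplayList request unless the preference is explicitly enabled, which is the intended fail-closed behaviour.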
Patch Details
A MESSAGE_CHECK guard was added to createImageBuffer. Requesting RenderingMode::DisplayList while RemoteSnapshottingEnabled is false now terminates the WebContent process. The preferences YAML was also changed so that the setting can be queried on the GPU process side.
The pattern: the GPU process lacked IPC parameter validation for a rendering mode that should only be reachable under a default-disabled feature gate.
Background
RemoteRenderingBackend runs in the GPU process; it receives IPC messages from the WebContent process, creates image buffers, and manages rendering resources. RenderingMode::DisplayList is a rendering mode that records drawing commands as a serialized display list instead of rasterizing them immediately. It is tied to the RemoteSnapshotting feature, which is disabled by default. MESSAGE_CHECK is WebKit's IPC validation macro; when validation fails it terminates the offending process.
Analysis
Before the fix, createImageBuffer accepted the renderingMode parameter passed over IPC as-is. There was no step verifying that the requested mode was permitted under the current configuration. As a result, the WebContent process could request RenderingMode::DisplayList even with RemoteSnapshottingEnabled set to false.
The GPU process trusted the WebContent process to send only rendering modes consistent with the enabled configuration. But WebKit's threat model assumes the WebContent process can be compromised, so a client-side feature gate has no security value; the receiving process must re-derive the gate from its own copy of the preferences.
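To make the receiver-side pattern concrete, here is an added C++ model (not WebKit's code; the types and function names are simplified stand-ins) of the unchecked and checked handler shapes. It generalizes the patch by mapping each gated mode to the preference that must be on, and treats missing preferences as a closed gate, as the `prefs &&` test in the patch does.

```cpp
#include <cstdint>
#include <optional>

// Constructed model of the GPU-process side of the check (not WebKit's code).
enum class RenderingMode : uint8_t { Unaccelerated, Accelerated, DisplayList };

// Subset of the preferences the GPU process holds per WebContent process.
struct SharedPreferencesForWebProcess {
    bool remoteSnapshottingEnabled = false;
};

// Result of handling one createImageBuffer message. A real MESSAGE_CHECK failure
// terminates the sending process; here it is modelled as a return value.
enum class Outcome { BufferCreated, SenderTerminated };

// Maps a requested mode to the feature gate that must be on for it to be allowed.
// Returns nullopt for modes that need no gate. Only DisplayList is gated, as in the
// patch; adding a new gated mode means adding one case here, so it fails closed.
static std::optional<bool> requiredGate(RenderingMode mode, const SharedPreferencesForWebProcess& prefs)
{
    switch (mode) {
    case RenderingMode::DisplayList:
        return prefs.remoteSnapshottingEnabled;
    default:
        return std::nullopt;
    }
}

// Vulnerable shape: the mode decoded from IPC is accepted exactly as sent, so the
// receiver relies on the sender having honoured the feature gate.
Outcome createImageBufferUnchecked(RenderingMode, const std::optional<SharedPreferencesForWebProcess>&)
{
    return Outcome::BufferCreated;
}

// Fixed shape: the receiver consults its own preference copy before allocating.
Outcome createImageBufferChecked(RenderingMode mode, const std::optional<SharedPreferencesForWebProcess>& prefs)
{
    // Absent preferences count as every gate closed, matching `prefs && prefs->...`.
    const SharedPreferencesForWebProcess effective = prefs.value_or(SharedPreferencesForWebProcess{});
    auto gate = requiredGate(mode, effective);
    if (gate.has_value() && !gate.value())
        return Outcome::SenderTerminated; // MESSAGE_CHECK would fire here
    return Outcome::BufferCreated;
}
```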