[gnome-sdk-images/gnome-3-24] Include mitigations for Spectre/Meltdown vulnerabilities in WebKitGTK



commit 9ddf7237788d0f7e0ec5ecf51c76ada5a38cdccb
Author: Mario Sanchez Prada <mario endlessm com>
Date:   Tue Jan 9 11:24:12 2018 +0000

    Include mitigations for Spectre/Meltdown vulnerabilities in WebKitGTK
    
    Disabling SharedArrayBuffer and reducing timer precision are the two main
    mitigations implemented upstream (see [1]), so backport them.
    
    [1] https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/

 org.gnome.Sdk.json.in                      |    8 ++
 webkitgtk-disable-SharedArrayBuffers.patch |  143 ++++++++++++++++++++++++++++
 webkitgtk-reduce-timer-precision.patch     |   71 ++++++++++++++
 3 files changed, 222 insertions(+), 0 deletions(-)
---
diff --git a/org.gnome.Sdk.json.in b/org.gnome.Sdk.json.in
index 107e54a..7eddf60 100644
--- a/org.gnome.Sdk.json.in
+++ b/org.gnome.Sdk.json.in
@@ -563,6 +563,14 @@
                 {
                     "type": "patch",
                     "path": "webkitgtk-cmake-buildapi.patch"
+                },
+                {
+                    "type": "patch",
+                    "path": "webkitgtk-disable-SharedArrayBuffers.patch"
+                },
+                {
+                    "type": "patch",
+                    "path": "webkitgtk-reduce-timer-precision.patch"
                 }
             ]
         },
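Review bot: The two new patch entries carry no record of which WebKitGTK version they were verified against, and the patches themselves are trunk backports (svn r226386 and r226495 according to their headers), so the next bump of the webkitgtk source in this manifest will need them re-checked or dropped once a release ships the fixes. If the preprocessor or parser used for `.json.in` accepts comments, a one-line note beside the entries such as `// Spectre/Meltdown backports from upstream trunk; drop once the pinned webkitgtk release includes r226386 and r226495` would make that explicit; otherwise the commit message is the only place this is recorded. Patch order is not a concern here since the two patches touch disjoint files.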
diff --git a/webkitgtk-disable-SharedArrayBuffers.patch b/webkitgtk-disable-SharedArrayBuffers.patch
new file mode 100644
index 0000000..130bdf7
--- /dev/null
+++ b/webkitgtk-disable-SharedArrayBuffers.patch
@@ -0,0 +1,143 @@
+From c42fc82666ef82dccc8353722f08a8dba3ab0ce0 Mon Sep 17 00:00:00 2001
+From: Michael Saboff <msaboff apple com>
+Date: Thu, 4 Jan 2018 01:53:41 +0000
+Subject: [PATCH 1/2] Disable SharedArrayBuffers from Web API
+
+https://bugs.webkit.org/show_bug.cgi?id=181266
+
+Reviewed by Saam Barati.
+
+Source/JavaScriptCore:
+
+Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+to disable.
+
+* runtime/JSGlobalObject.cpp:
+(JSC::JSGlobalObject::init):
+(JSC::JSGlobalObject::visitChildren):
+* runtime/JSGlobalObject.h:
+(JSC::JSGlobalObject::arrayBufferPrototype const):
+(JSC::JSGlobalObject::arrayBufferStructure const):
+
+Source/WTF:
+
+Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.
+
+* wtf/Platform.h:
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226386 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ Source/JavaScriptCore/runtime/JSGlobalObject.cpp |  9 ++++++++-
+ Source/JavaScriptCore/runtime/JSGlobalObject.h   | 12 ++++++++++++
+ Source/WTF/wtf/Platform.h                        |  3 +++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 
b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+index 2137b41..a3c18d0 100644
+--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
++++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+@@ -574,8 +574,10 @@ void JSGlobalObject::init(VM& vm)
+     
+     m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, 
JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
+     m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, 
m_arrayBufferPrototype.get()));
++#if ENABLE(SHARED_ARRAY_BUFFER)
+     m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, 
JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
+     m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, 
m_sharedArrayBufferPrototype.get()));
++#endif
+ 
+     m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, 
IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
+     m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, 
GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
+@@ -620,10 +622,11 @@ m_ ## properName ## Structure.set(vm, this, instanceType::createStructure(vm, th
+     
+     JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, 
JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), 
m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
+     m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, 
arrayBufferConstructor, DontEnum);
++#if ENABLE(SHARED_ARRAY_BUFFER)
+     JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
+     sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, 
JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), 
m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
+     m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, 
sharedArrayBufferConstructor, DontEnum);
+-    
++#endif
+ #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, 
prototypeBase) \
+ capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName 
## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), 
m_speciesGetterSetter.get()); \
+ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## 
Constructor, DontEnum); \
+@@ -686,7 +689,9 @@ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->c
+     putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, 
DontEnum | DontDelete | ReadOnly);
+ 
+     putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
++#if ENABLE(SHARED_ARRAY_BUFFER)
+     putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, 
DontEnum);
++#endif
+ 
+ #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, 
prototypeBase) \
+ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
+@@ -1288,8 +1293,10 @@ void JSGlobalObject::visitChildren(JSCell* cell, SlotVisitor& visitor)
+     
+     visitor.append(thisObject->m_arrayBufferPrototype);
+     visitor.append(thisObject->m_arrayBufferStructure);
++#if ENABLE(SHARED_ARRAY_BUFFER)
+     visitor.append(thisObject->m_sharedArrayBufferPrototype);
+     visitor.append(thisObject->m_sharedArrayBufferStructure);
++#endif
+ 
+ #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
+     visitor.append(thisObject->m_ ## lowerName ## Prototype); \
+diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
+index 7730362..0c756c4 100644
+--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
++++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
+@@ -338,8 +338,10 @@ public:
+     WriteBarrier<Structure> m_moduleLoaderStructure;
+     WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
+     WriteBarrier<Structure> m_arrayBufferStructure;
++#if ENABLE(SHARED_ARRAY_BUFFER)
+     WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
+     WriteBarrier<Structure> m_sharedArrayBufferStructure;
++#endif
+ 
+ #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, 
prototypeBase) \
+     WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
+@@ -670,8 +672,13 @@ public:
+         switch (sharingMode) {
+         case ArrayBufferSharingMode::Default:
+             return m_arrayBufferPrototype.get();
++#if ENABLE(SHARED_ARRAY_BUFFER)
+         case ArrayBufferSharingMode::Shared:
+             return m_sharedArrayBufferPrototype.get();
++#else
++        default:
++            return m_arrayBufferPrototype.get();
++#endif
+         }
+     }
+     Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
+@@ -679,8 +686,13 @@ public:
+         switch (sharingMode) {
+         case ArrayBufferSharingMode::Default:
+             return m_arrayBufferStructure.get();
++#if ENABLE(SHARED_ARRAY_BUFFER)
+         case ArrayBufferSharingMode::Shared:
+             return m_sharedArrayBufferStructure.get();
++#else
++        default:
++            return m_arrayBufferStructure.get();
++#endif
+         }
+         RELEASE_ASSERT_NOT_REACHED();
+         return nullptr;
+diff --git a/Source/WTF/wtf/Platform.h b/Source/WTF/wtf/Platform.h
+index 1c1b9a6..6947c20 100644
+--- a/Source/WTF/wtf/Platform.h
++++ b/Source/WTF/wtf/Platform.h
+@@ -1190,6 +1190,9 @@
+ #define HAVE_NS_ACTIVITY 1
+ #endif
+ 
++/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
++#define ENABLE_SHARED_ARRAY_BUFFER 0
++
+ #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || 
USE(CAIRO)))
+ #undef ENABLE_OPENTYPE_MATH
+ #define ENABLE_OPENTYPE_MATH 1
+-- 
+2.14.3
+
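Review bot: The `#else` fallbacks added to `arrayBufferPrototype` and `arrayBufferStructure` in JSGlobalObject.h return the non-shared prototype/structure for `ArrayBufferSharingMode::Shared` with no diagnostic, so any remaining caller that still requests shared mode silently gets a plain ArrayBuffer; a debug-only `ASSERT_NOT_REACHED();` before each fallback `return` would surface such callers without affecting release builds. Because this file is a verbatim upstream backport, diverging from it is a trade-off for the SDK maintainers, and recording the caveat in the commit message may be preferable to editing the patch. The unconditional `#define ENABLE_SHARED_ARRAY_BUFFER 0` in Platform.h also means the feature cannot be re-enabled from the build system without a redefinition warning, which is presumably intended for the mitigation but worth knowing when the patch is later dropped.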
diff --git a/webkitgtk-reduce-timer-precision.patch b/webkitgtk-reduce-timer-precision.patch
new file mode 100644
index 0000000..4a64d97
--- /dev/null
+++ b/webkitgtk-reduce-timer-precision.patch
@@ -0,0 +1,71 @@
+From c217d730763e76332247655a0f69ee76c4bfd223 Mon Sep 17 00:00:00 2001
+From: Ryosuke Niwa <rniwa webkit org>
+Date: Mon, 8 Jan 2018 01:22:20 +0000
+Subject: [PATCH 2/2] Reduce the precision of "high" resolution time to 1ms
+
+https://bugs.webkit.org/show_bug.cgi?id=180910 <rdar://problem/36085943>
+
+Reviewed by Saam Barati.
+
+Source/WebCore:
+
+Reduced the high prevision time's resolution to 1ms, the same precision as Date.now().
+
+Also fixed the bug in fillRTCStats that we weren't reducing the time resolution in RTCStats dictionaries.
+
+* Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp:
+(WebCore::fillRTCStats):
+* page/Performance.cpp:
+(WebCore::Performance::reduceTimeResolution):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226495 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ .../WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp  | 4 +++-
+ Source/WebCore/page/Performance.cpp                                   | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp 
b/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
+index 8679805..8a18b38 100644
+--- a/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
++++ b/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
+@@ -35,6 +35,7 @@
+ #include "Logging.h"
+ #include "MediaStreamEvent.h"
+ #include "NotImplemented.h"
++#include "Performance.h"
+ #include "PlatformStrategies.h"
+ #include "RTCDataChannel.h"
+ #include "RTCDataChannelEvent.h"
+@@ -50,6 +51,7 @@
+ #include <webrtc/p2p/base/basicpacketsocketfactory.h>
+ #include <webrtc/p2p/client/basicportallocator.h>
+ #include <webrtc/pc/peerconnectionfactory.h>
++#include <wtf/CurrentTime.h>
+ #include <wtf/MainThread.h>
+ 
+ #include "CoreMediaSoftLink.h"
+@@ -303,7 +305,7 @@ static inline String fromStdString(const std::string& value)
+ 
+ static inline void fillRTCStats(RTCStatsReport::Stats& stats, const webrtc::RTCStats& rtcStats)
+ {
+-    stats.timestamp = rtcStats.timestamp_us() / 1000.0;
++    stats.timestamp = 
Performance::reduceTimeResolution(Seconds::fromMicroseconds(rtcStats.timestamp_us())).milliseconds();
+     stats.id = fromStdString(rtcStats.id());
+ }
+ 
+diff --git a/Source/WebCore/page/Performance.cpp b/Source/WebCore/page/Performance.cpp
+index 1afa364..d90b5e4 100644
+--- a/Source/WebCore/page/Performance.cpp
++++ b/Source/WebCore/page/Performance.cpp
+@@ -77,7 +77,7 @@ double Performance::now() const
+ 
+ Seconds Performance::reduceTimeResolution(Seconds seconds)
+ {
+-    double resolution = (100_us).seconds();
++    double resolution = (1000_us).seconds();
+     double reduced = std::floor(seconds.seconds() / resolution) * resolution;
+     return Seconds(reduced);
+ }
+-- 
+2.14.3
+
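Review bot: The coarsening in `Performance::reduceTimeResolution` only protects time sources that actually route through it; this hunk wires `fillRTCStats` in, but `Performance::now()` (only its signature is visible as hunk context) and any other DOMHighResTimeStamp producers are outside the patch, so the completeness of the mitigation cannot be checked from here. Since the upstream change landed against trunk, it is worth confirming that the WebKitGTK version pinned in the manifest already provides `Performance::reduceTimeResolution` as a callable static and `Seconds::fromMicroseconds`, otherwise the new call in `fillRTCStats` will not compile against it. A short comment above the changed resolution line, e.g. `// 1ms, matching Date.now(): finer timers are a Spectre side channel`, would record why the value changed from 100us.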

