[gnome-sdk-images] Include mitigations for Spectre/Meltdown vulnerabilities in WebKitGTK
- From: Mario Sanchez Prada <msanchez src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-sdk-images] Include mitigations for Spectre/Meltdown vulnerabilities in WebKitGTK
- Date: Tue, 9 Jan 2018 11:45:07 +0000 (UTC)
commit de641f5bd72ae284a72da199760b26aa5042d0e3
Author: Mario Sanchez Prada <mario endlessm com>
Date: Tue Jan 9 11:04:55 2018 +0000
Include mitigations for Spectre/Meltdown vulnerabilities in WebKitGTK
Disabling SharedArrayBuffer and reducing timer precision are the two main
mitigations implemented upstream (see [1]), so backport them.
[1] https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
org.gnome.Sdk.json.in | 8 ++
webkitgtk-disable-SharedArrayBuffers.patch | 139 ++++++++++++++++++++++++++++
webkitgtk-reduce-timer-precision.patch | 68 ++++++++++++++
3 files changed, 215 insertions(+), 0 deletions(-)
---
diff --git a/org.gnome.Sdk.json.in b/org.gnome.Sdk.json.in
index 2c94291..fd0c2b1 100644
--- a/org.gnome.Sdk.json.in
+++ b/org.gnome.Sdk.json.in
@@ -800,6 +800,14 @@
"type": "archive",
"url": "https://webkitgtk.org/releases/webkitgtk-2.19.3.tar.xz",
"sha256": "dc6ab3bddbfffbab5a5ec14d81cfe263e0a11cc07c0b0e4aeb70afc46c06f752"
+ },
+ {
+ "type": "patch",
+ "path": "webkitgtk-disable-SharedArrayBuffers.patch"
+ },
+ {
+ "type": "patch",
+ "path": "webkitgtk-reduce-timer-precision.patch"
}
]
},
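Review bot: The two new "patch" entries give no indication of which upstream revisions they backport, so nothing in the manifest signals when the pinned webkitgtk-2.19.3 archive is bumped to a release that already contains them and patch application would start failing. The patch files themselves carry `git-svn-id` trailers for trunk@226386 and trunk@226495; since the manifest is JSON and cannot hold a comment, consider recording those revisions in the patch file names (e.g. `webkitgtk-r226386-disable-SharedArrayBuffers.patch`) or in the commit that next bumps the webkitgtk source. Either way the entries should be treated as temporary and removed together with the archive bump that supersedes them.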
diff --git a/webkitgtk-disable-SharedArrayBuffers.patch b/webkitgtk-disable-SharedArrayBuffers.patch
new file mode 100644
index 0000000..0d14fd3
--- /dev/null
+++ b/webkitgtk-disable-SharedArrayBuffers.patch
@@ -0,0 +1,139 @@
+From 7bdc19420386ef14bdff8a02095105cffd7e71c3 Mon Sep 17 00:00:00 2001
+From: "msaboff apple com"
+ <msaboff apple com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Thu, 4 Jan 2018 01:53:41 +0000
+Subject: [PATCH] Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+Reviewed by Saam Barati.
+
+Source/JavaScriptCore:
+
+Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+to disable.
+
+* runtime/JSGlobalObject.cpp:
+(JSC::JSGlobalObject::init):
+(JSC::JSGlobalObject::visitChildren):
+* runtime/JSGlobalObject.h:
+(JSC::JSGlobalObject::arrayBufferPrototype const):
+(JSC::JSGlobalObject::arrayBufferStructure const):
+
+Source/WTF:
+
+Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.
+
+* wtf/Platform.h:
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226386 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+
+diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+index b6c2e94cda8..cb8ae65aa48 100644
+--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
++++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+@@ -609,8 +609,10 @@ void JSGlobalObject::init(VM& vm)
+
+ m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this,
JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
+ m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this,
m_arrayBufferPrototype.get()));
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this,
JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
+ m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this,
m_sharedArrayBufferPrototype.get()));
++#endif
+
+ m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this,
IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
+ m_asyncIteratorPrototype.set(vm, this, AsyncIteratorPrototype::create(vm, this,
AsyncIteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
+@@ -662,10 +664,11 @@ m_ ## properName ## Structure.set(vm, this, instanceType::createStructure(vm, th
+
+ JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm,
JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(),
m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
+ m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor,
arrayBufferConstructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
+ sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm,
JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()),
m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
+ m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor,
sharedArrayBufferConstructor, static_cast<unsigned>(PropertyAttribute::DontEnum));
+-
++#endif
+ #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName,
prototypeBase) \
+ capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName
## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(),
m_speciesGetterSetter.get()); \
+ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ##
Constructor, static_cast<unsigned>(PropertyAttribute::DontEnum)); \
+@@ -742,7 +745,9 @@ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->c
+ putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor,
PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
+
+ putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor,
static_cast<unsigned>(PropertyAttribute::DontEnum));
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor,
static_cast<unsigned>(PropertyAttribute::DontEnum));
++#endif
+
+ #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName,
prototypeBase) \
+ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor,
static_cast<unsigned>(PropertyAttribute::DontEnum)); \
+@@ -1385,8 +1390,10 @@ void JSGlobalObject::visitChildren(JSCell* cell, SlotVisitor& visitor)
+
+ visitor.append(thisObject->m_arrayBufferPrototype);
+ visitor.append(thisObject->m_arrayBufferStructure);
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ visitor.append(thisObject->m_sharedArrayBufferPrototype);
+ visitor.append(thisObject->m_sharedArrayBufferStructure);
++#endif
+
+ #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
+ visitor.append(thisObject->m_ ## lowerName ## Prototype); \
+diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
+index de4b6a91856..f21a0480f81 100644
+--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
++++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
+@@ -352,8 +352,10 @@ public:
+ WriteBarrier<Structure> m_moduleLoaderStructure;
+ WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
+ WriteBarrier<Structure> m_arrayBufferStructure;
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
+ WriteBarrier<Structure> m_sharedArrayBufferStructure;
++#endif
+
+ #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName,
prototypeBase) \
+ WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
+@@ -696,8 +698,13 @@ public:
+ switch (sharingMode) {
+ case ArrayBufferSharingMode::Default:
+ return m_arrayBufferPrototype.get();
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ case ArrayBufferSharingMode::Shared:
+ return m_sharedArrayBufferPrototype.get();
++#else
++ default:
++ return m_arrayBufferPrototype.get();
++#endif
+ }
+ }
+ Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
+@@ -705,8 +712,13 @@ public:
+ switch (sharingMode) {
+ case ArrayBufferSharingMode::Default:
+ return m_arrayBufferStructure.get();
++#if ENABLE(SHARED_ARRAY_BUFFER)
+ case ArrayBufferSharingMode::Shared:
+ return m_sharedArrayBufferStructure.get();
++#else
++ default:
++ return m_arrayBufferStructure.get();
++#endif
+ }
+ RELEASE_ASSERT_NOT_REACHED();
+ return nullptr;
+diff --git a/Source/WTF/wtf/Platform.h b/Source/WTF/wtf/Platform.h
+index a938cf8058a..c315ee25fc0 100644
+--- a/Source/WTF/wtf/Platform.h
++++ b/Source/WTF/wtf/Platform.h
+@@ -1217,6 +1217,9 @@
+ #define HAVE_NS_ACTIVITY 1
+ #endif
+
++/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
++#define ENABLE_SHARED_ARRAY_BUFFER 0
++
+ #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) ||
USE(CAIRO)))
+ #undef ENABLE_OPENTYPE_MATH
+ #define ENABLE_OPENTYPE_MATH 1
+--
+2.14.3
+
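Review bot: In the JSGlobalObject.h hunks the new `#else` branches turn `ArrayBufferSharingMode::Shared` into a silent fallback to the non-shared prototype and structure (`default: return m_arrayBufferPrototype.get();` and the matching `m_arrayBufferStructure` case), whereas before an unhandled mode fell through to the `RELEASE_ASSERT_NOT_REACHED()` visible after the second switch. If any caller not touched by this patch still asks for a Shared buffer, it would now get an ordinary ArrayBuffer instead of tripping the assertion, which would be hard to notice; I would keep the fallback but make it loud in debug builds, e.g. `default: ASSERT_NOT_REACHED(); return m_arrayBufferPrototype.get();` in both getters. Note that `arrayBufferPrototype` begins outside its hunk and `arrayBufferStructure` ends outside its hunk, so the surrounding bodies are not visible here. The unconditional `#define ENABLE_SHARED_ARRAY_BUFFER 0` in Platform.h is fine as a kill switch, but its comment could say that the feature must not be re-enabled from build options until the upstream mitigation lands, since nothing else prevents a `-DENABLE_SHARED_ARRAY_BUFFER=1` from being shadowed by this define.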
diff --git a/webkitgtk-reduce-timer-precision.patch b/webkitgtk-reduce-timer-precision.patch
new file mode 100644
index 0000000..e89c86f
--- /dev/null
+++ b/webkitgtk-reduce-timer-precision.patch
@@ -0,0 +1,68 @@
+From 8985cd963e5345fd34205ae13d2da2022e297e30 Mon Sep 17 00:00:00 2001
+From: "rniwa webkit org"
+ <rniwa webkit org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Mon, 8 Jan 2018 01:22:20 +0000
+Subject: [PATCH] Reduce the precision of "high" resolution time to 1ms
+ https://bugs.webkit.org/show_bug.cgi?id=180910 <rdar://problem/36085943>
+
+Reviewed by Saam Barati.
+
+Source/WebCore:
+
+Reduced the high prevision time's resolution to 1ms, the same precision as Date.now().
+
+Also fixed the bug in fillRTCStats that we weren't reducing the time resolution in RTCStats dictionaries.
+
+* Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp:
+(WebCore::fillRTCStats):
+* page/Performance.cpp:
+(WebCore::Performance::reduceTimeResolution):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226495 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+
+diff --git a/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
b/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
+index 59eea21a655..205210a0598 100644
+--- a/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
++++ b/Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCMediaEndpoint.cpp
+@@ -35,6 +35,7 @@
+ #include "Logging.h"
+ #include "MediaStreamEvent.h"
+ #include "NotImplemented.h"
++#include "Performance.h"
+ #include "PlatformStrategies.h"
+ #include "RTCDataChannel.h"
+ #include "RTCDataChannelEvent.h"
+@@ -50,6 +51,7 @@
+ #include <webrtc/p2p/base/basicpacketsocketfactory.h>
+ #include <webrtc/p2p/client/basicportallocator.h>
+ #include <webrtc/pc/peerconnectionfactory.h>
++#include <wtf/CurrentTime.h>
+ #include <wtf/MainThread.h>
+
+ #include <pal/cf/CoreMediaSoftLink.h>
+@@ -310,7 +312,7 @@ static inline String fromStdString(const std::string& value)
+
+ static inline void fillRTCStats(RTCStatsReport::Stats& stats, const webrtc::RTCStats& rtcStats)
+ {
+- stats.timestamp = rtcStats.timestamp_us() / 1000.0;
++ stats.timestamp =
Performance::reduceTimeResolution(Seconds::fromMicroseconds(rtcStats.timestamp_us())).milliseconds();
+ stats.id = fromStdString(rtcStats.id());
+ }
+
+diff --git a/Source/WebCore/page/Performance.cpp b/Source/WebCore/page/Performance.cpp
+index 9b0a51ef3ac..81665510686 100644
+--- a/Source/WebCore/page/Performance.cpp
++++ b/Source/WebCore/page/Performance.cpp
+@@ -75,7 +75,7 @@ DOMHighResTimeStamp Performance::now() const
+
+ Seconds Performance::reduceTimeResolution(Seconds seconds)
+ {
+- double resolution = (100_us).seconds();
++ double resolution = (1000_us).seconds();
+ double reduced = std::floor(seconds.seconds() / resolution) * resolution;
+ return Seconds(reduced);
+ }
+--
+2.14.3
+
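Review bot: The changed line in `Performance::reduceTimeResolution` leaves the resolution as a bare `1000_us` literal whose rationale exists only in the commit message, and the constant is the whole of the mitigation this patch provides. A one-line comment above it would stop a later "restore precision" cleanup from undoing it silently, e.g. `// 1ms, matching Date.now(); a coarser clock raises the cost of cache-timing attacks (https://bugs.webkit.org/show_bug.cgi?id=180910).`. The `fillRTCStats` hunk earlier in the patch now routes the RTC stats timestamp through the same function, so that comment also documents why a stats timestamp is deliberately rounded down rather than preserved at microsecond precision.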