Closed Bug 1550037 Opened 5 years ago Closed 4 years ago

Shared memory blocks used by the font list should be impossible for content processes to map with write access

Categories

(Core :: Layout: Text and Fonts, enhancement, P3)

Tracking

RESOLVED FIXED
mozilla77
Fission Milestone Future
Tracking Status
firefox77 --- fixed

People

(Reporter: jfkthame, Assigned: jfkthame)

Details

(Whiteboard: [layout:backlog:77])

Attachments

(3 files)

To make the font list more robust against a potential rogue content process, we'd like to "freeze" the shared memory blocks once support for this (bug 1479960) is available.

As the initial version of the shared font list code relies on incrementally updating the shared data, we'll need to refactor the allocation strategy a bit in order to freeze each piece of data as it's added.

Depends on: 1550900
No longer depends on: 1479960
Blocks: 1533462

Currently, when shmem blocks are shared to the content process, they're mapped there as read-only, but AFAIK there's nothing in principle that prevents a rogue content process re-mapping the block with write access. Once bug 1550900 is done, we should configure these blocks such that they cannot ever be made writable from the content process.

Summary: "freeze" shared memory blocks used by the font list before sharing them to content processes → Shared memory blocks used by the font list should be impossible for content processes to map with write access
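One way to get the property this comment asks for, as an added example rather than code from the landed patches: on Linux, a memfd carrying F_SEAL_WRITE refuses every new writable shared mapping, whoever holds the descriptor, so the parent fills and seals the block before handing it over, and the receiver can verify that a writable remap is refused. The function names, the block name and the sample data are constructed for this illustration; the Firefox patches themselves use base::SharedMemory read-only copies, whose mechanism is not shown here.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef F_ADD_SEALS /* not exposed by glibc without _GNU_SOURCE; uapi values */
#define F_ADD_SEALS 1033
#define F_SEAL_SHRINK 2
#define F_SEAL_WRITE 8
#define MFD_CLOEXEC 1U
#define MFD_ALLOW_SEALING 2U
#endif

/* Parent side: fill a memfd, then seal it so no writable shared mapping can be
 * created again (and it cannot be shrunk under the reader). -1 on failure. */
int create_frozen_block(const void *src, size_t len) {
    int fd = (int)syscall(SYS_memfd_create, "font-list-block", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)len) < 0) { close(fd); return -1; }
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memcpy(p, src, len);
    munmap(p, len); /* sealing is refused (EBUSY) while a writable mapping exists */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK) < 0) { close(fd); return -1; }
    return fd;
}

/* Receiver side: read-only mapping must work, a writable mapping must fail with EPERM. */
int block_is_frozen(int fd, size_t len) {
    void *rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw != MAP_FAILED) { munmap(rw, len); return 0; } /* could be remapped writable */
    if (errno != EPERM) return 0;
    void *ro = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (ro == MAP_FAILED) return 0;
    munmap(ro, len);
    return 1;
}

/* Round trip on constructed sample data: 1 if sealed, read-only, and intact. */
int frozen_block_demo(void) {
    static const char sample[] = "constructed font-list data";
    int fd = create_frozen_block(sample, sizeof sample);
    if (fd < 0) return 0;
    const char *view = mmap(NULL, sizeof sample, PROT_READ, MAP_SHARED, fd, 0);
    int ok = block_is_frozen(fd, sizeof sample) && view != MAP_FAILED && memcmp(view, sample, sizeof sample) == 0;
    if (view != MAP_FAILED) munmap((void *)view, sizeof sample);
    close(fd);
    return ok;
}
```

A MAP_PRIVATE writable mapping of a sealed memfd still succeeds, but it is copy-on-write and never reaches the shared pages, so the parent's data stays intact.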

I'm about to punt bug 1533462, which was targeted at M4, because we can't land without this. I'm guessing this should also be targeting a milestone, given that.

Fission Milestone: --- → ?

Probably bug 1550900 should also have the same target, given that this is dependent on it.

Fission Milestone: ? → Future
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Whiteboard: [layout:backlog:77]
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/71fdead8eecb
patch 1 - Migrate shared font-list code from mozilla::ipc::SharedMemoryBasic to base::SharedMemory APIs. r=jwatt
https://hg.mozilla.org/integration/autoland/rev/7571e5bc19e7
patch 2 - Ensure the font-list memory blocks passed to content processes are shared as readonly copies. r=jwatt
https://hg.mozilla.org/integration/autoland/rev/34ebd6260867
patch 3 - Remove mAddr from the ShmBlock struct, as mShmem->memory() is now a trivial inline accessor. r=jwatt
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/005a8977f8fc
patch 1 - Migrate shared font-list code from mozilla::ipc::SharedMemoryBasic to base::SharedMemory APIs. r=jwatt
https://hg.mozilla.org/integration/autoland/rev/0e5c6a1e1bee
patch 2 - Ensure the font-list memory blocks passed to content processes are shared as readonly copies. r=jwatt
https://hg.mozilla.org/integration/autoland/rev/1394bc3c6261
patch 3 - Remove mAddr from the ShmBlock struct, as mShmem->memory() is now a trivial inline accessor. r=jwatt
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Flags: needinfo?(jfkthame)