Closed Bug 1610017 Opened 6 years ago Closed 5 years ago

Generated calls to IPC Recv methods that pass Tainted data

Categories

(Core :: IPC, enhancement)

Product:
Core
Component:
IPC
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox75 --- fixed

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Details

Attachments

(3 files, 3 obsolete files)

Bug 1610017 - Actually taint data when tainted is specified for IPC methods r?nika
47 bytes, text/x-phabricator-request
Details | Review
Codegen change on a regular ipdl
8.32 KB, text/plain
Details
Codegen change on a ipl in VIRTUAL_CALL_CLASSES
7.93 KB, patch
Details | Diff | Splinter Review

After Bug 1610007, this is for actually doing something with the tainted keyword.

Attached patch Codegen change on regular a ipdl (obsolete) — Splinter Review

re: https://bugzilla.mozilla.org/attachment.cgi?id=9122448&action=diff, could you also include the corresponding .cpp changes? I don't think the signature you declared there will be compatible with the generated code which you're passing in.

re: https://bugzilla.mozilla.org/attachment.cgi?id=9122450&action=diff, is this the code you are wanting to create? It seems surprising to me that you'd want to move each argument into a Tainted temporary as you're passing them into the method.

Giving feedback on the exact code will be easier with the actual code for the Tainted template, as right now I don't know how it behaves with certain types, such as references, used as a type parameter.

Flags: needinfo?(tom)

(In reply to :Nika Layzell (ni? for response) from comment #4)

re: https://bugzilla.mozilla.org/attachment.cgi?id=9122448&action=diff, could you also include the corresponding .cpp changes? I don't think the signature you declared there will be compatible with the generated code which you're passing in.

Yes, I think you're right. I will fiddle some more. (My environment just broke so I have to fix it first.)

re: https://bugzilla.mozilla.org/attachment.cgi?id=9122450&action=diff, is this the code you are wanting to create? It seems surprising to me that you'd want to move each argument into a Tainted temporary as you're passing them into the method.

I am less familiar with the nuances of stuff like std::move and std::forward and rrvalues. I thought it was, but if it surprised you then it probably isn't. If we taint stuff I can omit a move (if it was going to be present) if that's the correct course of action.

Giving feedback on the exact code will be easier with the actual code for the Tainted template, as right now I don't know how it behaves with certain types, such as references, used as a type parameter.

Bug 1610039 has the template

Flags: needinfo?(tom)

Attached is the codegen change on the cpp file, as well as the edits I made to the in-tree subclass.

Note that this code doesn't work. The .cpp call to RecvProgressChange is passing a long; while the RecvProgressChange declaration expects a const long&. The type of the argument being passed is known to the codegen as a long, so we generate a Tainted<long> which cannot be implicitly cast to a Tainted<const long&>.

I'm not sure what the correct solution to this is, but it seems related to the move into the temporary, so I'm going to await feedback.

Attachment #9122448 - Attachment is obsolete: true
Attachment #9122450 - Attachment is obsolete: true
Attachment #9122728 - Attachment is obsolete: true
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6850a80bf162 Actually taint data when tainted is specified for IPC methods r=nika

https://hg.mozilla.org/mozilla-central/rev/6850a80bf162

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: