AbstractView doesn't actually do anything with them anyway, but they
would get swallowed by the cursor logic and not bubble up the widget
parent chain.
This makes the shortcuts actually work since unparented actions are
considered application-global, and we disable application-global
shortcuts while a modal dialog (like FilePicker) is up. This is pretty
counter-intuitive so I think there's room for API improvement here
but let's at least make Alt+Up work in FilePicker for now. :^)
The overhead from spawning a new ImageDecoder for every decoding job is
way too large and causing other problems as well (#5421)
Let's keep the same decoder open and reuse it as long as it's working.
If the ImageDecoder service crashes while decoding an image for us,
we now recover gracefully and simply return null.
This shields the browser from bugs in our image decoders.
Instead of asserting that the peer responds successfully, this API
allows for the peer to die/crash/whatever happens on the other side
while handling a synchronous request.
This will be useful when using process separation to parse untrusted
data from the web.
There's a little bit of template magic involved here to make it work,
but this seems alright. Very cool! :^)
Co-authored-by: AnotherTest <ali.mpfard@gmail.com>
Much like AK::Result this carries either a DOM::DOMException or regular
return value and will be used by DOM functions for exceptions that
should be thrown.
There's no real system here, I just added it to various functions
that I don't believe we ever want to call after initialization
has finished.
With these changes, we're able to unmap 60 KiB of kernel text
after init. :^)
You can now declare functions with UNMAP_AFTER_INIT and they'll get
segregated into a separate kernel section that gets completely
unmapped at the end of initialization.
This can be used for anything we don't need to call once we've booted
into userspace.
There are two nice things about this mechanism:
- It allows us to free up entire pages of memory for other use.
(Note that this patch does not actually make use of the freed
pages yet, but in the future we totally could!)
- It allows us to get rid of obviously dangerous gadgets like
write-to-CR0 and write-to-CR4 which are very useful for an attacker
trying to disable SMAP/SMEP/etc.
I've also made sure to include a helpful panic message in case you
hit a kernel crash because of this protection. :^)
This was needlessly expecting the first backtrace entry function name to
start with '__assertion_failed', which is no longer the case - it's now
something from libsystem.so. Let's just check whether we have an
'assertion' key in the coredump's metadata, just like we do for pledge
violations.
Our TLS implementation relies on the TLS model being "initial-exec".
We previously enforced this by adding the '-ftls-model=initial-exec'
flag in the root CmakeLists file, but that did not affect ports - So
now we put that flag in the gcc spec files.
Closes#5366
If we have a tracer process waiting for us to exec, we need to release
the ptrace lock before stopping ourselves, since otherwise the tracer
will block forever on the lock.
Fixes#5409.
This enabled trivial ASLR bypass for non-dumpable programs by simply
opening /proc/PID/vm before exec'ing.
We now hold the target process's ptrace lock across the refresh/write
operations, and deny access if the process is non-dumpable. The lock
is necessary to prevent a TOCTOU race on Process::is_dumpable() while
the target is exec'ing.
Fixes#5270.
This option causes GCC to generate code to prevent "stack clash" style
attacks where a very large stack allocation is used in to jump over the
stack guard page and into whatever's next to it.
Tweak the PLT trampoline to avoid generating textrels in LibC.
This allows us to share all the LibC mappings, reducing per-process
memory consumption by ~200 KB. :^)
Patch originally by @nico.
To support this, I had to reorganize the "load_elf" function into two
passes. First we map all the dynamic objects, to get their symbols
into the global lookup table. Then we link all the dynamic objects.
So many read-only GOT's! :^)
The dynamic loader will now mark RELRO segments read-only after
performing relocations. This is pretty cool!
Note that this only applies to main executables so far,.
RELRO support for shared libraries will require some reorganizing
of the dynamic loader.
For a data segment that starts at a non-zero offset into a 4KB page and
crosses a 4KB page boundary, we were failing to pad the VM allocation,
which would cause the memcpy() to fail.
Make sure we round the segment bases down, and segment ends up, and the
issue goes away.
