Modified: trunk/Source/WebKit/ChangeLog (290628 => 290629)
--- trunk/Source/WebKit/ChangeLog 2022-03-01 04:54:13 UTC (rev 290628)
+++ trunk/Source/WebKit/ChangeLog 2022-03-01 06:12:27 UTC (rev 290629)
@@ -1,3 +1,25 @@
+2022-02-28 Chris Dumez <[email protected]>
+
+ [IPC] Do more hardening in WebSWServerConnection's client registration / unregistration
+ https://bugs.webkit.org/show_bug.cgi?id=237290
+ <rdar://88903506>
+
+ Reviewed by Alex Christensen.
+
+ Validate client identifiers sent by the WebContent process via IPC to make sure that the
+ process identifier of the client actually matches the process identifier of the process
+ we're connected to.
+
+ Also validate the SecurityOriginData to make sure it is not empty. We support sending
+ empty SecurityOriginData objects over IPC. However, they cannot be used as keys in
+ HashMaps.
+
+ If validation fails, we assume the WebContent process is compromised and we terminate it.
+
+ * NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
+ (WebKit::WebSWServerConnection::registerServiceWorkerClient):
+ (WebKit::WebSWServerConnection::unregisterServiceWorkerClient):
+
2022-02-28 Alex Christensen <[email protected]>
Fix use-after-move bug in NetworkResourceLoader
Modified: trunk/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp (290628 => 290629)
--- trunk/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp 2022-03-01 04:54:13 UTC (rev 290628)
+++ trunk/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp 2022-03-01 06:12:27 UTC (rev 290629)
@@ -67,6 +67,16 @@
#define SWSERVERCONNECTION_RELEASE_LOG(fmt, ...) RELEASE_LOG(ServiceWorker, "%p - WebSWServerConnection::" fmt, this, ##__VA_ARGS__)
#define SWSERVERCONNECTION_RELEASE_LOG_ERROR(fmt, ...) RELEASE_LOG_ERROR(ServiceWorker, "%p - WebSWServerConnection::" fmt, this, ##__VA_ARGS__)
+#define CONNECTION_MESSAGE_CHECK(assertion) CONNECTION_MESSAGE_CHECK_COMPLETION(assertion, (void)0)
+#define CONNECTION_MESSAGE_CHECK_COMPLETION(assertion, completion) do { \
+ ASSERT(assertion); \
+ if (UNLIKELY(!(assertion))) { \
+ m_networkProcess->parentProcessConnection()->send(Messages::NetworkProcessProxy::TerminateWebProcess(identifier()), 0); \
+ { completion; } \
+ return; \
+ } \
+} while (0)
+
WebSWServerConnection::WebSWServerConnection(NetworkProcess& networkProcess, SWServer& server, IPC::Connection& connection, ProcessIdentifier processIdentifier)
: SWServer::Connection(server, processIdentifier)
, m_contentConnection(connection)
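Review bot: The new CONNECTION_MESSAGE_CHECK_COMPLETION macro (L36-L43) terminates the WebContent process without recording which check failed, so a termination in the field leaves nothing to triage beyond the parent process's generic kill. The file already defines SWSERVERCONNECTION_RELEASE_LOG_ERROR on L34, so a single line before the send, `SWSERVERCONNECTION_RELEASE_LOG_ERROR("Message check failed (%s), terminating WebContent process", #assertion);`, would name the violated condition in the release log at no cost on the hot path. Note too that the `ASSERT(assertion)` on L37 means a debug build aborts in the network process before the termination branch is ever exercised, so any test that deliberately sends a bad client identifier can only validate the new behaviour in release configurations; if that mirrors the project's other message-check macros it is worth a comment saying so. The WebSWServerConnection constructor beginning on L45 continues outside this hunk.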
@@ -364,7 +374,12 @@
void WebSWServerConnection::registerServiceWorkerClient(SecurityOriginData&& topOrigin, ServiceWorkerClientData&& data, const std::optional<ServiceWorkerRegistrationIdentifier>& controllingServiceWorkerRegistrationIdentifier, String&& userAgent)
{
+ CONNECTION_MESSAGE_CHECK(data.identifier.processIdentifier() == identifier());
+ CONNECTION_MESSAGE_CHECK(!topOrigin.isEmpty());
+
auto contextOrigin = SecurityOriginData::fromURL(data.url);
+ CONNECTION_MESSAGE_CHECK(!contextOrigin.isEmpty());
+
bool isNewOrigin = WTF::allOf(m_clientOrigins.values(), [&contextOrigin](auto& origin) {
return contextOrigin != origin.clientOrigin;
});
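Review bot: The emptiness checks on L52 and L55 carry their rationale only in the ChangeLog; in the code they read as arbitrary rejections of a value the IPC deserializer accepts, and the next maintainer may relax them. A comment above L52 such as `// Empty SecurityOriginData deserializes fine over IPC but is not a valid HashMap key downstream, so treat it as a hostile message.` would keep the invariant beside the check. Separately, only the process component of `data.identifier` is validated here; whether a second `registerServiceWorkerClient` for an identifier already present in `m_clientOrigins` is rejected, overwritten or silently duplicated is not visible in this hunk, and a compromised process could presumably replay registrations, so that path deserves a look. The body of registerServiceWorkerClient continues past L59.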
@@ -385,6 +400,7 @@
void WebSWServerConnection::unregisterServiceWorkerClient(const ScriptExecutionContextIdentifier& clientIdentifier)
{
+ CONNECTION_MESSAGE_CHECK(clientIdentifier.processIdentifier() == identifier());
auto iterator = m_clientOrigins.find(clientIdentifier);
if (iterator == m_clientOrigins.end())
return;
@@ -631,6 +647,8 @@
} // namespace WebKit
+#undef CONNECTION_MESSAGE_CHECK_COMPLETION
+#undef CONNECTION_MESSAGE_CHECK
#undef SWSERVERCONNECTION_RELEASE_LOG
#undef SWSERVERCONNECTION_RELEASE_LOG_ERROR