Modified: branches/safari-613-branch/Source/WebKit/ChangeLog (290945 => 290946)
--- branches/safari-613-branch/Source/WebKit/ChangeLog 2022-03-07 22:10:51 UTC (rev 290945)
+++ branches/safari-613-branch/Source/WebKit/ChangeLog 2022-03-07 22:10:54 UTC (rev 290946)
@@ -1,5 +1,54 @@
2022-03-07 Russell Epstein <[email protected]>
+ Cherry-pick r290629. rdar://problem/88903506
+
+ [IPC] Do more hardening in WebSWServerConnection's client registration / unregistration
+ https://bugs.webkit.org/show_bug.cgi?id=237290
+ <rdar://88903506>
+
+ Reviewed by Alex Christensen.
+
+ Validate client identifiers sent by the WebContent process via IPC to make sure that the
+ process identifier of the client actually matches the process identifier of the process
+ we're connected to.
+
+ Also validate the SecurityOriginData to make sure it is not empty. We support sending
+ empty SecurityOriginData objects over IPC. However, they cannot be used as keys in
+ HashMaps.
+
+ If validation fails, we assume the WebContent process is compromised and we terminate it.
+
+ * NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
+ (WebKit::WebSWServerConnection::registerServiceWorkerClient):
+ (WebKit::WebSWServerConnection::unregisterServiceWorkerClient):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290629 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-28 Chris Dumez <[email protected]>
+
+ [IPC] Do more hardening in WebSWServerConnection's client registration / unregistration
+ https://bugs.webkit.org/show_bug.cgi?id=237290
+ <rdar://88903506>
+
+ Reviewed by Alex Christensen.
+
+ Validate client identifiers sent by the WebContent process via IPC to make sure that the
+ process identifier of the client actually matches the process identifier of the process
+ we're connected to.
+
+ Also validate the SecurityOriginData to make sure it is not empty. We support sending
+ empty SecurityOriginData objects over IPC. However, they cannot be used as keys in
+ HashMaps.
+
+ If validation fails, we assume the WebContent process is compromised and we terminate it.
+
+ * NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
+ (WebKit::WebSWServerConnection::registerServiceWorkerClient):
+ (WebKit::WebSWServerConnection::unregisterServiceWorkerClient):
+
+2022-03-07 Russell Epstein <[email protected]>
+
Cherry-pick r290343. rdar://problem/85811396
Further restrict received IPC boolean values to 0 or 1
Modified: branches/safari-613-branch/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp (290945 => 290946)
--- branches/safari-613-branch/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp 2022-03-07 22:10:51 UTC (rev 290945)
+++ branches/safari-613-branch/Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp 2022-03-07 22:10:54 UTC (rev 290946)
@@ -65,6 +65,16 @@
#define SWSERVERCONNECTION_RELEASE_LOG(fmt, ...) RELEASE_LOG(ServiceWorker, "%p - WebSWServerConnection::" fmt, this, ##__VA_ARGS__)
#define SWSERVERCONNECTION_RELEASE_LOG_ERROR(fmt, ...) RELEASE_LOG_ERROR(ServiceWorker, "%p - WebSWServerConnection::" fmt, this, ##__VA_ARGS__)
+#define CONNECTION_MESSAGE_CHECK(assertion) CONNECTION_MESSAGE_CHECK_COMPLETION(assertion, (void)0)
+#define CONNECTION_MESSAGE_CHECK_COMPLETION(assertion, completion) do { \
+ ASSERT(assertion); \
+ if (UNLIKELY(!(assertion))) { \
+ m_networkProcess->parentProcessConnection()->send(Messages::NetworkProcessProxy::TerminateWebProcess(identifier()), 0); \
+ { completion; } \
+ return; \
+ } \
+} while (0)
+
WebSWServerConnection::WebSWServerConnection(NetworkProcess& networkProcess, SWServer& server, IPC::Connection& connection, ProcessIdentifier processIdentifier)
: SWServer::Connection(server, processIdentifier)
, m_contentConnection(connection)
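Review bot: The termination branch of CONNECTION_MESSAGE_CHECK_COMPLETION is silent: it sends TerminateWebProcess but records nothing, so a terminated WebContent process cannot later be attributed to the check that failed. Since SWSERVERCONNECTION_RELEASE_LOG_ERROR is defined two lines above, I would add `SWSERVERCONNECTION_RELEASE_LOG_ERROR("Message check failed: %" PUBLIC_LOG_STRING, #assertion); \` before the send. Note also that `assertion` appears twice in the expansion, so in debug builds the ASSERT fires before the terminate-and-return path is ever reached, and a condition with side effects would run twice; the checks this commit adds are pure comparisons, but a one-line comment on the macro saying it expects a side-effect-free expression would keep it that way. The macro also references `m_networkProcess` and `identifier()`, so it is only usable inside WebSWServerConnection member functions, which the paired `#undef` at the end of the file appears to acknowledge.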
@@ -361,7 +371,12 @@
void WebSWServerConnection::registerServiceWorkerClient(SecurityOriginData&& topOrigin, ServiceWorkerClientData&& data, const std::optional<ServiceWorkerRegistrationIdentifier>& controllingServiceWorkerRegistrationIdentifier, String&& userAgent)
{
+ CONNECTION_MESSAGE_CHECK(data.identifier.processIdentifier() == identifier());
+ CONNECTION_MESSAGE_CHECK(!topOrigin.isEmpty());
+
auto contextOrigin = SecurityOriginData::fromURL(data.url);
+ CONNECTION_MESSAGE_CHECK(!contextOrigin.isEmpty());
+
bool isNewOrigin = WTF::allOf(m_clientOrigins.values(), [&contextOrigin](auto& origin) {
return contextOrigin != origin.clientOrigin;
});
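Review bot: The three new checks carry no comment explaining why an empty origin is fatal, and the rationale (the ChangeLog says empty SecurityOriginData is legal on the wire but cannot serve as a HashMap key) lives only in the commit message. I would put `// An empty SecurityOriginData is valid over IPC but cannot be used as a key in m_clientOrigins; a client identifier must belong to the process this connection serves.` above the first CONNECTION_MESSAGE_CHECK, and the same process-identifier rationale applies to the check added in unregisterServiceWorkerClient in the next hunk. The comparison against `identifier()` presumably relies on it returning the processIdentifier handed to SWServer::Connection in the constructor shown in the first hunk; that should be confirmed against the base class. registerServiceWorkerClient's body continues past the hunk, so whether `data.url` or controllingServiceWorkerRegistrationIdentifier receives any validation later is not visible here.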
@@ -382,6 +397,7 @@
void WebSWServerConnection::unregisterServiceWorkerClient(const ScriptExecutionContextIdentifier& clientIdentifier)
{
+ CONNECTION_MESSAGE_CHECK(clientIdentifier.processIdentifier() == identifier());
auto iterator = m_clientOrigins.find(clientIdentifier);
if (iterator == m_clientOrigins.end())
return;
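Review bot: After the new process-identifier check, an unregister for a clientIdentifier that is absent from m_clientOrigins still returns silently at `if (iterator == m_clientOrigins.end()) return;`, while a mismatched process identifier terminates the process. That asymmetry looks deliberate, since a well-behaved process might plausibly unregister a client that was never registered or was already removed, but nothing in the code says so. I would add `// Not a message check: an unknown client is tolerated rather than treated as a compromised process.` above the find, so a later hardening pass does not escalate it to a termination. unregisterServiceWorkerClient's body continues outside the hunk.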
@@ -568,6 +584,8 @@
} // namespace WebKit
+#undef CONNECTION_MESSAGE_CHECK_COMPLETION
+#undef CONNECTION_MESSAGE_CHECK
#undef SWSERVERCONNECTION_RELEASE_LOG
#undef SWSERVERCONNECTION_RELEASE_LOG_ERROR