Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8da8cdb10ac1e7f81579589d658e8359a236d427
https://github.com/WebKit/WebKit/commit/8da8cdb10ac1e7f81579589d658e8359a236d427
Author: Alex Christensen <[email protected]>
Date: 2024-05-27 (Mon, 27 May 2024)
Changed paths:
M Source/WebKit/NetworkProcess/mac/SecItemShim.cpp
M Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.h
M Source/WebKit/Shared/Cocoa/CoreIPCCFType.h
M Source/WebKit/Shared/Cocoa/CoreIPCCFType.mm
M Source/WebKit/Shared/Cocoa/CoreIPCCFType.serialization.in
M Source/WebKit/Shared/mac/SecItemResponseData.h
M Source/WebKit/Shared/mac/SecItemResponseData.serialization.in
M Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp
Log Message:
-----------
Remove SecKeychainItemRef from CFTypeRef serialization
https://bugs.webkit.org/show_bug.cgi?id=274670
rdar://126271015
Reviewed by Brady Eidson.
SecKeychainItemRef is one of several types that can be returned from a call to SecItemCopyMatching.
Because we have SecItemShim and SecItemShimProxy which proxy calls to the UI process from the network
process, SecKeychainItemRef needs to be serialized across IPC. Historically, the only way to express
that multiple types can be sent across IPC at one endpoint was to send a RetainPtr<CFTypeRef>, which
required adding SecKeychainItemRef to the list of CFTypeRefs that can be serialized. The problem with
that is that everywhere we send or receive a CFDictionaryRef or a CFArrayRef we also use a
RetainPtr<CFTypeRef> to serialize their contents, which can be of many types. We don't need all the
dictionaries and arrays to be able to serialize a SecKeychainItemRef, and we have historically prevented
this from being the cause of IPC-reachable exploits by adding this release assertion:

    RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));

This worked well, but that assertion is often hit by IPC fuzzers. To properly solve this, in this PR
I remove SecKeychainItemRef from the list of things that can be contained by CFDictionaryRef and
CFArrayRef and add a new variant of types that allows it only where needed: in SecItemResponseData.

* Source/WebKit/NetworkProcess/mac/SecItemShim.cpp:
(WebKit::webSecItemCopyMatching):
* Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.h:
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.h:
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.mm:
(WebKit::variantFromCFType):
(WebKit::CoreIPCCFType::toCFType const):
(IPC::typeFromCFTypeRef):
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.serialization.in:
* Source/WebKit/Shared/mac/SecItemResponseData.h:
(WebKit::SecItemResponseData::SecItemResponseData):
(WebKit::SecItemResponseData::resultObject):
(WebKit::SecItemResponseData::resultObject const):
* Source/WebKit/Shared/mac/SecItemResponseData.serialization.in:
* Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp:
(WebKit::SecItemShimProxy::secItemRequest):
Canonical link: https://commits.webkit.org/279354@main
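
The design described in the log message above, sketched as an added C++17 example; it is not WebKit's code and is not part of the commit. The wire tags, the one-byte length framing, and the names `Generic`, `KeychainItem`, `SecItemResult`, `decodeGeneric` and `decodeSecItemResult` are hypothetical, chosen only to show a credential type being absent from the container decoder and present in one response variant.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <variant>
#include <vector>

// Hypothetical wire tags for this sketch; not WebKit's actual encoding.
constexpr uint8_t kString = 1, kArray = 2, kKeychainItem = 3;
using Bytes = std::vector<uint8_t>;
struct KeychainItem { std::string ref; };  // stands in for SecKeychainItemRef
struct Generic;                            // what arrays and dictionaries may hold
using GenericArray = std::vector<Generic>;
struct Generic { std::variant<std::string, GenericArray> v; };
using SecItemResult = std::variant<Generic, KeychainItem>;  // only type that may carry it

static std::optional<std::string> readString(const Bytes& b, size_t& pos) {
    if (pos >= b.size() || b.size() - pos - 1 < b[pos]) return std::nullopt;
    std::string s(b.begin() + pos + 1, b.begin() + pos + 1 + b[pos]);
    pos += 1 + s.size();
    return s;
}

// Container contents: no case for kKeychainItem exists, so it fails at any depth.
std::optional<Generic> decodeGeneric(const Bytes& b, size_t& pos, int depth = 0) {
    if (pos >= b.size() || depth > 16) return std::nullopt;
    uint8_t tag = b[pos++];
    if (tag == kString)
        if (auto s = readString(b, pos)) return Generic{std::move(*s)};
    if (tag != kArray || pos >= b.size()) return std::nullopt;  // also a failed string
    GenericArray items;
    for (size_t left = b[pos++]; left > 0; --left) {
        auto item = decodeGeneric(b, pos, depth + 1);
        if (!item) return std::nullopt;
        items.push_back(std::move(*item));
    }
    return Generic{std::move(items)};
}

// The single endpoint whose reply may be a keychain item, at top level only.
std::optional<SecItemResult> decodeSecItemResult(const Bytes& b) {
    size_t pos = 0;
    std::optional<SecItemResult> out;
    if (!b.empty() && b[0] == kKeychainItem) {
        if (auto s = readString(b, ++pos)) out = KeychainItem{std::move(*s)};
    } else if (auto g = decodeGeneric(b, pos)) {
        out = std::move(*g);
    }
    return pos == b.size() ? out : std::nullopt;  // reject trailing bytes
}
```

A message that smuggles the keychain tag inside an array is rejected as a decode failure, which a fuzzer sees as an ordinary invalid message rather than a process-killing assertion.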