Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5fb6d5a7c2a572d1453131b92ed757359014852b
https://github.com/WebKit/WebKit/commit/5fb6d5a7c2a572d1453131b92ed757359014852b
Author: Rupin Mittal <[email protected]>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Source/WebKit/NetworkProcess/storage/CacheStorageCache.cpp
M Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.cpp
M Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.h
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
CrossThreadRecord allows you to control uint64_t responseBodySize
rdar://124960263
https://bugs.webkit.org/show_bug.cgi?id=278357
Reviewed by Sihui Liu.
There are two problems in this bug that we fix:
(1) In the function CacheStorageCache::putRecords, uint64_t responseBodySize
is added and subtracted from int64_t spaceRequested. We fix this mismatch
by changing the type of spaceRequested to CheckedUint64 and then checking
for overflow.
Some of the records being added already exist in the cache. We keep track
of whether the new version of that record needs more or less space than
the existing record and request additional space only if needed.
(2) When the client sends the records over IPC, they also send the record's
size--and this size is used to calculate and then allocate space. But
because the client is sending the size, it's possible an attacker sends
a false value for the size. This size is calculated on the client side
in CacheStorageConnection::computeRecordBodySize. It does not return the
exact size of the body, but rather a size that has a random padding added.
We do this for security concerns:
https://github.com/whatwg/storage/issues/31.
Since this size is random, we cannot check the size by re-calculating it.
What we can do is ensure that the size is greater than the actual size
because a smaller size would be a clear indication that the size has been
tampered with. So we add a check to at least ensure that the size is greater
since all the randomly padded sizes are indeed greater than the true sizes.
This check is done in NetworkStorageManager::cacheStoragePutRecords using
MESSAGE_CHECK so the WebContent process can be killed if the size is
invalid, indicating that the process is compromised.
* Source/WebKit/NetworkProcess/storage/CacheStorageCache.cpp:
(WebKit::CacheStorageCache::putRecords):
* Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.cpp:
(WebKit::encodeRecordBody):
(WebKit::CacheStorageDiskStore::computeRealBodySizeForStorage):
(WebKit::CacheStorageDiskStore::writeRecords):
* Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::cacheStoragePutRecords):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h:
Originally-landed-as: 280938.255@safari-7619-branch (8150063459d1).
rdar://138929915
Canonical link: https://commits.webkit.org/286232@main
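The two checks the commit message describes, as an added stand-alone model (not WebKit's code): a client-supplied size that is smaller than the real body length is rejected outright, and the net additional space over already-stored records is accumulated with overflow-checked unsigned arithmetic. The `Record`/`ExistingEntry` structs and `checkedAdd` are constructed stand-ins for WebKit's record types and `WTF::CheckedUint64`.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <string>
#include <vector>

// Constructed model of a record received over IPC: the body the network
// process actually holds plus the size the client claimed for it.
struct Record {
    std::string key;
    std::string body;          // actual response body bytes
    uint64_t claimedBodySize;  // client-computed size (includes random padding)
};

// Constructed model of a record already present in the cache.
struct ExistingEntry {
    std::string key;
    uint64_t storedSize;
};

// Overflow-checked uint64_t addition; stand-in for WTF::CheckedUint64.
static bool checkedAdd(uint64_t a, uint64_t b, uint64_t& out) {
    if (std::numeric_limits<uint64_t>::max() - a < b)
        return false;  // would wrap around
    out = a + b;
    return true;
}

// Check (2): the padded size is always >= the true size, so a smaller claimed
// size can only come from a tampered message. In WebKit this is a MESSAGE_CHECK.
bool claimedSizesAreValid(const std::vector<Record>& records) {
    for (const auto& r : records)
        if (r.claimedBodySize < r.body.size())
            return false;
    return true;
}

// Check (1): additional space to request, kept unsigned and overflow-checked.
// Records whose new version is not larger than the stored one add nothing.
// Returns std::nullopt if the running total would overflow.
std::optional<uint64_t> spaceRequested(const std::vector<Record>& records,
                                       const std::vector<ExistingEntry>& existing) {
    uint64_t total = 0;
    for (const auto& r : records) {
        uint64_t oldSize = 0;
        for (const auto& e : existing)
            if (e.key == r.key) { oldSize = e.storedSize; break; }
        if (r.claimedBodySize <= oldSize)
            continue;  // replacement fits in the space already accounted for
        if (!checkedAdd(total, r.claimedBodySize - oldSize, total))
            return std::nullopt;
    }
    return total;
}
```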
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes