Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0338ad61ac9cb2d535e701ef9dace731b182237c
https://github.com/WebKit/WebKit/commit/0338ad61ac9cb2d535e701ef9dace731b182237c
Author: Qianlang Chen <[email protected]>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M Source/WebCore/inspector/agents/InspectorWorkerAgent.cpp
M Source/WebCore/inspector/agents/InspectorWorkerAgent.h
M Source/WebCore/inspector/agents/page/PageWorkerAgent.cpp
M Source/WebCore/inspector/agents/page/PageWorkerAgent.h
M Source/WebCore/inspector/agents/worker/WorkerWorkerAgent.cpp
M Source/WebCore/inspector/agents/worker/WorkerWorkerAgent.h
M Source/WebCore/workers/WorkerInspectorProxy.cpp
M Source/WebCore/workers/WorkerInspectorProxy.h
Log Message:
-----------
UAF may occur in WorkerInspectorProxy::sendMessageFromWorkerToFrontend
https://bugs.webkit.org/show_bug.cgi?id=284327
rdar://140133704
Reviewed by Chris Dumez.
WorkerInspectorProxy::m_pageChannel is a raw pointer and is prone to
being UAF. However, making the PageChannel class ref-counted is not
straightforward as WorkerInspectorController uses an array of
`std::unique_ptr`s to record that PageChannel and other agent objects
(https://github.com/WebKit/WebKit/blob/3fa7ffbf74469b65cf23a05c1780319954860f3c/Source/WebCore/inspector/WorkerInspectorController.cpp#L217,
where WorkerWorkerAgent subclasses InspectorWorkerAgent and PageChannel).
My solution is to make PageChannel ref-counted but also make the class
pointed to by a std::unique_ptr own a PageChannel rather than inheriting
from PageChannel. That way, we can maintain unique_ptrs to
InspectorWorkerAgent and still have RefPtrs to PageChannel.
* Source/WebCore/inspector/agents/InspectorWorkerAgent.h:
* Source/WebCore/inspector/agents/InspectorWorkerAgent.cpp:
(WebCore::InspectorWorkerAgent::InspectorWorkerAgent):
(WebCore::InspectorWorkerAgent::~InspectorWorkerAgent):
(WebCore::InspectorWorkerAgent::connectToWorkerInspectorProxy):
(WebCore::InspectorWorkerAgent::PageChannel::create):
(WebCore::InspectorWorkerAgent::PageChannel::PageChannel):
(WebCore::InspectorWorkerAgent::PageChannel::detachFromParentAgent):
- Make the PageChannel class ref-counted.
(WebCore::InspectorWorkerAgent::frontendDispatcher):
(WebCore::InspectorWorkerAgent::sendMessageFromWorkerToFrontend): Deleted.
(WebCore::InspectorWorkerAgent::PageChannel::sendMessageFromWorkerToFrontend):
- Reroute the sendMessageFromWorkerToFrontend method since now
InspectorWorkerAgent owns the page channel instead of being one.
* Source/WebCore/workers/WorkerInspectorProxy.h:
* Source/WebCore/workers/WorkerInspectorProxy.cpp:
(WebCore::WorkerInspectorProxy::sendMessageFromWorkerToFrontend):
* Source/WebCore/inspector/agents/page/PageWorkerAgent.cpp:
* Source/WebCore/inspector/agents/page/PageWorkerAgent.h:
* Source/WebCore/inspector/agents/worker/WorkerWorkerAgent.cpp:
* Source/WebCore/inspector/agents/worker/WorkerWorkerAgent.h:
- Enable the InspectorWorkerAgent::PageChannel class to be
ref-counted.
Originally-landed-as: 283286.596@safari-7620-branch (e57de05ab1d3).
rdar://143592608
Canonical link: https://commits.webkit.org/289536@main
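Added illustration (not WebKit's code) of the ownership change the commit message describes: PageChannel becomes a ref-counted object that InspectorWorkerAgent owns by composition, so the agent can still live in a `std::unique_ptr` container while WorkerInspectorProxy holds a strong reference to the channel instead of a raw pointer. `std::shared_ptr` stands in for WTF's `RefCounted`/`RefPtr`; the class and method names mirror the ones listed above, but their bodies and the `detachFromParentAgent` semantics are assumptions made for this example.

```cpp
#include <memory>
#include <string>
#include <vector>

// Model of the ref-counted channel (assumed behaviour, not WebKit's implementation).
class PageChannel {
public:
    static std::shared_ptr<PageChannel> create() { return std::shared_ptr<PageChannel>(new PageChannel); }

    // Called by the owning agent when it goes away; later sends are dropped instead of
    // touching a destroyed agent.
    void detachFromParentAgent() { m_detached = true; }

    bool sendMessageFromWorkerToFrontend(const std::string& message) {
        if (m_detached)
            return false; // parent agent is gone; drop the message safely
        m_messages.push_back(message);
        return true;
    }

    size_t messageCount() const { return m_messages.size(); }

private:
    PageChannel() = default;
    bool m_detached = false;
    std::vector<std::string> m_messages;
};

// The agent owns a PageChannel rather than inheriting from it, so the agent itself can
// still be stored in an array of std::unique_ptr (as WorkerInspectorController does).
class InspectorWorkerAgent {
public:
    InspectorWorkerAgent() : m_pageChannel(PageChannel::create()) {}
    ~InspectorWorkerAgent() { m_pageChannel->detachFromParentAgent(); }
    std::shared_ptr<PageChannel> pageChannel() const { return m_pageChannel; }

private:
    std::shared_ptr<PageChannel> m_pageChannel;
};

// The proxy keeps a strong reference to the channel. With the previous raw pointer the
// channel could be freed underneath it; with a ref it outlives the agent instead.
class WorkerInspectorProxy {
public:
    void connect(const InspectorWorkerAgent& agent) { m_pageChannel = agent.pageChannel(); }

    bool sendMessageFromWorkerToFrontend(const std::string& message) {
        if (!m_pageChannel)
            return false;
        return m_pageChannel->sendMessageFromWorkerToFrontend(message);
    }

    long channelUseCount() const { return m_pageChannel ? m_pageChannel.use_count() : 0; }

private:
    std::shared_ptr<PageChannel> m_pageChannel;
};

struct ScenarioResult {
    bool sentBeforeTeardown;
    bool sentAfterTeardown;
    long useCountAfterTeardown;
};

// Constructed scenario: the agent is destroyed (container cleared) before the proxy sends
// again. The second send is rejected rather than dereferencing freed memory.
ScenarioResult runTeardownScenario() {
    std::vector<std::unique_ptr<InspectorWorkerAgent>> agents;
    agents.push_back(std::make_unique<InspectorWorkerAgent>());

    WorkerInspectorProxy proxy;
    proxy.connect(*agents[0]);
    bool before = proxy.sendMessageFromWorkerToFrontend("{\"id\":1}");

    agents.clear(); // agent gone; channel detached but still alive via the proxy's ref
    bool after = proxy.sendMessageFromWorkerToFrontend("{\"id\":2}");

    return { before, after, proxy.channelUseCount() };
}
```

The check that matters is the one after `agents.clear()`: the proxy's reference keeps the channel's memory valid, and the detach flag turns a would-be use-after-free into a dropped message.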
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes