Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ca1cd5760139b73bcfad80ea6fb597edc18a8ac0
      https://github.com/WebKit/WebKit/commit/ca1cd5760139b73bcfad80ea6fb597edc18a8ac0
  Author: Chris Dumez <[email protected]>
  Date:   2026-06-14 (Sun, 14 Jun 2026)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/WTF/wtf/text/CString.cpp
    M Source/WTF/wtf/text/CString.h
    M Source/WTF/wtf/text/StringCommon.h
    M Source/WebCore/accessibility/atspi/AccessibilityAtspi.cpp
    M Source/WebKit/Shared/LogStream.mm
    M Source/WebKit/UIProcess/API/glib/WebKitSecurityOrigin.cpp
    M Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
    M Tools/TestWebKitAPI/Tests/WTF/Vector.cpp

  Log Message:
  -----------
  [CoreIPC] TOCTOU in `logOnBehalfOfWebContent` leads to logging of OOB memory
https://bugs.webkit.org/show_bug.cgi?id=309665
rdar://170280919

Reviewed by Per Arne Vollan.

LogOnBehalfOfWebContent is IPC using Streaming IPC from the WebContent
process to the UIProcess. Some of the parameters are std::span<uint8_t>
which point to SharedMemory since this is what Streaming IPC is using.
This can cause trouble as a compromised WebProcess could modify the
string after sending it over IPC and remove the null terminator for
example. This can result in TOCTOU bugs since the recipient code relies
on the strings being null terminated.

To address the issue, we now:
1. Send regular spans over IPC, instead of null terminated spans
2. Upon receipt, we copy them into CStrings right away, which makes them
   null terminated.
3. The recipient code only uses the CStrings from then on, not the
   original spans.

This is slightly less efficient but I don't see a way to address the
TOCTOU bugs without doing an extra copy of these strings.

* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
* Source/WTF/wtf/text/CString.cpp:
(WTF::operator==):
* Source/WTF/wtf/text/CString.h:
* Source/WTF/wtf/text/StringCommon.h:
(WTF::operator==):
* Source/WebKit/Shared/LogStream.cpp:
(WebKit::LogStream::logOnBehalfOfWebContent):
* Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::accessibilityFocusedUIElement):
* Tools/TestWebKitAPI/Tests/WTF/Vector.cpp:
(TestWebKitAPI::TEST(WTF_Vector, RemoveAll)):

Originally-landed-as: 305413.450@rapid/safari-7624.2.5.110-branch (8f90147d2654). rdar://176065216
Canonical link: https://flagged.apple.com:443/proxy?t2=DF8p8g0nC5&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzE1MjAxQG1haW4=&emid=9cb9a5b5-741b-4807-b588-baee6188a358&c=11
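The check-then-use gap the commit message describes, and the copy-at-receipt fix it applies, reduced to a stand-alone illustration. This is an added example, not WebKit code: `ByteSpan` is a constructed stand-in for `std::span<const uint8_t>` (so the file builds as C++17), `SharedRegion` is a constructed stand-in for the IPC SharedMemory region that the sender can still write to after the message is sent, and `std::string` plays the role of `WTF::CString` as the owned, null-terminated copy. The function and variable names are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for std::span<const uint8_t> (keeps the example at C++17).
struct ByteSpan {
    const uint8_t* data;
    size_t size;
};

// Constructed stand-in for the IPC SharedMemory region: the sending process
// keeps write access after the message is sent, so the receiver must treat
// the bytes as unstable until it owns a copy.
struct SharedRegion {
    std::vector<uint8_t> bytes;
    ByteSpan view() const { return { bytes.data(), bytes.size() }; }
};

// Pre-fix shape: check once that the span ends in a NUL, then keep using the
// raw pointer as a C string. The check and the later uses are separated by a
// window in which the sender can overwrite the terminator (TOCTOU).
const char* unsafeCStringFromSpan(ByteSpan span) {
    if (span.size == 0 || span.data[span.size - 1] != 0)
        return nullptr;                                   // check ...
    return reinterpret_cast<const char*>(span.data);      // ... use later
}

// Post-fix shape: copy the span into an owned buffer at receipt. The length
// comes from the IPC message, not from scanning for a terminator, and
// std::string (like WTF::CString) always appends its own NUL after the data.
std::string ownedStringFromSpan(ByteSpan span) {
    return std::string(reinterpret_cast<const char*>(span.data), span.size);
}

// Models the vulnerable recipient. Returns whether a terminator is still
// present anywhere inside the region after the sender tampers with it.
bool terminatorSurvivesTampering() {
    SharedRegion region{ { 'h', 'e', 'l', 'l', 'o', '\0' } };
    const char* raw = unsafeCStringFromSpan(region.view());
    if (!raw)
        return false;
    // The sender still owns the memory and clobbers the NUL after the check.
    region.bytes.back() = '!';
    // A bounded scan stands in for the strlen()/"%s" the real recipient would
    // perform; an unbounded one would now walk past the end of the region.
    return std::memchr(raw, '\0', region.bytes.size()) != nullptr;   // false
}

// Models the hardened recipient: what it logs is unaffected by later writes.
std::string hardenedReceiverSees() {
    SharedRegion region{ { 'h', 'e', 'l', 'l', 'o' } };   // plain span, no NUL sent
    std::string owned = ownedStringFromSpan(region.view());
    std::fill(region.bytes.begin(), region.bytes.end(), 'x');   // tampering after receipt
    return owned;   // "hello"; owned.c_str()[5] is a NUL the sender cannot touch
}
```

The point to carry over when reviewing similar IPC handlers: any validation performed on bytes that live in memory the peer can still write is only a snapshot, so the copy has to happen before the validation result is relied upon, and every later use must go through the copy rather than the original span.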
