Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a3c2559f0df096e9e3b66bed4f49fbd6713b52c7
      
https://github.com/WebKit/WebKit/commit/a3c2559f0df096e9e3b66bed4f49fbd6713b52c7
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    A LayoutTests/http/tests/workers/service/resources/service-worker-download-task-uaf-worker.js
    A LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https-expected.txt
    A LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https.html
    M Source/WebCore/workers/service/server/SWServer.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebCore/workers/service/server/SWServer.h
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp

  Log Message:
  -----------
  [WebKit] Use-after-free in ServiceWorkerDownloadTask via stale FunctionDispatcherQueue after second EstablishSWContextConnection
rdar://176481482

Reviewed by Chris Dumez.

WebContent process could at any time try to establish a new service worker 
context connection.
In that case, NetworkConnectionToWebProcess would destroy any existing service 
worker context connection without closing it.
While this should not happen in practice, a compromised WebContent process can 
trigger this code path.

To prevent this, NetworkConnectionToWebProcess is now message checking whether 
the service worker has a pending connection for that domain.
This prevents logic failures further in the networking process and UI process 
which might not expect the creation of a new connection.

As a further defense, we are closing any existing service worker context 
connection that is pre-existing.
A future patch should MESSAGE_CHECK that there is no pre-existing service 
worker context connection.

Test: http/tests/workers/service/service-worker-download-task-uaf.https.html

* LayoutTests/http/tests/workers/service/resources/service-worker-download-task-uaf-worker.js: Added.
(event.const.stream.new.ReadableStream.start):
* LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https-expected.txt: Added.
* LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https.html: Added.
* Source/WebCore/workers/service/server/SWServer.h:
(WebCore::SWServer::hasPendingConnectionDomain const):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
(WebKit::NetworkConnectionToWebProcess::serviceWorkerServerToContextConnectionNoLongerNeeded):

Originally-landed-as: 305413.893@safari-7624-branch (e4baf2c41a05). 
rdar://180437431
Canonical link: https://commits.webkit.org/316362@main
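The two defenses the log message describes, a message check that rejects a second establish request while a connection for the domain is still pending, and closing any pre-existing connection before it is replaced so dependent tasks drop their queue reference instead of dangling, as an added simplified model. This is not WebKit's code; `ConnectionRegistry`, `ContextConnection`, `DispatcherQueue` and `DownloadTask` are hypothetical names standing in for the real classes.

```cpp
#include <cassert>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of the pattern in the commit message, not WebKit code.
struct DispatcherQueue { std::vector<std::string> posted; };

// A task holds only a weak reference to its connection's queue, so once the
// connection is closed a post is refused rather than written through a stale pointer.
struct DownloadTask {
    std::weak_ptr<DispatcherQueue> queue;
    bool post(const std::string& msg) {
        if (auto q = queue.lock()) { q->posted.push_back(msg); return true; }
        return false;  // queue already released: task is effectively cancelled
    }
};

struct ContextConnection {
    std::string domain;
    bool pending = true;  // true until the context process has acknowledged
    std::shared_ptr<DispatcherQueue> queue = std::make_shared<DispatcherQueue>();
    std::vector<std::shared_ptr<DownloadTask>> tasks;
    void close() { tasks.clear(); queue.reset(); }  // cancel tasks, release queue
};

class ConnectionRegistry {
    std::map<std::string, std::unique_ptr<ContextConnection>> connections_;
public:
    bool hasPendingConnection(const std::string& domain) const {
        auto it = connections_.find(domain);
        return it != connections_.end() && it->second->pending;
    }
    // Returns false when the request fails the message check (the caller treats
    // the sending process as misbehaving); true when a fresh connection exists
    // and any previous one for the domain was closed before being destroyed.
    bool establish(const std::string& domain) {
        if (hasPendingConnection(domain))
            return false;  // MESSAGE_CHECK equivalent: reject, do not replace
        auto it = connections_.find(domain);
        if (it != connections_.end())
            it->second->close();  // defense in depth: close, then destroy
        connections_[domain] = std::make_unique<ContextConnection>();
        connections_[domain]->domain = domain;
        return true;
    }
    ContextConnection* get(const std::string& domain) {
        auto it = connections_.find(domain);
        return it == connections_.end() ? nullptr : it->second.get();
    }
};
```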
