Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a3c2559f0df096e9e3b66bed4f49fbd6713b52c7
https://github.com/WebKit/WebKit/commit/a3c2559f0df096e9e3b66bed4f49fbd6713b52c7
Author: Youenn Fablet <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/http/tests/workers/service/resources/service-worker-download-task-uaf-worker.js
A LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https-expected.txt
A LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https.html
M Source/WebCore/workers/service/server/SWServer.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
[WebKit] Use-after-free in ServiceWorkerDownloadTask via stale
FunctionDispatcherQueue after second EstablishSWContextConnection
rdar://176481482
Reviewed by Chris Dumez.
A WebContent process could at any time try to establish a new service worker
context connection.
In that case, NetworkConnectionToWebProcess would destroy any existing service
worker context connection without closing it.
While this should not happen in practice, a compromised WebContent process can
trigger this code path.
To prevent this, NetworkConnectionToWebProcess is now message checking whether
the service worker server has a pending connection for that domain.
This prevents logic failures further in networking process and UI process which
might not expect the creation of a new connection.
As a further defense, we are closing any existing service worker context
connection that is pre-existing.
A future patch should MESSAGE_CHECK that there is no pre-existing service
worker context connection.
Test: http/tests/workers/service/service-worker-download-task-uaf.https.html
* LayoutTests/http/tests/workers/service/resources/service-worker-download-task-uaf-worker.js: Added.
(event.const.stream.new.ReadableStream.start):
* LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https-expected.txt: Added.
* LayoutTests/http/tests/workers/service/service-worker-download-task-uaf.https.html: Added.
* Source/WebCore/workers/service/server/SWServer.h:
(WebCore::SWServer::hasPendingConnectionDomain const):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
(WebKit::NetworkConnectionToWebProcess::serviceWorkerServerToContextConnectionNoLongerNeeded):
Originally-landed-as: 305413.893@safari-7624-branch (e4baf2c41a05).
rdar://180437431
Canonical link: https://commits.webkit.org/316362@main
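The ownership problem the log message describes, as an added C++ model that is not WebKit code: a second establish replaces the current context connection, the old connection is destroyed without being closed, and a download task it started keeps referring to a queue that no longer exists. DispatcherQueue, DownloadTask, ContextConnection, SWServerModel and ConnectionOwner are assumed stand-ins for FunctionDispatcherQueue, ServiceWorkerDownloadTask, the context connection, SWServer::hasPendingConnectionDomain and NetworkConnectionToWebProcess; the sample domain is constructed. The reading that the message check rejects an establish the server is not already waiting for is inferred from the log message, not taken from the diff, which is not on this page. A weak_ptr stands in for the reference that would dangle in the real bug so the stale case is observable rather than undefined behaviour.

```cpp
// Added illustration, not WebKit code. All type and function names are assumed.
#include <memory>
#include <set>
#include <string>
#include <vector>

// Work queue a download task posts to; stands in for FunctionDispatcherQueue.
struct DispatcherQueue {
    int dispatched = 0;
    void dispatch() { ++dispatched; }
};

// Task that can outlive the connection that created it. weak_ptr replaces the raw
// reference of the real bug so a destroyed queue is detectable instead of a UAF.
struct DownloadTask {
    std::weak_ptr<DispatcherQueue> queue;
    bool stopped = false;
    // Returns true if a chunk reached a live queue.
    bool deliverChunk() {
        if (stopped) return false;
        auto q = queue.lock();
        if (!q) return false;          // queue destroyed under a still-running task
        q->dispatch();
        return true;
    }
};

struct ContextConnection {
    std::shared_ptr<DispatcherQueue> queue = std::make_shared<DispatcherQueue>();
    std::vector<std::shared_ptr<DownloadTask>> tasks;
    std::shared_ptr<DownloadTask> startDownload() {
        auto task = std::make_shared<DownloadTask>();
        task->queue = queue;
        tasks.push_back(task);
        return task;
    }
    // Orderly teardown: stop every task before the queue goes away.
    void close() {
        for (auto& t : tasks) t->stopped = true;
        tasks.clear();
    }
};

// Stand-in for the server-side "connection pending for this domain" state.
struct SWServerModel {
    std::set<std::string> pending;
    bool hasPendingConnectionDomain(const std::string& d) const { return pending.count(d) > 0; }
};

enum class Establish { Accepted, Rejected };

struct ConnectionOwner {
    SWServerModel* server = nullptr;
    std::unique_ptr<ContextConnection> connection;
    bool messageCheckFailed = false;

    // Pre-fix shape: the assignment destroys the old connection without close(),
    // so tasks it started keep using a queue that no longer exists.
    Establish establishUnchecked() {
        connection = std::make_unique<ContextConnection>();
        return Establish::Accepted;
    }

    // Post-fix shape (assumed reading): an establish the server is not waiting for
    // fails the message check; a legitimate one closes the old connection first.
    Establish establishChecked(const std::string& domain) {
        if (!server->hasPendingConnectionDomain(domain)) {
            messageCheckFailed = true;     // a failed MESSAGE_CHECK terminates the sender
            return Establish::Rejected;
        }
        server->pending.erase(domain);
        if (connection) connection->close();
        connection = std::make_unique<ContextConnection>();
        return Establish::Accepted;
    }
};

// Pre-fix ordering: true when a running task is left against a destroyed queue.
bool unpatchedLeavesStaleQueue() {
    SWServerModel server;
    ConnectionOwner owner{&server};
    owner.establishUnchecked();
    auto task = owner.connection->startDownload();
    owner.establishUnchecked();            // unsolicited second establish
    return !task->stopped && !task->deliverChunk();
}

// Post-fix: the unsolicited second establish is rejected; the running task is untouched.
bool patchedRejectsUnsolicitedEstablish() {
    SWServerModel server;
    server.pending.insert("example.com");  // constructed: server expects one connection
    ConnectionOwner owner{&server};
    if (owner.establishChecked("example.com") != Establish::Accepted) return false;
    auto task = owner.connection->startDownload();
    bool rejected = owner.establishChecked("example.com") == Establish::Rejected;
    return rejected && owner.messageCheckFailed && task->deliverChunk();
}

// Post-fix: a legitimate second request closes the old connection, stopping its task.
bool patchedClosesPreexistingConnection() {
    SWServerModel server;
    server.pending.insert("example.com");
    ConnectionOwner owner{&server};
    owner.establishChecked("example.com");
    auto task = owner.connection->startDownload();
    server.pending.insert("example.com");  // constructed: a second, expected request
    bool accepted = owner.establishChecked("example.com") == Establish::Accepted;
    return accepted && task->stopped && !owner.messageCheckFailed;
}
```

The third scenario is the "further defense" the log message mentions: even when a second connection is legitimate, closing the pre-existing one first gives its tasks a clean stop instead of a silently dead queue.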