[14] SWServer Invalid Iterator Dereference on Desynchronized Maps
Severity: Low | Component: Service Workers (SWServer) | 09f4248
Rated Low because the observable effect is a crash via dereferencing an end() iterator (Network process DoS), with no evidence of escalation to memory corruption — the iterator dereference target is determined by HashMap internals, not attacker-controlled data.
Patch Details
Adds iterator end() guards in two locations within SWServer::unregisterServiceWorkerClientInternal(), preventing dereference of invalid iterators when map lookups fail due to race-induced desynchronization.
Source/WebCore/workers/service/server/SWServer.cpp
auto clientsByRegistrableDomainIterator = m_clientsByRegistrableDomain.find(clientRegistrableDomain);
ASSERT(clientsByRegistrableDomainIterator != m_clientsByRegistrableDomain.end());
- auto& clientsForRegistrableDomain = clientsByRegistrableDomainIterator->value;
- clientsForRegistrableDomain.remove(clientIdentifier);
- if (clientsForRegistrableDomain.isEmpty())
- m_clientsByRegistrableDomain.remove(clientsByRegistrableDomainIterator);
+ if (clientsByRegistrableDomainIterator != m_clientsByRegistrableDomain.end()) {
+ auto& clientsForRegistrableDomain = clientsByRegistrableDomainIterator->value;
+ clientsForRegistrableDomain.remove(clientIdentifier);
+ if (clientsForRegistrableDomain.isEmpty())
+ m_clientsByRegistrableDomain.remove(clientsByRegistrableDomainIterator);
+ }
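Review bot: the ASSERT(clientsByRegistrableDomainIterator != m_clientsByRegistrableDomain.end()) kept directly above the new guard still fires in debug builds whenever find() returns end(), so the race aborts debug and test runs while release builds now skip silently; either drop the ASSERT or replace it with a non-fatal diagnostic, and add a comment naming the double-unregister race this guard tolerates. The guard also addresses the symptom only: when the client is already absent from this map the function keeps going, so consider an early return at that point rather than running the rest of the bookkeeping for a client that was already unregistered.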
auto iterator = protectedThis->m_clientIdentifiersPerOrigin.find(clientOrigin);
ASSERT(iterator != protectedThis->m_clientIdentifiersPerOrigin.end());
- iterator->value.terminateServiceWorkersTimer->startOneShot(protectedThis->m_isProcessTerminationDelayEnabled ? defaultTerminationDelay : defaultFunctionalEventDuration);
+ if (iterator != protectedThis->m_clientIdentifiersPerOrigin.end())
+ iterator->value.terminateServiceWorkersTimer->startOneShot(protectedThis->m_isProcessTerminationDelayEnabled ? defaultTerminationDelay : defaultFunctionalEventDuration);
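Review bot: same ASSERT/guard contradiction here: ASSERT(iterator != protectedThis->m_clientIdentifiersPerOrigin.end()) on the line before the guard still fires in debug builds. More important for behaviour, when the guard trips terminateServiceWorkersTimer->startOneShot() is never called for that origin; please confirm another path terminates those workers, otherwise the skipped timer leaves them running after their last client has gone. A short comment stating why end() is reachable here (this runs through protectedThis, so the origin entry can have been removed by the time it executes) would help future readers.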
Missing iterator validity check before dereference in a race-prone map lookup path.
Background
Service Workers are background scripts registered by web pages that intercept network requests. SWServer is the server-side component running in WebKit's Network process that tracks registered clients. It maintains multiple HashMaps (m_clientsByRegistrableDomain, m_clientIdentifiersPerOrigin, m_clientsById) that must remain synchronized. When a client disconnects, unregisterServiceWorkerClient() removes entries from these maps. A race condition occurs when the same client is unregistered more than once before map state is reconciled — the commit message confirms this is reproducible by calling unregisterServiceWorkerClient() twice.
Analysis
Before the fix, unregisterServiceWorkerClientInternal() unconditionally dereferenced iterators from HashMap::find() without checking for end(). Due to race conditions where the internal maps could get out of sync — for example, a client being unregistered twice — the find() call could return end(), and the subsequent dereference would access invalid memory or crash.
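The guarded lookup pattern the fix introduces, as an added example that is not WebKit code: a hypothetical two-map client tracker built on std::unordered_map (the class, method and member names are assumptions) that compares every find() result with end(), counts the failed lookups instead of hiding them, and exposes an invariant check so a double unregister is both survived and observable.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Hypothetical model of SWServer's client bookkeeping (added example, not
// WebKit code): domain -> client ids and client id -> domain must agree.
class ClientTracker {
public:
    void registerClient(uint64_t id, const std::string& domain) {
        m_domainById.emplace(id, domain);
        m_clientsByDomain[domain].insert(id);
    }
    // Fixed shape: every find() result is compared with end() before use. A
    // failed lookup is counted, not silently tolerated, so a racing double
    // unregister stays observable. Returns true if a client was removed.
    bool unregisterClient(uint64_t id, const std::string& domain) {
        m_domainById.erase(id); // erase-by-key is safe when the key is absent
        auto it = m_clientsByDomain.find(domain);
        if (it == m_clientsByDomain.end()) {
            ++m_desyncCount; // the pre-fix code dereferenced here: UB
            return false;
        }
        it->second.erase(id);
        if (it->second.empty())
            m_clientsByDomain.erase(it);
        return true;
    }
    // Invariant both maps must satisfy; cheap enough for a debug-only check.
    bool isConsistent() const {
        size_t counted = 0;
        for (const auto& [domain, ids] : m_clientsByDomain) {
            if (ids.empty()) return false; // empty sets must have been erased
            for (uint64_t id : ids) {
                auto byId = m_domainById.find(id);
                if (byId == m_domainById.end() || byId->second != domain) return false;
                ++counted;
            }
        }
        return counted == m_domainById.size();
    }
    size_t desyncCount() const { return m_desyncCount; }

private:
    std::unordered_map<uint64_t, std::string> m_domainById;
    std::unordered_map<std::string, std::unordered_set<uint64_t>> m_clientsByDomain;
    size_t m_desyncCount = 0;
};
```

Registering one client and unregistering it twice with the same domain reproduces the commit-message scenario: the second call finds no domain entry, the guard trips once, and both maps stay consistent.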