[7] IndexedDB Connection/Transaction Identifier Confusion
Severity: High | Component: WebKit NetworkProcess | d854553
Rated High because the diff fixes broker-side IDB registries that dereferenced renderer-supplied identifiers without rebinding to the sender; the resulting primitive is cross-renderer (effectively cross-origin) read, write, and destroy of IndexedDB records.
NetworkStorageManager's IDB IPC handlers looked up IDBDatabaseConnectionIdentifier/IDBResourceIdentifier via IDBStorageRegistry keyed only by handle. Any WebContent process could submit another renderer's identifier and have the NetworkProcess act on it.
Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
+bool IDBStorageRegistry::isValidConnectionForIPC(WebCore::IDBServer::UniqueIDBDatabaseConnection& databaseConnection, IPC::Connection& ipcConnection)
+{
+ auto connectionIdentifier = databaseConnection.connectionToClient().identifier();
+ auto it = m_connectionsToClient.find(connectionIdentifier);
+ if (it == m_connectionsToClient.end())
+ return true;
+ return it->value->ipcConnection() == ipcConnection.uniqueID();
+}
+SUPPRESS_NODELETE RefPtr<WebCore::IDBServer::UniqueIDBDatabaseConnection> IDBStorageRegistry::connection(WebCore::IDBDatabaseConnectionIdentifier identifier, IPC::Connection& ipcConnection)
+{
+ RefPtr databaseConnection = m_connections.get(identifier);
+ if (!databaseConnection)
+ return nullptr;
+ MESSAGE_CHECK_WITH_RETURN_VALUE(isValidConnectionForIPC(*databaseConnection, ipcConnection), ipcConnection, nullptr);
+ return databaseConnection;
+}
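Review bot: isValidConnectionForIPC() fails open when the owning client connection is absent: `if (it == m_connectionsToClient.end()) return true;` means a UniqueIDBDatabaseConnection whose connectionToClient() entry has already been removed from m_connectionsToClient passes the check for any sender, so the sender rebinding the patch introduces does not cover that window. Consider returning false there (and letting MESSAGE_CHECK_WITH_RETURN_VALUE terminate the sender), or document why a dangling client entry can never coincide with a live entry in m_connections.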
Patch Details
connection() and transaction() now take IPC::Connection& and call isValidConnectionForIPC(), which resolves the database connection's owning client and compares ipcConnection() against the sender's uniqueID(). Every IDB IPC handler (establishTransaction, commitTransaction, putOrAdd, getRecord, openCursor, iterateCursor, etc.) is updated to thread IPC::Connection& through.
Missing sender-to-resource binding at an IPC trust boundary, where opaque identifiers minted by the broker are dereferenced without verifying that the originating IPC connection owns them.
Background
IndexedDB splits into a renderer-side WebCore layer and a NetworkProcess broker. IDBStorageRegistry holds m_connectionsToClient (keyed by IDBConnectionIdentifier, value records the originating IPC::Connection::UniqueID), m_connections (keyed by IDBDatabaseConnectionIdentifier), and m_transactions (keyed by IDBResourceIdentifier). IDBResourceIdentifier::connectionIdentifier() links back to a client connection. MESSAGE_CHECK terminates the offending child process on failure.
Analysis
Identifiers handed back to a renderer are capabilities; the broker must rebind on every call. Before the fix, WebContent A could send establishTransaction / putOrAdd / getRecord carrying WebContent B's identifier and have NetworkProcess execute against B's connection.
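To make the rebinding requirement concrete, the following is an added, constructed model of a broker-side handle registry; it is not WebKit code, and every name in it (BrokerRegistry, SenderID, ClientID, HandleID, handleGetRecord) is illustrative. It keeps the two-level layout the write-up describes, a client-connection table recording the originating IPC sender and a database-connection table keyed by opaque handle, and places the handle-only lookup beside the sender-bound one. Unlike the patch shown above, the bound lookup also denies when the owner record is missing, so the "renderer went away but its handles linger" case fails closed.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>

// Constructed model of a broker-side handle registry; names are illustrative,
// not WebKit's, and stand in for the classes the write-up discusses.
using SenderID = uint64_t;  // plays the role of IPC::Connection::UniqueID
using ClientID = uint64_t;  // plays the role of IDBConnectionIdentifier
using HandleID = uint64_t;  // plays the role of IDBDatabaseConnectionIdentifier

struct ClientConnection {
    SenderID ipcConnection;  // the process that created this client connection
};

struct DatabaseConnection {
    ClientID client;         // which client connection opened this database
    std::string databaseName;
};

class BrokerRegistry {
public:
    // A renderer announces itself; the broker records which IPC sender it is.
    ClientID registerClient(SenderID sender) {
        ClientID id = m_nextClient++;
        m_connectionsToClient[id] = ClientConnection{sender};
        return id;
    }

    // The broker mints an opaque handle and returns it to the renderer.
    HandleID openDatabase(ClientID client, const std::string& name) {
        HandleID h = m_nextHandle++;
        m_connections[h] = DatabaseConnection{client, name};
        return h;
    }

    // Renderer went away: its client record is dropped, handles may linger.
    void removeClient(ClientID client) { m_connectionsToClient.erase(client); }

    // "Before": the handle alone selects the resource. Any sender that presents
    // a handle value reaches the resource it names, whoever created it.
    const DatabaseConnection* connectionUnchecked(HandleID h) const {
        auto it = m_connections.find(h);
        return it == m_connections.end() ? nullptr : &it->second;
    }

    // "After": rebind the handle to the sender on every call. A mismatch or a
    // missing owner record both deny (fail closed); in the broker this is
    // where a MESSAGE_CHECK would terminate the sending process.
    const DatabaseConnection* connection(HandleID h, SenderID sender) const {
        auto it = m_connections.find(h);
        if (it == m_connections.end())
            return nullptr;
        if (!isValidForSender(it->second, sender))
            return nullptr;
        return &it->second;
    }

private:
    bool isValidForSender(const DatabaseConnection& db, SenderID sender) const {
        auto it = m_connectionsToClient.find(db.client);
        if (it == m_connectionsToClient.end())
            return false;  // owner unknown: deny rather than trust the handle
        return it->second.ipcConnection == sender;
    }

    ClientID m_nextClient = 1;
    HandleID m_nextHandle = 1;
    std::unordered_map<ClientID, ClientConnection> m_connectionsToClient;
    std::unordered_map<HandleID, DatabaseConnection> m_connections;
};

// A getRecord-style handler as the broker would dispatch it: returns the name
// of the database the request would be served against, or "" when refused.
std::string handleGetRecord(const BrokerRegistry& registry, SenderID sender,
                            HandleID h, bool rebindToSender) {
    const DatabaseConnection* db = rebindToSender ? registry.connection(h, sender)
                                                  : registry.connectionUnchecked(h);
    return db ? db->databaseName : std::string();
}
```

The design point is that the sender identity comes from the IPC layer (the connection the message arrived on), never from the message payload, and that it is re-derived on every handler entry rather than cached at open time; a registry that answers on the handle alone is handing out ambient capabilities to every process that shares the broker.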
🔒How a NetworkProcess-side registry of IndexedDB handles became a cross-renderer capability — and what classes of primitive the missing sender check exposed.
Audit directions
🔒Multiple reusable broker-authorization audit patterns, with concrete starting points across NetworkProcess and GPUProcess registries.