[7] IndexedDB Connection/Transaction Identifier Confusion
Severity: High | Component: WebKit NetworkProcess | d854553
Rated High because the fix addresses the broker-side IDB registry dereferencing renderer-supplied identifiers directly, without rebinding them to the sender. The primitive obtained is cross-renderer (effectively cross-origin) read, write, and delete of IndexedDB records.
NetworkStorageManager's IDB IPC handlers resolved IDBDatabaseConnectionIdentifier / IDBResourceIdentifier through IDBStorageRegistry using the handle alone. Under that design, any WebContent process could submit another renderer's identifier and have the NetworkProcess service the request as if it came from the owner.
Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
+bool IDBStorageRegistry::isValidConnectionForIPC(WebCore::IDBServer::UniqueIDBDatabaseConnection& databaseConnection, IPC::Connection& ipcConnection)
+{
+ auto connectionIdentifier = databaseConnection.connectionToClient().identifier();
+ auto it = m_connectionsToClient.find(connectionIdentifier);
+ if (it == m_connectionsToClient.end())
+ return true;
+ return it->value->ipcConnection() == ipcConnection.uniqueID();
+}
+SUPPRESS_NODELETE RefPtr<WebCore::IDBServer::UniqueIDBDatabaseConnection> IDBStorageRegistry::connection(WebCore::IDBDatabaseConnectionIdentifier identifier, IPC::Connection& ipcConnection)
+{
+ RefPtr databaseConnection = m_connections.get(identifier);
+ if (!databaseConnection)
+ return nullptr;
+ MESSAGE_CHECK_WITH_RETURN_VALUE(isValidConnectionForIPC(*databaseConnection, ipcConnection), ipcConnection, nullptr);
+ return databaseConnection;
+}
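Review bot: isValidConnectionForIPC() fails open when the owning client connection is absent from m_connectionsToClient (`if (it == m_connectionsToClient.end()) return true;`). A UniqueIDBDatabaseConnection whose connectionToClient() has already been removed from the registry would then resolve for any sender through connection(). Unless an invariant guarantees such a connection can never be looked up, returning false there (so MESSAGE_CHECK fires) or asserting the invariant would be safer; either way, a comment explaining why the missing case is treated as valid would help.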
Patch Details
connection() and transaction() now take an IPC::Connection& and call isValidConnectionForIPC(). That function looks up the client connection that owns the database connection and compares its ipcConnection() with the sender's uniqueID(). Every IDB IPC handler (establishTransaction, commitTransaction, putOrAdd, getRecord, openCursor, iterateCursor, and the rest) was changed to pass the IPC::Connection& through.
The underlying pattern is a sender-resource binding flaw at an IPC trust boundary: the broker dereferences an opaque identifier it issued without verifying that the originating IPC connection owns it.
Background
IndexedDB is split between the renderer-side WebCore layer and the NetworkProcess broker, with IDBStorageRegistry managing the state between them. The registry holds three data structures: m_connectionsToClient, keyed by IDBConnectionIdentifier and recording the originating IPC::Connection::UniqueID (read back through ipcConnection() in the patch); m_connections, keyed by IDBDatabaseConnectionIdentifier; and m_transactions, keyed by IDBResourceIdentifier. IDBResourceIdentifier::connectionIdentifier() provides the back-link to the client connection, and when validation fails MESSAGE_CHECK terminates the offending child process.
Analysis
An identifier handed to a renderer is a capability, so the broker must rebind it to the sender on every call. Before the patch, WebContent A could send establishTransaction / putOrAdd / getRecord carrying WebContent B's identifier, and the NetworkProcess would process the request against B's connection as-is.
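The registry layout from Background and the cross-renderer replay from Analysis, as an added example that is not WebKit code: a minimal model of the three maps and of the handle-only lookup beside the sender-bound lookup. Registry, ConnectionToClient, DatabaseConnection, the integer identifier aliases and the scenario functions are assumptions for illustration; the fail-open branch on a missing owner is copied from the patch's isValidConnectionForIPC().

```cpp
// Added example (not WebKit code): models the IDBStorageRegistry sender check.
// All names below are assumptions for illustration, not WebKit identifiers.
#include <cstdint>
#include <map>
#include <memory>

using IpcUniqueId = uint64_t;     // stands in for IPC::Connection::UniqueID
using ClientId = uint64_t;        // stands in for IDBConnectionIdentifier
using DbConnectionId = uint64_t;  // stands in for IDBDatabaseConnectionIdentifier

// Client connection as the broker sees it: remembers which IPC connection
// (i.e. which WebContent process) created it.
struct ConnectionToClient {
    ClientId id;
    IpcUniqueId ipcConnection;
};

// Database connection opened through a client connection; the broker hands the
// DbConnectionId back to the renderer as an opaque handle.
struct DatabaseConnection {
    DbConnectionId id;
    ClientId owner;
};

class Registry {
public:
    ClientId registerClient(IpcUniqueId ipc) {
        ClientId id = nextClient_++;
        clients_[id] = ConnectionToClient{id, ipc};
        return id;
    }
    DbConnectionId openDatabase(ClientId owner) {
        DbConnectionId id = nextDb_++;
        dbs_[id] = std::make_shared<DatabaseConnection>(DatabaseConnection{id, owner});
        return id;
    }
    void removeClient(ClientId id) { clients_.erase(id); }

    // Pre-patch behaviour: the handle alone selects the connection.
    std::shared_ptr<DatabaseConnection> connectionUnchecked(DbConnectionId id) const {
        auto it = dbs_.find(id);
        return it == dbs_.end() ? nullptr : it->second;
    }

    // Post-patch behaviour: the handle is rebound to the sender. Returns nullptr
    // where WebKit's MESSAGE_CHECK would instead terminate the sender.
    std::shared_ptr<DatabaseConnection> connection(DbConnectionId id, IpcUniqueId sender) const {
        auto db = connectionUnchecked(id);
        if (!db || !isValidConnectionForIPC(*db, sender))
            return nullptr;
        return db;
    }

    // Mirrors the patch: an owner missing from the client map is treated as valid.
    bool isValidConnectionForIPC(const DatabaseConnection& db, IpcUniqueId sender) const {
        auto it = clients_.find(db.owner);
        if (it == clients_.end())
            return true; // fail-open branch, as in the patch
        return it->second.ipcConnection == sender;
    }

private:
    std::map<ClientId, ConnectionToClient> clients_;
    std::map<DbConnectionId, std::shared_ptr<DatabaseConnection>> dbs_;
    ClientId nextClient_ = 1;
    DbConnectionId nextDb_ = 1;
};

// Constructed scenario: renderer A (IPC 100) and renderer B (IPC 200) each open
// a database; A then replays B's handle in its own IPC message.
struct CrossRendererResult {
    bool uncheckedResolves;   // handle-only lookup serves A with B's connection
    bool checkedResolvesForA; // sender-bound lookup rejects A
    bool checkedResolvesForB; // sender-bound lookup still serves the owner
};

CrossRendererResult simulateCrossRendererLookup() {
    Registry reg;
    const IpcUniqueId rendererA = 100, rendererB = 200;
    ClientId clientA = reg.registerClient(rendererA);
    ClientId clientB = reg.registerClient(rendererB);
    (void)reg.openDatabase(clientA);
    DbConnectionId dbB = reg.openDatabase(clientB);
    return {reg.connectionUnchecked(dbB) != nullptr,
            reg.connection(dbB, rendererA) != nullptr,
            reg.connection(dbB, rendererB) != nullptr};
}

// Edge case: B's client connection is gone from the registry while its database
// connection object survives; the missing-owner branch lets any sender through.
bool staleOwnerIsFailOpen() {
    Registry reg;
    ClientId clientB = reg.registerClient(200);
    DbConnectionId dbB = reg.openDatabase(clientB);
    reg.removeClient(clientB);
    return reg.connection(dbB, 100) != nullptr;
}
```

The check is only as strong as the ownership map behind it: staleOwnerIsFailOpen() shows why a registry that can drop a client entry while a database connection still references it needs either a fail-closed default or a teardown invariant that removes the database connection first.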