[17] SpeechRecognition ASSERT instead of MESSAGE_CHECK for duplicate client
Severity: Medium | Component: WebKit UIProcess | 5db4d93
Fixes an assertion on an IPC-supplied identifier that is stripped from release builds by replacing it with a MESSAGE_CHECK. Before the patch, in release builds an identifier collision makes HashMap::add return the existing entry, and the attacker-supplied parameters are ignored. The result is a silent state divergence in which requestPermissionForRequest runs against the wrong origin context.
SpeechRecognitionServer::start verified identifier uniqueness with an ASSERT, but that code is removed in release builds. m_requests.add behaves as insert-if-absent: on a collision the existing entry is returned, and the attacker-supplied lang, continuous, origin and mainFrameIdentifier are all discarded.
Source/WebKit/UIProcess/SpeechRecognitionServer.cpp
- ASSERT(!m_requests.contains(clientIdentifier));
+ MESSAGE_CHECK(!m_requests.contains(clientIdentifier));
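Review bot: the diff shows the replacement but not what MESSAGE_CHECK does on failure in this file; since the macro is defined per file in WebKit, the write-up should state that it returns from start() (marking the dispatched message as invalid on the connection) rather than only logging, because a variant that does not return would still reach m_requests.add and reproduce the silent-reuse behaviour described above.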
The pattern: a debug-only ASSERT used to enforce an attacker-controlled IPC invariant that must also hold in release builds.
The Web Speech Recognition API exposes microphone-based speech-to-text to web content. Access is gated by per-origin permission requests. SpeechRecognitionServer runs in the UIProcess, and m_requests is a HashMap keyed by SpeechRecognitionConnectionClientIdentifier.
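To make the insert-if-absent behaviour concrete, the following is an added example (not WebKit's code) that models the relevant part of SpeechRecognitionServer::start with a HashMap-style add() on top of std::unordered_map. The Request, RequestMap and Connection types, the outcome enum and the origins used in the scenario are all hypothetical stand-ins; the "after fix" path models MESSAGE_CHECK as "flag the message as invalid and return early", which is an assumption about the macro rather than its real definition.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <utility>

// Added example, not WebKit's code: a toy model of SpeechRecognitionServer::start
// with a WTF::HashMap-style add() (insert-if-absent). It shows why a release-stripped
// ASSERT turns an identifier collision into silent state divergence rather than a
// crash, and what the MESSAGE_CHECK replacement changes. All names are hypothetical.

using ClientIdentifier = uint64_t;

// Stand-in for the per-request parameters the IPC message carries.
struct Request {
    std::string lang;
    bool continuous;
    std::string origin;
    uint64_t mainFrameIdentifier;
};

// Mimics HashMap::add: inserts only if the key is absent and returns the entry that
// is in the map afterwards, plus whether a new entry was actually created.
struct RequestMap {
    std::unordered_map<ClientIdentifier, Request> entries;

    std::pair<Request*, bool> add(ClientIdentifier id, Request request) {
        auto [it, inserted] = entries.try_emplace(id, std::move(request));
        return { &it->second, inserted };
    }
    bool contains(ClientIdentifier id) const { return entries.count(id) != 0; }
    const Request& get(ClientIdentifier id) const { return entries.at(id); }
};

// Minimal stand-in for the IPC connection a MESSAGE_CHECK failure acts on.
struct Connection {
    bool invalidMessageSeen = false;
};

enum class Outcome { Started, SilentlyReusedExisting, RejectedDuplicate };

// Pre-fix, release build: ASSERT(!m_requests.contains(id)) compiled to nothing, so a
// colliding identifier reaches add(), which keeps the existing entry and drops the
// newly supplied lang/continuous/origin/mainFrameIdentifier without any signal.
Outcome startBeforeFix(RequestMap& requests, ClientIdentifier id, Request request) {
    auto [entry, inserted] = requests.add(id, std::move(request));
    (void)entry; // later code would act on *entry, i.e. the OLD request's origin
    return inserted ? Outcome::Started : Outcome::SilentlyReusedExisting;
}

// Post-fix: MESSAGE_CHECK survives in release builds. Modelled (assumption) as
// "mark the current message invalid on the connection and return early".
Outcome startAfterFix(Connection& connection, RequestMap& requests,
                      ClientIdentifier id, Request request) {
    if (requests.contains(id)) {
        connection.invalidMessageSeen = true;
        return Outcome::RejectedDuplicate;
    }
    requests.add(id, std::move(request));
    return Outcome::Started;
}

// What the server would act on for the second message under each variant.
struct Divergence {
    Outcome beforeOutcome;
    std::string beforeOriginActedOn;
    Outcome afterOutcome;
    bool afterMarkedInvalid;
    std::size_t afterMapSize;
};

// Constructed scenario: a legitimate request for origin A, then a second message
// that reuses the same identifier but names origin B.
Divergence runScenario() {
    const ClientIdentifier id = 42; // constructed identifier
    Request first  { "en-US", false, "https://a.example", 1 };
    Request second { "fr-FR", true,  "https://b.example", 2 };

    RequestMap before;
    startBeforeFix(before, id, first);
    Outcome b = startBeforeFix(before, id, second);

    Connection conn;
    RequestMap after;
    startAfterFix(conn, after, id, first);
    Outcome a = startAfterFix(conn, after, id, second);

    return { b, before.get(id).origin, a, conn.invalidMessageSeen, after.entries.size() };
}
```

In the pre-fix path the second call reports success-like behaviour to the caller while the map still holds origin A, which is exactly the divergence that lets the later permission request target the wrong origin context; the post-fix path rejects the message and leaves the map untouched. The same shape applies to any UIProcess handler that keys state on a web-process-supplied identifier: the check that gates add() must be one that survives release builds.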
🔒The state-confusion implications of dropping a debug-only invariant on an attacker-controlled IPC entry point are explored in depth, including the subtle HashMap semantics that turn a missing check into something other than a crash.
Audit directions
🔒Three reusable audit patterns identified for finding the same class of IPC-validation gap across other UI-process subsystems, with concrete starting points and grep targets.