[14] [WebKit] Add MessagePort entanglement check to takeAllMessagesForPort IPC
Severity: High | Component: WebKit Network process | da44cdb
Rated High because the diff adds a MESSAGE_CHECK_COMPLETION that rejects TakeAllMessagesForPort IPCs naming a port not in m_processEntangledPorts; pre-fix, any WebContent process could harvest pending messages destined for a port owned by an unrelated process, given the port identifier.
NetworkConnectionToWebProcess::takeAllMessagesForPort now checks the supplied MessagePortIdentifier against m_processEntangledPorts, the set of ports entangled with this connection's WebContent process, and routes mismatches to the kill-the-sender path.
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
+ MESSAGE_CHECK_COMPLETION(m_processEntangledPorts.contains(identifier), completionHandler({ }, false));
m_networkProcess->messagePortChannelRegistry().takeAllMessagesForPort(identifier, WTFMove(completionHandler));
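Review bot: the new MESSAGE_CHECK_COMPLETION on the first line guards only this entry point; if any other IPC handler on NetworkConnectionToWebProcess accepts a MessagePortIdentifier and reaches messagePortChannelRegistry(), it needs the same m_processEntangledPorts check, otherwise ownership is enforced for draining but not for the sibling operations on the same port. A one-line comment above the check stating that a port absent from m_processEntangledPorts can only come from a misbehaving sender would also help the next reader, since the outcome here is `completionHandler({ }, false)` plus termination of the sender rather than a plain empty reply.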
IPC authorization bypass: a compromised renderer could harvest queued cross-process MessagePort messages by naming a port identifier it did not own.
Patch Details
The IPC entry point now checks port ownership before consulting the global registry. On rejection the completion handler is invoked with an empty message list and false, and the sending process is treated as misbehaving rather than simply receiving an empty reply.
Background
The Network process is the trusted broker for cross-process MessagePort delivery. When a port is transferred between WebContent processes (e.g., via a SharedWorker handoff), pending messages queue in the Network process until the receiver drains them via TakeAllMessagesForPort. m_processEntangledPorts tracks which ports this connection legitimately owns.
Analysis
Pre-fix, the Network process accepted any MessagePortIdentifier (a ProcessIdentifier plus a PortIdentifier, both 64-bit object identifiers) and forwarded it to the global registry without asking whether the sending connection owned the port. A compromised or hostile WebContent process that obtained or guessed an identifier could issue the IPC and drain the queue before the legitimate receiver did.
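The broker model described above, as an added example that is not WebKit's code: a minimal stand-in for the Network-process port broker with the pre-fix (unchecked) and post-fix (ownership-checked) versions of the drain handler side by side. PortId, BrokerRegistry, Connection, TakeResult and the sample messages are all constructed for illustration; only the shape of the check (reject identifiers absent from the connection's entangled set, return an empty list and false, kill the sender) mirrors the patch.

```cpp
// Added example, not WebKit's code. Models the Network process as the broker
// for MessagePort messages and shows why the per-connection ownership check
// matters. All names below are assumptions for illustration.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for WebCore::MessagePortIdentifier: (process id, port id).
using PortId = std::pair<uint64_t, uint64_t>;

// Stand-in for the global MessagePortChannelRegistry: messages queued for a
// port until the owning process drains them. Draining removes them.
struct BrokerRegistry {
    std::map<PortId, std::vector<std::string>> queued;

    std::vector<std::string> takeAllMessagesForPort(const PortId& id) {
        auto it = queued.find(id);
        if (it == queued.end()) return {};
        std::vector<std::string> out = std::move(it->second);
        queued.erase(it);
        return out;
    }
};

// What the completion handler and the message-check path report.
struct TakeResult {
    std::vector<std::string> messages;
    bool ok;            // second completion-handler argument
    bool senderKilled;  // MESSAGE_CHECK_COMPLETION failure path taken
};

// Stand-in for NetworkConnectionToWebProcess: one per WebContent process.
struct Connection {
    BrokerRegistry& registry;
    std::set<PortId> processEntangledPorts;  // ports this process legitimately owns
    bool killed = false;

    explicit Connection(BrokerRegistry& r) : registry(r) {}

    // Pre-fix: any identifier goes straight to the global registry.
    TakeResult takeAllMessagesForPortUnchecked(const PortId& id) {
        return { registry.takeAllMessagesForPort(id), true, false };
    }

    // Post-fix: identifiers this connection does not own are rejected and the
    // sender is killed, mirroring MESSAGE_CHECK_COMPLETION(..., completionHandler({ }, false)).
    TakeResult takeAllMessagesForPortChecked(const PortId& id) {
        if (!processEntangledPorts.count(id)) {
            killed = true;
            return { {}, false, true };
        }
        return { registry.takeAllMessagesForPort(id), true, false };
    }
};

// Outcome of one constructed scenario, for inspection and testing.
struct Outcome {
    size_t hostileMessages;  // messages the non-owner obtained
    bool hostileOk;          // completion-handler flag the non-owner saw
    bool hostileKilled;      // whether the non-owner was terminated
    size_t ownerMessages;    // messages left for the legitimate owner
};

// Constructed scenario (not from the page): port (1,7) is entangled with the
// owner connection, two sample messages are queued for it, and a hostile
// connection that merely knows the identifier asks to drain it first.
Outcome run(bool withCheck) {
    BrokerRegistry r;
    const PortId port{1, 7};
    r.queued[port] = {"hello", "world"};  // constructed sample messages
    Connection owner(r), hostile(r);
    owner.processEntangledPorts.insert(port);  // only the owner is entangled

    TakeResult h = withCheck ? hostile.takeAllMessagesForPortChecked(port)
                             : hostile.takeAllMessagesForPortUnchecked(port);
    TakeResult o = withCheck ? owner.takeAllMessagesForPortChecked(port)
                             : owner.takeAllMessagesForPortUnchecked(port);
    return { h.messages.size(), h.ok, hostile.killed, o.messages.size() };
}
```

Without the check, run(false) shows the hostile connection draining both messages and the owner receiving none; with it, run(true) shows the hostile connection receiving nothing, the completion flag false, the sender killed, and both messages still available to the owner.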
🔒The cross-process MessagePort delivery model and the conditions that make stolen identifiers usable are unpacked, along with what an attacker actually gains beyond simple message reads.
Audit directions
🔒Four reusable audit patterns identified for IPC-authorization bugs of this shape, with concrete starting points across multiple WebKit broker subsystems.