[17] [WebKit] Validate Permissions Query identifier/source combination
Severity: Medium | Component: WebKit UIProcess Permissions | e118db0
Rated Medium because the diff adds a MESSAGE_CHECK_COMPLETION to WebPermissionControllerProxy::query() so that an IPC with identifier == nullopt and a source outside SharedWorker/ServiceWorker no longer reaches mostReasonableWebPageProxy()'s RELEASE_ASSERT_NOT_REACHED(); pre-fix a compromised renderer could abort the UI process.
query() validates that either identifier is set or source is one of the worker sources before falling through to mostReasonableWebPageProxy.
Source/WebKit/UIProcess/WebPermissionControllerProxy.cpp
Renderer-reachable UI-process abort: missing IPC argument validation let attacker-shaped inputs reach a code path that was asserted unreachable.
Patch Details
MESSAGE_CHECK_COMPLETION lifts the implicit invariant (identifier set OR source is a worker) into an explicit check. Violation routes to the kill-the-sender path.
Background
WebPermissionControllerProxy::query services navigator.permissions.query() and its worker equivalents. mostReasonableWebPageProxy() is invoked when no specific page identifier is supplied; its prologue asserts source == SharedWorker || source == ServiceWorker and its switch ends with RELEASE_ASSERT_NOT_REACHED() on the default arm.
Analysis
Pre-fix, a WebProcess that sent Query with identifier == nullopt and any source other than SharedWorker/ServiceWorker (for example Window) caused the RELEASE_ASSERT to fire in the UI process.
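The pattern the fix applies (an invariant that the callee relied on implicitly being checked explicitly at the IPC boundary, with violations routed to the kill-the-sender path instead of a release assertion) is shown below as an added example. It is a self-contained model written for this note, not WebKit's code: the names PermissionSource, Outcome, queryPreFix, queryPostFix and resolveWithoutPageIdentifier are hypothetical, the RELEASE_ASSERT_NOT_REACHED() default arm is represented by returning Outcome::AbortedUIProcess rather than actually aborting, and the MESSAGE_CHECK_COMPLETION behaviour is represented by returning Outcome::RejectedSender.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <optional>

// Hypothetical model of the source values named in the advisory.
enum class PermissionSource { Window, SharedWorker, ServiceWorker };

// What the UI process ends up doing with a Query message (model only).
enum class Outcome {
    Handled,           // request dispatched normally
    RejectedSender,    // stands in for MESSAGE_CHECK_COMPLETION failing: sender is terminated
    AbortedUIProcess   // stands in for RELEASE_ASSERT_NOT_REACHED(): UI process aborts
};

// Model of the Query IPC payload: an optional page identifier plus the source.
struct Query {
    std::optional<uint64_t> pageIdentifier;
    PermissionSource source;
};

static bool isWorkerSource(PermissionSource source)
{
    return source == PermissionSource::SharedWorker || source == PermissionSource::ServiceWorker;
}

// Model of mostReasonableWebPageProxy(): only defined for worker sources; the
// default arm is the unreachable assertion the pre-fix code could reach.
static Outcome resolveWithoutPageIdentifier(PermissionSource source)
{
    switch (source) {
    case PermissionSource::SharedWorker:
    case PermissionSource::ServiceWorker:
        return Outcome::Handled;
    default:
        return Outcome::AbortedUIProcess; // RELEASE_ASSERT_NOT_REACHED() in the real code
    }
}

// Pre-fix shape: trusts the IPC payload and falls through to the asserting helper.
static Outcome queryPreFix(const Query& query)
{
    if (query.pageIdentifier)
        return Outcome::Handled;
    return resolveWithoutPageIdentifier(query.source);
}

// Post-fix shape: the invariant (identifier set OR source is a worker) is checked
// at the boundary; a violating message rejects the sender instead of asserting.
static Outcome queryPostFix(const Query& query)
{
    if (!(query.pageIdentifier || isWorkerSource(query.source)))
        return Outcome::RejectedSender; // MESSAGE_CHECK_COMPLETION equivalent
    if (query.pageIdentifier)
        return Outcome::Handled;
    return resolveWithoutPageIdentifier(query.source);
}

static const char* describe(Outcome outcome)
{
    switch (outcome) {
    case Outcome::Handled: return "handled";
    case Outcome::RejectedSender: return "rejected sender";
    default: return "UI process abort";
    }
}

int main()
{
    // Constructed messages: the attacker-shaped one has no identifier and a Window source.
    const Query malformed { std::nullopt, PermissionSource::Window };
    const Query workerQuery { std::nullopt, PermissionSource::ServiceWorker };
    const Query pageQuery { std::optional<uint64_t> { 42 }, PermissionSource::Window };

    std::printf("pre-fix  malformed: %s\n", describe(queryPreFix(malformed)));
    std::printf("post-fix malformed: %s\n", describe(queryPostFix(malformed)));
    std::printf("post-fix worker:    %s\n", describe(queryPostFix(workerQuery)));
    std::printf("post-fix page:      %s\n", describe(queryPostFix(pageQuery)));
    return 0;
}
```

The check is deliberately written as the disjunction stated in the advisory rather than as a list of allowed sources, so that a valid message (identifier present, or a worker source without one) reaches the same code as before and only the previously impossible combination changes behaviour.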