[5] NetworkProcess null-deref on a BroadcastChannel message with a null name
Severity: Low | Component: WebKit NetworkProcess IPC surface | e85a1ea
The diff fixes a null-StringImpl dereference in the NetworkProcess that is triggered by a forged IPC message. No attacker-controlled data reaches the fault address, so the observable impact is limited to a crash (availability). There is no path to memory corruption, and reaching the vulnerability requires an already-compromised WebProcess. Taken together, this is rated Low.
NetworkBroadcastChannelRegistry uses the channel name received over IPC as the key of a HashMap<String, ...>. registerChannel() looks the name up through ensure(), while unregisterChannel() and postMessage() look it up through find(). A compromised or misbehaving WebProcess can send a null String as the name. Looking up a null String as a key dereferences the null StringImpl during hashing: StringHash::hash() calls key.impl()->hash(), and impl() returns nullptr for a null String. As a result the network process crashes before HashTable::validateKey() ever runs. The fix adds a MESSAGE_CHECK to all three endpoints that rejects a null name, handled the same way as the existing origin validation.
Source/WebKit/NetworkProcess/NetworkBroadcastChannelRegistry.cpp
void NetworkBroadcastChannelRegistry::registerChannel(IPC::Connection& connection, const WebCore::ClientOrigin& origin, const String& name)
{
MESSAGE_CHECK(isValidClientOrigin(origin), connection);
+ MESSAGE_CHECK(!name.isNull(), connection);
auto& channelsForOrigin = m_broadcastChannels.ensure(origin, [] { return NameToConnectionIdentifiersMap { }; }).iterator->value;
auto& connectionIdentifiersForName = channelsForOrigin.ensure(name, [] { return Vector<IPC::Connection::UniqueID> { }; }).iterator->value;
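Review bot: the new `MESSAGE_CHECK(!name.isNull(), connection)` targets exactly the dangerous case, since a non-null empty String still has a real StringImpl and hashes safely; a short comment beside the check explaining why `isNull()` rather than `isEmpty()` is the right predicate (empty channel names are legitimate keys) would stop a future cleanup from "tightening" it and breaking empty-name channels. Placement is correct: it runs before the `channelsForOrigin.ensure(name, ...)` call that hashes the key.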
...
void NetworkBroadcastChannelRegistry::unregisterChannel(...) {
MESSAGE_CHECK(isValidClientOrigin(origin), connection);
+ MESSAGE_CHECK(!name.isNull(), connection);
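Review bot: this is now the second verbatim copy of the origin-plus-name check pair, and postMessage() needs a third in the completion-handler flavour; consider a small shared helper or at least a comment so that any future endpoint on this registry copies both checks together rather than only the origin check, which is exactly how the name check came to be missing. The elided `(...)` signature hides the parameter, so confirm in the full diff that `name` here is the same `const String&` as in registerChannel().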
...
void NetworkBroadcastChannelRegistry::postMessage(...) {
MESSAGE_CHECK_COMPLETION(isValidClientOrigin(origin), connection, completionHandler());
+ MESSAGE_CHECK_COMPLETION(!name.isNull(), connection, completionHandler());
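Review bot: using MESSAGE_CHECK_COMPLETION rather than MESSAGE_CHECK is the right choice here because postMessage() carries a completionHandler; invoking `completionHandler()` on the rejection path keeps the reply contract intact before the connection is torn down. Keeping the name check after the origin check matches the other two handlers, so a message failing both checks is reported the same way everywhere.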
LayoutTests/ipc/coreipc.js
case 'String':
+ if (argument === null)
+ return {value: null, type: 'String'};
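Review bot: `argument === null` handles only `null`; an `undefined` argument still falls through to the existing 'String' path, so decide whether the test serializer should reject it or treat it as a null String as well (`argument == null` would cover both). Since this branch exists so the layout test can emit a null String on purpose, a one-line comment saying the null case is intentional and mirrors a null WTF::String on the wire would help readers who assume a null argument is a test bug.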
Patch Details
registerChannel() and unregisterChannel() gain MESSAGE_CHECK(!name.isNull(), connection); postMessage() gains MESSAGE_CHECK_COMPLETION(!name.isNull(), connection, completionHandler()). In every case the new check sits immediately after the existing isValidClientOrigin(origin) check and before the String name is used as a HashMap key. The rest of the diff is incidental: a new layout test that reproduces the bug through the IPC testing API, and a one-line change to the ArgumentSerializer in coreipc.js so that a null String argument can be serialized.
Missing null check on attacker-controlled IPC input before it is used as a hash-map key; the backing StringImpl is dereferenced during hashing.
Background
BroadcastChannel is a Web API that lets browsing contexts of the same origin exchange messages. The NetworkProcess keeps a central registry to route messages between WebProcesses. MESSAGE_CHECK is a WebKit IPC macro that validates a condition on an incoming message; if the check fails, processing stops and the connection is terminated. WTF String is a wrapper around a refcounted StringImpl. For a null String, impl() returns null, and StringHash::hash() computes the key's hash by calling key.impl()->hash(). HashMap insertion and lookup hash the key first and only then run HashTable::validateKey(). IPCTestingAPI is a test-only facility that lets a layout test synthesize raw IPC messages to a target process; here it is used to reproduce the message a compromised WebProcess could send.
Analysis
This is a null pointer dereference caused by unvalidated IPC input. Before the fix, NetworkBroadcastChannelRegistry used the channel name received over IPC directly as a HashMap<String, ...> key without checking it for null. Each endpoint validated the ClientOrigin through isValidClientOrigin but performed no equivalent validation on the name.
When a null String is used as the key, the hash table computes the key's hash before it reaches HashTable::validateKey(). In doing so, StringHash::hash() calls key.impl()->hash(); since impl() returns nullptr for a null String, a null StringImpl is dereferenced.
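As an added example (this is not WebKit's code), a small C++ model of the pattern the analysis describes: a String-like wrapper whose impl() can be null, a hasher that dereferences impl() the way StringHash::hash() does, and a registerChannel-style handler before and after the MESSAGE_CHECK-equivalent guard. MiniString, Impl, StringHash, StringEq and the two handlers are all assumptions of the model; the model throws where the real code would dereference nullptr, so the unchecked path can be exercised without crashing.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <unordered_map>
#include <vector>

struct Impl {                                   // model of WTF::StringImpl (assumed)
    std::string chars;
    std::size_t hash() const { return std::hash<std::string>{}(chars); }
};
struct MiniString {                             // model of WTF::String (assumed)
    std::shared_ptr<Impl> m_impl;               // nullptr means "null String"; "" is NOT null
    static MiniString null() { return {}; }
    static MiniString from(const std::string& s) { return {std::make_shared<Impl>(Impl{s})}; }
    bool isNull() const { return !m_impl; }
    const Impl* impl() const { return m_impl.get(); }
};
// Model of StringHash::hash(): the map hashes the key before any validateKey() runs.
// The real code dereferences nullptr here; the model throws so a test can observe it.
struct StringHash {
    std::size_t operator()(const MiniString& k) const {
        if (!k.impl()) throw std::logic_error("null StringImpl dereferenced in hash");
        return k.impl()->hash();
    }
};
struct StringEq {
    bool operator()(const MiniString& a, const MiniString& b) const { return a.impl()->chars == b.impl()->chars; }
};
using NameToConnections = std::unordered_map<MiniString, std::vector<int>, StringHash, StringEq>;
enum class Result { Ok, NameRejected };
// Pre-fix shape: the IPC-supplied name goes straight into the map as a key.
Result registerUnchecked(NameToConnections& map, const MiniString& name, int conn) { map[name].push_back(conn); return Result::Ok; }
// Post-fix shape: the MESSAGE_CHECK equivalent runs before the key is ever hashed.
Result registerChecked(NameToConnections& map, const MiniString& name, int conn) {
    if (name.isNull()) return Result::NameRejected;  // MESSAGE_CHECK(!name.isNull(), connection)
    map[name].push_back(conn); return Result::Ok;
}
// True when the unchecked handler reaches the hasher with a null name (the crash path).
bool uncheckedDerefsNull() {
    NameToConnections map;
    try { registerUnchecked(map, MiniString::null(), 1); } catch (const std::logic_error&) { return true; }
    return false;
}
// Feeds the checked handler a null, an empty and a normal name; returns the key count (2).
std::size_t checkedScenarioKeyCount() {
    NameToConnections map;
    if (registerChecked(map, MiniString::null(), 1) != Result::NameRejected) return 0;
    registerChecked(map, MiniString::from(""), 2);   // empty name is a valid non-null key
    registerChecked(map, MiniString::from("chat"), 3);
    return map.size();
}
```

The point the model makes is that the guard has to sit in the handler, before the map access, because nothing inside the hash table runs before the key's hash is computed.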