[webkit-changes] [WebKit/WebKit] acac64: Versioning.

Charlie Wolfe noreply at github.com
Wed Dec 11 11:11:05 PST 2024


  Branch: refs/heads/safari-7620.1.16.13-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: acac640a757f5f8ab84aeaf9a4c7a5d6a04d9b43
      https://github.com/WebKit/WebKit/commit/acac640a757f5f8ab84aeaf9a4c7a5d6a04d9b43
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-11-06 (Wed, 06 Nov 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7620.1.16.13.1

Canonical link: https://commits.webkit.org/283286.442@safari-7620.1.16.13-branch


  Commit: 7480f652706b4d4dc75af0a8d9b39cbae2780ddd
      https://github.com/WebKit/WebKit/commit/7480f652706b4d4dc75af0a8d9b39cbae2780ddd
  Author: Kiet Ho <kiet.ho at apple.com>
  Date:   2024-11-07 (Thu, 07 Nov 2024)

  Changed paths:
    A LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
    A LayoutTests/fast/dom/view-transition-lifetime-crash.html
    M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
    M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
    M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/ViewTransition.cpp
    M Source/WebCore/dom/ViewTransition.h
    M Source/WebCore/dom/VisibilityChangeClient.h

  Log Message:
  -----------
  Cherry-pick 430e2dd31ad1. rdar://138799302

    Cherry-pick c8d323b1851e. rdar://139301982

        REGRESSION (283084 at main): Document::visibilityStateChanged does not hold reference to callback clients
        rdar://138799302
        https://bugs.webkit.org/show_bug.cgi?id=282360

        Reviewed by Tim Nguyen, Ryosuke Niwa, and Chris Dumez.

        Document::visibilityStateChanged() invokes visibility state callback clients, but does not
        hold a reference to them before invoking. The client could then accidentally free itself
        and cause a UAF. One possible route that leads to a UAF is through ViewTransition,
        which the test case demonstrates:

        * The ViewTransition C++ objects are allocated by document.startViewTransition().
          After the call, each object has a ref count of at least 2 (one in the JS wrapper
          that wraps the C++ object, one in Document::m_activeViewTransition)
        * The GC is invoked, which releases the JS wrappers and decreases the ref count to 1
        * The document visibility state is changed. This invokes ViewTransition::visibilityStateChanged
          on each object, which calls ::skipViewTransition, which calls ::clearViewTransition.
          ::clearViewTransition sets Document::m_activeViewTransition to null, so the object ref
          count is 0 and it's deallocated. ::clearViewTransition then continues to modify the
          (already deallocated) object, leading to a UAF.

        Fix this by holding a reference to the callback clients before invoking it. This involves
        making VisibilityChangeClient ref counted. Then Document::visibilityStateChanged()
        would hold a reference to the client before invoking it. As WakeLockManager
        (which inherits VisibilityChangeClient) wasn't ref counted, this patch also makes it
        ref counted.

        It's also observed that the JS wrapper should not be deallocated by the GC before the
        view transition has completed. This commit fixes this by implementing
        ViewTransition::virtualHasPendingActivity(), which the GC consults to determine whether
        to deallocate the wrapper or not.

        * LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt: Added.
        * LayoutTests/fast/dom/view-transition-lifetime-crash.html: Added.
        * Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp:
        (WebCore::WakeLockManager::ref const): Delegated ref() to the document.
        (WebCore::WakeLockManager::deref const): Delegated deref() to the document.
        * Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h: Made WakeLockManager ref counted by declaring ref() and deref().
        * Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp:
        (WebCore::WakeLockSentinel::release): Hold a reference to the document's WakeLockManager before using it.
        * Source/WebCore/dom/Document.cpp:
        (WebCore::Document::visibilityStateChanged): Hold a reference to the visibility state callback client before calling it.
        (WebCore::Document::wakeLockManager): Used makeUniqueWithoutRefCountedCheck to create new WakeLockManager.
        * Source/WebCore/dom/ViewTransition.cpp:
        (WebCore::ViewTransition::virtualHasPendingActivity const): Added implementation.
        * Source/WebCore/dom/ViewTransition.h:
        * Source/WebCore/dom/VisibilityChangeClient.h: Made VisibilityChangeClient ref counted.

        Canonical link: https://commits.webkit.org/286136@main

    Canonical link: https://commits.webkit.org/283286.444@safari-7620-branch
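The lifetime hazard described in the commit message above, replayed as an added example that is not WebKit's code: RefCounted, RefPtr, Document, VisibilityChangeClient and ViewTransition below are small stand-ins for the WTF and WebCore types (hypothetical, written for this illustration), and the trace strings are constructed. `visibilityStateChanged(false)` follows the regression (no reference held while the client runs) and `visibilityStateChanged(true)` follows the fix (a RefPtr taken before the call); the trace shows the object being destroyed mid-callback in the first case and after the callback in the second. The unsafe path only appends to a global trace after the object is gone rather than touching its members, so the demonstration itself stays well-defined.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Lifetime events recorded by the stand-in objects below (constructed for this example).
static std::vector<std::string> g_trace;

// Hypothetical stand-in for WTF::RefCounted: intrusive count, object deletes itself at zero.
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
protected:
    virtual ~RefCounted() = default;
private:
    std::size_t m_refCount { 0 };
};

// Hypothetical stand-in for WTF::RefPtr.
template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) { }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { T* old = m_ptr; m_ptr = other.m_ptr; if (m_ptr) m_ptr->ref(); if (old) old->deref(); return *this; }
    RefPtr& operator=(std::nullptr_t) { T* old = m_ptr; m_ptr = nullptr; if (old) old->deref(); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

class VisibilityChangeClient : public RefCounted {
public:
    virtual void visibilityStateChanged() = 0;
};

class ViewTransition;

class Document {
public:
    ~Document();
    RefPtr<ViewTransition> startViewTransition();
    void clearViewTransition();
    void removeVisibilityClient(VisibilityChangeClient&);
    // holdReference == false reproduces the regression; true applies the fix.
    void visibilityStateChanged(bool holdReference);
private:
    std::vector<VisibilityChangeClient*> m_visibilityClients; // raw pointers, as in the regression
    RefPtr<ViewTransition> m_activeViewTransition;
};

class ViewTransition final : public VisibilityChangeClient {
public:
    explicit ViewTransition(Document& document) : m_document(document) { }
    ~ViewTransition() override {
        g_trace.push_back("destroyed");
        m_document.removeVisibilityClient(*this);
    }
    void visibilityStateChanged() override {
        g_trace.push_back("skip:begin");
        m_document.clearViewTransition(); // may drop the last reference to *this
        // The regression went on to modify members of *this here (the UAF). This example
        // deliberately touches nothing on the object past this point, only the global trace.
        g_trace.push_back("skip:end");
    }
private:
    Document& m_document;
};

Document::~Document() = default;

RefPtr<ViewTransition> Document::startViewTransition()
{
    RefPtr<ViewTransition> transition = new ViewTransition(*this);
    m_visibilityClients.push_back(transition.get());
    m_activeViewTransition = transition; // one reference here, the returned "JS wrapper" is the other
    return transition;
}

void Document::clearViewTransition() { m_activeViewTransition = nullptr; }

void Document::removeVisibilityClient(VisibilityChangeClient& client)
{
    m_visibilityClients.erase(std::remove(m_visibilityClients.begin(), m_visibilityClients.end(), &client), m_visibilityClients.end());
}

void Document::visibilityStateChanged(bool holdReference)
{
    auto clients = m_visibilityClients; // copy: a callback may unregister clients
    for (auto* client : clients) {
        if (holdReference) {
            RefPtr<VisibilityChangeClient> protectedClient = client; // the fix: keep the client alive across the call
            protectedClient->visibilityStateChanged();
        } else
            client->visibilityStateChanged(); // the regression: nothing keeps the client alive
    }
}

// Replays the steps from the commit message: startViewTransition(), the GC drops the JS
// wrapper, then the document's visibility changes. Returns the order of lifetime events.
std::vector<std::string> runScenario(bool holdReference)
{
    g_trace.clear();
    Document document;
    {
        RefPtr<ViewTransition> jsWrapper = document.startViewTransition(); // ref count 2
    } // GC releases the wrapper: ref count 1 (only m_activeViewTransition)
    document.visibilityStateChanged(holdReference);
    return g_trace;
}

// True when the client was still alive at the moment its callback returned.
bool clientOutlivesCallback(bool holdReference)
{
    auto trace = runScenario(holdReference);
    auto destroyed = std::find(trace.begin(), trace.end(), "destroyed");
    auto callbackEnd = std::find(trace.begin(), trace.end(), "skip:end");
    return destroyed > callbackEnd;
}

int main()
{
    for (bool hold : { false, true }) {
        std::cout << (hold ? "with reference:    " : "without reference: ");
        for (auto& event : runScenario(hold)) std::cout << event << ' ';
        std::cout << '\n';
    }
    return 0;
}
```

Run stand-alone, the first line prints `skip:begin destroyed skip:end` (the object dies inside its own callback) and the second `skip:begin skip:end destroyed`. The same shape applies to any observer list whose callbacks can release the observer: copy the list, and hold a strong reference to each entry for the duration of the call.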


  Commit: d334932fb4891e09e138a822e89735cead005bdd
      https://github.com/WebKit/WebKit/commit/d334932fb4891e09e138a822e89735cead005bdd
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-11-11 (Mon, 11 Nov 2024)

  Changed paths:
    M Source/WTF/wtf/LockAlgorithm.h

  Log Message:
  -----------
  Cherry-pick 4d456933d70e. rdar://139645285

    LockAlgorithm::unlockFast is too fast
    https://bugs.webkit.org/show_bug.cgi?id=282865
    rdar://139548123

    Reviewed by Yusuke Suzuki.

    Right now it has relaxed ordering but that's not correct since it means writes to the critical section
    could happen after the lock is unlocked. This could lead to arbitrary crashes or other general badness.

    * Source/WTF/wtf/LockAlgorithm.h:
    (WTF::LockAlgorithm::unlockFast):

    Canonical link: https://commits.webkit.org/283286.466@safari-7620-branch
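An added example, not WTF's LockAlgorithm: a minimal spinlock whose unlock store uses the release ordering the commit message above calls for, paired with a multi-threaded check that increments a plain counter under the lock. SpinLock, unlockFast and countWithLock are names chosen for this illustration. The comment in unlockFast states the hazard of the relaxed store: stores made inside the critical section may become visible after the lock already reads as free, so another thread can enter and race them.

```cpp
#include <atomic>
#include <iostream>
#include <thread>
#include <vector>

// Hypothetical minimal lock; the only point of interest is the ordering on each atomic op.
class SpinLock {
public:
    void lock()
    {
        // acquire: nothing from the critical section can be reordered before we own the lock
        while (m_locked.exchange(true, std::memory_order_acquire)) { /* spin */ }
    }
    void unlockFast()
    {
        // release: every write made inside the critical section is visible to the next
        // acquirer before it sees the lock as free. A relaxed store here (the defect the
        // commit describes) lets those writes drift past the unlock.
        m_locked.store(false, std::memory_order_release);
    }
private:
    std::atomic<bool> m_locked { false };
};

// Increments a non-atomic counter from several threads, each step under the lock.
// With correct acquire/release pairing the result is exactly threads * iterations.
long countWithLock(int threads, int iterations)
{
    SpinLock lock;
    long counter = 0; // deliberately not atomic: the lock is what protects it
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&] {
            for (int i = 0; i < iterations; ++i) {
                lock.lock();
                ++counter;
                lock.unlockFast();
            }
        });
    }
    for (auto& worker : workers)
        worker.join();
    return counter;
}

int main()
{
    std::cout << countWithLock(4, 10000) << '\n'; // 40000
    return 0;
}
```

A lost update from a relaxed unlock is timing-dependent and will not show on every run, which is why reviewing the memory order on the unlock path matters more than any single test; the counter check above is the regression test one would keep alongside such a fix.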


  Commit: 795028c18ad0f711a9a3889e2e0f26ae9d266b3d
      https://github.com/WebKit/WebKit/commit/795028c18ad0f711a9a3889e2e0f26ae9d266b3d
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-11-11 (Mon, 11 Nov 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7620.1.16.13.2

Canonical link: https://commits.webkit.org/283286.445@safari-7620.1.16.13-branch


  Commit: 9d572c7081524ad52155002c3ca47377ea4a3429
      https://github.com/WebKit/WebKit/commit/9d572c7081524ad52155002c3ca47377ea4a3429
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-11-11 (Mon, 11 Nov 2024)

  Changed paths:
    M Source/WTF/wtf/LockAlgorithm.h

  Log Message:
  -----------
  Revert 4d456933d70e. rdar://139645285

This reverts commit d334932fb4891e09e138a822e89735cead005bdd.


  Commit: 00fd4c2c48544977d10e2d21dda5f019d8042e61
      https://github.com/WebKit/WebKit/commit/00fd4c2c48544977d10e2d21dda5f019d8042e61
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-11-14 (Thu, 14 Nov 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7620.1.16.13.3

Canonical link: https://commits.webkit.org/283286.447@safari-7620.1.16.13-branch


  Commit: a8f918c3058da727c54a85903b37b82366071d4b
      https://github.com/WebKit/WebKit/commit/a8f918c3058da727c54a85903b37b82366071d4b
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2024-11-14 (Thu, 14 Nov 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkProcess.h
    M Source/WebKit/NetworkProcess/NetworkSession.cpp
    M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp
    M Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm

  Log Message:
  -----------
  Cherry-pick 2815b4e29829. rdar://139887841

    Data Isolation bypass via attacker controlled firstPartyForCookies
    https://bugs.webkit.org/show_bug.cgi?id=283095
    rdar://139818629

    Reviewed by Matthew Finkel and Alex Christensen.

    `NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or
    empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but
    we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly
    have about:blank set as their firstPartyForCookies, causing us to kill the WCP.

    This patch is a lower risk change that removes the unconditional cookie access for requests that have an
    empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty
    firstPartyForCookies.

    * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
    (WebKit::NetworkConnectionToWebProcess::createSocketChannel):
    (WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad):
    (WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
    (WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
    (WebKit::NetworkConnectionToWebProcess::cookiesEnabled):
    (WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
    (WebKit::NetworkConnectionToWebProcess::getRawCookies):
    (WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
    (WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
    (WebKit::NetworkConnectionToWebProcess::domCookiesForHost):
    (WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
    * Source/WebKit/NetworkProcess/NetworkProcess.cpp:
    (WebKit::NetworkProcess::allowsFirstPartyForCookies):
    * Source/WebKit/NetworkProcess/NetworkProcess.h:
    * Source/WebKit/NetworkProcess/NetworkSession.cpp:
    (WebKit::NetworkSession::addAllowedFirstPartyForCookies):
    * Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
    (WebKit::WebSWServerConnection::scheduleJobInServer):
    * Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp:
    (WebKit::WebSharedWorkerServerConnection::requestSharedWorker):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
    (EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue):

    Canonical link: https://commits.webkit.org/283286.477@safari-7620-branch


Compare: https://github.com/WebKit/WebKit/compare/acac640a757f%5E...a8f918c3058d
