[webkit-changes] [WebKit/WebKit] 8da8cd: Remove SecKeychainItemRef from CFTypeRef serializa...

Alex Christensen noreply at github.com
Mon May 27 13:21:05 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8da8cdb10ac1e7f81579589d658e8359a236d427
      https://github.com/WebKit/WebKit/commit/8da8cdb10ac1e7f81579589d658e8359a236d427
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2024-05-27 (Mon, 27 May 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/mac/SecItemShim.cpp
    M Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.h
    M Source/WebKit/Shared/Cocoa/CoreIPCCFType.h
    M Source/WebKit/Shared/Cocoa/CoreIPCCFType.mm
    M Source/WebKit/Shared/Cocoa/CoreIPCCFType.serialization.in
    M Source/WebKit/Shared/mac/SecItemResponseData.h
    M Source/WebKit/Shared/mac/SecItemResponseData.serialization.in
    M Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp

  Log Message:
  -----------
  Remove SecKeychainItemRef from CFTypeRef serialization
https://bugs.webkit.org/show_bug.cgi?id=274670
rdar://126271015

Reviewed by Brady Eidson.

SecKeychainItemRef is one of several types that can be returned from a call to SecItemCopyMatching.
Because we have SecItemShim and SecItemShimProxy which proxy calls to the UI process from the network
process, SecKeychainItemRef needs to be serialized across IPC.  Historically, the only way to express
that multiple types can be sent across IPC at one endpoint was to send a RetainPtr<CFTypeRef>, which
required adding SecKeychainItemRef to the list of CFTypeRefs that can be serialized.  The problem with
that is that everywhere we send or receive a CFDictionaryRef or a CFArrayRef we also use a
RetainPtr<CFTypeRef> to serialize their contents, which can be of many types.  We don't need all the
dictionaries and arrays to be able to serialize a SecKeychainItemRef, and we have historically prevented
this from being the cause of IPC-reachable exploits by adding this release assertion:
RELEASE_ASSERT(hasProcessPrivilege(ProcessPrivilege::CanAccessCredentials));
This worked well, but that assertion is often hit by IPC fuzzers.  To properly solve this, in this PR
I remove SecKeychainItemRef from the list of things that can be contained by CFDictionaryRef and
CFArrayRef and add a new variant of types that allows it only where needed: in SecItemResponseData.

* Source/WebKit/NetworkProcess/mac/SecItemShim.cpp:
(WebKit::webSecItemCopyMatching):
* Source/WebKit/Shared/Cocoa/ArgumentCodersCocoa.h:
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.h:
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.mm:
(WebKit::variantFromCFType):
(WebKit::CoreIPCCFType::toCFType const):
(IPC::typeFromCFTypeRef):
* Source/WebKit/Shared/Cocoa/CoreIPCCFType.serialization.in:
* Source/WebKit/Shared/mac/SecItemResponseData.h:
(WebKit::SecItemResponseData::SecItemResponseData):
(WebKit::SecItemResponseData::resultObject):
(WebKit::SecItemResponseData::resultObject const):
* Source/WebKit/Shared/mac/SecItemResponseData.serialization.in:
* Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp:
(WebKit::SecItemShimProxy::secItemRequest):

Canonical link: https://commits.webkit.org/279354@main
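An added illustration of the pattern the commit message describes, written for this page and not taken from WebKit: a small C++ model in which the generic variant used for dictionary and array contents excludes the privileged type, while a separate response-only variant admits it. Every name here (Tag, GenericValue, SecItemResult, KeychainItem standing in for SecKeychainItemRef, Reader) and the tagged wire format are invented for the example; WebKit's real serialization.in-generated coders are not shown.

```cpp
// Added example, not WebKit code. Names and wire format are hypothetical.
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <type_traits>
#include <variant>
#include <vector>

// Hypothetical wire tags for a tiny tagged encoding.
enum class Tag : uint8_t { Number = 1, String = 2, KeychainItem = 3 };

struct Number { int64_t value; };
struct String { std::string value; };
struct KeychainItem { std::string label; };  // privileged; stands in for SecKeychainItemRef

// What a dictionary or array element may be. KeychainItem is deliberately
// absent, so no container decoded from untrusted IPC can ever produce one.
using GenericValue = std::variant<Number, String>;
using GenericArray = std::vector<GenericValue>;

// The one response type that legitimately carries a keychain item.
using SecItemResult = std::variant<Number, String, KeychainItem>;

// True when T is one of the alternatives of the variant V.
template <typename T, typename V> struct Holds;
template <typename T, typename... Ts>
struct Holds<T, std::variant<Ts...>> : std::bool_constant<(std::is_same_v<T, Ts> || ...)> {};

// Bounds-checked cursor over a received message.
struct Reader {
    const std::vector<uint8_t>& bytes;
    size_t pos = 0;

    std::optional<uint8_t> u8()
    {
        if (pos >= bytes.size()) return std::nullopt;
        return bytes[pos++];
    }
    std::optional<int64_t> i64()  // little-endian, 8 bytes
    {
        if (bytes.size() - pos < 8) return std::nullopt;
        uint64_t v = 0;
        for (int i = 0; i < 8; ++i) v |= uint64_t(bytes[pos + i]) << (8 * i);
        pos += 8;
        return static_cast<int64_t>(v);
    }
    std::optional<std::string> str()  // u8 length prefix, then bytes
    {
        auto len = u8();
        if (!len || bytes.size() - pos < static_cast<size_t>(*len)) return std::nullopt;
        std::string s(bytes.begin() + pos, bytes.begin() + pos + *len);
        pos += *len;
        return s;
    }
};

std::optional<Number> decodeNumber(Reader& r) { auto v = r.i64(); if (!v) return std::nullopt; return Number { *v }; }
std::optional<String> decodeString(Reader& r) { auto v = r.str(); if (!v) return std::nullopt; return String { *v }; }
std::optional<KeychainItem> decodeKeychainItem(Reader& r) { auto v = r.str(); if (!v) return std::nullopt; return KeychainItem { *v }; }

// Lift a decoded T into the variant V, or reject when V does not admit T.
// This is the type-level replacement for "decode anything, then
// RELEASE_ASSERT on process privilege": at an endpoint whose variant lacks
// the privileged type, that type is simply never constructed.
template <typename V, typename T>
std::optional<V> admit(std::optional<T> value)
{
    if constexpr (Holds<T, V>::value) {
        if (!value) return std::nullopt;
        return V { std::move(*value) };
    } else {
        (void)value;
        return std::nullopt;
    }
}

template <typename V>
std::optional<V> decodeValue(Reader& r)
{
    auto tag = r.u8();
    if (!tag) return std::nullopt;
    switch (static_cast<Tag>(*tag)) {
    case Tag::Number:       return admit<V>(decodeNumber(r));
    case Tag::String:       return admit<V>(decodeString(r));
    case Tag::KeychainItem: return admit<V>(decodeKeychainItem(r));
    default:                return std::nullopt;  // unknown tag
    }
}

// Arrays always hold GenericValue; one rejected element fails the whole array.
std::optional<GenericArray> decodeArray(Reader& r)
{
    auto count = r.u8();
    if (!count) return std::nullopt;
    GenericArray out;
    for (uint8_t i = 0; i < *count; ++i) {
        auto v = decodeValue<GenericValue>(r);
        if (!v) return std::nullopt;
        out.push_back(std::move(*v));
    }
    return out;
}

// Whole-message helpers: trailing bytes are treated as malformed input.
template <typename V>
std::optional<V> decodeMessage(const std::vector<uint8_t>& bytes)
{
    Reader r { bytes };
    auto v = decodeValue<V>(r);
    if (v && r.pos != bytes.size()) return std::nullopt;
    return v;
}
std::optional<GenericArray> decodeArrayMessage(const std::vector<uint8_t>& bytes)
{
    Reader r { bytes };
    auto v = decodeArray(r);
    if (v && r.pos != bytes.size()) return std::nullopt;
    return v;
}

// Constructed sample messages (not captured traffic).
std::vector<uint8_t> keychainItemMessage() { return { 3, 5, 'l', 'o', 'g', 'i', 'n' }; }
std::vector<uint8_t> arrayWithKeychainItemMessage() { return { 2, 1, 42, 0, 0, 0, 0, 0, 0, 0, 3, 5, 'l', 'o', 'g', 'i', 'n' }; }
std::vector<uint8_t> plainArrayMessage() { return { 1, 2, 2, 'h', 'i' }; }

int main()
{
    std::cout << "generic decoder accepts keychain item: " << (decodeMessage<GenericValue>(keychainItemMessage()) ? "yes" : "no") << '\n';
    std::cout << "response decoder accepts keychain item: " << (decodeMessage<SecItemResult>(keychainItemMessage()) ? "yes" : "no") << '\n';
    std::cout << "array smuggling a keychain item decodes: " << (decodeArrayMessage(arrayWithKeychainItemMessage()) ? "yes" : "no") << '\n';
}
```

The point a reviewer would check: a fuzzer that places tag 3 inside an array now gets an ordinary decode failure from the generic path, rather than reaching privileged-type construction and tripping a release assertion, while the response-only variant still decodes the same bytes where the keychain item is expected.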
