chore: Chromium backports M87-1 (#26932)
* chore: chromium backports M87-1 Contains applicable backports from M87-1 release CVE-2020-16037 CVE-2020-16041 CVE-2020-16042 * chore: cherry-pick 381c4b5679 from chromium. (#26832) * fix: message box missing an "OK" button in GTK (#26915) Co-authored-by: Mimi <1119186082@qq.com> * chore: cherry-pick d8d64b7cd244 from chromium (#26892) * chore: cherry-pick 290fe9c6e245 from v8 (#26896) * docs: add missing deprecated systemPreferences APIs to breaking-changes (#26934) Co-authored-by: Milan Burda <milan.burda@gmail.com> * chore: cherry-pick 3abc372c9c00 from chromium (#26894) * chore: cherry-pick 3abc372c9c00 from chromium * resolve conflict * fix: Avoid crashing in NativeViewHost::SetParentAccessible on Windows 10 (#26949) * fix: Avoid crashing in NativeViewHost::SetParentAccessible on Windows This fixes #26905. The patch was obtained from @deepak1556, who in turn got it from the Microsoft Teams folks. I believe the crash started happening due to the changes in https://chromium.googlesource.com/chromium/src.git/+/5c6c8e994bce2bfb867279ae5068e9f9134e70c3%5E!/#F15 This affects Electron 9 and later. Notes: Fix occasional crash on Windows * Update .patches * update patches Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: Electron Bot <electron@github.com> * fix: Upload all *.dll.pdb to symbol server (#26964) Fixes #26961. 
Notes: Add Electron DLLs like libGLESv2.dll to symbol server Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com> * fix: restrict sendToFrame to same-process frames by default (#26875) (#26927) * fix: restrict sendToFrame to same-process frames by default (#26875) * missed a conflict * fix build * fix build again * fix usage of defer * Bump v10.2.0 * chore: cherry-pick 6763a713f957 from skia (#26956) * chore: chromium backports M87-1 PR feedback: add links to changes in the upstream Co-authored-by: Andrey Belenko <anbelen@microsoft.com> Co-authored-by: Pedro Pontes <pepontes@microsoft.com> Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: Mimi <1119186082@qq.com> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: Milan Burda <milan.burda@gmail.com> Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com> Co-authored-by: Electron Bot <electron@github.com> Co-authored-by: Michaela Laurencin <35157522+mlaurencin@users.noreply.github.com>
1 parent
8baf1dc
commit ee86f02
Showing
5 changed files
with
190 additions
and
0 deletions.
@@ -0,0 +1,141 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Andrey Belenko <anbelen@microsoft.com> | ||
Date: Thu, 10 Dec 2020 18:04:03 +0100 | ||
Subject: Chromium backport: crbug.com/1142331 | ||
|
||
M87-1 | ||
Clipboard: Fix UaP in ClipboardWriter/FileReaderLoader | ||
https://chromium-review.googlesource.com/c/chromium/src/+/2536946 | ||
CVE-2020-16037 | ||
|
||
diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc | ||
index fc5f32d86fd2cc4aeeaadddc94da6ce5e8e7990a..9c72fb55426f685045418947427406016d947589 100644 | ||
--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc | ||
+++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc | ||
@@ -104,7 +104,7 @@ ScriptPromise ClipboardPromise::CreateForWriteText(ExecutionContext* context, | ||
|
||
ClipboardPromise::ClipboardPromise(ExecutionContext* context, | ||
ScriptState* script_state) | ||
- : ExecutionContextClient(context), | ||
+ : ExecutionContextLifecycleObserver(context), | ||
script_state_(script_state), | ||
script_promise_resolver_( | ||
MakeGarbageCollected<ScriptPromiseResolver>(script_state)), | ||
@@ -483,13 +483,20 @@ scoped_refptr<base::SingleThreadTaskRunner> ClipboardPromise::GetTaskRunner() { | ||
return GetExecutionContext()->GetTaskRunner(TaskType::kUserInteraction); | ||
} | ||
|
||
+// ExecutionContextLifecycleObserver implementation. | ||
+void ClipboardPromise::ContextDestroyed() { | ||
+ script_promise_resolver_->Reject(MakeGarbageCollected<DOMException>( | ||
+ DOMExceptionCode::kNotAllowedError, "Document detached.")); | ||
+ clipboard_writer_.Clear(); | ||
+} | ||
+ | ||
void ClipboardPromise::Trace(Visitor* visitor) const { | ||
visitor->Trace(script_state_); | ||
visitor->Trace(script_promise_resolver_); | ||
visitor->Trace(clipboard_writer_); | ||
visitor->Trace(permission_service_); | ||
visitor->Trace(clipboard_item_data_); | ||
- ExecutionContextClient::Trace(visitor); | ||
+ ExecutionContextLifecycleObserver::Trace(visitor); | ||
} | ||
|
||
} // namespace blink | ||
diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h | ||
index 18efbc8c632dd7061fb31437529f1b14a25beb3a..307ce3b51a7c75b60301885685f5c0d780997250 100644 | ||
--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h | ||
+++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h | ||
@@ -26,7 +26,7 @@ class ExecutionContext; | ||
class ClipboardItemOptions; | ||
|
||
class ClipboardPromise final : public GarbageCollected<ClipboardPromise>, | ||
- public ExecutionContextClient { | ||
+ public ExecutionContextLifecycleObserver { | ||
USING_GARBAGE_COLLECTED_MIXIN(ClipboardPromise); | ||
|
||
public: | ||
@@ -83,6 +83,9 @@ class ClipboardPromise final : public GarbageCollected<ClipboardPromise>, | ||
LocalFrame* GetLocalFrame() const; | ||
scoped_refptr<base::SingleThreadTaskRunner> GetTaskRunner(); | ||
|
||
+ // ExecutionContextLifecycleObserver | ||
+ void ContextDestroyed() override; | ||
+ | ||
Member<ScriptState> script_state_; | ||
Member<ScriptPromiseResolver> script_promise_resolver_; | ||
|
||
diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc | ||
index 2891db58d47b30575efd782ae1c7cf8ee7558cc4..4b224c9679ca51c01328479685970235f35a32fd 100644 | ||
--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc | ||
+++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc | ||
@@ -188,9 +188,12 @@ ClipboardWriter::ClipboardWriter(SystemClipboard* system_clipboard, | ||
file_reading_task_runner_(promise->GetExecutionContext()->GetTaskRunner( | ||
TaskType::kFileReading)), | ||
system_clipboard_(system_clipboard), | ||
- raw_system_clipboard_(raw_system_clipboard) {} | ||
+ raw_system_clipboard_(raw_system_clipboard), | ||
+ self_keep_alive_(PERSISTENT_FROM_HERE, this) {} | ||
|
||
-ClipboardWriter::~ClipboardWriter() = default; | ||
+ClipboardWriter::~ClipboardWriter() { | ||
+ DCHECK(!file_reader_); | ||
+} | ||
|
||
// static | ||
bool ClipboardWriter::IsValidType(const String& type, bool is_raw) { | ||
@@ -220,7 +223,9 @@ void ClipboardWriter::DidFinishLoading() { | ||
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); | ||
DOMArrayBuffer* array_buffer = file_reader_->ArrayBufferResult(); | ||
DCHECK(array_buffer); | ||
+ | ||
file_reader_.reset(); | ||
+ self_keep_alive_.Clear(); | ||
|
||
worker_pool::PostTask( | ||
FROM_HERE, CrossThreadBindOnce(&ClipboardWriter::DecodeOnBackgroundThread, | ||
@@ -230,6 +235,8 @@ void ClipboardWriter::DidFinishLoading() { | ||
} | ||
|
||
void ClipboardWriter::DidFail(FileErrorCode error_code) { | ||
+ file_reader_.reset(); | ||
+ self_keep_alive_.Clear(); | ||
promise_->RejectFromReadOrDecodeFailure(); | ||
} | ||
|
||
diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h | ||
index 527b063cd20900653dc37027bef8d24af31fb6de..3de3f5ad34b8ebf378421c64c917e3091e5343c6 100644 | ||
--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h | ||
+++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h | ||
@@ -9,6 +9,7 @@ | ||
#include "third_party/blink/renderer/core/fileapi/blob.h" | ||
#include "third_party/blink/renderer/core/fileapi/file_reader_loader_client.h" | ||
#include "third_party/blink/renderer/platform/heap/heap.h" | ||
+#include "third_party/blink/renderer/platform/heap/self_keep_alive.h" | ||
#include "third_party/skia/include/core/SkImage.h" | ||
|
||
namespace blink { | ||
@@ -27,6 +28,11 @@ class RawSystemClipboard; | ||
// take advantage of vulnerabilities in their decoders. In | ||
// ClipboardRawDataWriter, this decoding is skipped. | ||
// (3) Writing the blob's decoded contents to the system clipboard. | ||
+// | ||
+// ClipboardWriter is owned only by itself and ClipboardPromise. It keeps | ||
+// itself alive for the duration of FileReaderLoader's async operations using | ||
+// SelfKeepAlive, and keeps itself alive afterwards during cross-thread | ||
+// operations by using WrapCrossThreadPersistent. | ||
class ClipboardWriter : public GarbageCollected<ClipboardWriter>, | ||
public FileReaderLoaderClient { | ||
public: | ||
@@ -80,6 +86,10 @@ class ClipboardWriter : public GarbageCollected<ClipboardWriter>, | ||
Member<SystemClipboard> system_clipboard_; | ||
// Access to the global unsanitized system clipboard. | ||
Member<RawSystemClipboard> raw_system_clipboard_; | ||
+ | ||
+ // Oilpan: ClipboardWriter must remain alive until Member<T>::Clear() is | ||
+ // called, to keep the FileReaderLoader alive and avoid unexpected UaPs. | ||
+ SelfKeepAlive<ClipboardWriter> self_keep_alive_; | ||
}; | ||
|
||
} // namespace blink |
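Review bot: `ClipboardPromise::ContextDestroyed()` drops `clipboard_writer_` while a `FileReaderLoader` read may still be in flight, and nothing next to the `Clear()` says why that cannot free the writer under the loader; the justification lives only in the clipboard_writer.h comment (the writer holds itself via `SelfKeepAlive` until `DidFinishLoading`/`DidFail` clears it) and belongs at the call site. I would add `// The writer keeps itself alive (SelfKeepAlive) until its loader completes, so dropping our reference cannot free it under FileReaderLoader.` above `clipboard_writer_.Clear();`. The unconditional `Reject()` also assumes rejecting an already-settled resolver is harmless — presumably a no-op in Blink, but worth confirming, since `DidFail` can still reach `promise_->RejectFromReadOrDecodeFailure()` afterwards through the writer's own reference. The `DCHECK(!file_reader_)` in `~ClipboardWriter` only fires in debug builds; it documents the invariant but does not protect release builds, so the two `file_reader_.reset()` calls are the actual fix. If the upstream CL carried a regression test, the patch header should say it was dropped in this backport.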
@@ -0,0 +1,23 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Andrey Belenko <anbelen@microsoft.com> | ||
Date: Thu, 10 Dec 2020 22:16:48 +0100 | ||
Subject: Chromium backport: crbug.com/1151865 | ||
|
||
M87-1 | ||
Reject mojom::DataElement serialization if array size read failed | ||
https://chromium-review.googlesource.com/c/chromium/src/+/2567130 | ||
CVE-2020-16041 | ||
|
||
diff --git a/services/network/public/cpp/url_request_mojom_traits.cc b/services/network/public/cpp/url_request_mojom_traits.cc | ||
index ce1478f6df691d5b1f7862a45ac3989a43e2d814..881bcb23ab3291e61088458f46c446fe9e7fb7cf 100644 | ||
--- a/services/network/public/cpp/url_request_mojom_traits.cc | ||
+++ b/services/network/public/cpp/url_request_mojom_traits.cc | ||
@@ -286,6 +286,8 @@ bool StructTraits<network::mojom::DataElementDataView, network::DataElement>:: | ||
if (data.type() == network::mojom::DataElementType::kBytes) { | ||
if (!data.ReadBuf(&out->buf_)) | ||
return false; | ||
+ if (data.length() != out->buf_.size()) | ||
+ return false; | ||
} | ||
out->type_ = data.type(); | ||
out->data_pipe_getter_ = data.TakeDataPipeGetter< |
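Review bot: The new `data.length() != out->buf_.size()` check carries no comment on what it defends against, and a reader of this traits file will not see crbug.com/1151865. `length()` is supplied by the sender — a compromised renderer in the threat model this code serves — and is presumably also stored on the element further down (outside the hunk), so a value that disagrees with the bytes actually read must be treated as a malformed message rather than trusted later. I would add `// A compromised sender can claim a length that disagrees with the bytes it sent; reject rather than let length_ outrun buf_.` above the check. The comparison is applied only in the `kBytes` branch, which is the only case where the bytes are read inline here; the rest of the `Read()` body is outside the hunk, so whether other element types validate `length()` elsewhere cannot be confirmed from this patch.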
@@ -0,0 +1,23 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Andrey Belenko <anbelen@microsoft.com> | ||
Date: Thu, 10 Dec 2020 22:08:54 +0100 | ||
Subject: Chromium backport: crbug.com/1151890 | ||
|
||
M87-1 | ||
Fix possibly-uninitialized leading digit on right shift | ||
https://chromium-review.googlesource.com/c/v8/v8/+/2565245 | ||
CVE-2020-16042 | ||
|
||
diff --git a/src/objects/bigint.cc b/src/objects/bigint.cc | ||
index 2f8337db979d767dd421b5cf02ded59061ac64f4..d62e4cc00c8459adecaada32599ca25c7d1ad9e4 100644 | ||
--- a/src/objects/bigint.cc | ||
+++ b/src/objects/bigint.cc | ||
@@ -1862,6 +1862,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate, | ||
DCHECK_LE(result_length, length); | ||
Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked(); | ||
if (bits_shift == 0) { | ||
+ // Zero out any overflow digit (see "rounding_can_overflow" above). | ||
+ result->set_digit(result_length - 1, 0); | ||
for (int i = digit_shift; i < length; i++) { | ||
result->set_digit(i - digit_shift, x->digit(i)); | ||
} |
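Review bot: The comment on the new `set_digit(result_length - 1, 0)` points at `rounding_can_overflow` but does not say why that particular digit is the one at risk: when rounding added an extra digit, `result_length - 1` equals `length - digit_shift`, an index the copy loop just below never writes, so it would otherwise hold whatever `New()` left there (presumably uninitialized storage). I would make that explicit: `// If rounding_can_overflow added a digit, the copy loop below never writes index result_length - 1; clear it rather than leave New()'s uninitialized contents.` `RightShiftByAbsolute` starts before the hunk and its `bits_shift != 0` branch is not visible, so I cannot confirm that path initializes its top digit; worth checking against the upstream CL.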