chore: reconcile Chrome roll patches (#46314)

chore: reconcile chrome roll patches
2025-03-26 19:46:31 -07:00 · 2025-03-26 19:46:31 -07:00 · 39cbd0c27c
commit 39cbd0c27c
parent cd5da1b933
2 changed files with 0 additions and 175 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@ -146,4 +146,3 @@ fix_drag_and_drop_icons_on_windows.patch
 chore_remove_conflicting_allow_unsafe_libc_calls.patch
 fix_take_snapped_status_into_account_when_showing_a_window.patch
 chore_modify_chromium_handling_of_mouse_events.patch
 cherry-pick-b8f80176b163.patch
--- a/patches/chromium/cherry-pick-b8f80176b163.patch
+++ b/patches/chromium/cherry-pick-b8f80176b163.patch
@ -1,174 +0,0 @@
 From b8f80176b1636154c6bfc85a607b05cc3aec50cb Mon Sep 17 00:00:00 2001
 From: Alex Gough <ajgo@chromium.org>
 Date: Mon, 24 Mar 2025 09:04:37 -0700
 Subject: [PATCH] Avoid receiving or sending sentinel handle values
 These values can be misinterpreted by OS functions, so
 avoid sending or receiving them over IPCZ.
 (cherry picked from commit 36dbbf38697dd1e23ef8944bb9e57f6e0b3d41ec)
 Bug: 405143032
 Change-Id: Ib578fb4727e78e2697c60c42005daa97e08695e9
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6380193
 Reviewed-by: Will Harris <wfh@chromium.org>
 Commit-Queue: Alex Gough <ajgo@chromium.org>
 Reviewed-by: Daniel Cheng <dcheng@chromium.org>
 Cr-Original-Commit-Position: refs/heads/main@{#1436135}
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6383569
 Owners-Override: Srinivas Sista <srinivassista@chromium.org>
 Commit-Queue: Srinivas Sista <srinivassista@chromium.org>
 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
 Cr-Commit-Position: refs/branch-heads/6998@{#2315}
 Cr-Branched-From: de9c6fafd8ae5c6ea0438764076ca7d04a0b165d-refs/heads/main@{#1415337}
 ---
 diff --git a/base/win/win_util.h b/base/win/win_util.h
 index c10538d..0bc93a25 100644
 --- a/base/win/win_util.h
 +++ b/base/win/win_util.h
@@ -49,6 +49,25 @@
 namespace win {
 +inline bool IsPseudoHandle(HANDLE h) {
 +  // Note that there appears to be no official documentation covering the
 +  // existence of specific pseudo handle values. In practice it's clear that
 +  // e.g. -1 is the current process, -2 is the current thread, etc. The largest
 +  // negative value known to be an issue with DuplicateHandle in fuzzers is
 +  // -12.
 +  //
 +  // Note that there is virtually no risk of a real handle value falling within
 +  // this range and being misclassified as a pseudo handle.
 +  //
 +  // Cast through uintptr_t and then unsigned int to make the truncation to
 +  // 32 bits explicit. Handles are size of-pointer but are always 32-bit values.
 +  // https://msdn.microsoft.com/en-us/library/aa384203(VS.85).aspx says:
 +  // 64-bit versions of Windows use 32-bit handles for interoperability.
 +  constexpr int kMinimumKnownPseudoHandleValue = -12;
 +  const auto value = static_cast<int32_t>(reinterpret_cast<uintptr_t>(h));
 +  return value < 0 && value >= kMinimumKnownPseudoHandleValue;
 +}
 +
 inline uint32_t HandleToUint32(HANDLE h) {
   // Cast through uintptr_t and then unsigned int to make the truncation to
   // 32 bits explicit. Handles are size of-pointer but are always 32-bit values.
 diff --git a/base/win/win_util_unittest.cc b/base/win/win_util_unittest.cc
 index 70eedf10..f8bbc0b 100644
 --- a/base/win/win_util_unittest.cc
 +++ b/base/win/win_util_unittest.cc
@@ -91,6 +91,12 @@
   EXPECT_EQ(INVALID_HANDLE_VALUE, Uint32ToHandle(invalid_handle));
 }
 +TEST(BaseWinUtilTest, PseudoHandles) {
 +  EXPECT_TRUE(IsPseudoHandle(::GetCurrentProcess()));
 +  EXPECT_TRUE(IsPseudoHandle(::GetCurrentThread()));
 +  EXPECT_FALSE(IsPseudoHandle(nullptr));
 +}
 +
 TEST(BaseWinUtilTest, WStringFromGUID) {
   const GUID kGuid = {0x7698f759,
                       0xf5b0,
 diff --git a/mojo/core/ipcz_driver/transport.cc b/mojo/core/ipcz_driver/transport.cc
 index 96918f8..d1e3286 100644
 --- a/mojo/core/ipcz_driver/transport.cc
 +++ b/mojo/core/ipcz_driver/transport.cc
@@ -34,6 +34,7 @@
 #include "third_party/ipcz/include/ipcz/ipcz.h"
 #if BUILDFLAG(IS_WIN)
 +#include "base/win/win_util.h"
 #include "mojo/public/cpp/platform/platform_handle_security_util_win.h"
 #endif
@@ -135,10 +136,12 @@
                   HandleOwner handle_owner,
                   HandleData& out_handle_data,
                   bool is_remote_process_untrusted) {
 +  CHECK(handle.is_valid());
   // Duplicating INVALID_HANDLE_VALUE passes a process handle. If you intend to
   // do this, you must open a valid process handle, not pass the result of
 -  // GetCurrentProcess(). e.g. https://crbug.com/243339.
 -  CHECK(handle.is_valid());
 +  // GetCurrentProcess() or GetCurrentThread(). e.g. https://crbug.com/243339.
 +  CHECK(!handle.is_pseudo_handle());
 +
   if (handle_owner == HandleOwner::kSender) {
     // Nothing to do when sending handles that belong to us. The recipient must
     // be sufficiently privileged and equipped to duplicate such handles to
@@ -178,6 +181,10 @@
                             HandleOwner handle_owner,
                             Transport& from_transport) {
   const HANDLE handle = DataToHandle(data);
 +  // Do not decode sentinel values used by Windows (INVALID_HANDLE_VALUE &
 +  // GetCurrentThread()).
 +  CHECK(!base::win::IsPseudoHandle(handle));
 +
   if (handle_owner == HandleOwner::kRecipient) {
     if (from_transport.destination_type() != Transport::kBroker &&
         !from_transport.is_peer_trusted() && !remote_process.is_current()) {
 diff --git a/mojo/core/platform_handle_in_transit.cc b/mojo/core/platform_handle_in_transit.cc
 index 44330d2..670dca4 100644
 --- a/mojo/core/platform_handle_in_transit.cc
 +++ b/mojo/core/platform_handle_in_transit.cc
@@ -18,6 +18,7 @@
 #include "base/win/nt_status.h"
 #include "base/win/scoped_handle.h"
 +#include "base/win/win_util.h"
 #include "mojo/public/cpp/platform/platform_handle_security_util_win.h"
 #endif
@@ -37,8 +38,8 @@
   // Duplicating INVALID_HANDLE_VALUE passes a process handle. If you intend to
   // do this, you must open a valid process handle, not pass the result of
 -  // GetCurrentProcess(). e.g. https://crbug.com/243339.
 -  CHECK(handle != INVALID_HANDLE_VALUE);
 +  // GetCurrentProcess() or GetCurrentThread(). e.g. https://crbug.com/243339.
 +  CHECK(!base::win::IsPseudoHandle(handle));
   HANDLE out_handle;
   BOOL result =
@@ -164,17 +165,7 @@
 #if BUILDFLAG(IS_WIN)
 // static
 bool PlatformHandleInTransit::IsPseudoHandle(HANDLE handle) {
 -  // Note that there appears to be no official documentation covering the
 -  // existence of specific pseudo handle values. In practice it's clear that
 -  // e.g. -1 is the current process, -2 is the current thread, etc. The largest
 -  // negative value known to be an issue with DuplicateHandle in the fuzzer is
 -  // -12.
 -  //
 -  // Note that there is virtually no risk of a real handle value falling within
 -  // this range and being misclassified as a pseudo handle.
 -  constexpr int kMinimumKnownPseudoHandleValue = -12;
 -  const auto value = static_cast<int32_t>(reinterpret_cast<uintptr_t>(handle));
 -  return value < 0 && value >= kMinimumKnownPseudoHandleValue;
 +  return base::win::IsPseudoHandle(handle);
 }
 // static
 diff --git a/mojo/public/cpp/platform/platform_handle.h b/mojo/public/cpp/platform/platform_handle.h
 index 7154aeb..3390540d 100644
 --- a/mojo/public/cpp/platform/platform_handle.h
 +++ b/mojo/public/cpp/platform/platform_handle.h
@@ -13,6 +13,7 @@
 #if BUILDFLAG(IS_WIN)
 #include "base/win/scoped_handle.h"
 +#include "base/win/win_util.h"
 #elif BUILDFLAG(IS_FUCHSIA)
 #include <lib/zx/handle.h>
 #elif BUILDFLAG(IS_APPLE)
@@ -117,6 +118,9 @@
   bool is_valid() const { return is_valid_handle(); }
   bool is_valid_handle() const { return handle_.IsValid(); }
   bool is_handle() const { return type_ == Type::kHandle; }
 +  bool is_pseudo_handle() const {
 +    return base::win::IsPseudoHandle(handle_.get());
 +  }
   const base::win::ScopedHandle& GetHandle() const { return handle_; }
   base::win::ScopedHandle TakeHandle() {
     DCHECK_EQ(type_, Type::kHandle);