c670e38b4b
* chore: bump chromium in DEPS to 124.0.6361.0 * chore: bump chromium in DEPS to 124.0.6363.0 * chore: update patches Manually apply printing.patch w/no code changes due to upstream shear. Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5349263 * chore: bump chromium in DEPS to 124.0.6365.0 * chore: bump chromium in DEPS to 124.0.6367.0 * update patches * 5371735: Rename SystemGeolocationSourceMac to SystemGeolocationSourceApple https://chromium-review.googlesource.com/c/chromium/src/+/5371735 * missed a MAS bit * chore: update windows toolchain 5350823: New toolchain for Windows 11 10.0.22621.2428 SDK | https://chromium-review.googlesource.com/c/chromium/src/+/5350823 * chore: bump chromium in DEPS to 125.0.6368.0 * fix patches * chore: update patches * 5232401: [PDF] Move generic utils from //chrome to //components/pdf (1/2) https://chromium-review.googlesource.com/c/chromium/src/+/5232401 * revert https://chromium-review.googlesource.com/c/chromium/src/+/5380898 * chore: bump chromium in DEPS to 125.0.6370.0 * build: use updated windows toolchain * fix patches * chore: update patches * more pdf_util to components * 5372414: [Extensions] Remove DispatcherDelegate https://chromium-review.googlesource.com/c/chromium/src/+/5372414 * fix accessibility_ui patch * chore: bump chromium in DEPS to 125.0.6372.0 * chore: bump chromium in DEPS to 125.0.6374.0 * chore: bump chromium in DEPS to 125.0.6376.0 * chore: bump chromium in DEPS to 125.0.6378.0 * chore: bump chromium in DEPS to 125.0.6379.3 * chore: update patches (+ MAS patch changes) * chore: update patches * 5381159: Cleanup media::KeySystemSupportObserver https://chromium-review.googlesource.com/c/chromium/src/+/5381159 * 5382233: Reland "Web `Speech to Text` with SODA backend" https://chromium-review.googlesource.com/c/chromium/src/+/5382233 * chore: update `exclusive_access` patch - 5367497: Add a metric for the website state when Fullscreen API is requested - https://chromium-review.googlesource.com/c/chromium/src/+/5367497 * chore: add build dependency 5367497: Add a metric for the website state when Fullscreen API is requested https://chromium-review.googlesource.com/c/chromium/src/+/5367497 * chore: bump chromium in DEPS to 125.0.6382.0 * chore: update libcxx filenames * chore: update patches * chore: bump chromium in DEPS to 125.0.6384.0 * chore: remove old patch * 5394039: [Extensions] Change "blessed" -> "privileged" in extension feature files https://chromium-review.googlesource.com/c/chromium/src/+/5394039 * fix: remove deprecated errno constants in node/libuv * 5362194: Return expected from ProcessMetrics CPU methods https://chromium-review.googlesource.com/c/chromium/src/+/5362194 * 5383927: Add new Pickle factory functions with explicit ownership https://chromium-review.googlesource.com/c/chromium/src/+/5383927 * 5373340: Simplify app-region/Draggable Region implementation https://chromium-review.googlesource.com/c/chromium/src/+/5373340 * 5386875: Cleanup printing preferences files https://chromium-review.googlesource.com/c/chromium/src/+/5386875 * chore: update libc++ filenames * fix: add enterprise buildflags dep * chore: bump chromium in DEPS to 125.0.6386.0 * chore: add build dep * chore: update patches * chore: bump chromium in DEPS to 125.0.6388.0 * chore: bump chromium in DEPS to 125.0.6390.0 * chore: update patches * 4918014: preloading: Add NewTabPagePageLoadMetricsObserver https://chromium-review.googlesource.com/c/chromium/src/+/4918014 * 5401234: [PDF] Remove `PDFDocumentHelperClient::FindPdfChildFrame` API https://chromium-review.googlesource.com/c/chromium/src/+/5401234 * 5116175: Relocate Windows XPS printing feature helper methods https://chromium-review.googlesource.com/c/chromium/src/+/5116175 * fixup! 5373340: Simplify app-region/Draggable Region implementation https://chromium-review.googlesource.com/c/chromium/src/+/5373340 * fixup! chore: add build dep * chore: remove dead code & dead patch Was dealing with https://chromium-review.googlesource.com/c/chromium/src/+/5402805 when I realized this code is no longer possible to call. It seems like this code became dead in the previous roll (#41514). The patch exposed a `DxdiagDx12VulkanRequested` method on Chromium's `GpuDataManagerImpl`, which we consumed only in our own `GPUInfoManager::NeedsCompleteGpuInfoCollection`. There are no other references to this method, so it and the patch can both be deleted. Yay! * chore: bump chromium in DEPS to 125.0.6392.0 * chore: bump chromium in DEPS to 125.0.6393.0 * chore: update patches * chore: bump chromium in DEPS to 125.0.6394.0 * chore: bump chromium in DEPS to 125.0.6396.0 * chore: bump chromium in DEPS to 125.0.6397.0 * chore: update printing.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5100842 No code changes, but had to apply patch manually due to upstream code shear * chore: update add_maximized_parameter_to_linuxui_getwindowframeprovider.patch No manual changes; patch applied with fuzz 1 * chore: update feat_allow_code_cache_in_custom_schemes.patch No manual changes; patch applied with fuzz 2 * chore: silence "space before tab in indent" git rebase-apply warning * chore: e patches all * build: update all.gn to avoid FTBFS when disabling raw_ptr Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5371737 * Rename PdfService Mojo interface to PdfHost Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5411957 * chore: bump chromium in DEPS to 125.0.6398.0 * chore: update patches * chore: bump chromium in DEPS to 125.0.6400.0 * chore: update patches * [media] Remove unused `GetSupportedKeySystems` from MediaClient Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5420247 * chore: update JSInjection::New call to match upstream change Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5403967 [Extensions] Wire up the renderer for multiple user script worlds * 5362362: Derive display ID from monitor adapter ID instead of szDevice. https://chromium-review.googlesource.com/c/chromium/src/+/5362362 * 5116175: Relocate Windows XPS printing feature helper methods https://chromium-review.googlesource.com/c/chromium/src/+/5116175 * chore: add v8-sandbox.h to electron-node * chore: update patches * chore: update patches * fixup! 5394039: [Extensions] Change blessed -> privileged in extension feature files * chore: bump chromium in DEPS to 125.0.6412.0 * chore: update patches * chore: node script/gen-libc++-filenames.js * [FPF] Create Fingerprinting Protection ruleset service. Refs https://chromium-review.googlesource.com/c/chromium/src/+/5420158 * Add ExclusiveAccessPermissionManager Refs https://chromium-review.googlesource.com/c/chromium/src/+/5273787 * Preserve the PNG colorspace when decoding into a SkBitmap. Refs https://chromium-review.googlesource.com/c/chromium/src/+/5421254 * chore: iwyu * fix: abstract-socket compilation * ci: bump container for node 20 support * fixup! abstract-socket compilation * fix: compiling nan specs * chore: revert winreg version bump accidental bump to 1.2.5 revealed failing app.setasdefaultprotocolclient test suite. Should be revisited separately. * ci: set node 20 for darwin x64 tests * fix: broken patch export * chore: cleanup mas_avoid_private_macos_api_usage.patch.patch Removed code that was inadvertently put back after https://chromium-review.googlesource.com/c/chromium/src/+/5348565 removed it --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Charles Kerr <charles@charleskerr.com> Co-authored-by: Jeremy Rose <jeremya@chromium.org> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: clavin <clavin@electronjs.org> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: deepak1556 <hop2deep@gmail.com>
121 lines
5.4 KiB
Diff
121 lines
5.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: deepak1556 <hop2deep@gmail.com>
|
|
Date: Wed, 28 Jun 2023 21:11:40 +0900
|
|
Subject: fix: harden blink::ScriptState::MaybeFrom
|
|
|
|
This is needed as side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
|
|
which now gets blink::ExecutionContext from blink::ScriptState
|
|
and there are isolate callbacks which get entered from Node.js
|
|
environment that has v8::Context not associated with blink::ScriptState.
|
|
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
|
|
blink::UseCounterCallback etc.
|
|
|
|
Without this patch when blink::ScriptState::MaybeFrom tries to extract
|
|
blink::ScriptState from the provided v8::Context and since Node.js has context
|
|
embedder data fields with index greater than blink (see node_context_data.h)
|
|
leading to the following CHECK failure.
|
|
|
|
```
|
|
script_state.h(169)] Security Check Failed: script_state
|
|
```
|
|
|
|
This patch adds a new tag in the context associated with ScriptState
|
|
to uniquely identify. It is based on what Node.js does to identify the
|
|
context created by it in `node_context_data.h`.
|
|
|
|
PS: We are not performing a check like
|
|
|
|
```
|
|
ScriptState* script_state =
|
|
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
|
|
kV8ContextPerContextDataIndex));
|
|
if (!script_state) {
|
|
return nullptr;
|
|
}
|
|
```
|
|
|
|
since in 32-bit builds which does not have v8 sandbox enabled unlike 64-bit builds,
|
|
the embedder data slot will not lazy initialize indexes in the former. This means
|
|
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
|
|
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
|
|
|
|
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
|
|
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..99b2e2f63be8a46c5546dd53bc9b05e8c54e857c 100644
|
|
--- a/gin/public/gin_embedders.h
|
|
+++ b/gin/public/gin_embedders.h
|
|
@@ -18,6 +18,8 @@ namespace gin {
|
|
enum GinEmbedder : uint16_t {
|
|
kEmbedderNativeGin,
|
|
kEmbedderBlink,
|
|
+ kEmbedderElectron,
|
|
+ kEmbedderBlinkTag,
|
|
kEmbedderPDFium,
|
|
kEmbedderFuchsia,
|
|
};
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
index e4a27a24c83dd1a478b2ada8b6c8220076790791..c76dc818f38a62fff63852dbecbc85e304ac731d 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
@@ -13,6 +13,10 @@ namespace blink {
|
|
|
|
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
|
|
|
|
+int const ScriptState::kScriptStateTag = 0x6e6f64;
|
|
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
|
|
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
|
|
+
|
|
// static
|
|
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
|
|
DCHECK(create_callback);
|
|
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
|
|
DCHECK(world_);
|
|
context_.SetWeak(this, &OnV8ContextCollectedCallback);
|
|
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
|
|
+ context->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
|
|
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
|
|
execution_context);
|
|
}
|
|
@@ -79,6 +85,8 @@ void ScriptState::DissociateContext() {
|
|
// Cut the reference from V8 context to ScriptState.
|
|
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
|
|
nullptr);
|
|
+ GetContext()->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, nullptr);
|
|
reference_from_v8_context_.Clear();
|
|
|
|
// Cut the reference from ScriptState to V8 context.
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
index 5dcd3515a6685d31cf5ecd89b37d7b850caf887e..1148f2012c4f93a4a4b41a7ef597fdbe09fc7a16 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.h
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
@@ -180,7 +180,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static ScriptState* MaybeFrom(v8::Local<v8::Context> context) {
|
|
DCHECK(!context.IsEmpty());
|
|
if (context->GetNumberOfEmbedderDataFields() <=
|
|
- kV8ContextPerContextDataIndex) {
|
|
+ kV8ContextPerContextDataTagIndex) {
|
|
+ return nullptr;
|
|
+ }
|
|
+ if (context->GetAlignedPointerFromEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex) !=
|
|
+ ScriptState::kScriptStateTagPtr) {
|
|
return nullptr;
|
|
}
|
|
ScriptState* script_state =
|
|
@@ -247,9 +252,15 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static void SetCreateCallback(CreateCallback);
|
|
friend class ScriptStateImpl;
|
|
|
|
+ static void* const kScriptStateTagPtr;
|
|
+ static int const kScriptStateTag;
|
|
static constexpr int kV8ContextPerContextDataIndex =
|
|
static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
static_cast<int>(gin::kEmbedderBlink);
|
|
+ static constexpr int kV8ContextPerContextDataTagIndex =
|
|
+ static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
+ static_cast<int>(gin::kEmbedderBlink) +
|
|
+ static_cast<int>(gin::kEmbedderBlinkTag);
|
|
};
|
|
|
|
// ScriptStateProtectingContext keeps the context associated with the
|