2783f76f1f* chore: bump chromium in DEPS to 139.0.7258.6 * chore: bump chromium in DEPS to 139.0.7258.5 * chore: bump chromium in DEPS to 140.0.7270.1 * chore: bump chromium in DEPS to 140.0.7271.1 * chore: bump chromium in DEPS to 140.0.7273.0 * chore: bump chromium in DEPS to 140.0.7273.1 * chore: bump chromium in DEPS to 140.0.7275.1 * chore: bump chromium in DEPS to 140.0.7275.4 * chore: bump chromium in DEPS to 140.0.7277.1 * chore: bump chromium in DEPS to 140.0.7279.1 * chore: bump chromium in DEPS to 140.0.7281.1 * chore: bump chromium in DEPS to 140.0.7283.1 * chore: bump chromium in DEPS to 140.0.7285.1 * chore: bump chromium in DEPS to 140.0.7287.1 * chore: bump chromium in DEPS to 140.0.7289.0 * chore: bump chromium in DEPS to 140.0.7289.1 * chore: bump chromium in DEPS to 140.0.7291.1 * chore: bump chromium in DEPS to 140.0.7293.1 * chore: bump chromium in DEPS to 140.0.7295.1 * chore: bump chromium in DEPS to 140.0.7296.0 * chore: bump chromium to 140.0.7281.0 (main) (#47616) cherry picked from603cafad7e* chore: bump chromium in DEPS to 140.0.7269.2 * chore: bump chromium in DEPS to 140.0.7270.0 * chore: bump chromium in DEPS to 140.0.7271.0 * chore: bump chromium in DEPS to 140.0.7273.0 * 6516731: [ExclusiveAccessForAndroid] remove unneeded includes & deps | https://chromium-review.googlesource.com/c/chromium/src/+/6516731 * 6694809: dbus: Ensure systemd scope is started before using any portal services | https://chromium-review.googlesource.com/c/chromium/src/+/6694809 * chore: patch chromium * chore: export patches * chore: bump chromium in DEPS to 140.0.7275.0 * 6677511: [pepper] More pepper removal | https://chromium-review.googlesource.com/c/chromium/src/+/6677511 * 6513641: [gin] Rename gin::Wrappable to gin::DeprecatedWrappable | https://chromium-review.googlesource.com/c/chromium/src/+/6513641 * chore: export chromium patches * 6513641: [gin] Rename gin::Wrappable to gin::DeprecatedWrappable | https://chromium-review.googlesource.com/c/chromium/src/+/6513641 * chore: bump chromium in DEPS to 140.0.7277.0 * chore: bump chromium in DEPS to 140.0.7279.0 * chore: bump chromium in DEPS to 140.0.7281.0 * 6677314: Plumb enabled client hints in the network requestion to network layer https://chromium-review.googlesource.com/c/chromium/src/+/6677314 * 6351556: [source-phase-imports] Support Wasm Source Phase Imports https://chromium-review.googlesource.com/c/chromium/src/+/6351556 * 6700077: [renderer] Avoid calls to deprecated GetIsolate methods https://chromium-review.googlesource.com/c/chromium/src/+/6700077 * 6692873: Reland "Reland "FSA: Only normalize the hardcoded rules once during initialization"" https://chromium-review.googlesource.com/c/chromium/src/+/6692873 * 6686234: [gin] Cleanup NamedPropertyInterceptor for Wrappable https://chromium-review.googlesource.com/c/chromium/src/+/6686234 * chore: export patches * 6667723: Remove content_enable_legacy_ipc GN arg. https://chromium-review.googlesource.com/c/chromium/src/+/6667723 * 6646566: ui: Move NativeWindowTracker to its own directory https://chromium-review.googlesource.com/c/chromium/src/+/6646566 * fix: add missing includes * 6580522: [WAR, DNR] Fix unsafe redirect error to web accessible resource https://chromium-review.googlesource.com/c/chromium/src/+/6580522 * 6680477: Implement `completeCode` endpoint and expose to DevTools https://chromium-review.googlesource.com/c/chromium/src/+/6680477 * 6677511: [pepper] More pepper removal https://chromium-review.googlesource.com/c/chromium/src/+/6677511 * 6696689: Rename views::WidgetFocusManager -> NativeViewFocusManager https://chromium-review.googlesource.com/c/chromium/src/+/6696689 * 6702812: Move wtf/text/string_impl*.* to "blink" namespace https://chromium-review.googlesource.com/c/chromium/src/+/6702812 * chore: fix dialog patch * 6702431: [animation-trigger] Parse timeline-trigger-name https://chromium-review.googlesource.com/c/chromium/src/+/6702431 * chore: fixup patch indices * feat: replace webFrame.routingId with webFrame.frameToken * feat: WebFrameMain.prototype.frameToken * test: refactor to use replacement APIs * chore: fixup pip patch * test: adjust webFrame tests for frameToken changes * 6703757: Reland "Enable -fsanitize=array-bounds in non-UBSan builds" https://chromium-review.googlesource.com/c/chromium/src/+/6703757 * test: switch to frameTokens * test: routingId is fine to test in the main process * docs: add routingId to breaking changes * docs: update plugin-crashed event * chore: fixup linux dialog patch --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: alice <alice@makenotion.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: Samuel Maddock <smaddock@slack-corp.com> (cherry picked from commit603cafad7e) --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> Co-authored-by: alice <alice@makenotion.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com> Co-authored-by: Samuel Maddock <smaddock@slack-corp.com>
125 lines
5.5 KiB
Diff
125 lines
5.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: deepak1556 <hop2deep@gmail.com>
|
|
Date: Wed, 28 Jun 2023 21:11:40 +0900
|
|
Subject: fix: harden blink::ScriptState::MaybeFrom
|
|
|
|
This is needed as side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
|
|
which now gets blink::ExecutionContext from blink::ScriptState
|
|
and there are isolate callbacks which get entered from Node.js
|
|
environment that has v8::Context not associated with blink::ScriptState.
|
|
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
|
|
blink::UseCounterCallback etc.
|
|
|
|
Without this patch when blink::ScriptState::MaybeFrom tries to extract
|
|
blink::ScriptState from the provided v8::Context and since Node.js has context
|
|
embedder data fields with index greater than blink (see node_context_data.h)
|
|
leading to the following CHECK failure.
|
|
|
|
```
|
|
script_state.h(169)] Security Check Failed: script_state
|
|
```
|
|
|
|
This patch adds a new tag in the context associated with ScriptState
|
|
to uniquely identify. It is based on what Node.js does to identify the
|
|
context created by it in `node_context_data.h`.
|
|
|
|
PS: We are not performing a check like
|
|
|
|
```
|
|
ScriptState* script_state =
|
|
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
|
|
kV8ContextPerContextDataIndex));
|
|
if (!script_state) {
|
|
return nullptr;
|
|
}
|
|
```
|
|
|
|
since in 32-bit builds which does not have v8 sandbox enabled unlike 64-bit builds,
|
|
the embedder data slot will not lazy initialize indexes in the former. This means
|
|
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
|
|
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
|
|
|
|
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
|
|
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..2b7bdfbac06a42e6bc51eb65e023c3673e6eb885 100644
|
|
--- a/gin/public/gin_embedders.h
|
|
+++ b/gin/public/gin_embedders.h
|
|
@@ -20,6 +20,8 @@ enum GinEmbedder : uint16_t {
|
|
kEmbedderBlink,
|
|
kEmbedderPDFium,
|
|
kEmbedderFuchsia,
|
|
+ kEmbedderElectron,
|
|
+ kEmbedderBlinkTag,
|
|
};
|
|
|
|
} // namespace gin
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
index 2d5df763b6ebb2333ae4aef909865213fb9ad4df..2370f00a3f5ee70604c93a0999ea5cee3c9898f9 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
@@ -13,6 +13,10 @@ namespace blink {
|
|
|
|
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
|
|
|
|
+int const ScriptState::kScriptStateTag = 0x6e6f64;
|
|
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
|
|
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
|
|
+
|
|
// static
|
|
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
|
|
DCHECK(create_callback);
|
|
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
|
|
DCHECK(world_);
|
|
context_.SetWeak(this, &OnV8ContextCollectedCallback);
|
|
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
|
|
+ context->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
|
|
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
|
|
execution_context);
|
|
}
|
|
@@ -80,6 +86,8 @@ void ScriptState::DissociateContext() {
|
|
// Cut the reference from V8 context to ScriptState.
|
|
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
|
|
nullptr);
|
|
+ GetContext()->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, nullptr);
|
|
reference_from_v8_context_.Clear();
|
|
|
|
// Cut the reference from ScriptState to V8 context.
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
index b3cc8d819b06108386aed9465cab4f27a28b675f..9c8818f10de59fdd2a3fd44d9cd23d40a93b53a7 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.h
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
@@ -185,7 +185,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
v8::Local<v8::Context> context) {
|
|
DCHECK(!context.IsEmpty());
|
|
if (context->GetNumberOfEmbedderDataFields() <=
|
|
- kV8ContextPerContextDataIndex) {
|
|
+ kV8ContextPerContextDataTagIndex) {
|
|
+ return nullptr;
|
|
+ }
|
|
+ if (context->GetAlignedPointerFromEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex) !=
|
|
+ ScriptState::kScriptStateTagPtr) {
|
|
return nullptr;
|
|
}
|
|
ScriptState* script_state =
|
|
@@ -263,6 +268,8 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static void SetCreateCallback(CreateCallback);
|
|
friend class ScriptStateImpl;
|
|
|
|
+ static void* const kScriptStateTagPtr;
|
|
+ static int const kScriptStateTag;
|
|
static constexpr int kV8ContextPerContextDataIndex =
|
|
static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
static_cast<int>(gin::kEmbedderBlink);
|
|
@@ -271,6 +278,10 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
// internals.idl.
|
|
String last_compiled_script_file_name_;
|
|
bool last_compiled_script_used_code_cache_ = false;
|
|
+
|
|
+ static constexpr int kV8ContextPerContextDataTagIndex =
|
|
+ static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
+ static_cast<int>(gin::kEmbedderBlinkTag);
|
|
};
|
|
|
|
// ScriptStateProtectingContext keeps the context associated with the
|