be44a2c5b7
* chore: bump chromium in DEPS to 120.0.6049.0 * chore: update patches * chore: bump chromium in DEPS to 120.0.6050.0 * chore: update patches * 4910494: Reland "[autopip] Show autopip UI for video pip" https://chromium-review.googlesource.com/c/chromium/src/+/4910494 * 4812338: Move partition_alloc into a "partition_alloc" dir. https://chromium-review.googlesource.com/c/chromium/src/+/4812338 * [Extensions Cleanup] Remove mojom ViewType::kExtensionDialog https://chromium-review.googlesource.com/c/chromium/src/+/4909897 * 4894923: Force enable raw_ptrs pointer arithmetic check. https://chromium-review.googlesource.com/c/chromium/src/+/4894923 * gin: Prevent wrappables from being constructed from author code. https://chromium-review.googlesource.com/c/chromium/src/+/4905829 * chore: update patches * chore: bump chromium in DEPS to 120.0.6052.0 * chore: bump chromium in DEPS to 120.0.6054.0 * chore: bump chromium in DEPS to 120.0.6056.0 * chore: fix patches * 4918545: Reland "[autopip] Add permissions embargo" https://chromium-review.googlesource.com/c/chromium/src/+/4918545 * 4881761: UI bindings for visual logging with structured metrics. https://chromium-review.googlesource.com/c/chromium/src/+/4881761 * chore: bump chromium in DEPS to 120.0.6058.0 * chore: update patches * chore: bump chromium in DEPS to 120.0.6060.0 * chore: bump chromium in DEPS to 120.0.6061.0 * chore: bump chromium in DEPS to 120.0.6062.0 * chore: gen libc++ filenames * chore: update patches * 4911894: Move //c/b/ui/views/eye_dropper to //components https://chromium-review.googlesource.com/c/chromium/src/+/4911894 * chore: bump chromium in DEPS to 120.0.6064.0 * chore: bump chromium in DEPS to 120.0.6066.0 * chore: bump chromium in DEPS to 120.0.6068.0 * chore: bump chromium in DEPS to 120.0.6070.0 * chore: remove temp_prevent_unused_function_error.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4931270 * chore: add TransferDragSecurityInfo() Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4928028 * mark TransferDragSecurityInfo() as NOTREACHED A follow-up to previous commit. I think this is commit is correct (i.e. that this function shouldn't get called) but am not positive, so I'm including it in a standalone commit in case we need to revert. * chore: update signature of OnPrivateNetworkAccessPermissionRequired() Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4919478 Our impl is a no-op, so updating the signature is the only change. * chore: rebuild patches * chore: bump chromium in DEPS to 120.0.6072.0 * chore: update patches * chore: sync ParseMatchPattern() param order with upstream change Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4944243 * chore: update fix_crash_loading_non-standard_schemes_in_iframes.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4939602 * chore: rebuild patches * chore: bump chromium in DEPS to 120.0.6073.0 * chore: update patches * chore: bump chromium in DEPS to 120.0.6074.0 * chore: update disable_color_correct_rendering.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4908053 no manual changes; patch applied with fuzz 1 * chore: update fix_handle_no_top_level_aura_window_in_webcontentsimpl.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4936315 minor manual sync to upstream code shear * chore: rebuild patches * chore: update ClearHttpAuthCache arguments Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4937937 adding ClearDataFilterPtr arg. Upstream added this arg, which is already present in other NetworkContext methods. Our code uses `nullptr` there. * chore: bump chromium in DEPS to 120.0.6076.0 * chore: update mas_disable_remote_accessibility.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4865412 minor manual sync to upstream code shear * chore: update disable_color_correct_rendering.patch Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4942936 minor manual sync to upstream code shear * fix: move x11_util.h include to top of source file This is a short-term fix to unblock the roll. I will follow up a better fix in a standalone PR. * chore: rebuild patches * chore: bump chromium in DEPS to 120.0.6077.0 * chore: update patches * chore: bump chromium in DEPS to 120.0.6078.0 * chore: update patches * refactor: add BrowserProcessImpl::os_crypt_async() Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4455776 This is one to keep an eye on. This commit copies the upstream impl, which appears to be an interim step with more upstream code changes still forthcoming. Xref: https://bugs.chromium.org/p/chromium/issues/detail?id=1373092 * fixup! refactor: add BrowserProcessImpl::os_crypt_async() chore: make 'gn check' happy * chore: remove ensure_messageports_get_gced_when_not_referenced.patch Xref: ensure_messageports_get_gced_when_not_referenced.patch no longer needed because upstreamed * chore: remove webrtc/pipewire_capturer_make_restore_tokens_re-usable_more_than_one_time.patch Xref: https://webrtc-review.googlesource.com/c/src/+/322621 no longer needed because upstreamed * chore: add //components/compose:buildflags dep Xref: https://chromium-review.googlesource.com/c/chromium/src/+/4912601 needed by browser/ui/browser_dialogs.h * chore: update filenames.libcxx.gni node ./script/gen-libc++-filenames.js * test: fix UI.InspectorView -> UI.InspectorView.instance() --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: clavin <clavin@electronjs.org> Co-authored-by: Charles Kerr <charles@charleskerr.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
121 lines
5.4 KiB
Diff
121 lines
5.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: deepak1556 <hop2deep@gmail.com>
|
|
Date: Wed, 28 Jun 2023 21:11:40 +0900
|
|
Subject: fix: harden blink::ScriptState::MaybeFrom
|
|
|
|
This is needed as side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
|
|
which now gets blink::ExecutionContext from blink::ScriptState
|
|
and there are isolate callbacks which get entered from Node.js
|
|
environment that has v8::Context not associated with blink::ScriptState.
|
|
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
|
|
blink::UseCounterCallback etc.
|
|
|
|
Without this patch when blink::ScriptState::MaybeFrom tries to extract
|
|
blink::ScriptState from the provided v8::Context and since Node.js has context
|
|
embedder data fields with index greater than blink (see node_context_data.h)
|
|
leading to the following CHECK failure.
|
|
|
|
```
|
|
script_state.h(169)] Security Check Failed: script_state
|
|
```
|
|
|
|
This patch adds a new tag in the context associated with ScriptState
|
|
to uniquely identify. It is based on what Node.js does to identify the
|
|
context created by it in `node_context_data.h`.
|
|
|
|
PS: We are not performing a check like
|
|
|
|
```
|
|
ScriptState* script_state =
|
|
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
|
|
kV8ContextPerContextDataIndex));
|
|
if (!script_state) {
|
|
return nullptr;
|
|
}
|
|
```
|
|
|
|
since in 32-bit builds which does not have v8 sandbox enabled unlike 64-bit builds,
|
|
the embedder data slot will not lazy initialize indexes in the former. This means
|
|
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
|
|
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
|
|
|
|
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
|
|
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..99b2e2f63be8a46c5546dd53bc9b05e8c54e857c 100644
|
|
--- a/gin/public/gin_embedders.h
|
|
+++ b/gin/public/gin_embedders.h
|
|
@@ -18,6 +18,8 @@ namespace gin {
|
|
enum GinEmbedder : uint16_t {
|
|
kEmbedderNativeGin,
|
|
kEmbedderBlink,
|
|
+ kEmbedderElectron,
|
|
+ kEmbedderBlinkTag,
|
|
kEmbedderPDFium,
|
|
kEmbedderFuchsia,
|
|
};
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
index 7ff8785cd64c1264a88f91f7bd3292c6943f58ea..bc14ad8cab9fa3ec45bcb9f670b198970ecbeb92 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
@@ -13,6 +13,10 @@ namespace blink {
|
|
|
|
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
|
|
|
|
+int const ScriptState::kScriptStateTag = 0x6e6f64;
|
|
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
|
|
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
|
|
+
|
|
// static
|
|
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
|
|
DCHECK(create_callback);
|
|
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
|
|
DCHECK(world_);
|
|
context_.SetWeak(this, &OnV8ContextCollectedCallback);
|
|
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
|
|
+ context->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
|
|
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
|
|
execution_context);
|
|
}
|
|
@@ -78,6 +84,8 @@ void ScriptState::DissociateContext() {
|
|
// Cut the reference from V8 context to ScriptState.
|
|
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
|
|
nullptr);
|
|
+ GetContext()->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, nullptr);
|
|
reference_from_v8_context_.Clear();
|
|
|
|
// Cut the reference from ScriptState to V8 context.
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
index 6230f4272feb8aab426d45bebe55846020931bcf..2a973e435cfb0fbe4675a4a34bde8d3ecb9f4ac4 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.h
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
@@ -182,7 +182,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static ScriptState* MaybeFrom(v8::Local<v8::Context> context) {
|
|
DCHECK(!context.IsEmpty());
|
|
if (context->GetNumberOfEmbedderDataFields() <=
|
|
- kV8ContextPerContextDataIndex) {
|
|
+ kV8ContextPerContextDataTagIndex) {
|
|
+ return nullptr;
|
|
+ }
|
|
+ if (context->GetAlignedPointerFromEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex) !=
|
|
+ ScriptState::kScriptStateTagPtr) {
|
|
return nullptr;
|
|
}
|
|
ScriptState* script_state =
|
|
@@ -257,9 +262,15 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static void SetCreateCallback(CreateCallback);
|
|
friend class ScriptStateImpl;
|
|
|
|
+ static void* const kScriptStateTagPtr;
|
|
+ static int const kScriptStateTag;
|
|
static constexpr int kV8ContextPerContextDataIndex =
|
|
static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
static_cast<int>(gin::kEmbedderBlink);
|
|
+ static constexpr int kV8ContextPerContextDataTagIndex =
|
|
+ static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
+ static_cast<int>(gin::kEmbedderBlink) +
|
|
+ static_cast<int>(gin::kEmbedderBlinkTag);
|
|
};
|
|
|
|
// ScriptStateProtectingContext keeps the context associated with the
|