electron/patches/chromium/fix_harden_blink_scriptstate_maybefrom.patch
electron-roller[bot] 540d88f809
chore: bump chromium to 126.0.6478.36 (31-x-y) (#42167)
* chore: bump chromium in DEPS to 126.0.6468.2

* chore: bump chromium in DEPS to 126.0.6478.4

* chore: bump chromium in DEPS to 126.0.6478.9

* chore: bump chromium in DEPS to 126.0.6478.8

* 5492605: Migrate TODOs referencing old crbug IDs to the new issue tracker IDs | https://chromium-review.googlesource.com/c/chromium/src/+/5492605

(cherry picked from commit 01bbc6b9609954e6f5e8ed2d7c5864e6f2a7929b)

* 5513277: Move subresource-filter-ruleset to GCS | https://chromium-review.googlesource.com/c/chromium/src/+/5513277

(cherry picked from commit 284bbbdf86d640cfbe27831524a7cefa1f0ec344)

* 5512656: Remove CustomizeChromeSupportsChromeRefresh2023 | https://chromium-review.googlesource.com/c/chromium/src/+/5512656

(cherry picked from commit 41acddd97e2f4f79dba13a3916c1af46d47fa6f5)

* 5516009: Accept mouse events in inactive window for Top Chrome WebUIs | https://chromium-review.googlesource.com/c/chromium/src/+/5516009

(cherry picked from commit ffc88b3b2a7bee830a1e78b64afb6dfe6aff7347)

* 5376861: Change references to RWHVB in RWHIER and RenderWidgetTargeter to RWHVI. | https://chromium-review.googlesource.com/c/chromium/src/+/5376861

(cherry picked from commit 5a48cf6952f0c3fde8a4d2b717ac5b2d50d13671)

* 5490530: Use partition_alloc PA_BUILDFLAG(...) outside PA. #cleanup | https://chromium-review.googlesource.com/c/chromium/src/+/5490530

(cherry picked from commit 8deba32e729d3ded310be6645a27a78458046d69)

* 5296870: network: Allow trusted loaders to learn the sent request cookies. | https://chromium-review.googlesource.com/c/chromium/src/+/5296870

(cherry picked from commit 7aef2f0ad890bb778fa8843bd262daf6909c5f52)

* 5453438: Delegate delegated ink trails to RWHI from RWHIER. | https://chromium-review.googlesource.com/c/chromium/src/+/5453438

(cherry picked from commit 368eb3924a3b9b58430c7340b930254a3db6f1a3)

* chore: update patches

(cherry picked from commit 9d6dac074b0f173e43d8e587edbe7de1565de3d6)

* chore: update patches

(cherry picked from commit fb4134d68204ea85a095d496b31216905f801878)

* update patches

(cherry picked from commit 6f6fff5b0b08c4cccdbc98950f8cbb399caf6340)

* only disable enterprise_cloud_content_analysis

(cherry picked from commit 5426d227ee5f4ce60ed3f1c863fe506ee706e78b)

* 5403888: [api] support v8::Data in v8::TracedReference and v8::EmbedderGraph

https://chromium-review.googlesource.com/c/v8/v8/+/5403888
(cherry picked from commit 2030447cf5bbce26b73e2e9b054dee38438f9fdd)

* chore: update patches

* chore: fixup patch

* 5465511: [api] Mark v8::ObjectTemplate::SetAccessor(..) for deprecation

https://chromium-review.googlesource.com/c/v8/v8/+/5465511

* 5513528: Move service_provider_config files to components/enterprise/connectors/

https://chromium-review.googlesource.com/c/chromium/src/+/5513528

* chore: bump chromium in DEPS to 126.0.6478.17

* chore: bump chromium in DEPS to 126.0.6478.26

* chore: update patches

* build: use Sha256Sum in script/sysroots.json

Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5506275
(cherry picked from commit fccef2b6ba8769da9d8b1bd81fda5cc61b2086e0)

* fixup! build: use Sha256Sum in script/sysroots.json

`sync` succeeds now

(cherry picked from commit e71852729fbf3575d1bc37774deadddfebdeefb4)

* chore: cherry-pick Node.js patch for V8 API removal fix

Node.js PR: https://github.com/nodejs/node/pull/52996
V8 API Removal CL: https://chromium-review.googlesource.com/c/v8/v8/+/5539888

See the patch description for more details.

(cherry picked from commit ef0c441dbaa97478828ad481a39d0c2c93748729)

* chore: revert v8 deprecation

See patch message for more details.

https://chromium-review.googlesource.com/c/v8/v8/+/5526611
(cherry picked from commit 6f03785eadea8d8629970c24393f0900fc3fa4af)

* chore: revert v8 removal

https://chromium-review.googlesource.com/c/v8/v8/+/5497515

See patch message for more details.

(cherry picked from commit 4fd7f5bbb603b0461482fee027de7bfdbf02ceac)

* 5522321: [devtools] Support saving base64 encoded files via host bindings
https://chromium-review.googlesource.com/c/chromium/src/+/5522321

(cherry picked from commit 4b5f43d7838062834de6d634033fe10af2f9d01a)

* fixup! 5465511: [api] Mark v8::ObjectTemplate::SetAccessor(..) for deprecation https://chromium-review.googlesource.com/c/v8/v8/+/5465511

(cherry picked from commit 368005f2b2f9195bcffb5325041e3ff1041a3830)

* 5514687: Reland "Add a secret handshake to the base::Feature constructor"
https://chromium-review.googlesource.com/c/chromium/src/+/5514687

(cherry picked from commit 142c6e16b10496b3fffddc9924001fb94096852e)

* 5512176: Remove OnEnvironmentEstimationComplete()
https://chromium-review.googlesource.com/c/chromium/src/+/5512176

(cherry picked from commit 1e20ffb24ef6d0b0aeec8c314393cb77631ab279)

* 5539888: [api] Remove several APIs deprecated in version 12.6
https://chromium-review.googlesource.com/c/v8/v8/+/5539888

This commit essentially only removes the `only_terminate_in_safe_scope` isolate creation parameter. This undoes some work that was originally done in #35766.

(cherry picked from commit ceb6182b199e2471c64700203bf42b73052a38c6)

* 5492183: Extensions: CodeHealth: Give enums some class
https://chromium-review.googlesource.com/c/chromium/src/+/5492183

(cherry picked from commit a11b8e637cdc0868b6152dd5b0ed3b582f446aa7)

* 5483406: [PEPC] Make PEPC permission subscription take into account device status
https://chromium-review.googlesource.com/c/chromium/src/+/5483406

(cherry picked from commit fc93c876b481a988a6c1d5eb69d97035dc5ad64a)

* 5463431: iwa: Only create IsolatedWebAppURLLoaderFactory for subresources in IWAs
https://chromium-review.googlesource.com/c/chromium/src/+/5463431

(cherry picked from commit fbfe3c998c8251f28b76c2703a3212b5b0175a84)

* 5502081: Migrate OnDisplayRemoved to OnDisplaysRemoved
https://chromium-review.googlesource.com/c/chromium/src/+/5502081

(cherry picked from commit ccf9a5137efdf2ca18d9ee9851388338c26d036e)

* 5376861: Change references to RWHVB in RWHIER and RenderWidgetTargeter to RWHVI.
https://chromium-review.googlesource.com/c/chromium/src/+/5376861

(cherry picked from commit fd3e6ce148b3c5ab27e234d28b9405933ba32b14)

* fixup! 5530163: [media] Use VideoFrame::Plane typed enum instead of nameless enum https://chromium-review.googlesource.com/c/chromium/src/+/5530163

(cherry picked from commit 9a900e734a8c08e534317ca4d7411bfadd9087f5)

* 5530163: [media] Use VideoFrame::Plane typed enum instead of nameless enum
https://chromium-review.googlesource.com/c/chromium/src/+/5530163

(cherry picked from commit fd94de9736125c3121aed99f50f2702fc430ba26)

* 5466238: PDF Viewer: add metrics to record if PDF is opened with a11y
https://chromium-review.googlesource.com/c/chromium/src/+/5466238

(cherry picked from commit 2abb5d1737083241b6b6a4c05d5982693e956a22)

* 5513740: Reland "[Extensions] Restructure extensions::ProcessMap"
https://chromium-review.googlesource.com/c/chromium/src/+/5513740

(cherry picked from commit 11905a9840f1e8dce21cfdda1a23f328e8ff6a6a)

* 5498236: Make browser_tests force full async initialization for OSCrypt Async
https://chromium-review.googlesource.com/c/chromium/src/+/5498236

(cherry picked from commit e00faacb58545c37cfbf8a38a0cbe4ccb9f9df06)

* fixup: only disable enterprise_cloud_content_analysis

The original commit a5480accc2, was due to this CL 5527572: Move Connectors prefs files to components/enterprise/connectors/ | https://chromium-review.googlesource.com/c/chromium/src/+/5527572

(cherry picked from commit b0e2a7eab6c0decf982f913a892d5dfdb2501084)

* chore: update patches

* fixup: 5539888: [api] Remove several APIs deprecated in version 12.6

(cherry picked from commit ae65fea668baad44cac7073cbe0a64bca36bccac)

* views: use CalculatePreferredSize(SizeBounds) in '/chrome/browser/ui/views/[frame, infobars, /test]'.

https://chromium-review.googlesource.com/c/chromium/src/+/5493169

Needed because of 5504212: views: remove CalculatePreferredSize() | https://chromium-review.googlesource.com/c/chromium/src/+/5504212

* fixup: views: use CalculatePreferredSize(SizeBounds)

* 5499157: Enable kBlockMidiByDefault by default

https://chromium-review.googlesource.com/c/chromium/src/+/5499157

* 5518756: Reland^2: [heap] Add shared trusted spaces

https://chromium-review.googlesource.com/c/v8/v8/+/5518756

ececfe7aea

* chore: bump chromium in DEPS to 126.0.6478.36

* chore: update patches

* chore: add currently-unused should_include_device_status arg to GetPermissionStatusForCurrentDocument()

Xref: https://chromium-review.googlesource.com/c/chromium/src/+/5545382
(cherry picked from commit bc35c93efd2d3301e33116d2dd09abaf8eddbf70)

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <khammond@slack-corp.com>
Co-authored-by: VerteDinde <vertedinde@electronjs.org>
Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: clavin <clavin@electronjs.org>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
2024-06-07 10:22:46 +02:00

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: deepak1556 <hop2deep@gmail.com>
Date: Wed, 28 Jun 2023 21:11:40 +0900
Subject: fix: harden blink::ScriptState::MaybeFrom
This is needed as a side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446,
which now gets blink::ExecutionContext from blink::ScriptState,
and there are isolate callbacks which get entered from the Node.js
environment, which has a v8::Context not associated with a blink::ScriptState.
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
blink::UseCounterCallback, etc.
Without this patch, when blink::ScriptState::MaybeFrom tries to extract
the blink::ScriptState from the provided v8::Context, and since Node.js has context
embedder data fields with an index greater than Blink's (see node_context_data.h),
this leads to the following CHECK failure.
```
script_state.h(169)] Security Check Failed: script_state
```
This patch adds a new tag in the context associated with ScriptState
to uniquely identify it. It is based on what Node.js does to identify the
context created by it in `node_context_data.h`.
PS: We are not performing a check like
```
ScriptState* script_state =
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
kV8ContextPerContextDataIndex));
if (!script_state) {
return nullptr;
}
```
since 32-bit builds, which unlike 64-bit builds do not have the v8 sandbox enabled,
do not lazily initialize the embedder data slot indexes. This means
accessing uninitialized lower indexes can return garbage values that cannot be null-checked.
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
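The tag check the description introduces, as an added example that is not part of this patch, of Electron or of Chromium: a V8-free model of the two lookups (the null check the description rejects and the tag comparison it adopts) run over three constructed contexts, including one whose unwritten slots hold stale memory as the description says happens on 32-bit non-sandbox builds. The value kPerContextDataStartIndex = 1 is an assumption taken from gin's header, the positions kEmbedderBlink = 1 and kEmbedderBlinkTag = 3 are read off the patched enum; FakeContext, Associate, Dissociate, MaybeFromNullCheck, MaybeFromTagCheck and RunScenarios are names invented here.

```cpp
// Added example, not Electron/Chromium code: models v8::Context embedder data
// with a vector so the MaybeFrom logic of this patch can run without V8.
#include <cstddef>
#include <iostream>
#include <vector>

namespace model {

constexpr int kPerContextDataStartIndex = 1;  // assumed gin value
constexpr int kEmbedderBlink = 1;             // position in the patched enum
constexpr int kEmbedderBlinkTag = 3;          // position in the patched enum
constexpr int kDataIndex = kPerContextDataStartIndex + kEmbedderBlink;  // 2
// Same arithmetic as the patch's kV8ContextPerContextDataTagIndex: 5.
constexpr int kTagIndex =
    kPerContextDataStartIndex + kEmbedderBlink + kEmbedderBlinkTag;

// Only the address of this object is compared, never its value.
const int kScriptStateTag = 0x6e6f64;
void* const kScriptStateTagPtr =
    const_cast<void*>(static_cast<const void*>(&kScriptStateTag));

struct ScriptState {
  int id;
};

// Stand-in for a context's embedder data. Slots nobody wrote hold `stale`,
// modelling the non-lazily-initialised 32-bit case from the description.
class FakeContext {
 public:
  FakeContext(int fields, void* stale)
      : slots_(static_cast<size_t>(fields), stale), stale_(stale) {}
  int GetNumberOfEmbedderDataFields() const {
    return static_cast<int>(slots_.size());
  }
  void SetAlignedPointerInEmbedderData(int index, void* value) {
    if (static_cast<size_t>(index) >= slots_.size())
      slots_.resize(static_cast<size_t>(index) + 1, stale_);
    slots_[static_cast<size_t>(index)] = value;
  }
  void* GetAlignedPointerFromEmbedderData(int index) const {
    return slots_[static_cast<size_t>(index)];
  }

 private:
  std::vector<void*> slots_;
  void* stale_;
};

// What the ScriptState constructor and DissociateContext do in the patch.
void Associate(FakeContext& ctx, ScriptState* state) {
  ctx.SetAlignedPointerInEmbedderData(kDataIndex, state);
  ctx.SetAlignedPointerInEmbedderData(kTagIndex, kScriptStateTagPtr);
}
void Dissociate(FakeContext& ctx) {
  ctx.SetAlignedPointerInEmbedderData(kDataIndex, nullptr);
  ctx.SetAlignedPointerInEmbedderData(kTagIndex, nullptr);
}

// The rejected approach: bounds check, then trust whatever the slot holds.
ScriptState* MaybeFromNullCheck(const FakeContext& ctx) {
  if (ctx.GetNumberOfEmbedderDataFields() <= kDataIndex) return nullptr;
  return static_cast<ScriptState*>(
      ctx.GetAlignedPointerFromEmbedderData(kDataIndex));
}

// The patched approach: bounds check against the tag index, then require
// the tag slot to hold exactly kScriptStateTagPtr before reading the data.
ScriptState* MaybeFromTagCheck(const FakeContext& ctx) {
  if (ctx.GetNumberOfEmbedderDataFields() <= kTagIndex) return nullptr;
  if (ctx.GetAlignedPointerFromEmbedderData(kTagIndex) != kScriptStateTagPtr)
    return nullptr;
  return static_cast<ScriptState*>(
      ctx.GetAlignedPointerFromEmbedderData(kDataIndex));
}

struct Outcome {
  ScriptState* blink_null_check;
  ScriptState* blink_tag_check;
  ScriptState* foreign_null_check;  // non-null here is the bug being fixed
  ScriptState* foreign_tag_check;
  ScriptState* small_tag_check;
  ScriptState* dissociated_tag_check;
};

// Constructed contexts: Blink's own; a foreign one with many fields that
// Blink never wrote (a Node.js context, whose indexes sit above Blink's per
// the description); and one with too few fields for either index.
Outcome RunScenarios() {
  static ScriptState blink_state{1};
  static int stale_memory;  // any unrelated address stands in for leftovers
  void* stale = &stale_memory;

  FakeContext blink_ctx(1, stale);
  Associate(blink_ctx, &blink_state);
  FakeContext foreign_ctx(40, stale);
  FakeContext small_ctx(1, stale);

  Outcome out{};
  out.blink_null_check = MaybeFromNullCheck(blink_ctx);
  out.blink_tag_check = MaybeFromTagCheck(blink_ctx);
  out.foreign_null_check = MaybeFromNullCheck(foreign_ctx);
  out.foreign_tag_check = MaybeFromTagCheck(foreign_ctx);
  out.small_tag_check = MaybeFromTagCheck(small_ctx);
  Dissociate(blink_ctx);
  out.dissociated_tag_check = MaybeFromTagCheck(blink_ctx);
  return out;
}

}  // namespace model

int main() {
  model::Outcome o = model::RunScenarios();
  std::cout << "foreign context, null check: "
            << (o.foreign_null_check ? "bogus ScriptState*" : "nullptr")
            << "\nforeign context, tag check:  "
            << (o.foreign_tag_check ? "bogus ScriptState*" : "nullptr") << "\n";
  return 0;
}
```

The foreign context is the interesting case: its slot 2 holds stale memory, so the null-check variant hands back a non-null pointer that is not a ScriptState at all, while the tag variant returns nullptr because slot 5 does not hold the address of kScriptStateTag. A real Blink context passes both, and a dissociated one fails the tag check.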
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..99b2e2f63be8a46c5546dd53bc9b05e8c54e857c 100644
--- a/gin/public/gin_embedders.h
+++ b/gin/public/gin_embedders.h
@@ -18,6 +18,8 @@ namespace gin {
enum GinEmbedder : uint16_t {
kEmbedderNativeGin,
kEmbedderBlink,
+ kEmbedderElectron,
+ kEmbedderBlinkTag,
kEmbedderPDFium,
kEmbedderFuchsia,
};
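Review bot: inserting kEmbedderElectron and kEmbedderBlinkTag ahead of kEmbedderPDFium and kEmbedderFuchsia renumbers those two (they become 4 and 5 instead of 2 and 3), and because per-context embedder-data indexes are derived from these values (script_state.h below computes kV8ContextPerContextDataIndex as kPerContextDataStartIndex + kEmbedderBlink), any embedder that hard-codes its slot number instead of using the enum now reads a different slot. Appending the two new entries after kEmbedderFuchsia keeps the upstream values stable and makes this patch cheaper to carry across Chromium bumps. kEmbedderElectron is not used anywhere in this patch, and kEmbedderBlinkTag is not an embedder at all but a slot reservation; a one-line comment on each saying what they are for would save the next reader a search.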
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
index e4a27a24c83dd1a478b2ada8b6c8220076790791..c76dc818f38a62fff63852dbecbc85e304ac731d 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
@@ -13,6 +13,10 @@ namespace blink {
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
+int const ScriptState::kScriptStateTag = 0x6e6f64;
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
+
// static
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
DCHECK(create_callback);
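Review bot: MaybeFrom compares the slot against the address kScriptStateTagPtr, not against the value 0x6e6f64, so the magic number is never consulted; the definition of kScriptStateTag should carry a comment saying that only its address matters and that the bytes (they spell "nod") were borrowed from the Node.js context tag the description cites, so nobody later tries to match on the value or worries that Node and Blink share it. Keeping these as out-of-line definitions in this .cc is the right call for an identity comparison, and that reasoning is worth a sentence too.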
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
DCHECK(world_);
context_.SetWeak(this, &OnV8ContextCollectedCallback);
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
+ context->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
execution_context);
}
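Review bot: this pair of writes and the pair of clears in DissociateContext below are the only two places that must stay in step, and nothing ties them together; a small private helper taking the ScriptState pointer and the tag (or nullptr for both) called from both sites would keep the slot layout in one place across future rebases of this patch. A DCHECK that the tag slot does not already hold ScriptState::kScriptStateTagPtr before it is stamped would also catch a context being associated with a second ScriptState, which the tag scheme would otherwise silently accept.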
@@ -79,6 +85,8 @@ void ScriptState::DissociateContext() {
// Cut the reference from V8 context to ScriptState.
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
nullptr);
+ GetContext()->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, nullptr);
reference_from_v8_context_.Clear();
// Cut the reference from ScriptState to V8 context.
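Review bot: clearing the tag slot means MaybeFrom rejects a dissociated Blink context at the tag comparison instead of by returning the nulled data pointer, which is the same nullptr result either way; a one-line comment that both slots are reset together, mirroring the two writes in the constructor, would make that intent explicit and stop a later reader from dropping the second clear as redundant.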
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
index e9b16a9c71b9631222d0745428fea06be2e74472..aba4d930a9a45fb43e0aaac26af7df4fa07fc447 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.h
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
@@ -184,7 +184,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
v8::Local<v8::Context> context) {
DCHECK(!context.IsEmpty());
if (context->GetNumberOfEmbedderDataFields() <=
- kV8ContextPerContextDataIndex) {
+ kV8ContextPerContextDataTagIndex) {
+ return nullptr;
+ }
+ if (context->GetAlignedPointerFromEmbedderData(
+ kV8ContextPerContextDataTagIndex) !=
+ ScriptState::kScriptStateTagPtr) {
return nullptr;
}
ScriptState* script_state =
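Review bot: the tag comparison only rejects a foreign context whose slot kV8ContextPerContextDataTagIndex does not happen to hold the address of kScriptStateTag, so on the 32-bit non-sandbox builds the description mentions, where unwritten slots can hold stale memory, this is a strong heuristic rather than a hard guarantee; that is an acceptable trade-off, but the function deserves a comment saying so, together with a note that the bounds check now uses the tag index because it is the larger of the two and therefore also covers kV8ContextPerContextDataIndex. Without that, the next person to rebase this hunk is likely to "fix" the bounds check back to the data index, which would let a context with three to five fields reach the tag read out of bounds.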
@@ -251,9 +256,15 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
static void SetCreateCallback(CreateCallback);
friend class ScriptStateImpl;
+ static void* const kScriptStateTagPtr;
+ static int const kScriptStateTag;
static constexpr int kV8ContextPerContextDataIndex =
static_cast<int>(gin::kPerContextDataStartIndex) +
static_cast<int>(gin::kEmbedderBlink);
+ static constexpr int kV8ContextPerContextDataTagIndex =
+ static_cast<int>(gin::kPerContextDataStartIndex) +
+ static_cast<int>(gin::kEmbedderBlink) +
+ static_cast<int>(gin::kEmbedderBlinkTag);
};
// ScriptStateProtectingContext keeps the context associated with the
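Review bot: kV8ContextPerContextDataTagIndex adds two enum values, kEmbedderBlink + kEmbedderBlinkTag, instead of following the convention on the lines just above it (kPerContextDataStartIndex plus one embedder value). With the enum as patched in gin_embedders.h that evaluates to kPerContextDataStartIndex + 1 + 3 = kPerContextDataStartIndex + 4, which is exactly the slot the same convention assigns to kEmbedderPDFium (now 4), so the tag slot is only distinct because PDFium and Blink do not stamp the same context today. Define it as kPerContextDataStartIndex + kEmbedderBlinkTag, and add a static_assert that it differs from kV8ContextPerContextDataIndex and from the PDFium and Fuchsia slots, with a comment explaining the layout.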