diff options
| author | Brandon Jones <bajones@chromium.org> | 2022-12-02 21:34:35 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-02-15 14:00:56 +0000 |
| commit | 3eaa40d1f8a90e18e2ddb6d8a677b42652e489bc (patch) | |
| tree | c780726aed0d060c74d042c45c13c68f934cfaeb | |
| parent | 702735ee969634a9527280ff8ae39dacd177e576 (diff) | |
| download | qtwebengine-chromium-3eaa40d1f8a90e18e2ddb6d8a677b42652e489bc.tar.gz | |
[Backport] CVE-2023-0699: Use after free in GPU (1/2)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4076865:
Early terminate GetBucketContents if WaitForCmd fails
This should avoid the scenario outlined in crbug.com/1371859 where the
command isn't run due to the GPU process shutting down, but the memcpy
is attempted anyway.
Bug: 1371859
Change-Id: Ib2a4b735365f29d092be8003ba668854be1d5c3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4076865
Reviewed-by: Victor Miura <vmiura@chromium.org>
Commit-Queue: Brandon Jones <bajones@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1078779}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460497
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/gpu/command_buffer/client/implementation_base.cc | 8 | ||||
| -rw-r--r-- | chromium/gpu/command_buffer/client/implementation_base.h | 2 |
2 files changed, 6 insertions, 4 deletions
diff --git a/chromium/gpu/command_buffer/client/implementation_base.cc b/chromium/gpu/command_buffer/client/implementation_base.cc index 0492f62a9f7..8a3aa39c7fc 100644 --- a/chromium/gpu/command_buffer/client/implementation_base.cc +++ b/chromium/gpu/command_buffer/client/implementation_base.cc @@ -256,9 +256,9 @@ gpu::ContextResult ImplementationBase::Initialize( return gpu::ContextResult::kSuccess; } -void ImplementationBase::WaitForCmd() { +bool ImplementationBase::WaitForCmd() { TRACE_EVENT0("gpu", "ImplementationBase::WaitForCmd"); - helper_->Finish(); + return helper_->Finish(); } int32_t ImplementationBase::GetResultShmId() { @@ -301,7 +301,9 @@ bool ImplementationBase::GetBucketContents(uint32_t bucket_id, } helper_->GetBucketData(bucket_id, offset, buffer.size(), buffer.shm_id(), buffer.offset()); - WaitForCmd(); + if (!WaitForCmd()) { + return false; + } } uint32_t size_to_copy = std::min(size, buffer.size()); memcpy(&(*data)[offset], buffer.address(), size_to_copy); diff --git a/chromium/gpu/command_buffer/client/implementation_base.h b/chromium/gpu/command_buffer/client/implementation_base.h index 9e1ec175552..25b19800fbd 100644 --- a/chromium/gpu/command_buffer/client/implementation_base.h +++ b/chromium/gpu/command_buffer/client/implementation_base.h @@ -107,7 +107,7 @@ class GLES2_IMPL_EXPORT ImplementationBase gpu::ContextResult Initialize(const SharedMemoryLimits& limits); // Waits for all commands to execute. - void WaitForCmd(); + bool WaitForCmd(); // Gets the value of the result. template <typename T> |