authorVictor Costan <pwnall@chromium.org>2019-10-21 22:29:45 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-10 15:49:11 +0000
commit6f1a37c63baf7cdbb919221258ad6fe294de9d82 (patch)
tree51991a2590f871a098facdc5ff82ae9dbb032945
parent334bb80e4cebb56ec96f048cbef5f7b4f45e0763 (diff)
downloadqtwebengine-chromium-6f1a37c63baf7cdbb919221258ad6fe294de9d82.tar.gz
[Backport] Security bug 1016038
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1869384: IndexedDB: Mark transactions inactive during structured cloning. Bug: 1016038 Change-Id: Icf24fb597c0dbfd83220fac20a557d05b0c9b96b Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc2
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc25
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h9
3 files changed, 29 insertions, 7 deletions
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
index 72fbca73b91..38f60f03fcb 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc
@@ -411,6 +411,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state,
v8::Isolate* isolate = script_state->GetIsolate();
DCHECK(isolate->InContext());
+ transaction_->SetActiveDuringSerialization(false);
// TODO(crbug.com/719053): This wasm behavior differs from other browsers.
SerializedScriptValue::SerializeOptions::WasmSerializationPolicy wasm_policy =
ExecutionContext::From(script_state)->IsSecureContext()
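Review bot: The `transaction_->SetActiveDuringSerialization(false)` added here is paired only by convention with the `SetActiveDuringSerialization(true)` in the next hunk, and nothing in the code says why the window exists, so a future early return inserted between the two calls (or a reordering of the `IDBValueWrapper` construction) would leave the transaction permanently inactive and trip the `DCHECK_EQ(state_, kActive)` inside the setter on the next toggle. I would annotate the first call with `// Structured cloning must not observe an active transaction (crbug.com/1016038); the matching SetActiveDuringSerialization(true) below must stay adjacent to the IDBValueWrapper construction.` The restore is correctly placed before the `exception_state.HadException()` return in the next hunk. DoPut starts and ends outside these hunks, so I cannot see whether an active-transaction check precedes the first call; the setter's `DCHECK_EQ(state_, kActive)` assumes one does.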
@@ -418,6 +419,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state,
: SerializedScriptValue::SerializeOptions::kBlockedInNonSecureContext;
IDBValueWrapper value_wrapper(isolate, value.V8Value(), wasm_policy,
exception_state);
+ transaction_->SetActiveDuringSerialization(true);
if (exception_state.HadException())
return nullptr;
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
index 8d6a4a1d743..31069d060a0 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc
@@ -316,18 +316,31 @@ void IDBTransaction::IndexDeleted(IDBIndex* index) {
deleted_indexes_.push_back(index);
}
-void IDBTransaction::SetActive(bool active) {
- DCHECK_NE(state_, kFinished) << "A finished transaction tried to SetActive("
- << (active ? "true" : "false") << ")";
+void IDBTransaction::SetActive(bool new_is_active) {
+ DCHECK_NE(state_, kFinished)
+ << "A finished transaction tried to SetActive(" << new_is_active << ")";
if (state_ == kFinishing)
return;
- DCHECK_NE(active, (state_ == kActive));
- state_ = active ? kActive : kInactive;
+ DCHECK_NE(new_is_active, (state_ == kActive));
+ state_ = new_is_active ? kActive : kInactive;
- if (!active && request_list_.IsEmpty() && transaction_backend())
+ if (!new_is_active && request_list_.IsEmpty() && transaction_backend())
transaction_backend()->Commit(num_errors_handled_);
}
+void IDBTransaction::SetActiveDuringSerialization(bool new_is_active) {
+ if (new_is_active) {
+ DCHECK_EQ(state_, kInactive)
+ << "Incorrect state restore during Structured Serialization";
+ state_ = kActive;
+ } else {
+ DCHECK_EQ(state_, kActive)
+ << "Structured serialization attempted while transaction is inactive";
+ state_ = kInactive;
+ }
+}
+
+
void IDBTransaction::abort(ExceptionState& exception_state) {
if (state_ == kFinishing || state_ == kFinished) {
exception_state.ThrowDOMException(
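Review bot: `SetActiveDuringSerialization` has no guard for `kFinishing`/`kFinished`, unlike `SetActive`, which returns early on `kFinishing` before touching `state_`. If the serialization it brackets can run script (presumably the reason for this change), that script can call `abort()`, which as the lines below show is rejected only for finishing/finished transactions; assuming `abort()` moves the transaction to `kFinishing`, the restore call would then hit the `DCHECK_EQ(state_, kInactive)` in debug builds and silently overwrite `kFinishing` with `kActive` in release builds. I would add `if (state_ == kFinishing || state_ == kFinished) return;` at the top of the function, mirroring `SetActive`. Separately, streaming `new_is_active` into the `DCHECK_NE` message prints `0`/`1` where the removed code printed `true`/`false`; `<< std::boolalpha << new_is_active` or the old ternary keeps the message readable, and the two added blank lines before `abort` should be one.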
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
index 913cb291937..fdd50526429 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h
@@ -152,7 +152,14 @@ class MODULES_EXPORT IDBTransaction final
// Called when deleting an index whose IDBIndex had been created.
void IndexDeleted(IDBIndex*);
- void SetActive(bool);
+ // Called during event dispatch.
+ //
+ // This can trigger transaction auto-commit.
+ void SetActive(bool new_is_active);
+
+ // Called right before and after structured serialization.
+ void SetActiveDuringSerialization(bool new_is_active);
+
void SetError(DOMException*);
DEFINE_ATTRIBUTE_EVENT_LISTENER(abort, kAbort)
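Review bot: The comment on `SetActiveDuringSerialization` says when it is called but not the contract the implementation DCHECKs, which is what a caller needs to know before adding a third call site. I would extend it to: `// Called right before (false) and after (true) structured serialization.` / `// Expects the transaction to be active when called with false and inactive` / `// when called with true; unlike SetActive(), it never triggers auto-commit.` The `SetActive` comment could likewise say that it is a no-op while the transaction is finishing, since that is the one state it treats specially. The enclosing `class IDBTransaction` starts outside the hunk.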