authorDaniel Cheng <dcheng@chromium.org>2021-10-20 21:59:08 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-02-28 18:16:46 +0000
commit77fe270126de99e880a07bff17b5614d27eee15c (patch)
tree8dee9b599dc82a1abb98b82fe6d313a023cdae22
parent07a3b1fe7733279baef693258139095b35965105 (diff)
[Backport] CVE-2022-0290: Use after free in Site isolation
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3230016: Reland "Consistently invalidate Mojo connections when render frame is deleted." This is a reland of cab52ad80cb4985de0c9431d761fe9c909bbfb8f, but also resets a few additional fields that hold Mojo endpoints to the renderer. Original change's description: > Consistently invalidate Mojo connections when render frame is deleted. > > Bug: 1260007, 1260134 > Change-Id: I2ae77fcbf04b557f7f6e68b55d6c2905708fc220 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3225563 > Reviewed-by: Alex Moshchuk <alexmos@chromium.org> > Commit-Queue: Daniel Cheng <dcheng@chromium.org> > Cr-Commit-Position: refs/heads/main@{#932196} Bug: 1260007, 1260134 Change-Id: Ie04adf7240c2a62ccecca42da554259b0dbbbd7f Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Commit-Queue: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/main@{#933654} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/renderer_host/render_frame_host_impl.cc49
-rw-r--r--chromium/content/browser/renderer_host/render_frame_host_impl.h1
2 files changed, 30 insertions, 20 deletions
diff --git a/chromium/content/browser/renderer_host/render_frame_host_impl.cc b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
index 3abc1fff28f..6c3b61e8580 100644
--- a/chromium/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
@@ -2158,8 +2158,6 @@ void RenderFrameHostImpl::RenderProcessExited(
// Reset state for the current RenderFrameHost once the FrameTreeNode has been
// reset.
RenderFrameDeleted();
- InvalidateMojoConnection();
- broker_receiver_.reset();
SetLastCommittedUrl(GURL());
web_bundle_handle_.reset();
@@ -2537,6 +2535,7 @@ void RenderFrameHostImpl::RenderFrameDeleted() {
if (was_created) {
delegate_->RenderFrameDeleted(this);
}
+ InvalidateMojoConnection();
if (web_ui_) {
web_ui_->RenderFrameDeleted();
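Review bot: The new `InvalidateMojoConnection();` call carries no comment saying why it now lives in RenderFrameDeleted(), even though the first hunk removes the explicit `InvalidateMojoConnection()` / `broker_receiver_.reset()` pair from RenderProcessExited() and that function reaches here only through its `RenderFrameDeleted();` call, so this line is now the single teardown point for both paths. A why-comment would keep a later refactor from dropping or moving it, e.g. `// Reset every Mojo endpoint to the renderer here; RenderProcessExited() relies on this call rather than resetting them itself.`. If the call must come after `delegate_->RenderFrameDeleted(this)` rather than before it, that ordering requirement belongs in the same comment; nothing in the hunk states it. The body of RenderFrameDeleted() begins outside the hunk.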
@@ -5129,8 +5128,9 @@ void RenderFrameHostImpl::BindDomOperationControllerHostReceiver(
mojo::PendingAssociatedReceiver<mojom::DomAutomationControllerHost>
receiver) {
DCHECK(receiver.is_valid());
- // DOM automation controller is reinstalled after a cross-document navigation,
- // which can reuse the frame.
+ // In the renderer side, the remote is document-associated so the receiver on
+ // the browser side can be reused after a cross-document navigation.
+ // TODO(dcheng): Make this document-associated?
dom_automation_controller_receiver_.reset();
dom_automation_controller_receiver_.Bind(std::move(receiver));
dom_automation_controller_receiver_.SetFilter(
@@ -7041,29 +7041,38 @@ void RenderFrameHostImpl::SetUpMojoIfNeeded() {
}
void RenderFrameHostImpl::InvalidateMojoConnection() {
- frame_.reset();
- frame_bindings_control_.reset();
- frame_host_associated_receiver_.reset();
- back_forward_cache_controller_host_associated_receiver_.reset();
+ // While not directly Mojo endpoints, both `geolocation_service_` and
+ // `sensor_provider_proxy_` may attempt to cancel permission requests.
+ geolocation_service_.reset();
+ sensor_provider_proxy_.reset();
+
+ associated_registry_.reset();
+
+ mojo_image_downloader_.reset();
+ find_in_page_.reset();
local_frame_.reset();
local_main_frame_.reset();
high_priority_local_frame_.reset();
- find_in_page_.reset();
- render_accessibility_.reset();
- // Disconnect with ImageDownloader Mojo service in Blink.
- mojo_image_downloader_.reset();
+ frame_host_associated_receiver_.reset();
+ back_forward_cache_controller_host_associated_receiver_.reset();
+ frame_.reset();
+ frame_bindings_control_.reset();
+ local_frame_host_receiver_.reset();
+ local_main_frame_host_receiver_.reset();
- // The geolocation service and sensor provider proxy may attempt to cancel
- // permission requests so they must be reset before the routing_id mapping is
- // removed.
- geolocation_service_.reset();
- sensor_provider_proxy_.reset();
+ broker_receiver_.reset();
+ render_accessibility_.reset();
render_accessibility_host_receiver_.reset();
- local_frame_host_receiver_.reset();
- local_main_frame_host_receiver_.reset();
- associated_registry_.reset();
+
+ dom_automation_controller_receiver_.reset();
+
+#if BUILDFLAG(ENABLE_PLUGINS)
+ pepper_host_receiver_.reset();
+ pepper_instance_map_.clear();
+ pepper_hung_detectors_.Clear();
+#endif // BUILDFLAG(ENABLE_PLUGINS)
}
bool RenderFrameHostImpl::IsFocused() {
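Review bot: The reset order in InvalidateMojoConnection() is now visibly deliberate but only the first pair is explained: `associated_registry_` moves from last to third, ahead of the associated receivers it serves, and receivers are grouped after remotes, with no comment saying whether that order is required or merely tidy. The removed comment also stated a constraint, that the geolocation service and sensor provider proxy must be reset before the routing_id mapping is removed, which the replacement comment drops; if it still holds now that the function is reached from RenderFrameDeleted(), keep it, e.g. `// ... may attempt to cancel permission requests, so they are reset first (before the routing_id mapping is removed).`. A one-line comment above `associated_registry_.reset();` giving its reason (presumably so no further associated-interface request can bind to a receiver that is about to be reset; confirm) would tell the next maintainer where a new endpoint belongs in this list. The ENABLE_PLUGINS block also clears `pepper_instance_map_` and `pepper_hung_detectors_`, which are not Mojo endpoints, so a short comment on why they are torn down in this function would help as well.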
diff --git a/chromium/content/browser/renderer_host/render_frame_host_impl.h b/chromium/content/browser/renderer_host/render_frame_host_impl.h
index 5a345c2d51a..01d6f271504 100644
--- a/chromium/content/browser/renderer_host/render_frame_host_impl.h
+++ b/chromium/content/browser/renderer_host/render_frame_host_impl.h
@@ -3000,6 +3000,7 @@ class CONTENT_EXPORT RenderFrameHostImpl
// RFH.
std::unique_ptr<PermissionServiceContext> permission_service_context_;
+ // Remotes must be reset in InvalidateMojoConnection().
// Holder of Mojo connection with ImageDownloader service in Blink.
mojo::Remote<blink::mojom::ImageDownloader> mojo_image_downloader_;
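Review bot: The new comment sits directly above `mojo_image_downloader_` alone, so it reads as a note on that one member rather than as the class-wide rule this commit enforces; the other Remote and Receiver members reset in InvalidateMojoConnection() are declared outside this hunk and carry no such note. Wording it as the rule, and pointing at the list, makes the invariant findable from any declaration: `// Every mojo::Remote / Receiver member connected to the renderer must be reset in InvalidateMojoConnection(); keep that function in sync when adding one.`. Since the remaining declarations are outside this hunk, the same line may be needed beside them.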