authorPeng Huang <penghuang@chromium.org>2023-02-08 21:38:39 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-02-27 11:57:35 +0000
commit60db18be36e9dc09564956acb4dc3d8f2fd5e0cc (patch)
tree0bf0bded3e08ec682bdd630c4ae4feea793a95c7 /chromium
parent6aa17d1e52cf40af0145f549712165dbf22463c9 (diff)
downloadqtwebengine-chromium-60db18be36e9dc09564956acb4dc3d8f2fd5e0cc.tar.gz
[Backport] CVE-2023-0928: Use after free in SwiftShader
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4232858: Fix UAF problem in AngleVulkanImageBacking Right now, we use vulkan fence helper to release the backing. It is right, if the last usage of the backing is by skia. If the last usage is by gl, the fence helper (skia) isn't aware of the submitted work from ANGLE, skia may call flush finish callback to release the backing while the backing is still being referenced by works in ANGLE. Fix the problem by calling glFinish() if the last usage is GL. Known issue: the finish callback of skia flush() is not always called in order. So in edge cases, the UAF problem can still happen. Bug: 1309035 Change-Id: I3562043650dd2b27bde3a370bef45b1226cdd48c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4232858 Reviewed-by: Vasiliy Telezhnikov <vasilyt@chromium.org> Commit-Queue: Peng Huang <penghuang@chromium.org> Cr-Commit-Position: refs/heads/main@{#1102905} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/462817 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r--chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.cc16
-rw-r--r--chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.h1
2 files changed, 16 insertions, 1 deletions
diff --git a/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.cc b/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.cc
index a2239f19b8d..c8b53477a7e 100644
--- a/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.cc
+++ b/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.cc
@@ -161,6 +161,11 @@ AngleVulkanImageBacking::~AngleVulkanImageBacking() {
passthrough_texture_.reset();
egl_image_.reset();
+
+ if (need_gl_finish_before_destroy_ && have_context()) {
+ gl::GLApi* api = gl::g_current_gl_context;
+ api->glFinishFn();
+ }
}
if (vulkan_image_) {
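Review bot: The new guard `if (need_gl_finish_before_destroy_ && have_context())` carries no comment, and the reason a full glFinish() is required here — work submitted by ANGLE through glReleaseTexturesANGLE is invisible to skia's fence helper, which otherwise decides when the VkImage may be released — lives only in the commit message. Suggest adding above the `if`: `// Work ANGLE submitted when the texture was released is not tracked by skia's fence helper; wait for it so the VkImage freed below is no longer referenced by the queue.` When `have_context()` is false the finish is skipped and destruction still proceeds to the `vulkan_image_` branch on the last line of the hunk; presumably a lost context means no ANGLE work can still be outstanding, but that assumption is worth stating in the same comment rather than leaving the reader to reconstruct it. The `}` before that line closes an `if` whose opening is outside the hunk, so the finish only runs on the branch that, presumably, owned `passthrough_texture_`; the rest of the destructor is likewise outside the hunk.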
@@ -325,8 +330,9 @@ void AngleVulkanImageBacking::GLTextureImageRepresentationEndAccess(
--gl_reads_in_process_;
// For the last GL read access, release texture from ANGLE.
- if (gl_reads_in_process_ == 0)
+ if (gl_reads_in_process_ == 0) {
ReleaseTextureANGLE();
+ }
return;
}
@@ -356,6 +362,9 @@ void AngleVulkanImageBacking::ReleaseTextureANGLE() {
GLuint texture = passthrough_texture_->service_id();
// Release the texture from ANGLE, so it can be used elsewhere.
api->glReleaseTexturesANGLEFn(1, &texture, &layout_);
+ // Releasing the texture will submit all related works to queue, so to be
+ // safe, glFinish() should be called before releasing the VkImage.
+ need_gl_finish_before_destroy_ = true;
}
void AngleVulkanImageBacking::PrepareBackendTexture() {
@@ -435,6 +444,11 @@ void AngleVulkanImageBacking::EndAccessSkia() {
return;
}
+ // The backing is used by skia, so skia should submit related work to the
+ // queue, and we can use vulkan fence helper to release the VkImage.
+ // glFinish() is not necessary anymore.
+ need_gl_finish_before_destroy_ = false;
+
SyncImageLayoutFromBackendTexture();
if (gl_reads_in_process_ > 0) {
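Review bot: `need_gl_finish_before_destroy_ = false;` is cleared before the `gl_reads_in_process_ > 0` branch on the last line of the hunk, whose body is outside the hunk; if that branch hands the texture back to ANGLE for the outstanding GL reads, correctness depends on the eventual GL end-access reaching ReleaseTextureANGLE() so the flag is set again before the backing can be destroyed. That invariant is implied by the two hunks together but stated in neither; suggest extending the new comment with `// GL reads still in flight will set this again in ReleaseTextureANGLE().` or asserting it where the last GL read completes. The early `return` at the top of the hunk leaves the flag untouched, which looks intended, but its condition is outside the hunk so I cannot confirm that no skia work was submitted on that path.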
diff --git a/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.h b/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.h
index e773aed4b20..9306868802d 100644
--- a/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.h
+++ b/chromium/gpu/command_buffer/service/shared_image/angle_vulkan_image_backing.h
@@ -80,6 +80,7 @@ class AngleVulkanImageBacking : public ClearTrackingSharedImageBacking,
bool is_gl_write_in_process_ = false;
int skia_reads_in_process_ = 0;
int gl_reads_in_process_ = 0;
+ bool need_gl_finish_before_destroy_ = false;
};
} // namespace gpu
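Review bot: The new member `need_gl_finish_before_destroy_` is the only one of the four access-tracking fields whose meaning is not evident from its name alone, and it has no comment, while the commit message itself records that skia's flush finish callbacks are not always delivered in order and the use-after-free can still occur in edge cases. Suggest documenting both the meaning and that limitation next to the declaration, e.g. `// True when ANGLE was the last user of the texture: its queued work is not tracked by skia's fence helper, so the destructor must glFinish() before the VkImage is released. Cleared in EndAccessSkia().` with a second line noting the remaining ordering caveat, so the next maintainer does not treat the flag as a complete fix. The class body begins outside the hunk.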