From 6f1a37c63baf7cdbb919221258ad6fe294de9d82 Mon Sep 17 00:00:00 2001 From: Victor Costan Date: Mon, 21 Oct 2019 22:29:45 +0000 Subject: [Backport] Security bug 1016038 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1869384: IndexedDB: Mark transactions inactive during structured cloning. Bug: 1016038 Change-Id: Icf24fb597c0dbfd83220fac20a557d05b0c9b96b Reviewed-by: Jüri Valdmann --- .../renderer/modules/indexeddb/idb_object_store.cc | 2 ++ .../renderer/modules/indexeddb/idb_transaction.cc | 25 ++++++++++++++++------ .../renderer/modules/indexeddb/idb_transaction.h | 9 +++++++- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc index 72fbca73b91..38f60f03fcb 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc @@ -411,6 +411,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state, v8::Isolate* isolate = script_state->GetIsolate(); DCHECK(isolate->InContext()); + transaction_->SetActiveDuringSerialization(false); // TODO(crbug.com/719053): This wasm behavior differs from other browsers. SerializedScriptValue::SerializeOptions::WasmSerializationPolicy wasm_policy = ExecutionContext::From(script_state)->IsSecureContext() @@ -418,6 +419,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state, : SerializedScriptValue::SerializeOptions::kBlockedInNonSecureContext; IDBValueWrapper value_wrapper(isolate, value.V8Value(), wasm_policy, exception_state); + transaction_->SetActiveDuringSerialization(true); if (exception_state.HadException()) return nullptr; diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc index 8d6a4a1d743..31069d060a0 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc @@ -316,18 +316,31 @@ void IDBTransaction::IndexDeleted(IDBIndex* index) { deleted_indexes_.push_back(index); } -void IDBTransaction::SetActive(bool active) { - DCHECK_NE(state_, kFinished) << "A finished transaction tried to SetActive(" - << (active ? "true" : "false") << ")"; +void IDBTransaction::SetActive(bool new_is_active) { + DCHECK_NE(state_, kFinished) + << "A finished transaction tried to SetActive(" << new_is_active << ")"; if (state_ == kFinishing) return; - DCHECK_NE(active, (state_ == kActive)); - state_ = active ? kActive : kInactive; + DCHECK_NE(new_is_active, (state_ == kActive)); + state_ = new_is_active ? kActive : kInactive; - if (!active && request_list_.IsEmpty() && transaction_backend()) + if (!new_is_active && request_list_.IsEmpty() && transaction_backend()) transaction_backend()->Commit(num_errors_handled_); } +void IDBTransaction::SetActiveDuringSerialization(bool new_is_active) { + if (new_is_active) { + DCHECK_EQ(state_, kInactive) + << "Incorrect state restore during Structured Serialization"; + state_ = kActive; + } else { + DCHECK_EQ(state_, kActive) + << "Structured serialization attempted while transaction is inactive"; + state_ = kInactive; + } +} + + void IDBTransaction::abort(ExceptionState& exception_state) { if (state_ == kFinishing || state_ == kFinished) { exception_state.ThrowDOMException( diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h index 913cb291937..fdd50526429 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h @@ -152,7 +152,14 @@ class MODULES_EXPORT IDBTransaction final // Called when deleting an index whose IDBIndex had been created. void IndexDeleted(IDBIndex*); - void SetActive(bool); + // Called during event dispatch. + // + // This can trigger transaction auto-commit. + void SetActive(bool new_is_active); + + // Called right before and after structured serialization. + void SetActiveDuringSerialization(bool new_is_active); + void SetError(DOMException*); DEFINE_ATTRIBUTE_EVENT_LISTENER(abort, kAbort) -- cgit v1.2.1