From 77fe270126de99e880a07bff17b5614d27eee15c Mon Sep 17 00:00:00 2001
From: Daniel Cheng
Date: Wed, 20 Oct 2021 21:59:08 +0000
Subject: [Backport] CVE-2022-0290: Use after free in Site isolation

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3230016:
Reland "Consistently invalidate Mojo connections when render frame is deleted."

This is a reland of cab52ad80cb4985de0c9431d761fe9c909bbfb8f, but also resets a few additional fields that hold Mojo endpoints to the renderer.

Original change's description:
> Consistently invalidate Mojo connections when render frame is deleted.
>
> Bug: 1260007, 1260134
> Change-Id: I2ae77fcbf04b557f7f6e68b55d6c2905708fc220
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3225563
> Reviewed-by: Alex Moshchuk
> Commit-Queue: Daniel Cheng
> Cr-Commit-Position: refs/heads/main@{#932196}

Bug: 1260007, 1260134
Change-Id: Ie04adf7240c2a62ccecca42da554259b0dbbbd7f
Reviewed-by: Alex Moshchuk
Commit-Queue: Daniel Cheng
Cr-Commit-Position: refs/heads/main@{#933654}
Reviewed-by: Michal Klocek
---
 .../renderer_host/render_frame_host_impl.cc        | 49 +++++++++++++---------
 .../browser/renderer_host/render_frame_host_impl.h |  1 +
 2 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/chromium/content/browser/renderer_host/render_frame_host_impl.cc b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
index 3abc1fff28f..6c3b61e8580 100644
--- a/chromium/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
@@ -2158,8 +2158,6 @@ void RenderFrameHostImpl::RenderProcessExited(
   // Reset state for the current RenderFrameHost once the FrameTreeNode has been
   // reset.
   RenderFrameDeleted();
-  InvalidateMojoConnection();
-  broker_receiver_.reset();
   SetLastCommittedUrl(GURL());
   web_bundle_handle_.reset();
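Review bot: The two resets removed here now happen inside RenderFrameDeleted() (the next hunk calls InvalidateMojoConnection() unconditionally, and broker_receiver_ is reset there), but nothing at this call site says so, and the surviving comment still reads as if only FrameTreeNode-related state is being reset. A maintainer who does not know that could re-add a reset here or, worse, issue IPC through one of these fields between RenderFrameDeleted() and the end of this function. I'd extend the comment: `// RenderFrameDeleted() also tears down every Mojo endpoint to the renderer (see InvalidateMojoConnection()); nothing below may use them for IPC.` This hunk also relies on RenderFrameDeleted() never returning before reaching that call, which holds for the visible lines but I cannot check the rest of its body. RenderProcessExited() begins and continues outside this hunk.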
@@ -2537,6 +2535,7 @@ void RenderFrameHostImpl::RenderFrameDeleted() {
   if (was_created) {
     delegate_->RenderFrameDeleted(this);
   }
+  InvalidateMojoConnection();
   if (web_ui_) {
     web_ui_->RenderFrameDeleted();
@@ -5129,8 +5128,9 @@ void RenderFrameHostImpl::BindDomOperationControllerHostReceiver(
     mojo::PendingAssociatedReceiver receiver) {
   DCHECK(receiver.is_valid());
-  // DOM automation controller is reinstalled after a cross-document navigation,
-  // which can reuse the frame.
+  // In the renderer side, the remote is document-associated so the receiver on
+  // the browser side can be reused after a cross-document navigation.
+  // TODO(dcheng): Make this document-associated?
   dom_automation_controller_receiver_.reset();
   dom_automation_controller_receiver_.Bind(std::move(receiver));
   dom_automation_controller_receiver_.SetFilter(
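Review bot: The new InvalidateMojoConnection() call sits after delegate_->RenderFrameDeleted(this), so delegate observers still see live Mojo endpoints on a frame the renderer side has already dropped; if any observer can synchronously send IPC through this RenderFrameHost, that is exactly the stale-endpoint window this CVE fix closes, and the invalidation should move ahead of the delegate call — I cannot verify the observers from this hunk. Whichever order is intended, it deserves a comment so it is not shuffled later: `// The frame is gone on the renderer side; drop every Mojo endpoint now so no later caller can dispatch IPC to a stale or reused renderer object.` The remainder of RenderFrameDeleted() runs past this hunk.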
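Review bot: The rewritten comment explains why the receiver gets rebound but the sentence is hard to parse ("In the renderer side ... so the receiver on the browser side can be reused"), and it does not say why reset() must precede Bind(). I'd word it: `// The renderer-side remote is document-associated, so a cross-document navigation that reuses this frame rebinds it; reset() first because the receiver may still be bound to the previous document's remote.` If this bind request can originate from the renderer, the reset-then-bind sequence means a repeated request replaces whatever controller is currently bound; that is pre-existing and probably acceptable for an automation channel, but it is worth stating next to the TODO, since DCHECK(receiver.is_valid()) is debug-only and adds no protection in release builds. The body of BindDomOperationControllerHostReceiver() continues beyond the hunk.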
@@ -7041,29 +7041,38 @@ void RenderFrameHostImpl::SetUpMojoIfNeeded() {
 }

 void RenderFrameHostImpl::InvalidateMojoConnection() {
-  frame_.reset();
-  frame_bindings_control_.reset();
-  frame_host_associated_receiver_.reset();
-  back_forward_cache_controller_host_associated_receiver_.reset();
+  // While not directly Mojo endpoints, both `geolocation_service_` and
+  // `sensor_provider_proxy_` may attempt to cancel permission requests.
+  geolocation_service_.reset();
+  sensor_provider_proxy_.reset();
+
+  associated_registry_.reset();
+
+  mojo_image_downloader_.reset();
+  find_in_page_.reset();
   local_frame_.reset();
   local_main_frame_.reset();
   high_priority_local_frame_.reset();
-  find_in_page_.reset();
-  render_accessibility_.reset();
-  // Disconnect with ImageDownloader Mojo service in Blink.
-  mojo_image_downloader_.reset();
+  frame_host_associated_receiver_.reset();
+  back_forward_cache_controller_host_associated_receiver_.reset();
+  frame_.reset();
+  frame_bindings_control_.reset();
+  local_frame_host_receiver_.reset();
+  local_main_frame_host_receiver_.reset();
-  // The geolocation service and sensor provider proxy may attempt to cancel
-  // permission requests so they must be reset before the routing_id mapping is
-  // removed.
-  geolocation_service_.reset();
-  sensor_provider_proxy_.reset();
+  broker_receiver_.reset();
+  render_accessibility_.reset();
   render_accessibility_host_receiver_.reset();
-  local_frame_host_receiver_.reset();
-  local_main_frame_host_receiver_.reset();
-  associated_registry_.reset();
+
+  dom_automation_controller_receiver_.reset();
+
+#if BUILDFLAG(ENABLE_PLUGINS)
+  pepper_host_receiver_.reset();
+  pepper_instance_map_.clear();
+  pepper_hung_detectors_.Clear();
+#endif  // BUILDFLAG(ENABLE_PLUGINS)
 }

 bool RenderFrameHostImpl::IsFocused() {
diff --git a/chromium/content/browser/renderer_host/render_frame_host_impl.h b/chromium/content/browser/renderer_host/render_frame_host_impl.h
index 5a345c2d51a..01d6f271504 100644
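Review bot: The new comment on geolocation_service_ / sensor_provider_proxy_ drops the constraint the removed comment carried — that cancelling their permission requests needs the routing-id mapping, i.e. state that the resets further down tear down — so nothing now tells a reader that these two must stay first. I'd restore it: `// Reset first: cancelling their pending permission requests needs frame routing state that the resets below remove.` The function now resets a long list of independent members with nothing enforcing completeness beyond the header comment this patch adds, so a cross-reference here, `// Keep in sync with the Remote/Receiver members in render_frame_host_impl.h.`, would make the invariant discoverable from both sides. permission_service_context_ (visible in the header hunk) also appears to hold renderer-facing receivers and is not reset here; whether that is deliberate I cannot tell from this diff. The hunk ends on the opening line of IsFocused(), whose body lies outside it.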
--- a/chromium/content/browser/renderer_host/render_frame_host_impl.h
+++ b/chromium/content/browser/renderer_host/render_frame_host_impl.h
@@ -3000,6 +3000,7 @@ class CONTENT_EXPORT RenderFrameHostImpl
   // RFH.
   std::unique_ptr permission_service_context_;
+  // Remotes must be reset in InvalidateMojoConnection().
   // Holder of Mojo connection with ImageDownloader service in Blink.
   mojo::Remote mojo_image_downloader_;
--
cgit v1.2.1
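Review bot: The added comment `// Remotes must be reset in InvalidateMojoConnection().` sits directly above mojo_image_downloader_ and reads as if it applied to that single member, while the .cc side of this patch resets Receivers, AssociatedReceivers, the associated registry and the pepper maps as well. Since this line is the only thing that documents the invariant, I'd phrase it as a rule for the whole group and say why it matters: `// Every mojo::Remote / Receiver in this class that is connected to the renderer must be reset in InvalidateMojoConnection(); an endpoint that survives RenderFrameDeleted() can be used after the renderer-side frame is gone.` The class body continues outside this hunk.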