authorDavid Yeung <dayeung@chromium.org>2022-12-08 17:58:25 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-12-22 08:18:31 +0000
commit96312244ec1bf5d263b7b26af9ffe6130ee1da7f (patch)
tree7be612d785b15f9e10c0c90c339d4f067ca7c17d
parentb96b8e2381b86fecf1ded92eaafcce181262e365 (diff)
downloadqtwebengine-chromium-96312244ec1bf5d263b7b26af9ffe6130ee1da7f.tar.gz
[Backport] CVE-2022-4439: Use after free in Aura
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4085820: Fix UaF in ui::DropTargetEvent::DropTargetEvent. There is an async operation in WebContentsViewAura that uses a ui::DropTargetEvent. DropTargetEvent has a pointer to OSExchangeData which gets destroyed before the async operation is called. This triggers the UaF because the operation attempts to reference a freed object (OSExchangeData). Fix is for WebContentsViewAura::DragUpdatedCallback to use a DropMetadata struct instead of a ui::DropTargetEvent. This is the same pattern used by other callbacks in WebContentsViewAura. (cherry picked from commit 9f4b5761c546a118b7187c0c7ddcb9ee5756f32c) Bug: 1392661 Change-Id: I3c62a7473ef9b6cdd223f75fbda50671f539f9eb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4070787 Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: David Yeung <dayeung@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1078218} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4085820 Cr-Commit-Position: refs/branch-heads/5414@{#551} Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/449911 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/web_contents/web_contents_view_aura.cc20
-rw-r--r--chromium/content/browser/web_contents/web_contents_view_aura.h6
2 files changed, 15 insertions, 11 deletions
diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.cc b/chromium/content/browser/web_contents/web_contents_view_aura.cc
index dad12d60cea..688b6af8665 100644
--- a/chromium/content/browser/web_contents/web_contents_view_aura.cc
+++ b/chromium/content/browser/web_contents/web_contents_view_aura.cc
@@ -348,6 +348,7 @@ aura::Window* GetHostWindow(aura::Window* window) {
WebContentsViewAura::DropMetadata::DropMetadata(
const ui::DropTargetEvent& event) {
localized_location = event.location_f();
+ root_location = event.root_location_f();
source_operations = event.source_operations();
flags = event.flags();
}
@@ -1437,7 +1438,7 @@ void WebContentsViewAura::OnDragEntered(const ui::DropTargetEvent& event) {
}
void WebContentsViewAura::DragUpdatedCallback(
- ui::DropTargetEvent event,
+ DropMetadata drop_metadata,
std::unique_ptr<DropData> drop_data,
base::WeakPtr<RenderWidgetHostViewBase> target,
absl::optional<gfx::PointF> transformed_pt) {
@@ -1458,24 +1459,23 @@ void WebContentsViewAura::DragUpdatedCallback(
aura::Window* root_window = GetNativeView()->GetRootWindow();
aura::client::ScreenPositionClient* screen_position_client =
aura::client::GetScreenPositionClient(root_window);
- gfx::PointF screen_pt = event.root_location_f();
+ gfx::PointF screen_pt = drop_metadata.root_location;
if (screen_position_client)
screen_position_client->ConvertPointToScreen(root_window, &screen_pt);
if (target_rwh != current_rwh_for_drag_.get()) {
if (current_rwh_for_drag_) {
- gfx::PointF transformed_leave_point = event.location_f();
+ gfx::PointF transformed_leave_point = drop_metadata.localized_location;
static_cast<RenderWidgetHostViewBase*>(
web_contents_->GetRenderWidgetHostView())
->TransformPointToCoordSpaceForView(
- event.location_f(),
+ drop_metadata.localized_location,
static_cast<RenderWidgetHostViewBase*>(
current_rwh_for_drag_->GetView()),
&transformed_leave_point);
current_rwh_for_drag_->DragTargetDragLeave(transformed_leave_point,
screen_pt);
}
- DropMetadata drop_metadata(event);
DragEnteredCallback(drop_metadata, std::move(drop_data), target,
transformed_pt);
}
@@ -1486,10 +1486,11 @@ void WebContentsViewAura::DragUpdatedCallback(
DCHECK(transformed_pt.has_value());
blink::DragOperationsMask op_mask =
- ConvertToDragOperationsMask(event.source_operations());
+ ConvertToDragOperationsMask(drop_metadata.source_operations);
target_rwh->DragTargetDragOver(
transformed_pt.value(), screen_pt, op_mask,
- ui::EventFlagsToWebEventModifiers(event.flags()), base::DoNothing());
+ ui::EventFlagsToWebEventModifiers(drop_metadata.flags),
+ base::DoNothing());
if (drag_dest_delegate_)
drag_dest_delegate_->OnDragOver();
@@ -1499,7 +1500,6 @@ aura::client::DragUpdateInfo WebContentsViewAura::OnDragUpdated(
const ui::DropTargetEvent& event) {
if (web_contents_->ShouldIgnoreInputEvents())
return aura::client::DragUpdateInfo();
-
aura::client::DragUpdateInfo drag_info;
auto* focused_frame = web_contents_->GetFocusedFrame();
if (focused_frame && !web_contents_->GetBrowserContext()->IsOffTheRecord()) {
@@ -1510,13 +1510,13 @@ aura::client::DragUpdateInfo WebContentsViewAura::OnDragUpdated(
std::unique_ptr<DropData> drop_data = std::make_unique<DropData>();
// Calling this here as event.data might become invalid inside the callback.
PrepareDropData(drop_data.get(), event.data());
-
+ DropMetadata drop_metadata(event);
web_contents_->GetInputEventRouter()
->GetRenderWidgetHostAtPointAsynchronously(
web_contents_->GetRenderViewHost()->GetWidget()->GetView(),
event.location_f(),
base::BindOnce(&WebContentsViewAura::DragUpdatedCallback,
- weak_ptr_factory_.GetWeakPtr(), event,
+ weak_ptr_factory_.GetWeakPtr(), drop_metadata,
std::move(drop_data)));
drag_info.drag_operation = static_cast<int>(current_drag_op_);
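Review bot: The comment above the PrepareDropData call explains why the drop data is extracted before the asynchronous lookup, but the new `DropMetadata drop_metadata(event);` line placed right under it is motivated by the same lifetime constraint and is left undocumented; per the commit message, the OSExchangeData the event points to can be freed before DragUpdatedCallback runs. Extend the comment so a later refactor does not fold the snapshot back into the bound callback, e.g. `// Copy everything the async callback needs out of |event| now: the event only borrows its OSExchangeData, which can be destroyed before the callback runs.` The remaining uses of `event` in this hunk (`event.data()`, `event.location_f()`) are synchronous, which is consistent with that constraint and worth stating so the invariant is checkable in review. OnDragUpdated continues past the end of the hunk; the earlier DropMetadata constructor hunk in this file would benefit from the same note.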
diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.h b/chromium/content/browser/web_contents/web_contents_view_aura.h
index 793e35570ed..3b2cda2de40 100644
--- a/chromium/content/browser/web_contents/web_contents_view_aura.h
+++ b/chromium/content/browser/web_contents/web_contents_view_aura.h
@@ -83,6 +83,10 @@ class CONTENT_EXPORT WebContentsViewAura
// Location local to WebContentsViewAura.
gfx::PointF localized_location;
+
+ // Root location of the drop target event.
+ gfx::PointF root_location;
+
// The supported DnD operation of the source. A bitmask of
// ui::mojom::DragOperations.
int source_operations;
@@ -264,7 +268,7 @@ class CONTENT_EXPORT WebContentsViewAura
std::unique_ptr<DropData> drop_data,
base::WeakPtr<RenderWidgetHostViewBase> target,
absl::optional<gfx::PointF> transformed_pt);
- void DragUpdatedCallback(ui::DropTargetEvent event,
+ void DragUpdatedCallback(DropMetadata drop_metadata,
std::unique_ptr<DropData> drop_data,
base::WeakPtr<RenderWidgetHostViewBase> target,
absl::optional<gfx::PointF> transformed_pt);
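Review bot: The new `root_location` member gets a comment, but the DropMetadata struct itself still states nothing about the invariant this fix depends on: it is the plain-value snapshot bound into asynchronous callbacks precisely because ui::DropTargetEvent only borrows its OSExchangeData, so no member may be a pointer, reference or view into the event or its data. Add that above the struct (its opening line is outside the hunk), e.g. `// Plain-value snapshot of a ui::DropTargetEvent, safe to bind into async callbacks. Must never hold pointers or references into the event or its OSExchangeData.` That comment is what stops the next contributor from "optimising" a field back into an event reference and reintroducing the same use-after-free.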