authorKen Rockot <rockot@google.com>2021-11-04 15:08:56 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-11-10 18:30:11 +0000
commit76271a2368ed06214ef1f112c6322d94cf968fdd (patch)
treec6520462fec919f8bd67c388a498a694e41213b1
parent201365e1927c9fa74f8c2d4af5d2d932eec1baf6 (diff)
downloadqtwebengine-chromium-76271a2368ed06214ef1f112c6322d94cf968fdd.tar.gz
[Backport] Security bug 1252858
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3251075: [M90-LTS][mojo] Validate INTRODUCE source node INTRODUCE NodeChannel messages should only be acknowledged when coming from the broker process. (cherry picked from commit 6e74f7b5cb2f48b17403f0431f3e4f3a2e716265) Fixed: 1252858 Change-Id: I2dff6d5cab102ce744ad2ad66a9f24b4202cbea8 Commit-Queue: Ken Rockot <rockot@google.com> Cr-Original-Commit-Position: refs/heads/main@{#926430} Reviewed-by: Artem Sumaneev <asumaneev@google.com> Owners-Override: Artem Sumaneev <asumaneev@google.com> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/4430@{#1655} Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/mojo/core/node_controller.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/mojo/core/node_controller.cc b/chromium/mojo/core/node_controller.cc
index 52082c3c289..d0f50b16815 100644
--- a/chromium/mojo/core/node_controller.cc
+++ b/chromium/mojo/core/node_controller.cc
@@ -22,6 +22,7 @@
#include "mojo/core/broker.h"
#include "mojo/core/broker_host.h"
#include "mojo/core/configuration.h"
+#include "mojo/core/ports/name.h"
#include "mojo/core/request_context.h"
#include "mojo/core/user_message_impl.h"
#include "mojo/public/cpp/platform/named_platform_channel.h"
@@ -1063,6 +1064,12 @@ void NodeController::OnIntroduce(const ports::NodeName& from_node,
PlatformHandle channel_handle) {
DCHECK(io_task_runner_->RunsTasksInCurrentSequence());
+ if (broker_name_ == ports::kInvalidNodeName || from_node != broker_name_) {
+ DVLOG(1) << "Ignoring introduction from non-broker process.";
+ DropPeer(from_node, nullptr);
+ return;
+ }
+
if (!channel_handle.is_valid()) {
node_->LostConnectionToNode(name);
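Review bot: The new guard at the top of OnIntroduce reports a rejected introduction only through `DVLOG(1)`, which is compiled out of non-debug builds, so a node that sends INTRODUCE without being the broker is dropped with no trace in release logs. Since this is a protocol violation rather than a routine disconnect, consider a release-visible log on this path, e.g. `LOG(ERROR) << "Dropping peer " << from_node << ": INTRODUCE from non-broker node";`. A short comment above the check would record the trust rule: `// Only the broker may introduce peers; fail closed while no broker name is set.` The check also reads `broker_name_` with no lock in view; if other accessors in this file guard that member, confirm that an unlocked read on the IO sequence is safe. OnIntroduce's body continues past the end of the hunk.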