| author | Ken Rockot <rockot@google.com> | 2021-03-23 21:13:00 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-05-07 08:37:23 +0000 |
| commit | 7ee750fffd694a69a1394ce592b6443e2513026f (patch) | |
| tree | 32210016f7939c26755cdda5e88f4b8d3ba759af | |
| parent | 4bf755ea017b3152b3ee9eb8fe9542ca6b374fe0 (diff) | |
| download | qtwebengine-chromium-7ee750fffd694a69a1394ce592b6443e2513026f.tar.gz | |
[Backport] CVE-2021-21207: Use after free in IndexedDB
Manual backport and adaptation to BindingSet of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2778871:
Never fail in ReceiverSet::Add
Because of how UniqueReceiverSet is implemented and used, it is
dangerous to allow Add() to fail: callers reasonably assume that added
objects are still alive immediately after the Add() call.
This changes ReceiverId to a uint64 and simply CHECK-fails on
insert collision.
This fundamentally increases binary size of 32-bit builds, because
a widely used 32-bit data type is expanding to 64 bits for the sake
of security and stability. It is effectively unavoidable for now, and
also just barely above the tolerable threshold.
A follow-up (but less backwards-mergeable) change should be able to
reduce binary size beyond this increase by consolidating shared
code among ReceiverSet template instantiations.
Fixed: 1185732
Change-Id: I9acf6aaaa36e10fdce5aa49a890173caddc13c52
Binary-Size: Unavoidable (see above)
Commit-Queue: Ken Rockot <rockot@google.com>
Auto-Submit: Ken Rockot <rockot@google.com>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865815}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/mojo/public/cpp/bindings/binding_set.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/chromium/mojo/public/cpp/bindings/binding_set.h b/chromium/mojo/public/cpp/bindings/binding_set.h index 414583bbd72..9be2501e4ab 100644 --- a/chromium/mojo/public/cpp/bindings/binding_set.h +++ b/chromium/mojo/public/cpp/bindings/binding_set.h @@ -35,7 +35,7 @@ struct BindingSetTraits<Binding<Interface, ImplRefTraits>> { } }; -using BindingId = size_t; +using BindingId = uint64_t; template <typename ContextType> struct BindingSetContextTraits { @@ -279,10 +279,10 @@ class BindingSetBase { RequestType request, Context context) { BindingId id = next_binding_id_++; - DCHECK_GE(next_binding_id_, 0u); auto entry = std::make_unique<Entry>(std::move(impl), std::move(request), this, id, std::move(context)); - bindings_.insert(std::make_pair(id, std::move(entry))); + auto result = bindings_.insert(std::make_pair(id, std::move(entry))); + CHECK(result.second) << "BindingId overflow with collision"; return id; } |
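Review bot: the first hunk (`@@ -35,7 +35,7 @@`) replaces `using BindingId = size_t;` with `using BindingId = uint64_t;` but adds no `<cstdint>` include; confirm binding_set.h already pulls it in (directly or transitively) so the header stays self-contained. Also worth auditing call sites that store or pass a `BindingId` as `size_t`, `int` or `unsigned`: on 32-bit builds those would now silently truncate the widened id, which defeats the point of the change that the commit message pays a binary-size cost for.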
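Review bot: the second hunk (`@@ -279,10 +279,10 @@`) does not show the declaration of `next_binding_id_`; it must be declared as `BindingId` (now `uint64_t`) rather than `size_t`, otherwise the counter still wraps at 2^32 on 32-bit builds and the new `CHECK(result.second)` becomes reachable after that many `Add` calls. Dropping `DCHECK_GE(next_binding_id_, 0u)` loses nothing, since it was a tautology for an unsigned counter. The `CHECK` itself is the right replacement for the old behaviour: when `bindings_.insert(std::make_pair(id, std::move(entry)))` failed on a duplicate key, the moved-in `entry` was destroyed with the temporary pair while the pre-existing entry kept the key, yet `return id;` still handed the caller an id as if its object were alive. Suggest a one-line comment above the `CHECK` stating that a collision is only possible after counter wrap-around and is treated as unrecoverable, so future readers do not mistake it for a recoverable error path.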