authorKen Rockot <rockot@google.com>2021-04-20 15:46:33 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-05-07 08:27:46 +0000
commitfd48fe2466c1782c83c661d5196e6f9c365bb494 (patch)
treee8c66ea63fb5cb60863bc193076e4d0499cf7d26
parent2fbb0efc5f8a31517e8b69924d6c51e5e1db3e05 (diff)
downloadqtwebengine-chromium-fd48fe2466c1782c83c661d5196e6f9c365bb494.tar.gz
[Backport] CVE-2021-21223: Integer overflow in Mojo
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2837712: M86-LTS: Mojo: Properly validate broadcast events This corrects broadcast event deserialization by adding a missing validation step when decoding the outer message header. (cherry picked from commit 6740adb28374ddeee13febfd5e5d20cb8a365979) Fixed: 1195308 Change-Id: Ia67a20e48614e7ef00b1b32f7f4e5f20235be310 Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Original-Commit-Position: refs/heads/master@{#870238} Owners-Override: Achuith Bhandarkar <achuith@chromium.org> Auto-Submit: Achuith Bhandarkar <achuith@chromium.org> Reviewed-by: Artem Sumaneev <asumaneev@google.com> Commit-Queue: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/branch-heads/4240@{#1614} Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/mojo/core/node_channel.cc13
-rw-r--r--chromium/mojo/core/node_channel.h4
-rw-r--r--chromium/mojo/core/node_controller.cc4
-rw-r--r--chromium/mojo/core/user_message_impl.cc4
4 files changed, 17 insertions, 8 deletions
diff --git a/chromium/mojo/core/node_channel.cc b/chromium/mojo/core/node_channel.cc
index ebcb8812e1e..ada2eb5e6f7 100644
--- a/chromium/mojo/core/node_channel.cc
+++ b/chromium/mojo/core/node_channel.cc
@@ -181,13 +181,16 @@ Channel::MessagePtr NodeChannel::CreateEventMessage(size_t capacity,
}
// static
-void NodeChannel::GetEventMessageData(Channel::Message* message,
+bool NodeChannel::GetEventMessageData(Channel::Message& message,
void** data,
size_t* num_data_bytes) {
- // NOTE: OnChannelMessage guarantees that we never accept a Channel::Message
- // with a payload of fewer than |sizeof(Header)| bytes.
- *data = reinterpret_cast<Header*>(message->mutable_payload()) + 1;
- *num_data_bytes = message->payload_size() - sizeof(Header);
+ // NOTE: Callers must guarantee that the payload in `message` must be at least
+ // large enough to hold a Header.
+ if (message.payload_size() < sizeof(Header))
+ return false;
+ *data = reinterpret_cast<Header*>(message.mutable_payload()) + 1;
+ *num_data_bytes = message.payload_size() - sizeof(Header);
+ return true;
}
void NodeChannel::Start() {
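Review bot: The retained NOTE above the new size check still says callers must guarantee the payload holds a Header, which contradicts the check that now rejects a short payload and returns false, and a later reader could take the comment as licence to drop the check as redundant. Reword it to state the function's own contract, e.g. `// Reject any payload too small to hold a Header; do not rely on the caller having checked.` It is also worth saying that `*data` and `*num_data_bytes` are left untouched on the false path, since a caller that ignores the return value would go on to read uninitialized values. The cast of the payload to Header* carries the same alignment assumption as before and is not new to this change.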
diff --git a/chromium/mojo/core/node_channel.h b/chromium/mojo/core/node_channel.h
index 5573305013f..ce337a214ef 100644
--- a/chromium/mojo/core/node_channel.h
+++ b/chromium/mojo/core/node_channel.h
@@ -87,7 +87,9 @@ class NodeChannel : public base::RefCountedThreadSafe<NodeChannel>,
void** payload,
size_t num_handles);
- static void GetEventMessageData(Channel::Message* message,
+ // Retrieves address and size of an Event message's underlying message data.
+ // Returns `false` if the message is not a valid Event message.
+ static bool GetEventMessageData(Channel::Message& message,
void** data,
size_t* num_data_bytes);
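Review bot: The new header comment says `false` means "not a valid Event message", but the implementation in node_channel.cc only checks that the payload is at least sizeof(Header); event-level validation still happens later in ports::Event::Deserialize. Tighten the comment to what is actually checked, e.g. `// Returns false if the payload is too small to hold an event Header; the out-params are not written in that case.` Because ignoring the result would mean using uninitialized out-params, consider marking the declaration `[[nodiscard]]` so a future caller cannot silently drop the check. The enclosing class NodeChannel starts outside the hunk.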
diff --git a/chromium/mojo/core/node_controller.cc b/chromium/mojo/core/node_controller.cc
index 4a6e618833a..52082c3c289 100644
--- a/chromium/mojo/core/node_controller.cc
+++ b/chromium/mojo/core/node_controller.cc
@@ -81,7 +81,9 @@ ports::ScopedEvent DeserializeEventMessage(
Channel::MessagePtr channel_message) {
void* data;
size_t size;
- NodeChannel::GetEventMessageData(channel_message.get(), &data, &size);
+ bool valid = NodeChannel::GetEventMessageData(*channel_message, &data, &size);
+ if (!valid)
+ return nullptr;
auto event = ports::Event::Deserialize(data, size);
if (!event)
return nullptr;
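Review bot: The intermediate `valid` local adds nothing; the rejection reads more directly as `if (!NodeChannel::GetEventMessageData(*channel_message, &data, &size)) return nullptr;`. Discarding a message whose payload is too short is the right outcome for data arriving from a peer, and it is the ordering of this check ahead of `Deserialize` that keeps the uninitialized `data` and `size` locals from being read; a one-line comment saying so would protect that ordering against later edits. DeserializeEventMessage starts before the hunk.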
diff --git a/chromium/mojo/core/user_message_impl.cc b/chromium/mojo/core/user_message_impl.cc
index d4a4da16a23..661a80c9763 100644
--- a/chromium/mojo/core/user_message_impl.cc
+++ b/chromium/mojo/core/user_message_impl.cc
@@ -408,7 +408,9 @@ Channel::MessagePtr UserMessageImpl::FinalizeEventMessage(
if (channel_message) {
void* data;
size_t size;
- NodeChannel::GetEventMessageData(channel_message.get(), &data, &size);
+ bool result =
+ NodeChannel::GetEventMessageData(*channel_message, &data, &size);
+ DCHECK(result);
message_event->Serialize(data);
}
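Review bot: `DCHECK(result)` is compiled out in release builds, so if GetEventMessageData ever returned false here, `message_event->Serialize(data)` on the next line would write through an uninitialized pointer. As far as the hunk shows the message is built locally by this function rather than received from a peer, so treating the failure as an invariant is defensible, but `CHECK(result);` costs one branch and turns that latent wild write into a crash instead. FinalizeEventMessage continues outside the hunk.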