author | Brian Begnoche <bcb@chromium.org> | 2021-09-21 16:54:54 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-06-05 23:37:37 +0000 |
commit | 0d342ab1dd5a25f8496e330af69a827c3297f3b4 (patch) | |
tree | d83f81f3c1f2f4b4ef831dce3d5706cc4e2e2982 | |
parent | 65134ba84bd639b626da942383579b772f05fdca (diff) | |
[Backport] Dependency for CVE-2022-1853: Use after free in Indexed DB
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3161276:
StorageBuckets: Create bucket on access for IndexedDB
This change ensures that a default bucket for a storage key
exists on IndexedDB access. This calls to get or create a
default bucket for the storage key to make sure there is
an entry in the QuotaDatabase buckets table. This is a
requirement for migrating Storage APIs to Buckets.
Bug: 1248103
Change-Id: I55b9c38515bd86ff14efbab9d3fd4abbb451d002
Commit-Queue: Brian Begnoche <bcb@chromium.org>
Reviewed-by: Ayu Ishii <ayui@chromium.org>
Reviewed-by: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/main@{#923443}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/indexed_db/indexed_db_context_impl.cc | 19 | ||||
-rw-r--r-- | chromium/content/browser/indexed_db/indexed_db_context_impl.h | 10 |
2 files changed, 28 insertions, 1 deletions
diff --git a/chromium/content/browser/indexed_db/indexed_db_context_impl.cc b/chromium/content/browser/indexed_db/indexed_db_context_impl.cc
index 280d3224225..d0f917e651a 100644
--- a/chromium/content/browser/indexed_db/indexed_db_context_impl.cc
+++ b/chromium/content/browser/indexed_db/indexed_db_context_impl.cc
@@ -29,7 +29,10 @@
#include "components/services/storage/indexed_db/leveldb/leveldb_factory.h"
#include "components/services/storage/indexed_db/scopes/varint_coding.h"
#include "components/services/storage/indexed_db/transactional_leveldb/transactional_leveldb_database.h"
+#include "components/services/storage/public/cpp/buckets/bucket_info.h"
+#include "components/services/storage/public/cpp/buckets/constants.h"
#include "components/services/storage/public/cpp/quota_client_callback_wrapper.h"
+#include "components/services/storage/public/cpp/quota_error_or.h"
#include "components/services/storage/public/mojom/quota_client.mojom.h"
#include "components/services/storage/public/mojom/storage_usage_info.mojom.h"
#include "content/browser/indexed_db/indexed_db_class_factory.h"
@@ -207,7 +210,13 @@ void IndexedDBContextImpl::Bind(
void IndexedDBContextImpl::BindIndexedDB(
const blink::StorageKey& storage_key,
mojo::PendingReceiver<blink::mojom::IDBFactory> receiver) {
- dispatcher_host_.AddReceiver(storage_key, std::move(receiver));
+ // Ensure default bucket exists for storage key on storage access and add
+ // bind receiver on retrieval.
+ quota_manager_proxy()->GetOrCreateBucket(
+ storage_key, storage::kDefaultBucketName, idb_task_runner_,
+ base::BindOnce(&IndexedDBContextImpl::BindIndexedDBWithBucket,
+ weak_factory_.GetWeakPtr(), storage_key,
+ std::move(receiver)));
}
void IndexedDBContextImpl::GetUsage(GetUsageCallback usage_callback) {
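Review bot: The WeakPtr handed to GetOrCreateBucket in BindIndexedDB is dereferenced on idb_task_runner_ (the task runner passed in the same call), so BindIndexedDB itself has to run on that sequence, yet nothing in the hunk states or checks this. Adding `DCHECK(idb_task_runner_->RunsTasksInCurrentSequence());` as the first statement, as ShutdownOnIDBSequence in this file already does, would pin the assumption down; if BindIndexedDB is legitimately reachable from another sequence, the weak pointer must be minted on the IDB sequence instead. The receiver is now parked inside the pending callback until the quota manager replies, so a context destroyed in the meantime silently drops it; a comment such as `// If the context dies before the bucket lookup completes, the callback and the receiver are dropped and the renderer sees a closed pipe.` would make that intended lifetime explicit.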
@@ -863,6 +872,14 @@ IndexedDBContextImpl::~IndexedDBContextImpl() {
indexeddb_factory_->ContextDestroyed();
}
+void IndexedDBContextImpl::BindIndexedDBWithBucket(
+ const blink::StorageKey& storage_key,
+ mojo::PendingReceiver<blink::mojom::IDBFactory> receiver,
+ storage::QuotaErrorOr<storage::BucketInfo> result) {
+ DCHECK(result.ok());
+ dispatcher_host_.AddReceiver(storage_key, std::move(receiver));
+}
+
void IndexedDBContextImpl::ShutdownOnIDBSequence() {
DCHECK(idb_task_runner_->RunsTasksInCurrentSequence());
diff --git a/chromium/content/browser/indexed_db/indexed_db_context_impl.h b/chromium/content/browser/indexed_db/indexed_db_context_impl.h
index faebf94a6ec..b4c6a2b6743 100644
--- a/chromium/content/browser/indexed_db/indexed_db_context_impl.h
+++ b/chromium/content/browser/indexed_db/indexed_db_context_impl.h
@@ -19,6 +19,7 @@
#include "base/gtest_prod_util.h"
#include "base/macros.h"
#include "base/memory/ref_counted.h"
+#include "base/memory/weak_ptr.h"
#include "components/services/storage/public/mojom/blob_storage_context.mojom.h"
#include "components/services/storage/public/mojom/file_system_access_context.mojom.h"
#include "components/services/storage/public/mojom/indexed_db_control.mojom.h"
@@ -220,6 +221,13 @@ class CONTENT_EXPORT IndexedDBContextImpl
~IndexedDBContextImpl() override;
+ // Binds receiver on bucket retrieval to ensure that a bucket always exists
+ // for a storage key.
+ void BindIndexedDBWithBucket(
+ const blink::StorageKey& storage_key,
+ mojo::PendingReceiver<blink::mojom::IDBFactory> receiver,
+ storage::QuotaErrorOr<storage::BucketInfo> result);
+
void ShutdownOnIDBSequence();
base::FilePath GetBlobStorePath(const blink::StorageKey& storage_key) const;
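Review bot: `DCHECK(result.ok());` in BindIndexedDBWithBucket is compiled out of release builds, so a failed GetOrCreateBucket (for example a quota database that cannot be opened) still falls through to `dispatcher_host_.AddReceiver` and the IDBFactory is bound without the bucket row the commit message says is guaranteed. The release-build behaviour on error should be decided and written down rather than left to a debug-only assertion: either refuse to bind with `if (!result.ok()) return;  // drop the receiver; the renderer sees a closed pipe` or keep binding but say so, e.g. `// On quota error the factory is still bound; nothing downstream may assume the default bucket exists yet.`. Note also that the BucketInfo carried in a successful result is discarded here, which is fine for a dependency backport but worth a one-line comment so the next migration step knows where to pick it up.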
@@ -271,6 +279,8 @@ class CONTENT_EXPORT IndexedDBContextImpl
mojo::Receiver<storage::mojom::QuotaClient> quota_client_receiver_;
const std::unique_ptr<storage::FilesystemProxy> filesystem_proxy_;
+ base::WeakPtrFactory<IndexedDBContextImpl> weak_factory_{this};
+
DISALLOW_COPY_AND_ASSIGN(IndexedDBContextImpl);
}; |
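Review bot: `weak_factory_` is added directly before DISALLOW_COPY_AND_ASSIGN, i.e. as the last data member, but the declaration carries no comment recording that the position is load-bearing. Chromium's convention is that the factory stays last so outstanding WeakPtrs are invalidated before the members above it are destroyed; a comment such as `// Must be the last member so WeakPtrs are invalidated before the members above are torn down.` keeps a later member addition from silently reintroducing a use-after-destruction window in the bucket callback.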