authorMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-21 11:50:09 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-22 08:11:54 +0000
commit6475589b7edc2f70f1b9fd4c1cf49b39d82b267b (patch)
treea1155ae3bf483a5c9f6930f24ba92bc84fea3980
parent1456539bd0516e97758201fbbc015b5d99b61471 (diff)
downloadqtwebengine-chromium-6475589b7edc2f70f1b9fd4c1cf49b39d82b267b.tar.gz
[Backport] CVE-2020-16001: Use after free in media.
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2472397: Validate input of MediaStreamDispatcherHost::OpenDevice() This method forwards to MediaStreamManager::OpenDevice(), which DCHECKs for the stream type to be device video or audio capture (i.e., webcam or mic). However, MSDH admits other stream types, which cause MSM::OpenDevice to hit this DCHECK. This CL ensures that a message containing an incorrect stream type, which could be sent by a malicious renderer, results in killing the renderer process. Bug: 1135018 Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/bad_message.h2
-rw-r--r--chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc8
-rw-r--r--chromium/tools/metrics/histograms/enums.xml1
3 files changed, 10 insertions, 1 deletions
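--- a/chromium/content/browser/bad_message.h
+++ b/chromium/content/browser/bad_message.h
@@ -230,7 +230,7 @@ enum BadMessageReason {
 PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR = 202,
 RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 203,
 RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 204,
-
+ MSDH_INVALID_STREAM_TYPE = 234,
 // Please add new elements here. The naming convention is abbreviated class
 // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
 // reason. After making changes, you MUST update histograms.xml by running: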
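Review bot: The new enumerator jumps from 204 straight to 234, leaving 205–233 unassigned in this copy of BadMessageReason, and nothing in the header says why. The value is what enums.xml records (the hunk's own comment says histograms.xml must be updated), so a manual backport presumably has to keep the number upstream chose, but a reader of this file cannot tell that from the hunk and a later local addition could fill the gap or renumber it. A one-line comment before the entry, `// Value matches upstream Chromium; the gap after 204 is intentional, do not renumber.`, would make that explicit. The removed blank line was the separator before the "Please add new elements here" comment; restoring it after the new entry keeps the list readable.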
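--- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
@@ -10,6 +10,7 @@
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/task_runner_util.h"
+#include "content/browser/bad_message.h"
 #include "content/browser/renderer_host/media/media_stream_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
@@ -164,6 +165,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id,
 MediaStreamType type,
 OpenDeviceCallback callback) {
 DCHECK_CURRENTLY_ON(BrowserThread::IO);
+ // OpenDevice is only supported for microphone or webcam capture.
+ if (type != MediaStreamType::MEDIA_DEVICE_AUDIO_CAPTURE &&
+ type != MediaStreamType::MEDIA_DEVICE_VIDEO_CAPTURE) {
+ bad_message::ReceivedBadMessage(
+ render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST);
+ return;
+ }
 base::PostTaskAndReplyWithResult(
 BrowserThread::GetTaskRunnerForThread(BrowserThread::UI).get(), FROM_HERE,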
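Review bot: The guard's ReceivedBadMessage call passes `bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST`, but the reason this commit adds to bad_message.h and enums.xml is `MSDH_INVALID_STREAM_TYPE`, so the new enumerator is never emitted and the renderer kill is recorded under a reason that presumably belongs to a different host; if the MDDH value already exists in bad_message.h this compiles without complaint. The line should read `render_process_id_, bad_message::MSDH_INVALID_STREAM_TYPE);` (the bad_message.h hunk is the other half of this mismatch). The shape of the check is right for untrusted IPC input: the type is rejected on the IO thread before anything is posted to the UI thread, so MediaStreamManager::OpenDevice, which the commit message says only DCHECKs the type, is no longer reachable with a non-device type in builds where DCHECKs are compiled out. OpenDevice's body continues past the end of the hunk.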
diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml
index 43bd4157f4f..2077e428be9 100644
--- a/chromium/tools/metrics/histograms/enums.xml
+++ b/chromium/tools/metrics/histograms/enums.xml
@@ -3342,6 +3342,7 @@ uploading your change for review. These are checked by presubmit scripts.
<int value="202" label="PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR"/>
<int value="203" label="RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
<int value="204" label="RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
+ <int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
</enum>
<enum name="BadMessageReasonExtensions">