author | Michael Brüning <michael.bruning@qt.io> | 2020-10-21 11:50:09 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-10-22 08:11:54 +0000 |
commit | 6475589b7edc2f70f1b9fd4c1cf49b39d82b267b (patch) | |
tree | a1155ae3bf483a5c9f6930f24ba92bc84fea3980 | |
parent | 1456539bd0516e97758201fbbc015b5d99b61471 (diff) | |
[Backport] CVE-2020-16001: Use after free in media.
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2472397:
Validate input of MediaStreamDispatcherHost::OpenDevice()
This method forwards to MediaStreamManager::OpenDevice(), which
DCHECKs for the stream type to be device video or audio capture
(i.e., webcam or mic). However, MSDH admits other stream types,
which cause MSM::OpenDevice to hit this DCHECK.
This CL ensures that a message containing an incorrect stream type,
which could be sent by a malicious renderer, results in killing the
renderer process.
Bug: 1135018
Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/bad_message.h | 2 | ||||
-rw-r--r-- | chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc | 8 | ||||
-rw-r--r-- | chromium/tools/metrics/histograms/enums.xml | 1 |
3 files changed, 10 insertions, 1 deletions
diff --git a/chromium/content/browser/bad_message.h b/chromium/content/browser/bad_message.h
index f5e39320ca6..626b4a3cd58 100644
--- a/chromium/content/browser/bad_message.h
+++ b/chromium/content/browser/bad_message.h
@@ -230,7 +230,7 @@ enum BadMessageReason {
 PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR = 202,
 RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 203,
 RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 204,
-
+ MSDH_INVALID_STREAM_TYPE = 234,
 // Please add new elements here. The naming convention is abbreviated class
 // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
 // reason. After making changes, you MUST update histograms.xml by running:
diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
index 1125662f127..ecf96705a0b 100644
--- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
@@ -10,6 +10,7 @@
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/task_runner_util.h"
+#include "content/browser/bad_message.h"
 #include "content/browser/renderer_host/media/media_stream_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
@@ -164,6 +165,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id,
 MediaStreamType type,
 OpenDeviceCallback callback) {
 DCHECK_CURRENTLY_ON(BrowserThread::IO);
+ // OpenDevice is only supported for microphone or webcam capture.
+ if (type != MediaStreamType::MEDIA_DEVICE_AUDIO_CAPTURE &&
+ type != MediaStreamType::MEDIA_DEVICE_VIDEO_CAPTURE) {
+ bad_message::ReceivedBadMessage(
+ render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST);
+ return;
+ }
 base::PostTaskAndReplyWithResult(
 BrowserThread::GetTaskRunnerForThread(BrowserThread::UI).get(), FROM_HERE,
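Review bot: The enumerator `MSDH_INVALID_STREAM_TYPE = 234` added in this hunk is never referenced by the commit: the OpenDevice hunk in media_stream_dispatcher_host.cc on this page calls `bad_message::ReceivedBadMessage(render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST)` instead. If that MDDH value already exists in the part of `BadMessageReason` outside the hunk, the build succeeds but a renderer sending a bad `MediaStreamType` is killed under a MediaDevicesDispatcherHost reason and the `MSDH_INVALID_STREAM_TYPE` label added to enums.xml is never recorded; if it does not exist, the .cc file fails to compile. Since the backport adds both the enumerator and its histogram label, the intended call is presumably `render_process_id_, bad_message::MSDH_INVALID_STREAM_TYPE);`, which should be verified against the upstream CL. The `BadMessageReason` enum starts and ends outside this hunk.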
diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml
index 43bd4157f4f..2077e428be9 100644
--- a/chromium/tools/metrics/histograms/enums.xml
+++ b/chromium/tools/metrics/histograms/enums.xml
@@ -3342,6 +3342,7 @@ uploading your change for review. These are checked by presubmit scripts.
 <int value="202" label="PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR"/>
 <int value="203" label="RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
 <int value="204" label="RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
+ <int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
 </enum>
 <enum name="BadMessageReasonExtensions"> |