authorAaron Leventhal <aleventhal@google.com>2020-04-02 17:14:57 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-04-24 14:32:47 +0000
commit798537f6ebbcfaf459b47724539daf795368a40e (patch)
treeaba48cba10726554952602d2bdb6bcc0e850c1d4
parentf3fbe32fb256da3d0a8f92e61ebdca639d417e23 (diff)
downloadqtwebengine-chromium-798537f6ebbcfaf459b47724539daf795368a40e.tar.gz
[Backport] Security bug 1025740 2/2
Lifecycle change safety check Lifecycle changes should not occur during a11y serialization. This adds a safety check that triggers a DCHECK when that occurs. Bug: 1025740 Change-Id: I858b7e437eeb97e3d0284192bda39128c16b6b7e Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/renderer/accessibility/blink_ax_tree_source.cc8
-rw-r--r--chromium/third_party/blink/public/BUILD.gn5
-rw-r--r--chromium/third_party/blink/public/web/web_disallow_transition_scope.h33
-rw-r--r--chromium/third_party/blink/renderer/core/BUILD.gn4
-rw-r--r--chromium/third_party/blink/renderer/core/exported/BUILD.gn6
-rw-r--r--chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc29
6 files changed, 85 insertions, 0 deletions
diff --git a/chromium/content/renderer/accessibility/blink_ax_tree_source.cc b/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
index ed974c80302..094773f193f 100644
--- a/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
+++ b/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
@@ -31,6 +31,7 @@
#include "third_party/blink/public/platform/web_vector.h"
#include "third_party/blink/public/web/web_ax_enums.h"
#include "third_party/blink/public/web/web_ax_object.h"
+#include "third_party/blink/public/web/web_disallow_transition_scope.h"
#include "third_party/blink/public/web/web_document.h"
#include "third_party/blink/public/web/web_element.h"
#include "third_party/blink/public/web/web_form_control_element.h"
@@ -548,6 +549,13 @@ WebAXObject BlinkAXTreeSource::GetNull() const {
void BlinkAXTreeSource::SerializeNode(WebAXObject src,
AXContentNodeData* dst) const {
+#if DCHECK_IS_ON()
+ // Never causes a document lifecycle change during serialization,
+ // because the assumption is that layout is in a safe, stable state.
+ WebDocument document = GetMainDocument();
+ blink::WebDisallowTransitionScope disallow(&document);
+#endif
+
dst->role = src.Role();
AXStateFromBlink(src, dst);
dst->id = src.AxID();
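Review bot: The new guard takes the address of `document` without checking that `GetMainDocument()` returned a non-null handle; `WebDisallowTransitionScope`'s constructor dereferences the handle to reach the lifecycle, so a serialization attempted while the frame has no document would become a null dereference in DCHECK builds rather than the lifecycle DCHECK this change is meant to produce. If a null document is a reachable state here (GetMainDocument's body is outside the hunk), add `DCHECK(!document.IsNull());` directly after the `WebDocument document = GetMainDocument();` line so the failure is attributed correctly, or make the scope tolerate a null handle. The comment above it reads as a statement of fact about the code rather than the invariant being enforced; `// Must never cause a document lifecycle change during serialization,` says what the guard checks. Note also that the include added in the earlier hunk is unconditional while blink/public/BUILD.gn lists the header only under `is_debug || dcheck_always_on`; it still resolves from disk, but `gn check` may flag the include in other configurations. SerializeNode continues past the end of the hunk.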
diff --git a/chromium/third_party/blink/public/BUILD.gn b/chromium/third_party/blink/public/BUILD.gn
index 9afd94a0762..2a0799012bb 100644
--- a/chromium/third_party/blink/public/BUILD.gn
+++ b/chromium/third_party/blink/public/BUILD.gn
@@ -3,6 +3,7 @@
# found in the LICENSE file.
import("//build/buildflag_header.gni")
+import("//build/config/dcheck_always_on.gni")
import("//mojo/public/tools/bindings/mojom.gni")
import("//third_party/blink/public/public_features.gni")
import("//third_party/blink/renderer/config.gni")
@@ -443,6 +444,10 @@ source_set("blink_headers") {
"web/win/web_font_rendering.h",
]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "web/web_disallow_transition_scope.h" ]
+ }
+
public_configs = [
":blink_headers_config",
diff --git a/chromium/third_party/blink/public/web/web_disallow_transition_scope.h b/chromium/third_party/blink/public/web/web_disallow_transition_scope.h
new file mode 100644
index 00000000000..f66515a6f58
--- /dev/null
+++ b/chromium/third_party/blink/public/web/web_disallow_transition_scope.h
@@ -0,0 +1,33 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
+#define THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
+
+#include <memory>
+
+#include "third_party/blink/public/platform/web_common.h"
+#include "third_party/blink/public/web/web_document.h"
+
+namespace blink {
+
+class DocumentLifecycle;
+
+class WebDisallowTransitionScope {
+ // Causes DCHECKs only, does not actually prevent lifecycle changes.
+ // This is useful to prevent certain types of crashes that occur, for example,
+ // when updating properties in the accessible object hierarchy.
+ public:
+ BLINK_EXPORT explicit WebDisallowTransitionScope(WebDocument* web_document);
+ BLINK_EXPORT virtual ~WebDisallowTransitionScope();
+
+ private:
+ DocumentLifecycle& Lifecycle(WebDocument*) const;
+
+ DocumentLifecycle& document_lifecycle_;
+};
+
+} // namespace blink
+
+#endif // THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
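Review bot: `WebDisallowTransitionScope` increments a counter in its constructor and decrements it in its destructor but leaves the implicitly generated copy operations available, so a copy (for example an accidental pass-by-value) would decrement the same `DocumentLifecycle` twice and silently disable the check the class exists to provide. Add `WebDisallowTransitionScope(const WebDisallowTransitionScope&) = delete;` and `WebDisallowTransitionScope& operator=(const WebDisallowTransitionScope&) = delete;` under `public:`. The `virtual` on the destructor serves no purpose for a stack-scoped guard with no derived classes, and `<memory>` is not used by anything declared here. Chromium convention also places the class comment above the `class` line rather than inside the body before `public:`.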
diff --git a/chromium/third_party/blink/renderer/core/BUILD.gn b/chromium/third_party/blink/renderer/core/BUILD.gn
index 1c2e3e6e287..4d6865ed531 100644
--- a/chromium/third_party/blink/renderer/core/BUILD.gn
+++ b/chromium/third_party/blink/renderer/core/BUILD.gn
@@ -1594,6 +1594,10 @@ jumbo_source_set("unit_tests") {
"xml/xpath_functions_test.cc",
]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "exported/web_disallow_transition_scope_test.cc" ]
+ }
+
configs += [
":blink_core_pch",
"//third_party/blink/renderer:config",
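Review bot: The unit_tests source list gains `exported/web_disallow_transition_scope_test.cc`, but that file is not among the six files this commit adds (see the diffstat), so unless it already exists in the tree the `unit_tests` target will fail to build whenever `is_debug || dcheck_always_on` holds. Either carry the test over in the backport or drop this hunk. The hunk also uses `dcheck_always_on` without a visible `import("//build/config/dcheck_always_on.gni")`, which the other two BUILD.gn files in this commit add; if core/BUILD.gn does not already import it (directly or via core.gni), the condition will not evaluate.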
diff --git a/chromium/third_party/blink/renderer/core/exported/BUILD.gn b/chromium/third_party/blink/renderer/core/exported/BUILD.gn
index 069f2e17000..2d8b1a89e44 100644
--- a/chromium/third_party/blink/renderer/core/exported/BUILD.gn
+++ b/chromium/third_party/blink/renderer/core/exported/BUILD.gn
@@ -1,6 +1,7 @@
# Copyright 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
+import("//build/config/dcheck_always_on.gni")
import("//third_party/blink/renderer/core/core.gni")
blink_core_sources("exported") {
@@ -81,5 +82,10 @@ blink_core_sources("exported") {
"web_view_impl.h",
]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "web_disallow_transition_scope.cc" ]
+ }
+
+
defines = [ "BLINK_IMPLEMENTATION=1" ]
}
diff --git a/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc b/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc
new file mode 100644
index 00000000000..e94290cbdb5
--- /dev/null
+++ b/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc
@@ -0,0 +1,29 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "third_party/blink/public/web/web_disallow_transition_scope.h"
+
+#include "third_party/blink/public/web/web_document.h"
+#include "third_party/blink/renderer/core/dom/document.h"
+#include "third_party/blink/renderer/core/dom/document_lifecycle.h"
+
+namespace blink {
+
+WebDisallowTransitionScope::WebDisallowTransitionScope(
+ WebDocument* web_document)
+ : document_lifecycle_(Lifecycle(web_document)) {
+ document_lifecycle_.IncrementNoTransitionCount();
+}
+
+WebDisallowTransitionScope::~WebDisallowTransitionScope() {
+ document_lifecycle_.DecrementNoTransitionCount();
+}
+
+DocumentLifecycle& WebDisallowTransitionScope::Lifecycle(
+ WebDocument* web_document) const {
+ Document* document = *web_document;
+ return document->Lifecycle();
+}
+
+} // namespace blink
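Review bot: `Lifecycle()` converts `*web_document` to a `Document*` and calls `Lifecycle()` on it with no null check on either the pointer or the wrapped document, so a null handle (which `WebDocument`'s conversion operator presumably yields as a null `Document*`) turns a misuse into a plain crash inside the guard instead of a diagnosable DCHECK. Since the class is built only in DCHECK configurations and exists to diagnose, add `DCHECK(web_document && !web_document->IsNull());` as the first line of `Lifecycle()`. The helper is also declared `const` but never touches `this`, and its only caller is the constructor's mem-initializer, so a file-local static function would express that more directly than a private member.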