From 76271a2368ed06214ef1f112c6322d94cf968fdd Mon Sep 17 00:00:00 2001
From: Ken Rockot
Date: Thu, 4 Nov 2021 15:08:56 +0000
Subject: [Backport] Security bug 1252858

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3251075:
[M90-LTS][mojo] Validate INTRODUCE source node
INTRODUCE NodeChannel messages should only be acknowledged when coming from the broker process.
(cherry picked from commit 6e74f7b5cb2f48b17403f0431f3e4f3a2e716265)
Fixed: 1252858
Change-Id: I2dff6d5cab102ce744ad2ad66a9f24b4202cbea8
Commit-Queue: Ken Rockot
Cr-Original-Commit-Position: refs/heads/main@{#926430}
Reviewed-by: Artem Sumaneev
Owners-Override: Artem Sumaneev
Commit-Queue: Roger Felipe Zanoni da Silva
Cr-Commit-Position: refs/branch-heads/4430@{#1655}
Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950}
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/mojo/core/node_controller.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/chromium/mojo/core/node_controller.cc b/chromium/mojo/core/node_controller.cc
index 52082c3c289..d0f50b16815 100644
--- a/chromium/mojo/core/node_controller.cc
+++ b/chromium/mojo/core/node_controller.cc
@@ -22,6 +22,7 @@
 #include "mojo/core/broker.h"
 #include "mojo/core/broker_host.h"
 #include "mojo/core/configuration.h"
+#include "mojo/core/ports/name.h"
 #include "mojo/core/request_context.h"
 #include "mojo/core/user_message_impl.h"
 #include "mojo/public/cpp/platform/named_platform_channel.h"
@@ -1063,6 +1064,12 @@ void NodeController::OnIntroduce(const ports::NodeName& from_node,
 PlatformHandle channel_handle) {
 DCHECK(io_task_runner_->RunsTasksInCurrentSequence());
 
+ if (broker_name_ == ports::kInvalidNodeName || from_node != broker_name_) {
+ DVLOG(1) << "Ignoring introduction from non-broker process.";
+ DropPeer(from_node, nullptr);
+ return;
+ }
+
 if (!channel_handle.is_valid()) {
 node_->LostConnectionToNode(name);
 
-- 
cgit v1.2.1
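Review bot: The rejection branch added at the top of OnIntroduce records nothing about who was rejected: the message is a fixed string at `DVLOG(1)`, which (if this tree uses Chromium's usual logging macros) is compiled out of non-DCHECK builds, so an INTRODUCE from a non-broker peer is dropped without any trace in production. Since this is the check that enforces the broker-only trust rule, I would name the sender, `DVLOG(1) << "Ignoring introduction from non-broker node " << from_node;` (this assumes ports::NodeName is streamable, to be confirmed), and consider a log level that survives release builds. A one-line comment above the `if`, such as `// Only the broker may introduce peers; drop any other sender.`, would keep the rule visible without the commit message. The patch touches only node_controller.cc, so no test pins this behaviour, and the function body continues past the end of the hunk.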