|
|
@@ -0,0 +1,57 @@
|
|
|
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
+From: Bill Budge <[email protected]>
|
|
|
+Date: Tue, 20 Apr 2021 15:22:33 +0000
|
|
|
+Subject: M86-LTS: [GeneratedCodeCache] Copy large data before hashing and
|
|
|
+ writing
|
|
|
+
|
|
|
+- Makes a copy before hashing and writing large code entries.
|
|
|
+
|
|
|
+(cherry picked from commit cea0cb8eee9900308d9b43661e9faca449086940)
|
|
|
+
|
|
|
+Bug: chromium:1194046
|
|
|
+Change-Id: Id5a6e6d3a04c83cfed2f18db53587d654d642fc0
|
|
|
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2807255
|
|
|
+Reviewed-by: Nasko Oskov <[email protected]>
|
|
|
+Reviewed-by: Mythri Alle <[email protected]>
|
|
|
+Commit-Queue: Bill Budge <[email protected]>
|
|
|
+Cr-Original-Commit-Position: refs/heads/master@{#870064}
|
|
|
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2838077
|
|
|
+Reviewed-by: Bill Budge <[email protected]>
|
|
|
+Commit-Queue: Achuith Bhandarkar <[email protected]>
|
|
|
+Owners-Override: Achuith Bhandarkar <[email protected]>
|
|
|
+Cr-Commit-Position: refs/branch-heads/4240@{#1612}
|
|
|
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
|
|
|
+
|
|
|
+diff --git a/content/browser/code_cache/generated_code_cache.cc b/content/browser/code_cache/generated_code_cache.cc
|
|
|
+index dd5c28f92503ce95082b9b6b6254f6922e5b81ac..4b71cde691a7a89344a556396780ce71cf7aebf7 100644
|
|
|
+--- a/content/browser/code_cache/generated_code_cache.cc
|
|
|
++++ b/content/browser/code_cache/generated_code_cache.cc
|
|
|
+@@ -382,9 +382,18 @@ void GeneratedCodeCache::WriteEntry(const GURL& url,
|
|
|
+ // [stream1] <empty>
|
|
|
+ // [stream0 (checksum key entry)] <empty>
|
|
|
+ // [stream1 (checksum key entry)] data
|
|
|
++
|
|
|
++ // Make a copy of the data before hashing. A compromised renderer could
|
|
|
++ // change shared memory before we can compute the hash and write the data.
|
|
|
++ // TODO(1135729) Eliminate this copy when the shared memory can't be written
|
|
|
++ // by the sender.
|
|
|
++ mojo_base::BigBuffer copy({data.data(), data.size()});
|
|
|
++ if (copy.size() != data.size())
|
|
|
++ return;
|
|
|
++ data = mojo_base::BigBuffer(); // Release the old buffer.
|
|
|
+ uint8_t result[crypto::kSHA256Length];
|
|
|
+ crypto::SHA256HashString(
|
|
|
+- base::StringPiece(reinterpret_cast<char*>(data.data()), data.size()),
|
|
|
++ base::StringPiece(reinterpret_cast<char*>(copy.data()), copy.size()),
|
|
|
+ result, base::size(result));
|
|
|
+ std::string checksum_key = base::HexEncode(result, base::size(result));
|
|
|
+ small_buffer = base::MakeRefCounted<net::IOBufferWithSize>(
|
|
|
+@@ -399,7 +408,7 @@ void GeneratedCodeCache::WriteEntry(const GURL& url,
|
|
|
+ // Issue another write operation for the code, with the checksum as the key
|
|
|
+ // and nothing in the header.
|
|
|
+ auto small_buffer2 = base::MakeRefCounted<net::IOBufferWithSize>(0);
|
|
|
+- auto large_buffer2 = base::MakeRefCounted<BigIOBuffer>(std::move(data));
|
|
|
++ auto large_buffer2 = base::MakeRefCounted<BigIOBuffer>(std::move(copy));
|
|
|
+ auto op2 = std::make_unique<PendingOperation>(Operation::kWriteWithSHAKey,
|
|
|
+ checksum_key, small_buffer2,
|
|
|
+ large_buffer2);
|
Pedro Pontes