
chore: cherry-pick 6b9a07d9eb9b from chromium (#25223)

Jeremy Rose 4 years ago
parent
commit
a60211333c
2 changed files with 94 additions and 0 deletions
  1. 1 0
      patches/chromium/.patches
  2. 93 0
      patches/chromium/reland_fix_uaf_in_selecttype.patch

+ 1 - 0
patches/chromium/.patches

@@ -122,3 +122,4 @@ reconnect_p2p_socket_dispatcher_if_network_service_dies.patch
 allow_focus_to_move_into_an_editable_combobox_s_listbox.patch
 cherry-pick-70579363ce7b.patch
 avoid_loading_dri_via_gbm_when_gpumemorybuffers_are_disabled.patch
+reland_fix_uaf_in_selecttype.patch

+ 93 - 0
patches/chromium/reland_fix_uaf_in_selecttype.patch

@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mason Freed <[email protected]>
+Date: Mon, 20 Jul 2020 19:55:49 +0000
+Subject: Reland "Fix UAF in SelectType"
+
+This is a reland of 72158deaf3751325f1983c87829f65441ee32de3
+
+The only change made here is to add the new test to LeakExpectations,
+pointing to crbug.com/1103082. Local testing shows that this leak
+is triggered by the new test, both before and after this patch. And
+since the patch fixes a UAF security bug, I'd like to land it with the
+test, and then work on the leak.
+
+Fixed: 1102408
+Bug: 1103082
+
[email protected]
+
+Original change's description:
+> Fix UAF in SelectType
+>
+> This fixes the UAF detected by ClusterFuzz in [1], caused by [2].
+> The test case added here is a minimized version of the clusterfuzz
+> case, and I verified that it crashes (ASAN UAF) before this patch
+> and no longer crashes after.
+>
+> [1] https://clusterfuzz.com/testcase-detail/6224868955193344
+> [2] https://chromium-review.googlesource.com/c/chromium/src/+/1912682
+>
+> Fixed: 1102408
+> Change-Id: Ieb6a9582ff5b9676596048920bbcff881fdc2eb2
+> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2283901
+> Commit-Queue: Mason Freed <[email protected]>
+> Auto-Submit: Mason Freed <[email protected]>
+> Reviewed-by: Kent Tamura <[email protected]>
+> Cr-Commit-Position: refs/heads/master@{#785970}
+
+(cherry picked from commit e1c45006a8e5a97778eeed0010a7f57d86e70ca4)
+
+Change-Id: I471cb4abc98a7627803de4e434e0453cb729c15f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2288372
+Auto-Submit: Mason Freed <[email protected]>
+Reviewed-by: Kent Tamura <[email protected]>
+Commit-Queue: Mason Freed <[email protected]>
+Cr-Original-Commit-Position: refs/heads/master@{#786562}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2307621
+Reviewed-by: Mason Freed <[email protected]>
+Cr-Commit-Position: refs/branch-heads/4147@{#902}
+Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962}
+
+diff --git a/third_party/blink/renderer/core/html/forms/select_type.cc b/third_party/blink/renderer/core/html/forms/select_type.cc
+index 345cbeb26823c5f111f2bc2b98fc15f99efe3314..b5a7e169964b40a51b073ae13b2922019bee0927 100644
+--- a/third_party/blink/renderer/core/html/forms/select_type.cc
++++ b/third_party/blink/renderer/core/html/forms/select_type.cc
+@@ -709,7 +709,7 @@ bool ListBoxSelectType::DefaultEventHandler(const Event& event) {
+ 
+       if (Page* page = select_->GetDocument().GetPage()) {
+         page->GetAutoscrollController().StartAutoscrollForSelection(
+-            layout_object);
++            select_->GetLayoutObject());
+       }
+     }
+     // Mousedown didn't happen in this element.
+diff --git a/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt
+new file mode 100644
+index 0000000000000000000000000000000000000000..cbe81f73ef4a3684565b70d51fe460b22702964f
+--- /dev/null
++++ b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt
+@@ -0,0 +1 @@
++PASS - this test passes if it does not crash (ASAN)
+diff --git a/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..8e9361dd7cd1f954a2c482aab7c182789ddc0701
+--- /dev/null
++++ b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html
+@@ -0,0 +1,17 @@
++<style>
++.c:hover { display: block; }
++</style>
++
++<select id=target autofocus=autofocus size=2 class=c></select>
++
++<script>
++if (window.testRunner)
++	testRunner.dumpAsText();
++
++window.onload = function() {
++    eventSender.beginDragWithFiles( ["resources/file-for-drag-to-navigate.html"]);
++    eventSender.mouseMoveTo(target.offsetLeft + 5, target.offsetTop + 5);
++};
++</script>
++
++<p>PASS - this test passes if it does not crash (ASAN)</p>
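Review bot: The re-fetched `select_->GetLayoutObject()` passed to `StartAutoscrollForSelection` can be null after the same style recalc that invalidated the local `layout_object` in the first place — the new test forces exactly that by toggling `display` on `:hover` — so the call should either be guarded here or the callee confirmed to tolerate nullptr. Unless `AutoscrollController::StartAutoscrollForSelection` already checks its argument (not visible in this patch), a guard such as `if (LayoutObject* current = select_->GetLayoutObject()) page->GetAutoscrollController().StartAutoscrollForSelection(current);` would make the fix self-contained. The stale `layout_object` local is declared before the hunk and `ListBoxSelectType::DefaultEventHandler` continues past it, so any later read of that local in the same handler would still be a use-after-free; a comment at the call site like `// Re-fetch: the earlier layout_object may have been destroyed by a style recalc.` would warn the next editor. Because this is a vendored security backport, that note belongs in the Electron-side patch description rather than in the cherry-picked diff body.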