From nobody Fri Jun 21 06:28:37 2024 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4W56r53C1Lz5PZXh; Fri, 21 Jun 2024 06:28:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4W56r51W0Fz420d; Fri, 21 Jun 2024 06:28:37 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1718951317; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5XpdsRwjafUXiiRwTEW8AxUgTwVOlfgPi0Z6T/ki62M=; b=yztNyniUYCU7ifGmZq39/XdwgCpoODIz0vBsUnHKi3oTLBmEw8APNvXxJy+Z/cQC4rxpZU Io84uIqnbSbCL9tSb8VGlsxHdR52I5rqknRs7dcK7JZS6dCwSVSK0465CEz5yOsDkTrBAO aQGoNtLvfnkHKxe4WUUGpAKFoMpPQTXZTfi6Qmyhb9oWAM/2HbyiQjLc52Fy875DCmBI0+ unKN0w2arbCwqRnqAZK5jkr9jo+ku9MTzK3dSGaR7rqEkaIqzJ6nuBJVZLWv7TkYt54u6f 9ZuOdPi/KM8IgHo12mb8AwdlAmu3FroaQHpbuTjXp1j57/Tw80OvdycOjFi3vw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1718951317; a=rsa-sha256; cv=none; b=HYeU6YzMT2f0q1YdDN04Su1ZhFKUw8puPC4Bs4JFq5xWm2Y7tGhDOSGMzxxxCA2l9+EzNB SQbg7/FawfOIRdWkJBtuXafKq0lpk+J6GT+ia5jD6l4waEMqS3RfGflIwCnHReFyeH3EFq 4k36zPvOKzl4Z/bGKAQOeGZgqKw1Q1O9CCtBfUfzhqstWDKW3FCRb9009M7kLLE1hqJK4E LzNWyF61n7Z3tYb+ZApdMq/t9dYfX7iynnqHnNgYpqMsx8EhFcF8auXwR9Fl1GfvNwIdyV zLfOaOmKwVJhZM415rjHc57UYi6jf1hZAJbK6672itDNJWn+MzuLvVLG8f2xZg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1718951317; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=5XpdsRwjafUXiiRwTEW8AxUgTwVOlfgPi0Z6T/ki62M=; b=SySzVKm4TnPzGrYs8PCEdy2xEeEXqJGmvXaaFZEw3sOjVji5WsTnL97PFaml5zKlj1ESdW EvYRRwkdOUYdz4kAiOpycvZ/SBp9RqfRRilZFqFSuy1ETGEjxWtgGuF5i6a1Lvxnju+m6U APBhGX2waYb/uxmtqM5ZiGKhsrFe5fNZldcQ0j4YFNeBoxSAv8G40xFAOKn75q+b1QJM1v XlBd/C2+iwwzTfryKUyjwW84aISzKjOUxIH4Nhdlkgi5sEMhlOWU6MtMtOs9YkPAmklcRk pIuAXf85JRAyCmwOkmR4w8BCI0Udi9Zl8W1HZd+Q2ojyt0sKZ3ZVPrwsB5IfIg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4W56r516NvzxW4; Fri, 21 Jun 2024 06:28:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 45L6SbEv035542; Fri, 21 Jun 2024 06:28:37 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 45L6Sbhd035539; Fri, 21 Jun 2024 06:28:37 GMT (envelope-from git) Date: Fri, 21 Jun 2024 06:28:37 GMT Message-Id: <202406210628.45L6Sbhd035539@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: "Jason E. Hale" Subject: git: 2254fd4c24b9 - 2024Q2 - www/qt5-webengine: Address a few CVEs in chromium List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhale X-Git-Repository: ports X-Git-Refname: refs/heads/2024Q2 X-Git-Reftype: branch X-Git-Commit: 2254fd4c24b94d3a45db4c3e59097e89fad525c0 Auto-Submitted: auto-generated The branch 2024Q2 has been updated by jhale: URL: https://cgit.FreeBSD.org/ports/commit/?id=2254fd4c24b94d3a45db4c3e59097e89fad525c0 commit 2254fd4c24b94d3a45db4c3e59097e89fad525c0 Author: Jason E. Hale AuthorDate: 2024-06-21 06:17:16 +0000 Commit: Jason E. Hale CommitDate: 2024-06-21 06:28:09 +0000 www/qt5-webengine: Address a few CVEs in chromium MFH: 2024Q2 Security: aa2b65e4-2f63-11ef-9cab-4ccc6adda413 (cherry picked from commit 0f4290c640f535b5fe7c9248c4c4ce7990ed4e1c) --- www/qt5-webengine/Makefile | 1 + www/qt5-webengine/files/patch-security-rollup | 618 ++++++++++++++++++++++++++ 2 files changed, 619 insertions(+) diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile index 261a0f2559f3..9b1dbab6880c 100644 --- a/www/qt5-webengine/Makefile +++ b/www/qt5-webengine/Makefile @@ -19,6 +19,7 @@ PORTNAME= webengine DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= www PKGNAMEPREFIX= qt5- diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup index e0554d3d7c61..b27b8cec77c9 100644 --- a/www/qt5-webengine/files/patch-security-rollup +++ b/www/qt5-webengine/files/patch-security-rollup @@ -5,6 +5,14 @@ Addresses the following security issues: - Security bug 329674887 - CVE-2024-3157 - CVE-2024-3516 +- CVE-2024-3839 +- CVE-2024-3837 +- Security bug 40940917 +- CVE-2024-4058 +- Security bug 327698060 +- CVE-2024-4558 +- CVE-2024-3914 +- Security bug 329699609 From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 From: Marco Paniconi @@ -271,3 +279,613 @@ index 84a0c8fd9e0d..3e8a4a71ff67 100644 } const TQualifier qualifier = fieldType->getQualifier(); +From 2c61d151bd3fab48c7e03a4cbfca22fa09c9022c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= +Date: Thu, 14 Mar 2024 12:48:18 +0000 +Subject: [PATCH] [Backport] CVE-2024-3839: Out of bounds read in Fonts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5361874: +Disable STAT sanitization/checks through OTS + +Due to issues in upstream, OTS STAT sanitization does not provide an +added security benefit. Pass-through the STAT table. + +Bug: chromium:41491859 +Change-Id: I19dcd87376af553afe242452396b951a74691f3c +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361874 +Commit-Queue: Dominik Röttsches +Reviewed-by: Koji Ishii +Cr-Commit-Position: refs/heads/main@{#1272710} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560661 +Reviewed-by: Michal Klocek +--- + .../blink/renderer/platform/fonts/web_font_decoder.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc b/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc +index e72f801016a3..dfae30c22c22 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc +@@ -97,6 +97,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { + const uint32_t kCpalTag = OTS_TAG('C', 'P', 'A', 'L'); + const uint32_t kCff2Tag = OTS_TAG('C', 'F', 'F', '2'); + const uint32_t kSbixTag = OTS_TAG('s', 'b', 'i', 'x'); ++ const uint32_t kStatTag = OTS_TAG('S', 'T', 'A', 'T'); + #if HB_VERSION_ATLEAST(1, 0, 0) + const uint32_t kGdefTag = OTS_TAG('G', 'D', 'E', 'F'); + const uint32_t kGposTag = OTS_TAG('G', 'P', 'O', 'S'); +@@ -123,6 +124,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { + case kCpalTag: + case kCff2Tag: + case kSbixTag: ++ case kStatTag: + #if HB_VERSION_ATLEAST(1, 0, 0) + // Let HarfBuzz handle how to deal with broken tables. + case kAvarTag: +From 0594d0383b46e78d33fde62258ffb49b53d3c429 Mon Sep 17 00:00:00 2001 +From: Liza Burakova +Date: Wed, 21 Feb 2024 19:02:15 +0000 +Subject: [PATCH] [Backport] CVE-2024-3837: Use after free in QUIC + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5268864: +Check if session is going away in Handle::RequestStream. + +This CL adds an extra check in the QuicChromiumClientSession +handle's RequestSession to make sure the session is not +marked as going away before creating a new StreamRequest. + +Bug: 41491379 +Change-Id: I687dfc23131871cdba345d3cf78dbbbd2e619ce9 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5268864 +Reviewed-by: Kenichi Ishibashi +Commit-Queue: Liza Burakova +Cr-Commit-Position: refs/heads/main@{#1263483} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560662 +Reviewed-by: Michal Klocek +--- + chromium/net/quic/quic_chromium_client_session.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc +index 6e08826bbb0d..4bca38bd10db 100644 +--- src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc ++++ src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc +@@ -500,7 +500,8 @@ int QuicChromiumClientSession::Handle::RequestStream( + const NetworkTrafficAnnotationTag& traffic_annotation) { + DCHECK(!stream_request_); + +- if (!session_) ++ // TODO(crbug.com/41491379): Add a regression test. ++ if (!session_ || session_->going_away_) + return ERR_CONNECTION_CLOSED; + + requires_confirmation |= session_->gquic_zero_rtt_disabled(); +From 28c3af39d3bdaea88865f901d19862bf7d44199d Mon Sep 17 00:00:00 2001 +From: Pete Williamson +Date: Tue, 27 Feb 2024 00:19:05 +0000 +Subject: [PATCH] [Backport] Security bug 40940917 + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5293726: +Fix misalligned address in hunspell::NodeReader::ReaderForLookupAt + +With the Hunspell spell checking library, we are using a custom wrapper +to read the dictionaries from files. In that custom wrapper, we were +reading by using reinterpret_cast to interpret an offset into a pointer, +and then reading the bytes at that pointer for the child_offset. + +The spell checking code appears to have been working properly in the +field. However, the current code caused fuzzing test failures, and +those failures are blocking other tests, so we need to fix this to +unblock other tests. + +It turns out that we were casting a value to a pointer that did not +have proper alignment (for instance, a pointer to a 32 bit int needs +to be 4 byte allinged, but this pointer was not). While it has often +worked in older compilers, it turns out this is undefined behavior. + +Instead of relying on undefined behavior, the right thing to do is to +use std::memcpy to copy the bytes from the misalligned address into +their final destination (either an int32 or an int16 in this case). + +Bug: 40940917 +Change-Id: I8aeba9ee8000b51e98863813235d8dceb1c41ceb +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5293726 +Commit-Queue: Peter Williamson +Reviewed-by: Trevor Perrier +Cr-Commit-Position: refs/heads/main@{#1265552} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560663 +Reviewed-by: Michal Klocek +--- + .../hunspell/google/bdict_reader.cc | 27 ++++++++++++++----- + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/chromium/third_party/hunspell/google/bdict_reader.cc b/chromium/third_party/hunspell/google/bdict_reader.cc +index 70416a7c9048..70e4d4977ad5 100644 +--- src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc ++++ src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc +@@ -5,6 +5,8 @@ + #include "third_party/hunspell/google/bdict_reader.h" + + #include ++#include ++#include + + #include "base/check.h" + +@@ -413,19 +415,32 @@ NodeReader::FindResult NodeReader::ReaderForLookupAt( + if (index >= static_cast(lookup_num_chars()) || !is_valid_) + return FIND_DONE; + +- size_t child_offset; ++ size_t child_offset = 0; + if (is_lookup_32()) { + // Table contains 32-bit absolute offsets. +- child_offset = +- reinterpret_cast(table_begin)[index]; ++ ++ // We need to use memcpy here instead of just casting the offset into a ++ // pointer to an int because the cast can cause undefined behavior if ++ // the pointer is not alligned, and in this case it is not. ++ int byte_offset = index * sizeof(uint32_t); ++ std::memcpy(&child_offset, ++ reinterpret_cast(table_begin + byte_offset), ++ sizeof(uint32_t)); + if (!child_offset) + return FIND_NOTHING; // This entry in the table is empty. + } else { + // Table contains 16-bit offsets relative to the current node. +- child_offset = +- reinterpret_cast(table_begin)[index]; +- if (!child_offset) ++ ++ // We need to use memcpy here instead of just casting the offset into a ++ // pointer to an int because the cast can cause undefined behavior if ++ // the pointer is not alligned, and in this case it is not. ++ int byte_offset = index * sizeof(uint16_t); ++ std::memcpy(&child_offset, ++ reinterpret_cast(table_begin + byte_offset), ++ sizeof(uint16_t)); ++ if (!child_offset) { + return FIND_NOTHING; // This entry in the table is empty. ++ } + child_offset += node_offset_; + } + +From b4d43a76e4c334084400402c09620ef24870704e Mon Sep 17 00:00:00 2001 +From: Shahbaz Youssefi +Date: Mon, 8 Apr 2024 10:14:45 -0400 +Subject: [PATCH] [Backport] CVE-2024-4058: Type Confusion in ANGLE + +Partial manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5466390: +SPIR-V: Fix const constructors with single scalar + +These constructors may be generated because of +RemoveArrayLengthTraverser. + +Bug: chromium:332546345 +Change-Id: I2b2bf3728ef5bae148abc2a8518f8f3f42850025 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5462388 +(cherry picked from commit 0b776d32f69a932acb61963d9daad9e13f610944) +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5466390 +Commit-Queue: Zakhar Voit +Reviewed-by: Shahbaz Youssefi +Reviewed-by: Geoff Lang +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560664 +Reviewed-by: Michal Klocek +--- + .../third_party/angle/src/compiler/translator/Compiler.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp +index 27975887086a..435d3b41b3a3 100644 +--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp ++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp +@@ -757,6 +757,11 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root, + { + return false; + } ++ // Fold the expressions again, because |RemoveArrayLengthMethod| can introduce new constants. ++ if (!FoldExpressions(this, root, &mDiagnostics)) ++ { ++ return false; ++ } + + if (!RemoveUnreferencedVariables(this, root, &mSymbolTable)) + { +From dceba69334080559303f92fc4a6c6d01e7dcd00c Mon Sep 17 00:00:00 2001 +From: Brendon Tiszka +Date: Sun, 3 Mar 2024 21:30:59 +0100 +Subject: [PATCH] [Backport] Security bug 327698060 + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5337387: +PaintOpReader: Harden PaintImage deserialization + +Add missing validity check after `Read` + +Bug: 327698060 +Change-Id: I0aa5120296009998af3235a01304a1f597a82a33 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5337387 +Commit-Queue: Khushal Sagar +Reviewed-by: Khushal Sagar +Cr-Commit-Position: refs/heads/main@{#1267636} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560665 +Reviewed-by: Michal Klocek +Reviewed-by: Allan Sandfeld Jensen +--- + chromium/cc/paint/paint_op_reader.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc +index 0979f6630175..b6a9d8ca3641 100644 +--- src/3rdparty/chromium/cc/paint/paint_op_reader.cc ++++ src/3rdparty/chromium/cc/paint/paint_op_reader.cc +@@ -309,6 +309,10 @@ void PaintOpReader::Read(PaintImage* image) { + case PaintOp::SerializedImageType::kImageData: { + SkColorType color_type; + Read(&color_type); ++ if (!valid_) { ++ return; ++ } ++ + uint32_t width; + Read(&width); + uint32_t height; +From 2b188075ed5f01cc9c09b5273b5e6177d7252a0e Mon Sep 17 00:00:00 2001 +From: Geoff Lang +Date: Mon, 29 Apr 2024 15:27:36 -0400 +Subject: [PATCH] [Backport] CVE-2024-4558: Use after free in ANGLE + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5498735: +GL: Sync unpack state for glCompressedTexSubImage3D + +Unpack state is supposed to be ignored for compressed tex image calls +but some drivers use it anyways and read incorrect data. + +Texture3DTestES3.PixelUnpackStateTexSubImage covers this case. + +Bug: chromium:337766133 +Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735 +Commit-Queue: Shahbaz Youssefi + +Reviewed-by: Shahbaz Youssefi +Change-Id: I0736ceb1e3165f571358ae06a0287b3f5a98d425 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560666 +Reviewed-by: Michal Klocek +--- + .../third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp +index 035d4520b13b..0cfd21621bb3 100644 +--- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp ++++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp +@@ -579,6 +579,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context, + nativegl::GetCompressedSubTexImageFormat(functions, features, format); + + stateManager->bindTexture(getType(), mTextureID); ++ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack)); + if (nativegl::UseTexImage2D(getType())) + { + ASSERT(area.z == 0 && area.depth == 1); +From d553c9366aedad5701852427f8e1910381c4ff8b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= +Date: Tue, 26 Mar 2024 13:53:21 +0000 +Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (1/2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Manual backport of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5387887: +[M120-LTS] Fix DOMArrayBuffer::IsDetached() + +M120 merge issues: + third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc: + - Conflicting types for variable worlds + - Conflicting AllWorldsInIsolate() call (M120 doesn't use the last argument) + +A DOMArrayBuffer was maintaining its own "is_detached_" state, and +would consider itself non-detached even if the corresponding +JSArrayBuffer (or, all of them, in case there are several) was +detached. + +Piping in the v8::Isolate would be a too big change for this fix, so this is using v8::Isolate::GetCurrent() for now. + +Bug: 330759272 +Change-Id: I1e98ebd2066d2e59658db12f1bb419b6ebc1d706 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5387887 +Commit-Queue: Marja Hölttä +Cr-Commit-Position: refs/heads/main@{#1278283} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562706 +Reviewed-by: Allan Sandfeld Jensen +--- + .../core/typed_arrays/dom_array_buffer.cc | 50 +++++++++++++++++++ + .../core/typed_arrays/dom_array_buffer.h | 13 +++++ + .../core/typed_arrays/dom_array_buffer_base.h | 2 +- + 3 files changed, 64 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +index c456d15f2f50..38dcd3a35737 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +@@ -18,6 +18,15 @@ static void AccumulateArrayBuffersForAllWorlds( + v8::Isolate* isolate, + DOMArrayBuffer* object, + Vector, 4>& buffers) { ++ if (!object->has_non_main_world_wrappers() && IsMainThread()) { ++ const DOMWrapperWorld& world = DOMWrapperWorld::MainWorld(); ++ v8::Local wrapper = world.DomDataStore().Get(object, isolate); ++ if (!wrapper.IsEmpty()) { ++ buffers.push_back(v8::Local::Cast(wrapper)); ++ } ++ return; ++ } ++ + Vector> worlds; + DOMWrapperWorld::AllWorldsInCurrentThread(worlds); + for (const auto& world : worlds) { +@@ -155,6 +164,47 @@ DOMArrayBuffer* DOMArrayBuffer::Create( + return Create(std::move(contents)); + } + ++bool DOMArrayBuffer::IsDetached() const { ++ if (contents_.BackingStore() == nullptr) { ++ return is_detached_; ++ } ++ if (is_detached_) { ++ return true; ++ } ++ ++ v8::Isolate* isolate = v8::Isolate::GetCurrent(); ++ v8::HandleScope handle_scope(isolate); ++ Vector, 4> buffer_handles; ++ AccumulateArrayBuffersForAllWorlds(isolate, const_cast(this), buffer_handles); ++ ++ // There may be several v8::ArrayBuffers corresponding to the DOMArrayBuffer, ++ // but at most one of them may be non-detached. ++ int nondetached_count = 0; ++ int detached_count = 0; ++ ++ for (const auto& buffer_handle : buffer_handles) { ++ if (buffer_handle->WasDetached()) { ++ ++detached_count; ++ } else { ++ ++nondetached_count; ++ } ++ } ++ CHECK_LE(nondetached_count, 1); ++ ++ return nondetached_count == 0 && detached_count > 0; ++} ++ ++v8::Local DOMArrayBuffer::AssociateWithWrapper( ++ v8::Isolate* isolate, ++ const WrapperTypeInfo* wrapper_type_info, ++ v8::Local wrapper) { ++ if (!DOMWrapperWorld::Current(isolate).IsMainWorld()) { ++ has_non_main_world_wrappers_ = true; ++ } ++ return ScriptWrappable::AssociateWithWrapper(isolate, wrapper_type_info, ++ wrapper); ++} ++ + DOMArrayBuffer* DOMArrayBuffer::Slice(size_t begin, size_t end) const { + begin = std::min(begin, ByteLengthAsSizeT()); + end = std::min(end, ByteLengthAsSizeT()); +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h +index e9a85d38d4d4..b1820dfa8408 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h +@@ -79,8 +79,21 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase { + v8::Local Wrap(v8::Isolate*, + v8::Local creation_context) override; + ++ bool IsDetached() const override; ++ ++ v8::Local AssociateWithWrapper( ++ v8::Isolate* isolate, ++ const WrapperTypeInfo* wrapper_type_info, ++ v8::Local wrapper) override; ++ ++ bool has_non_main_world_wrappers() const { ++ return has_non_main_world_wrappers_; ++ } ++ + private: + bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result); ++ ++ bool has_non_main_world_wrappers_ = false; + }; + + } // namespace blink +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h +index e99cce60dd7f..3ae9a4360e85 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h +@@ -33,7 +33,7 @@ class CORE_EXPORT DOMArrayBufferBase : public ScriptWrappable { + return base::checked_cast(contents_.DataLength()); + } + +- bool IsDetached() const { return is_detached_; } ++ virtual bool IsDetached() const { return is_detached_; } + + void Detach() { is_detached_ = true; } + +From efda8125f55049957e196995dffafb6dc171eadf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= +Date: Thu, 4 Apr 2024 09:43:42 +0200 +Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (2/2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5419329: +[M120-LTS] Comment out a CHECK that a DOMAB has maximally one non-detached JSAB + +Based on crash reports, this assumption is not true and has to be +investigated. + +Removing this newly introduced CHECK to be able to merge fixes in this +area - we still violate this invariant but the fixes are a step into +the right direction. + +Fix in question: +https://chromium-review.googlesource.com/5387887 +which also introduced this CHECK. + +Bug: 330759272 +Change-Id: I4ba52fee7ed8f45e352efd347e87df03d896ac3d +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5419329 +Commit-Queue: Marja Hölttä +Cr-Commit-Position: refs/heads/main@{#1282379} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562707 +Reviewed-by: Allan Sandfeld Jensen +--- + .../blink/renderer/core/typed_arrays/dom_array_buffer.cc | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +index 38dcd3a3573..69e332272dd 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +@@ -189,7 +189,11 @@ bool DOMArrayBuffer::IsDetached() const { + ++nondetached_count; + } + } +- CHECK_LE(nondetached_count, 1); ++ // This CHECK fires even though it should not. TODO(330759272): Investigate ++ // under which conditions we end up with multiple non-detached JSABs for the ++ // same DOMAB and potentially restore this check. ++ ++ // CHECK_LE(nondetached_count, 1); + + return nondetached_count == 0 && detached_count > 0; + } +From 91b3c705d739f6b6c58da6133e8e818e06dfcaa3 Mon Sep 17 00:00:00 2001 +From: Victor Gomes +Date: Thu, 21 Mar 2024 09:59:19 +0100 +Subject: [PATCH] [Backport] Security bug 329699609 + +Manual backport of patch originally reviewed on +https://chromium-review.googlesource.com/c/v8/v8/+/5378286: +Deal with large strings in NoSideEffectsErrorToString + +If name is too big, StringBuilder will fail to even add +"" suffix. + +In this case, we truncate name first. + +Bug: 329699609 +Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286 +Commit-Queue: Victor Gomes +Reviewed-by: Patrick Thier +Auto-Submit: Victor Gomes +Cr-Commit-Position: refs/heads/main@{#92932} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708 +Reviewed-by: Allan Sandfeld Jensen +--- + chromium/v8/src/objects/objects.cc | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc +index 7b38609e347..7820c7e8e58 100644 +--- src/3rdparty/chromium/v8/src/objects/objects.cc ++++ src/3rdparty/chromium/v8/src/objects/objects.cc +@@ -425,14 +425,27 @@ Handle NoSideEffectsErrorToString(Isolate* isolate, + if (name_str->length() == 0) return msg_str; + if (msg_str->length() == 0) return name_str; + +- IncrementalStringBuilder builder(isolate); +- builder.AppendString(name_str); +- builder.AppendCString(": "); ++ constexpr const char error_suffix[] = ""; ++ constexpr int error_suffix_size = sizeof(error_suffix); ++ int suffix_size = std::min(error_suffix_size, msg_str->length()); + +- if (builder.Length() + msg_str->length() <= String::kMaxLength) { +- builder.AppendString(msg_str); ++ IncrementalStringBuilder builder(isolate); ++ if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) { ++ constexpr const char connector[] = "... : "; ++ int connector_size = sizeof(connector); ++ Handle truncated_name = isolate->factory()->NewProperSubString( ++ name_str, 0, name_str->length() - error_suffix_size - connector_size); ++ builder.AppendString(truncated_name); ++ builder.AppendCString(connector); ++ builder.AppendCString(error_suffix); + } else { +- builder.AppendCString(""); ++ builder.AppendString(name_str); ++ builder.AppendCString(": "); ++ if (builder.Length() + msg_str->length() <= String::kMaxLength) { ++ builder.AppendString(msg_str); ++ } else { ++ builder.AppendCString(error_suffix); ++ } + } + + return builder.Finish().ToHandleChecked(); +From d3cb500c1d4b0508f3f21bb568c095984c614fcf Mon Sep 17 00:00:00 2001 +From: "Jason E. Hale" +Date: Thu, 20 Jun 2024 23:42:33 -0400 +Subject: [PATCH] [Backport] Fixup CVE-2024-3914: Use after free in V8 (1/2) + +Manual backport of requisite method WasDetached() in V8. +--- + chromium/v8/include/v8.h | 8 ++++++++ + chromium/v8/src/api/api.cc | 4 ++++ + 2 files changed, 12 insertions(+) + +diff --git a/chromium/v8/include/v8.h b/chromium/v8/include/v8.h +index 32687d90b5f..8a1b437bb06 100644 +--- src/3rdparty/chromium/v8/include/v8.h ++++ src/3rdparty/chromium/v8/include/v8.h +@@ -5299,6 +5299,11 @@ class V8_EXPORT ArrayBuffer : public Object { + */ + bool IsDetachable() const; + ++ /** ++ * Returns true if this ArrayBuffer has been detached. ++ */ ++ bool WasDetached() const; ++ + /** + * Detaches this ArrayBuffer and all its views (typed arrays). + * Detaching sets the byte length of the buffer and all typed arrays to zero, +@@ -5349,6 +5354,9 @@ class V8_EXPORT ArrayBuffer : public Object { + * should not attempt to manage lifetime of the storage through other means. + * + * This function replaces both Externalize() and GetContents(). ++ * ++ * The returned shared pointer will not be empty, even if the ArrayBuffer has ++ * been detached. Use |WasDetached| to tell if it has been detached instead. + */ + std::shared_ptr GetBackingStore(); + +diff --git a/chromium/v8/src/api/api.cc b/chromium/v8/src/api/api.cc +index b6f9d12769e..05d31a7cedf 100644 +--- src/3rdparty/chromium/v8/src/api/api.cc ++++ src/3rdparty/chromium/v8/src/api/api.cc +@@ -7386,6 +7386,10 @@ bool v8::ArrayBuffer::IsDetachable() const { + return Utils::OpenHandle(this)->is_detachable(); + } + ++bool v8::ArrayBuffer::WasDetached() const { ++ return Utils::OpenHandle(this)->was_detached(); ++} ++ + namespace { + // The backing store deleter just deletes the indirection, which downrefs + // the shared pointer. It will get collected normally.