chore: cherry-pick 0333ecde9142 from chromium (#46728)

* chore: cherry-pick 0333ecde9142 from chromium * chore: update patches
2026-04-10 03:01:51 -04:00 · 2025-04-22 17:27:29 -07:00
parent a0c4972300
commit 0f8a2a9a8c
2 changed files with 105 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -154,3 +154,4 @@ chore_modify_chromium_handling_of_mouse_events.patch
 cherry-pick-b8f80176b163.patch
 fix_false_activation_logic_for_context_menu.patch
 mac_fix_check_on_ime_reconversion_due_to_invalid_replacement_range.patch
+cherry-pick-0333ecde9142.patch
--- a/patches/chromium/cherry-pick-0333ecde9142.patch
+++ b/patches/chromium/cherry-pick-0333ecde9142.patch
@@ -0,0 +1,104 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alvin Ji <alvinji@chromium.org>
+Date: Tue, 8 Apr 2025 10:46:18 -0700
+Subject: usb: Use GlobalRenderFrameHostId in UsbChooserController
+
+The UsbChooserController currently holds a raw pointer to the requesting
+RenderFrameHost. This can lead to use-after-free issues if the
+RenderFrameHost is destroyed before the chooser controller. This CL
+replaces the raw pointer with a `GlobalRenderFrameHostId`. This ID can
+be used to retrieve the RenderFrameHost when needed, and checks are
+added to ensure the RenderFrameHost is still valid before accessing it.
+
+Bug: 405292639
+Change-Id: Ifedaf80f6700d57ea28691abfaf4d2ff9cdbb448
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6440254
+Commit-Queue: Alvin Ji <alvinji@chromium.org>
+Reviewed-by: Matt Reynolds <mattreynolds@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1444224}
+
+diff --git a/chrome/browser/usb/usb_chooser_controller.cc b/chrome/browser/usb/usb_chooser_controller.cc
+index fae7decadcf5ca7b508068aa803e11a9027dde1e..112a7986523e37a8bc87f564f9d80fc3a4bdf433 100644
+--- a/chrome/browser/usb/usb_chooser_controller.cc
+++ b/chrome/browser/usb/usb_chooser_controller.cc
+@@ -99,8 +99,8 @@ UsbChooserController::UsbChooserController(
+           CreateChooserTitle(render_frame_host, IDS_USB_DEVICE_CHOOSER_PROMPT)),
+       options_(std::move(options)),
+       callback_(std::move(callback)),
+-      requesting_frame_(render_frame_host) {
+-  RenderFrameHost* main_frame = requesting_frame_->GetMainFrame();
+      render_frame_host_id_(render_frame_host->GetGlobalId()) {
+  RenderFrameHost* main_frame = render_frame_host->GetMainFrame();
+   origin_ = main_frame->GetLastCommittedOrigin();
+   Profile* profile =
+       Profile::FromBrowserContext(main_frame->GetBrowserContext());
+@@ -202,7 +202,15 @@ void UsbChooserController::Cancel() {
+ void UsbChooserController::Close() {}
+ 
+ void UsbChooserController::OpenHelpCenterUrl() const {
+-  WebContents::FromRenderFrameHost(requesting_frame_)
+  content::RenderFrameHost* render_frame_host =
+      content::RenderFrameHost::FromID(render_frame_host_id_);
+  if (!render_frame_host) {
+    // When |render_frame_host| is not valid anymore we don't want to open help
+    // center url.
+    return;
+  }
+
+  WebContents::FromRenderFrameHost(render_frame_host)
+       ->OpenURL(content::OpenURLParams(
+                     GURL(chrome::kChooserUsbOverviewURL), content::Referrer(),
+                     WindowOpenDisposition::NEW_FOREGROUND_TAB,
+@@ -266,6 +274,14 @@ void UsbChooserController::GotUsbDeviceList(
+ 
+ bool UsbChooserController::DisplayDevice(
+     const device::mojom::UsbDeviceInfo& device_info) const {
+  content::RenderFrameHost* render_frame_host =
+      content::RenderFrameHost::FromID(render_frame_host_id_);
+  if (!render_frame_host) {
+    // When |render_frame_host| is not valid anymore we don't want to display
+    // any device information.
+    return false;
+  }
+
+   if (!device::UsbDeviceFilterMatchesAny(options_->filters, device_info)) {
+     return false;
+   }
+@@ -280,10 +296,9 @@ bool UsbChooserController::DisplayDevice(
+   bool is_usb_unrestricted = false;
+   if (base::FeatureList::IsEnabled(blink::features::kUnrestrictedUsb)) {
+     is_usb_unrestricted =
+-        requesting_frame_ &&
+-        requesting_frame_->IsFeatureEnabled(
+-            blink::mojom::PermissionsPolicyFeature::kUsbUnrestricted) &&
+-        content::HasIsolatedContextCapability(requesting_frame_);
+        render_frame_host->IsFeatureEnabled(
+            network::mojom::PermissionsPolicyFeature::kUsbUnrestricted) &&
+        content::HasIsolatedContextCapability(render_frame_host);
+   }
+   // Isolated context with permission to access the policy-controlled feature
+   // "usb-unrestricted" can bypass the USB blocklist.
+diff --git a/chrome/browser/usb/usb_chooser_controller.h b/chrome/browser/usb/usb_chooser_controller.h
+index de5d7fb1a3be1c356f291b444175bbf375d0bf83..8e1bb06e8fcfbe3feeb4bd30452fb5d6d546074c 100644
+--- a/chrome/browser/usb/usb_chooser_controller.h
+++ b/chrome/browser/usb/usb_chooser_controller.h
+@@ -15,6 +15,7 @@
+ #include "base/scoped_observation.h"
+ #include "chrome/browser/usb/usb_chooser_context.h"
+ #include "components/permissions/chooser_controller.h"
+#include "content/public/browser/global_routing_id.h"
+ #include "services/device/public/mojom/usb_device.mojom.h"
+ #include "third_party/blink/public/mojom/usb/web_usb_service.mojom.h"
+ #include "url/origin.h"
+@@ -64,8 +65,9 @@ class UsbChooserController : public permissions::ChooserController,
+   blink::mojom::WebUsbService::GetPermissionCallback callback_;
+   url::Origin origin_;
+ 
+-  const raw_ptr<content::RenderFrameHost, AcrossTasksDanglingUntriaged>
+-      requesting_frame_;
+  // Hold the GlobalRenderFrameHostId for requesting frame so we can always
+  // check whether the frame host is still valid before we access it.
+  const content::GlobalRenderFrameHostId render_frame_host_id_;
+   base::WeakPtr<UsbChooserContext> chooser_context_;
+   base::ScopedObservation<UsbChooserContext, UsbChooserContext::DeviceObserver>
+       observation_{this};