electron/patches/chromium/fix_harden_blink_scriptstate_maybefrom.patch
electron-roller[bot] 595920a308 chore: bump chromium to 144.0.7512.1 (main) (#48768)
* chore: bump chromium in DEPS to 144.0.7507.0

* chore: bump chromium in DEPS to 144.0.7508.0

* chore: update patches

* 7101838: [pathbuilder] Enforce immutable SkPath APIs globally

https://chromium-review.googlesource.com/c/chromium/src/+/7101838

* chore: update filenames.libcxx.gni

* [pathbuilder] Enforce immutable SkPath APIs globally

https://chromium-review.googlesource.com/c/chromium/src/+/7101838

* Reduce service_worker_info.h includes in headers

https://chromium-review.googlesource.com/c/chromium/src/+/7108401

* chore: bump chromium in DEPS to 144.0.7510.0

* chore: update patches

* Use internal popup menus for tabs in actor-controlled states

https://chromium-review.googlesource.com/c/chromium/src/+/7074751

* [api] Delete deprecated fields on v8::Isolate

https://chromium-review.googlesource.com/c/v8/v8/+/7081397
xref: 98d243aea0

* Fixup Reduce service_worker_info.h includes in headers

* Promote deprecation of v8::Context and v8::Object API methods

https://chromium-review.googlesource.com/c/v8/v8/+/7087956

* fixup Promote deprecation of v8::Context and v8::Object API methods

* chore: bump chromium in DEPS to 144.0.7512.1

* chore: update patches

* fixup [pathbuilder] Enforce immutable SkPath APIs global

* chore: update filenames.hunspell.gni

* fix deprecation of v8::Context and v8::Object API methods for nan

https://chromium-review.googlesource.com/c/v8/v8/+/7087956

* [PDF] Implement PdfHelpBubbleHandlerFactory

https://chromium-review.googlesource.com/c/chromium/src/+/7056325

also: [PDF Ink Signatures] Hook up IPH
https://chromium-review.googlesource.com/c/chromium/src/+/7056207

* Remove base/hash/md5.h

https://chromium-review.googlesource.com/c/chromium/src/+/7113738

* fixup for lint

* Remove deprecated interceptor callback types and AccessControl enum

https://chromium-review.googlesource.com/c/v8/v8/+/7112747

* fixup for lint

* fixup [PDF] Implement PdfHelpBubbleHandlerFactory

* use base::SHA1HashString instead of std::hash

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
2025-11-07 10:13:45 -05:00


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: deepak1556 <hop2deep@gmail.com>
Date: Wed, 28 Jun 2023 21:11:40 +0900
Subject: fix: harden blink::ScriptState::MaybeFrom
NOTE: since https://chromium-review.googlesource.com/c/chromium/src/+/6973697
the patch is only needed for 32-bit builds.
This is needed as side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
which now gets blink::ExecutionContext from blink::ScriptState
and there are isolate callbacks which get entered from Node.js
environment that has v8::Context not associated with blink::ScriptState.
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
blink::UseCounterCallback etc.
Without this patch when blink::ScriptState::MaybeFrom tries to extract
blink::ScriptState from the provided v8::Context and since Node.js has context
embedder data fields with index greater than blink (see node_context_data.h)
leading to the following CHECK failure.
```
script_state.h(169)] Security Check Failed: script_state
```
This patch adds a new tag in the context associated with ScriptState
to uniquely identify. It is based on what Node.js does to identify the
context created by it in `node_context_data.h`.
PS: We are not performing a check like
```
ScriptState* script_state =
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
kV8ContextPerContextDataIndex));
if (!script_state) {
return nullptr;
}
```
since 32-bit builds, which unlike 64-bit builds do not have the v8 sandbox enabled,
do not lazily initialize embedder data slot indexes. This means
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
index cecf528475cb832ed1876381878eade582bc83d6..71308b2d963c2d083328aad6be356dc547ba5629 100644
--- a/gin/public/gin_embedders.h
+++ b/gin/public/gin_embedders.h
@@ -20,6 +20,8 @@ enum GinEmbedder : uint16_t {
kEmbedderBlink,
kEmbedderPDFium,
kEmbedderFuchsia,
+ kEmbedderElectron,
+ kEmbedderBlinkTag,
};
enum EmbedderDataTag : uint16_t {
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
index 8b6522c9299bef5ab766795b64a1ba30bc382a12..a714aeb8a62886bedb3820b33b49b1ebdb9c7cc0 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
@@ -14,6 +14,12 @@ namespace blink {
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
+#if defined(ARCH_CPU_32_BITS)
+int const ScriptState::kScriptStateTag = 0x6e6f64;
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
+#endif // defined(ARCH_CPU_32_BITS)
+
// static
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
DCHECK(create_callback);
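Review bot: The `const_cast` on the line defining `kScriptStateTagPtr` deserves a comment, because nothing in the .cc file says the pointer is never written through. From the other hunks in script_state.cc and script_state.h it is only stored into the tag slot and compared for identity against the value read back, so the cast cannot end up mutating `kScriptStateTag`; a one-line comment above the definition such as `// Identity tag only: stored in the context and compared, never dereferenced or written through.` would make that explicit. The literal 0x6e6f64 is likewise never read anywhere on the page, so it is worth stating that only the address of `kScriptStateTag` matters. SetCreateCallback continues past the end of the hunk.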
@@ -40,6 +46,10 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
context_.SetWeak(this, &OnV8ContextCollectedCallback);
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this,
gin::kBlinkScriptState);
+#if defined(ARCH_CPU_32_BITS)
+ context->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr, v8::kEmbedderDataTypeTagDefault);
+#endif // defined(ARCH_CPU_32_BITS)
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
execution_context);
}
@@ -83,6 +93,10 @@ void ScriptState::DissociateContext() {
// Cut the reference from V8 context to ScriptState.
GetContext()->SetAlignedPointerInEmbedderData(
kV8ContextPerContextDataIndex, nullptr, gin::kBlinkScriptState);
+#if defined(ARCH_CPU_32_BITS)
+ GetContext()->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, nullptr, v8::kEmbedderDataTypeTagDefault);
+#endif // defined(ARCH_CPU_32_BITS)
reference_from_v8_context_.Clear();
// Cut the reference from ScriptState to V8 context.
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
index 5ccdf26cead17031d510589b74288cbe79692779..bf3023d5305c05c5d92953b5bf5f655f964e5c28 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.h
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
@@ -6,6 +6,7 @@
#define THIRD_PARTY_BLINK_RENDERER_PLATFORM_BINDINGS_SCRIPT_STATE_H_
#include "base/memory/raw_ptr.h"
+#include "build/build_config.h"
#include "gin/public/context_holder.h"
#include "gin/public/gin_embedders.h"
#include "third_party/blink/public/common/tokens/tokens.h"
@@ -188,6 +189,16 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
kV8ContextPerContextDataIndex) {
return nullptr;
}
+#if defined(ARCH_CPU_32_BITS)
+ if (context->GetNumberOfEmbedderDataFields() <=
+ kV8ContextPerContextDataTagIndex ||
+ context->GetAlignedPointerFromEmbedderData(
+ kV8ContextPerContextDataTagIndex,
+ v8::kEmbedderDataTypeTagDefault) !=
+ ScriptState::kScriptStateTagPtr) {
+ return nullptr;
+ }
+#endif // defined(ARCH_CPU_32_BITS)
ScriptState* script_state =
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
isolate, kV8ContextPerContextDataIndex, gin::kBlinkScriptState));
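Review bot: The tag read on the added lines calls `GetAlignedPointerFromEmbedderData` with only the index and the type tag, while the existing read three lines below passes `isolate` first; if the isolate-less overload is among the v8::Context methods this roll promotes to deprecated (the commit description mentions such a promotion), the added call will start warning on 32-bit builds. Passing `isolate` there as well, `context->GetAlignedPointerFromEmbedderData(isolate, kV8ContextPerContextDataTagIndex, v8::kEmbedderDataTypeTagDefault)`, would keep the two reads consistent either way. The count guard ahead of the read correctly keeps the access inside the embedder-data array, and comparing against a process-unique address instead of null-checking is what lets stale or foreign slot contents be rejected, which is worth a short comment on the `#if` block since the rationale currently lives only in the patch preamble. MaybeFrom begins before and ends after this hunk.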
@@ -270,6 +281,14 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
static_cast<int>(gin::kPerContextDataStartIndex) +
static_cast<int>(gin::kEmbedderBlink);
+#if defined(ARCH_CPU_32_BITS)
+ static void* const kScriptStateTagPtr;
+ static int const kScriptStateTag;
+ static constexpr int kV8ContextPerContextDataTagIndex =
+ static_cast<int>(gin::kPerContextDataStartIndex) +
+ static_cast<int>(gin::kEmbedderBlinkTag);
+#endif // defined(ARCH_CPU_32_BITS)
+
// For accessing information about the last script compilation via
// internals.idl.
String last_compiled_script_file_name_;
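Review bot: The three new members are declared without any comment, so a reader of the header cannot tell that `kScriptStateTag` exists only to provide an address for `kScriptStateTagPtr`, or why a second embedder-data slot is needed at all on 32-bit builds. A short comment block above the `#if`, stating that the slot at `kV8ContextPerContextDataTagIndex` holds `kScriptStateTagPtr` as an identity marker which MaybeFrom checks before trusting the per-context data slot, and that this is needed because without the V8 sandbox lower slots may be uninitialized, would carry that rationale from the patch preamble into the code. The class body continues past the hunk.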