From 2208c5f091e318ab599a9957df022d1745f3b5fd43c3cb2b243d20a7d68a22bb Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Mon, 4 Apr 2022 20:03:22 +0000
Subject: [PATCH 1/2] Accepting request 966881 from home:cgiboudeaux:qtwebengine-lts

- Add security fixes:
 * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971)
 * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
OBS-URL: https://build.opensuse.org/request/show/966881
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=37
---
 CVE-2022-0971-qtwebengine-5.15.patch | 157 +++++++++++++++++++++++++++
 CVE-2022-1096-qtwebengine-5.15.patch | 47 ++++++++
 libqt5-qtwebengine.changes | 7 ++
 libqt5-qtwebengine.spec | 4 +
 4 files changed, 215 insertions(+)
 create mode 100644 CVE-2022-0971-qtwebengine-5.15.patch
 create mode 100644 CVE-2022-1096-qtwebengine-5.15.patch

diff --git a/CVE-2022-0971-qtwebengine-5.15.patch b/CVE-2022-0971-qtwebengine-5.15.patch
new file mode 100644
index 0000000..55d527c
--- /dev/null
+++ b/CVE-2022-0971-qtwebengine-5.15.patch
@@ -0,0 +1,157 @@
+From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
+From: "liberato@chromium.org"
+Date: Mon, 7 Mar 2022 20:17:13 +0000
+Subject: [Backport] CVE-2022-0971
+
+Don't use a deleted RenderFrameHost.
+
+Since we do not check for frame liveness, a RenderFrameHost might be
+deleted (in the use-after-free sense) without another call to
+RenderFrameDeleted. So, WeakPtr it to avoid these cases.
+
+Bug: 1299422
+
+Task-number: QTBUG-101946
+Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
+Reviewed-by: Allan Sandfeld Jensen
+---
+ .../display_cutout/display_cutout_host_impl.cc | 29 +++++++++++++---------
+ .../display_cutout/display_cutout_host_impl.h | 10 ++++++--
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+index 1640ec83489..8f89cc24b5f 100644
+--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
++++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+@@ -5,6 +5,7 @@
+ #include "content/browser/display_cutout/display_cutout_host_impl.h"
+
+ #include "content/browser/display_cutout/display_cutout_constants.h"
++#include "content/browser/renderer_host/render_frame_host_impl.h"
+ #include "content/browser/web_contents/web_contents_impl.h"
+ #include "content/public/browser/navigation_handle.h"
+ #include "mojo/public/cpp/bindings/associated_remote.h"
+@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
+
+ // If we are the current |RenderFrameHost| frame then notify
+ // WebContentsObservers about the new value.
+- if (current_rfh_ == rfh)
++ if (current_rfh_.get() == rfh)
+ web_contents_impl_->NotifyViewportFitChanged(value);
+
+ MaybeQueueUKMEvent(rfh);
+@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
+
+ // If we finish a main frame navigation and the |WebDisplayMode| is
+ // fullscreen then we should make the main frame the current
+- // |RenderFrameHost|.
++ // |RenderFrameHost|. Note that this is probably not correct; we do not check
++ // that the navigation completed successfully, nor do we check if the main
++ // frame is still IsRenderFrameLive().
+ blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
+ if (mode == blink::mojom::DisplayMode::kFullscreen)
+ SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
+@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
+ values_.erase(rfh);
+
+ // If we were the current |RenderFrameHost| then we should clear that.
+- if (current_rfh_ == rfh)
++ if (current_rfh_.get() == rfh)
+ SetCurrentRenderFrameHost(nullptr);
+ }
+
+@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
+ insets_ = insets;
+
+ if (current_rfh_)
+- SendSafeAreaToFrame(current_rfh_, insets);
++ SendSafeAreaToFrame(current_rfh_.get(), insets);
+
+ // If we have a pending UKM event on the top of the stack that is |kAllowed|
+ // and we have a |current_rfh_| then we should update that UKM event as it
+@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
+ }
+
+ void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
+- if (current_rfh_ == rfh)
++ if (current_rfh_.get() == rfh)
+ return;
+
+ // If we had a previous frame then we should clear the insets on that frame.
+ if (current_rfh_)
+- SendSafeAreaToFrame(current_rfh_, gfx::Insets());
+-
+- // Update the |current_rfh_| with the new frame.
+- current_rfh_ = rfh;
++ SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
+
+ // If the new RenderFrameHost is nullptr we should stop here and notify
+ // observers that the new viewport fit is kAuto (the default).
+ if (!rfh) {
++ current_rfh_ = nullptr;
+ web_contents_impl_->NotifyViewportFitChanged(
+ blink::mojom::ViewportFit::kAuto);
+ return;
+ }
+
++
++ // Update the |current_rfh_| with the new frame.
++ current_rfh_ = static_cast(rfh)->GetWeakPtr();
++
+ // Record a UKM event for the new frame.
+- MaybeQueueUKMEvent(current_rfh_);
++ MaybeQueueUKMEvent(current_rfh_.get());
+
+ // Send the current safe area to the new frame.
+ SendSafeAreaToFrame(rfh, insets_);
+@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
+ blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
+ if (supplied_value == blink::mojom::ViewportFit::kAuto)
+ return;
+- blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
++ blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
+
+ // Set the reason why this frame is not the current frame.
+ int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
+- if (current_rfh_ != frame) {
++ if (current_rfh_.get() != frame) {
+ ignored_reason =
+ current_rfh_ == nullptr
+ ?
DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
+diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+index 56081029df0..2477a4bcd7d 100644
+--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
++++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+@@ -5,12 +5,15 @@
+ #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
+ #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
+
++#include "base/memory/weak_ptr.h"
+ #include "content/public/browser/web_contents_observer.h"
+ #include "content/public/browser/web_contents_receiver_set.h"
+ #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
+
+ namespace content {
+
++class RenderFrameHostImpl;
++
+ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
+ public:
+ explicit DisplayCutoutHostImpl(WebContentsImpl*);
+@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
+ gfx::Insets insets_;
+
+ // Stores the current |RenderFrameHost| that has the applied safe area insets
+- // and is controlling the viewport fit value.
+- RenderFrameHost* current_rfh_ = nullptr;
++ // and is controlling the viewport fit value. This value is different than
++ // `WebContentsImpl::current_fullscreen_frame_` because it also considers
++ // browser side driven fullscreen mode, not just renderer side requested
++ // frames.
++ base::WeakPtr current_rfh_;
+
+ // Stores a map of RenderFrameHosts and their current viewport fit values.
+ std::map values_;
+--
+cgit v1.2.1
+
diff --git a/CVE-2022-1096-qtwebengine-5.15.patch b/CVE-2022-1096-qtwebengine-5.15.patch
new file mode 100644
index 0000000..4254fba
--- /dev/null
+++ b/CVE-2022-1096-qtwebengine-5.15.patch
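Review bot: The rendered patch text shows `current_rfh_ = static_cast(rfh)->GetWeakPtr();`, `base::WeakPtr current_rfh_;` and `std::map values_;` with no template arguments, and the CVE-2022-1096 patch in the next hunk likewise shows `Maybe result =` and `Maybe maybe_attributes =`; that is most likely angle brackets lost when this page was rendered, but if the committed files really read this way the first will not compile and the second will not apply, so the on-disk patch files should be checked against upstream d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 and b85cb23217f629522702c19381db9c65accc1fba before building. In MaybeQueueUKMEvent the hunk rewrites `if (current_rfh_ != frame)` as `if (current_rfh_.get() != frame)` yet leaves `current_rfh_ == nullptr` on the following line comparing the WeakPtr itself, which relies on base::WeakPtr's nullptr comparison operators instead of `.get()`; since this is a verbatim backport it is better kept aligned with upstream than restyled, but the inconsistency is worth knowing when the patch is next rebased. The comment the patch itself adds in DidFinishNavigation states that the fullscreen main-frame path still checks neither navigation success nor IsRenderFrameLive(), so the WeakPtr is the only guard on that path and the patch header could record that as a known limitation of the backport. The ternary at the end of MaybeQueueUKMEvent continues past the end of the hunk.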
@@ -0,0 +1,47 @@
+From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen
+Date: Tue, 29 Mar 2022 17:31:58 +0200
+Subject: [Backport] CVE-2022-1096
+
+[runtime] Fix handling of interceptors
+
+Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
+Reviewed-by: Igor Sheludko
+(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
+Reviewed-by: Michal Klocek
+---
+ chromium/v8/src/objects/objects.cc | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc b/src/3rdparty/chromium/v8/src/objects/objects.cc
+index 43d835044de..f1d15d27c6e 100644
+--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
+@@ -2481,6 +2481,12 @@ Maybe Object::SetPropertyInternal(LookupIterator* it,
+ Maybe result =
+ JSObject::SetPropertyWithInterceptor(it, should_throw, value);
+ if (result.IsNothing() || result.FromJust()) return result;
++ // Assuming that the callback have side effects, we use
++ // Object::SetSuperProperty() which works properly regardless on
++ // whether the property was present on the receiver or not when
++ // storing to the receiver.
++ // Proceed lookup from the next state.
++ it->Next();
+ } else {
+ Maybe maybe_attributes =
+ JSObject::GetPropertyAttributesWithInterceptor(it);
+@@ -2501,10 +2507,8 @@ Maybe Object::SetPropertyInternal(LookupIterator* it,
+ // property to the receiver.
+ it->NotFound();
+ }
+- return Object::SetSuperProperty(it, value, store_origin,
+- should_throw);
+ }
+- break;
++ return Object::SetSuperProperty(it, value, store_origin, should_throw);
+ }
+
+ case LookupIterator::ACCESSOR: {
+--
+cgit v1.2.1
+
diff --git a/libqt5-qtwebengine.changes b/libqt5-qtwebengine.changes
index b90ef57..01014f6 100644
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
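Review bot: The patch's diffstat names `chromium/v8/src/objects/objects.cc` while its `diff --git`, `---` and `+++` headers use `src/3rdparty/chromium/v8/src/objects/objects.cc`; `patch -p1` reads only the headers, so it applies, but the stale diffstat indicates the backport was rebased from a different tree and regenerating it so both agree avoids confusion when it is compared with the upstream cherry-pick. The added comment `// Assuming that the callback have side effects, we use` would read more clearly as `// Assuming that the callback may have side effects, we use`, though as a cherry-pick of b85cb23217f629522702c19381db9c65accc1fba keeping upstream wording is a defensible choice. SetPropertyInternal starts before and continues after the hunk, so whether anything later in the enclosing switch relied on the removed `break` falling out of this case cannot be checked from here.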
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr 4 19:25:12 UTC 2022 - Christophe Giboudeaux
+
+- Add security fixes:
+ * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971)
+ * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
+
 -------------------------------------------------------------------
 Fri Mar 25 14:31:28 UTC 2022 - Fabian Vogt
diff --git a/libqt5-qtwebengine.spec b/libqt5-qtwebengine.spec
index 33f7fd1..96a2abf 100644
--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@@ -49,6 +49,10 @@ Patch2: sandbox-statx-futex_time64.patch
 Patch3: rtc-dont-use-h264.patch
 # PATCH-FIX-UPSTREAM
 Patch4: 0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
+# PATCH-FIX-UPSTREAM
+Patch5: CVE-2022-0971-qtwebengine-5.15.patch
+# PATCH-FIX-UPSTREAM
+Patch6: CVE-2022-1096-qtwebengine-5.15.patch
 # http://www.chromium.org/blink is not ported to PowerPC & s390
 ExcludeArch: ppc ppc64 ppc64le s390 s390x
 # Try to fix i586 MemoryErrors with rpmlint
From 078276d4611a7d654d5fe0a44b382e650595efdbca9ed1c595491d49cc3a645c Mon Sep 17 00:00:00 2001
From: Christophe Giboudeaux
Date: Mon, 4 Apr 2022 20:06:42 +0000
Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=38

---
 libqt5-qtwebengine.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libqt5-qtwebengine.changes b/libqt5-qtwebengine.changes
index 01014f6..c97ae89 100644
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@@ -2,7 +2,7 @@
 Mon Apr 4 19:25:12 UTC 2022 - Christophe Giboudeaux
 - Add security fixes:
- * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971)
+ * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
 * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
 -------------------------------------------------------------------
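Review bot: Patch5 and Patch6 are declared in this hunk, but the `%prep` section is outside it; unless the spec uses `%autosetup -p1` or `%autopatch`, matching `%patch5 -p1` and `%patch6 -p1` lines are required or the two CVE fixes are declared yet never applied to the build, which is worth confirming before accepting. The two `# PATCH-FIX-UPSTREAM` tags carry no identifiers; `# PATCH-FIX-UPSTREAM CVE-2022-0971 boo#1197163 -- Don't use a deleted RenderFrameHost` and `# PATCH-FIX-UPSTREAM CVE-2022-1096 boo#1197552 -- [runtime] Fix handling of interceptors` would let the next updater trace each patch to its CVE and bug without opening the patch files.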