Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2915813002:
Add missing return statement after ReceivedBadMessage call. (Closed)
|
Created:
3 years, 6 months ago by jam Modified:
3 years, 6 months ago Reviewers:
Charlie Reis CC:
chromium-reviews, jam, nasko+codewatch_chromium.org, darin-cc_chromium.org, creis+watch_chromium.org, ncarter (slow), nasko Target Ref:
refs/heads/master Project:
chromium Visibility:
Public. |
DescriptionAdd missing return statement after ReceivedBadMessage call.
This prevents the scheme access being granted and used if the renderer is restarted.
BUG=726142
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2915813002
Cr-Commit-Position: refs/heads/master@{#476161}
Committed: https://chromium.googlesource.com/chromium/src/+/d5226ddf44a52a3f066755e8d32710f6a093aa30
Patch Set 1 #
Total comments: 2
Patch Set 2 : review comment #
Total comments: 5
Patch Set 3 : review comment #
Messages
Total messages: 40 (32 generated)
Description was changed from ========== Reset the ChildProcessSecurityPolicy state for a renderer when it sends a bad message. This prevents a bug that continues processing a bad IPC from persisting after a killed tab is reloaded. Also fix a missing return statement I added in r475043 BUG=726142 ========== to ========== Reset the ChildProcessSecurityPolicy state for a renderer when it sends a bad message. This prevents a bug that continues processing a bad IPC from persisting after a killed tab is reloaded. Also fix a missing return statement I added in r475043 BUG=726142 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ==========
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
jam@chromium.org changed reviewers: + creis@chromium.org
Thanks for catching the earlier bug. This patch should hopefully make this not possible again.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Patchset #1 (id:1) has been deleted
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2017/05/31 14:56:42, jam wrote: > Thanks for catching the earlier bug. This patch should hopefully make this not > possible again. Thanks! That's an interesting idea to reset on kills, but I think we should stick with the early return for a CL that we plan to merge. Clearing the CPSP state is likely to cause additional kills that are harder to diagnose when the user reloads the tab. (If we want to try that, it should have a lot of bake time on Dev.) Can you also include a test for this case in BrowserSideNavigationBrowserTest.ValidateBaseUrlForDataUrl, like https://codereview.chromium.org/2905293002/diff/1/content/browser/browser_sid... https://codereview.chromium.org/2915813002/diff/20001/content/browser/child_p... File content/browser/child_process_security_policy_browsertest.cc (right): https://codereview.chromium.org/2915813002/diff/20001/content/browser/child_p... content/browser/child_process_security_policy_browsertest.cc:80: ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(child_id, This is failing on the bots, but maybe that doesn't matter if we stick with the early return approach for now.
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Patchset #2 (id:40001) has been deleted
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Patchset #2 (id:60001) has been deleted
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2915813002/diff/20001/content/browser/child_p... File content/browser/child_process_security_policy_browsertest.cc (right): https://codereview.chromium.org/2915813002/diff/20001/content/browser/child_p... content/browser/child_process_security_policy_browsertest.cc:80: ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(child_id, On 2017/05/31 17:28:23, Charlie Reis wrote: > This is failing on the bots, but maybe that doesn't matter if we stick with the > early return approach for now. ok, I'll do this separately since it's a good point we don't have to do it on branch. The test passes on windows, must be a race condition that it fails elsewhere (or maybe the error code doesn't get signalled correctly there).
Description was changed from ========== Reset the ChildProcessSecurityPolicy state for a renderer when it sends a bad message. This prevents a bug that continues processing a bad IPC from persisting after a killed tab is reloaded. Also fix a missing return statement I added in r475043 BUG=726142 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ========== to ========== Add missing return statement after ReceivedBadMessage call. This prevents the scheme access being granted and used if the renderer is restarted. BUG=726142 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ==========
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Thanks! Fix looks good. One question about the data URL in the test. https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... File content/browser/browser_side_navigation_browsertest.cc (right): https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... content/browser/browser_side_navigation_browsertest.cc:475: data_url, Referrer(), ui::PAGE_TRANSITION_LINK, Just curious, why did you need to use a data URL? I would think that the previous web URL would also not be allowed to access the file URL, and would thus be an ok test case without needing kAllowContentInitiatedDataUrlNavigations. But maybe there's a problem I'm overlooking? https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... content/browser/browser_side_navigation_browsertest.cc:495: process_exit_observer.Wait(); Does the CanReadFile check work? We should add it if so. Something like: EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(rfh->GetProcess()->GetID(), file_url));
Patchset #2 (id:80001) has been deleted
https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... File content/browser/browser_side_navigation_browsertest.cc (right): https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... content/browser/browser_side_navigation_browsertest.cc:475: data_url, Referrer(), ui::PAGE_TRANSITION_LINK, On 2017/06/01 00:33:43, Charlie Reis wrote: > Just curious, why did you need to use a data URL? I would think that the > previous web URL would also not be allowed to access the file URL, and would > thus be an ok test case without needing > kAllowContentInitiatedDataUrlNavigations. But maybe there's a problem I'm > overlooking? The call to ChildProcessSecurityPolicy that uses base_url_for_data_url in UpdatePermissionsForNavigation() is only done if the request is for a data url (see line 3643 in the other file) https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... content/browser/browser_side_navigation_browsertest.cc:495: process_exit_observer.Wait(); On 2017/06/01 00:33:43, Charlie Reis wrote: > Does the CanReadFile check work? We should add it if so. Something like: > > EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(rfh->GetProcess()->GetID(), > file_url)); Done.
The CQ bit was checked by jam@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
LGTM https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... File content/browser/browser_side_navigation_browsertest.cc (right): https://codereview.chromium.org/2915813002/diff/100001/content/browser/browse... content/browser/browser_side_navigation_browsertest.cc:475: data_url, Referrer(), ui::PAGE_TRANSITION_LINK, On 2017/06/01 00:51:19, jam wrote: > On 2017/06/01 00:33:43, Charlie Reis wrote: > > Just curious, why did you need to use a data URL? I would think that the > > previous web URL would also not be allowed to access the file URL, and would > > thus be an ok test case without needing > > kAllowContentInitiatedDataUrlNavigations. But maybe there's a problem I'm > > overlooking? > > The call to ChildProcessSecurityPolicy that uses base_url_for_data_url in > UpdatePermissionsForNavigation() is only done if the request is for a data url > (see line 3643 in the other file) Ah, thanks. So the original test wouldn't have gotten as far as the exploit without the fix. Sounds good!
The CQ bit was unchecked by jam@chromium.org
The CQ bit was checked by jam@chromium.org
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 120001, "attempt_start_ts": 1496279124417870,
"parent_rev": "8f09864d8e5e1702e719d594f05bad3e098f0a52", "commit_rev":
"777f581901a971b72f945a8108a2c0bbdcdf2f92"}
CQ is committing da patch.
Bot data: {"patchset_id": 120001, "attempt_start_ts": 1496279124417870,
"parent_rev": "0ba9bbc1468d08e9268699a76d542913ea13c758", "commit_rev":
"d5226ddf44a52a3f066755e8d32710f6a093aa30"}
Message was sent while issue was closed.
Description was changed from ========== Add missing return statement after ReceivedBadMessage call. This prevents the scheme access being granted and used if the renderer is restarted. BUG=726142 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ========== to ========== Add missing return statement after ReceivedBadMessage call. This prevents the scheme access being granted and used if the renderer is restarted. BUG=726142 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation Review-Url: https://codereview.chromium.org/2915813002 Cr-Commit-Position: refs/heads/master@{#476161} Committed: https://chromium.googlesource.com/chromium/src/+/d5226ddf44a52a3f066755e8d327... ==========
Message was sent while issue was closed.
Committed patchset #3 (id:120001) as https://chromium.googlesource.com/chromium/src/+/d5226ddf44a52a3f066755e8d327... |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
