Validate untrusted VR mojo inputs into browser process

chrome/browser/android/vr_shell/vr_shell_gl.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/android/vr_shell/vr_shell_gl.h"
 
 #include <chrono>
 #include <limits>
 #include <utility>
 
@@ skipping 360 matching lines @@
                             const gpu::MailboxHolder& mailbox) {
   TRACE_EVENT0("gpu", "VrShellGl::SubmitWebVRFrame");
 
   // submit_client_ could be null when we exit presentation, if there were
   // pending SubmitFrame messages queued.  VRDisplayClient::OnExitPresent
   // will clean up state in blink, so it doesn't wait for
   // OnSubmitFrameTransferred or OnSubmitFrameRendered.
   if (!submit_client_.get())
     return;
 
+  if (frame_index < 0 ||
+      !webvr_frame_oustanding_[frame_index % kPoseRingBufferSize]) {
+    mojo::ReportBadMessage("SubmitFrame called with an invalid frame_index");
+    binding_.Close();
+    return;
+  }
+
   webvr_time_js_submit_[frame_index % kPoseRingBufferSize] =
       base::TimeTicks::Now();
 
   // Swapping twice on a Surface without calling updateTexImage in
   // between can lose frames, so don't draw+swap if we already have
   // a pending frame we haven't consumed yet.
   bool swapped = false;
   if (pending_frames_.empty()) {
     swapped = mailbox_bridge_->CopyMailboxToSurfaceAndSwap(mailbox);
     if (swapped) {
@@ skipping 57 matching lines @@
     browser_->ToggleCardboardGamepad(true);
   }
 }
 
 void VrShellGl::InitializeRenderer() {
   gvr_api_->InitializeGl();
   gfx::Transform head_pose;
   device::GvrDelegate::GetGvrPoseWithNeckModel(gvr_api_.get(), &head_pose);
   webvr_head_pose_.assign(kPoseRingBufferSize, head_pose);
   webvr_time_pose_.assign(kPoseRingBufferSize, base::TimeTicks());
+  webvr_frame_oustanding_.assign(kPoseRingBufferSize, false);
   webvr_time_js_submit_.assign(kPoseRingBufferSize, base::TimeTicks());
 
   std::vector<gvr::BufferSpec> specs;
   // For kFramePrimaryBuffer (primary VrShell and WebVR content)
   specs.push_back(gvr_api_->CreateBufferSpec());
   gvr::Sizei render_size_primary = specs[kFramePrimaryBuffer].GetSize();
   render_size_primary_ = {render_size_primary.width,
                           render_size_primary.height};
   render_size_vrshell_ = render_size_primary_;
 
@@ skipping 592 matching lines @@
 
   // When using async reprojection, we need to know which pose was
   // used in the WebVR app for drawing this frame and supply it when
   // submitting. Technically we don't need a pose if not reprojecting,
   // but keeping it uninitialized seems likely to cause problems down
   // the road. Copying it is cheaper than fetching a new one.
   if (ShouldDrawWebVr()) {
     static_assert(!((kPoseRingBufferSize - 1) & kPoseRingBufferSize),
                   "kPoseRingBufferSize must be a power of 2");
     head_pose = webvr_head_pose_[frame_index % kPoseRingBufferSize];
+    webvr_frame_oustanding_[frame_index % kPoseRingBufferSize] = false;
   } else {
     device::GvrDelegate::GetGvrPoseWithNeckModel(gvr_api_.get(), &head_pose);
   }
 
   // Update the render position of all UI elements (including desktop).
   scene_->OnBeginFrame(current_time);
 
   {
     // TODO(crbug.com/704690): Acquire controller state in a way that's timely
     // for both the gamepad API and UI input handling.
@@ skipping 490 matching lines @@
   vsync_timebase_ += base::TimeDelta::FromMicroseconds(timebase_nanos / 1000);
   vsync_interval_ = base::TimeDelta::FromSecondsD(interval_seconds);
   vsync_task_.Reset(base::Bind(&VrShellGl::OnVSync, base::Unretained(this)));
   OnVSync();
 }
 
 void VrShellGl::ForceExitVr() {
   browser_->ForceExitVr();
 }
 
+namespace {
+bool ValidateRect(const gfx::RectF& bounds) {
+  // Bounds should be between 0 and 1, with positive width/height.
+  // We simply clamp to [0,1], but still validate that the bounds are not NAN.
+  return !std::isnan(bounds.width()) && !std::isnan(bounds.height()) &&
+         !std::isnan(bounds.x()) && !std::isnan(bounds.y());
+}
+
+bool ValidateSize(const gfx::Size& size) {
+  // Size should be at least 0 in each direction.
+  return size.width() >= 0 && size.height() >= 0;
+}
+
+gfx::RectF ClampRect(const gfx::RectF& bounds) {
+  float left = std::max(0.0f, std::min(bounds.x(), 1.0f));

[mthiesse, 2017/07/11 14:52:24]

I think you can just use bounds.AdjustToFit(gfx::RectF(0, 0, 1, 1));?

[billorr, 2017/07/13 00:31:40]

That is close enough to the same behavior that I'll use it - same behavior for
well-behaved sites.  If a caller passes in something that doesn't intersect with
(0,0,1,1), the current code would make this a zero-sized rect, and AdjustToFit
will return a rect intersecting (0,0,1,1), with width/height a minimum of of the
current size or 1.  For example, (-2, -2, 0.5, 0.5).AdjustToFit(0,0,1,1) will
return (0,0,0.5,0.5), which doesn't even intersect with our initial rect.

+  float right = std::max(left, std::min(bounds.right(), 1.0f));
+  float top = std::max(0.0f, std::min(bounds.y(), 1.0f));
+  float bottom = std::max(top, std::min(bounds.bottom(), 1.0f));
+  return gfx::RectF(left, top, right - left, bottom - top);

[bajones1, 2017/07/11 17:11:06]

Sanity check: 
Does gfx::RectF enforces that right > left and bottom > top? I think so, but if
not we probably want to do that here.

[billorr, 2017/07/13 00:31:41]

Yes, setWidth/setHeight will make the width/height 0 if the parameter is <0.

+}
+
+}  // namespace
+
 void VrShellGl::UpdateLayerBounds(int16_t frame_index,
                                   const gfx::RectF& left_bounds,
                                   const gfx::RectF& right_bounds,
                                   const gfx::Size& source_size) {
+  if (!ValidateSize(source_size) || !ValidateRect(left_bounds) ||
+      !ValidateRect(right_bounds)) {
+    mojo::ReportBadMessage("UpdateLayerBounds called with invalid bounds");
+    binding_.Close();
+    return;
+  }
+
+  if (frame_index >= 0 &&
+      !webvr_frame_oustanding_[frame_index % kPoseRingBufferSize]) {
+    mojo::ReportBadMessage("UpdateLayerBounds called with invalid frame_index");
+    binding_.Close();
+    return;
+  }
+
   if (frame_index < 0) {
-    webvr_left_viewport_->SetSourceUv(UVFromGfxRect(left_bounds));
-    webvr_right_viewport_->SetSourceUv(UVFromGfxRect(right_bounds));
+    webvr_left_viewport_->SetSourceUv(UVFromGfxRect(ClampRect(left_bounds)));
+    webvr_right_viewport_->SetSourceUv(UVFromGfxRect(ClampRect(right_bounds)));
     CreateOrResizeWebVRSurface(source_size);
+
+    // clear all pending bounds
+    pending_bounds_ = std::queue<std::pair<uint8_t, WebVrBounds>>();
   } else {
     pending_bounds_.emplace(
         frame_index, WebVrBounds(left_bounds, right_bounds, source_size));
   }
 }
 
 int64_t VrShellGl::GetPredictedFrameTimeNanos() {
   int64_t frame_time_micros = vsync_interval_.InMicroseconds();
   // If we aim to submit at vsync, that frame will start scanning out
   // one vsync later. Add a half frame to split the difference between
@@ skipping 16 matching lines @@
   TRACE_EVENT1("input", "VrShellGl::SendVSync", "frame", frame_index);
 
   int64_t prediction_nanos = GetPredictedFrameTimeNanos();
 
   gfx::Transform head_mat;
   device::mojom::VRPosePtr pose =
       device::GvrDelegate::GetVRPosePtrWithNeckModel(gvr_api_.get(), &head_mat,
                                                      prediction_nanos);
 
   webvr_head_pose_[frame_index % kPoseRingBufferSize] = head_mat;
+  webvr_frame_oustanding_[frame_index % kPoseRingBufferSize] = true;
   webvr_time_pose_[frame_index % kPoseRingBufferSize] = base::TimeTicks::Now();
 
   std::move(callback).Run(
       std::move(pose), time, frame_index,
       device::mojom::VRPresentationProvider::VSyncStatus::SUCCESS);
 }
 
 void VrShellGl::CreateVRDisplayInfo(
     const base::Callback<void(device::mojom::VRDisplayInfoPtr)>& callback,
     uint32_t device_id) {
   // This assumes that the initial webvr_surface_size_ was set to the
   // appropriate recommended render resolution as the default size during
   // InitializeGl. Revisit if the initialization order changes.
   device::mojom::VRDisplayInfoPtr info =
       device::GvrDelegate::CreateVRDisplayInfo(gvr_api_.get(),
                                                webvr_surface_size_, device_id);
   browser_->RunVRDisplayInfoCallback(callback, &info);
 }
 
 }  // namespace vr_shell