authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-09-06 12:40:36 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-09-12 07:43:30 +0000
commit38b701b44f54ff5e5b8b772d5cabe0e59569d032 (patch)
treed89fbfd120b91c05152264e2191272abf65d5bb9
parentc92e99aa5f826d890cc22bc709039986a27968db (diff)
[Backport] CVE-2018-16068
[mojo-core] Validate data pipe endpoint metadata Ensures that we don't blindly trust specified buffer size and offset metadata when deserializing data pipe consumer and producer handles. TBR=rockot@chromium.org (cherry picked from commit 66e24a8793615bd9d5c238b1745b093090e1f72d) Bug: 877182 Change-Id: I10572a0627c282825593956b04ef235adb4add43 Reviewed-on: https://chromium-review.googlesource.com/1192922 Reviewed-on: https://chromium-review.googlesource.com/1196554 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc8
-rw-r--r--chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc8
2 files changed, 14 insertions, 2 deletions
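diff --git a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
index e1ecc853c25..03c1c2fcdf4 100644
--- a/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
+++ b/chromium/mojo/edk/system/data_pipe_consumer_dispatcher.cc
@@ -370,7 +370,9 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast<const SerializedState*>(data);
 if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->read_offset >= state->options.capacity_num_bytes ||
+ state->bytes_available > state->options.capacity_num_bytes) {
 return nullptr;
 }
@@ -404,6 +406,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_->GetLength()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }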
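Review bot: The new `capacity_num_bytes > ring_buffer_mapping_->GetLength()` check in the second hunk is the one that actually bounds ring-buffer indexing, yet neither it nor the new `read_offset`/`bytes_available` comparisons in the first hunk say why they exist, so a later cleanup could drop them as redundant with the existing capacity/element check. Suggest a comment above the first condition, `// |state| was deserialized from a message the peer controls; reject offset/size metadata that could index outside the ring buffer.`, and above the mapping check, `// The ring buffer is only as large as the shared-buffer mapping; the serialized capacity must not exceed it.`. The same applies to the two matching hunks in data_pipe_producer_dispatcher.cc (`write_offset` / `available_capacity`). One thing the hunk does not show is the declared type of `read_offset`, `bytes_available` and `capacity_num_bytes`: the comparisons only reject bad metadata if all three are unsigned, so if any is signed a negative value would pass both checks and the field type (or a `static_assert(std::is_unsigned_v<...>)`) should be pinned. Deserialize begins and ends outside these hunks, so I cannot see whether the mapping-length check runs before anything else reads `ring_buffer_mapping_` with state-derived offsets.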
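diff --git a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
index de0b768b63b..add4c004423 100644
--- a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
+++ b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -333,7 +333,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 const SerializedState* state = static_cast<const SerializedState*>(data);
 if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
- state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ state->options.capacity_num_bytes < state->options.element_num_bytes ||
+ state->write_offset >= state->options.capacity_num_bytes ||
+ state->available_capacity > state->options.capacity_num_bytes) {
 return nullptr;
 }
@@ -366,6 +368,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
 if (!dispatcher->InitializeNoLock())
 return nullptr;
+ if (state->options.capacity_num_bytes >
+ dispatcher->ring_buffer_mapping_->GetLength()) {
+ return nullptr;
+ }
 dispatcher->UpdateSignalsStateNoLock();
 }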
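Review bot: The validation block added here is a line-for-line mirror of the one in data_pipe_consumer_dispatcher.cc with only the field names swapped, so the two copies will drift the next time a field is added to `SerializedState`. A small shared helper on the serialized-state type, e.g. `static bool IsValid(const SerializedState& s, size_t mapping_len)` called from both `Deserialize` implementations, would keep the consumer and producer checks in step and give one place to extend when new metadata appears. The mapping-length check also has to stay after `InitializeNoLock()` since that is presumably where `ring_buffer_mapping_` is created; a one-line comment saying so would stop someone hoisting it into the first condition. Deserialize begins and ends outside these hunks.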