From e2170d719950d7c48d767ea09be1617a63707e24 Mon Sep 17 00:00:00 2001
From: Ken Rockot <rockot@google.com>
Date: Tue, 23 Mar 2021 21:13:00 +0000
Subject: [Backport] CVE-2021-21207: Use after free in IndexedDB

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2778871:
Never fail in ReceiverSet::Add

Because of how UniqueReceiverSet is implemented and used, it is
dangerous to allow Add() to fail: callers reasonably assume that added
objects are still alive immediately after the Add() call.

This changes ReceiverId to a uint64 and simply CHECK-fails on
insert collision.

This fundamentally increases binary size of 32-bit builds, because
a widely used 32-bit data type is expanding to 64 bits for the sake
of security and stability. It is effectively unavoidable for now, and
also just barely above the tolerable threshold.

A follow-up (but less backwards-mergeable) change should be able to
reduce binary size beyond this increase by consolidating shared
code among ReceiverSet template instantiations.

Fixed: 1185732
Change-Id: I9acf6aaaa36e10fdce5aa49a890173caddc13c52
Binary-Size: Unavoidable (see above)
Commit-Queue: Ken Rockot <rockot@google.com>
Auto-Submit: Ken Rockot <rockot@google.com>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#865815}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 chromium/mojo/public/cpp/bindings/receiver_set.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chromium/mojo/public/cpp/bindings/receiver_set.h b/chromium/mojo/public/cpp/bindings/receiver_set.h
index 6cd2b982077..84ac4527dae 100644
--- a/chromium/mojo/public/cpp/bindings/receiver_set.h
+++ b/chromium/mojo/public/cpp/bindings/receiver_set.h
@@ -24,7 +24,7 @@
 
 namespace mojo {
 
-using ReceiverId = size_t;
+using ReceiverId = uint64_t;
 
 template <typename ReceiverType>
 struct ReceiverSetTraits;
@@ -361,11 +361,11 @@ class ReceiverSetBase {
                      Context context,
                      scoped_refptr<base::SequencedTaskRunner> task_runner) {
     ReceiverId id = next_receiver_id_++;
-    DCHECK_GE(next_receiver_id_, 0u);
     auto entry =
         std::make_unique<Entry>(std::move(impl), std::move(receiver), this, id,
                                 std::move(context), std::move(task_runner));
-    receivers_.insert(std::make_pair(id, std::move(entry)));
+    auto result = receivers_.insert(std::make_pair(id, std::move(entry)));
+    CHECK(result.second) << "ReceiverId overflow with collision";
     return id;
   }
 
-- 
cgit v1.2.3