From edc86cc74b9565c7d67341bbfa6efbe1859dbb8d Mon Sep 17 00:00:00 2001 From: Takashi Toyoshima Date: Mon, 12 Apr 2021 13:57:08 +0000 Subject: [Backport] CVE-2021-21213: Use after free in WebMIDI Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2817801: Web MIDI: Add a SECURITY_CHECK to be robust for attacks and changes In the current production code, `client_` is always set immediately after the MIDIDispatcher construction, and there is no timing to run SessionStarted without a valid `client_` on the same thread. This SECURITY_CHECK just makes the code robust against attacks via mojo injections and code changes in the future. (cherry picked from commit 5c63f62b2d58a4fcd4acd22a18dd1f5bfd129045) Bug: 1161806 Change-Id: Ic8a5f6e0dc70e6bb4c7cccb4d69d63fc12382c19 Commit-Queue: Takashi Toyoshima Auto-Submit: Takashi Toyoshima Reviewed-by: Yutaka Hirano Cr-Original-Commit-Position: refs/heads/master@{#844503} Reviewed-by: Artem Sumaneev Reviewed-by: Victor-Gabriel Savu Commit-Queue: Jana Grill Cr-Commit-Position: refs/branch-heads/4240@{#1593} Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} Reviewed-by: Allan Sandfeld Jensen
---
 .../third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc b/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc
index cbc52a63f97..88ccf042f3f 100644
--- a/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc
+++ b/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc
@@ -101,8 +101,13 @@ void MIDIDispatcher::SetOutputPortState(uint32_t port,
 void MIDIDispatcher::SessionStarted(midi::mojom::blink::Result result) {
 TRACE_EVENT0("midi", "MIDIDispatcher::OnSessionStarted");
+ // We always have a valid instance in `client_` in the production code, but
+ // just in case to be robust for mojo injections and code changes in the
+ // future. Other methods protect accesses to `client_` by `initialized_` flag
+ // that is set below.
+ SECURITY_CHECK(client_);
+
 DCHECK(!initialized_);
- DCHECK(client_);
 initialized_ = true;
 if (result == midi::mojom::blink::Result::OK) {
-- cgit v1.2.3
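Review bot: `DCHECK(!initialized_)` stays a debug-only check directly below a comment that justifies `SECURITY_CHECK(client_)` with robustness against injected mojo messages; in a release build a second SessionStarted message would pass the new check and run the setup path again with `initialized_` already true. If that state is considered reachable from an untrusted sender, the same treatment seems warranted, `SECURITY_CHECK(!initialized_);`, or an explicit early return, and if it is deliberately left as a DCHECK a short comment saying why only `client_` needs a release-build check would help the next reader. The added comment's wording is also hard to parse; something like `// Kept as a SECURITY_CHECK rather than a DCHECK so that a null client_ fails fast in release builds too, whether it comes from a malformed mojo message or a future reordering of setup.` states the intent more directly. SessionStarted's body continues past the hunk, so how `client_` is used after the `if` cannot be reviewed here.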