From 43ea0649d4b70fdcf3e9fa5c03aee1bbba0b04bb Mon Sep 17 00:00:00 2001
From: rob
Date: Fri, 18 Mar 2016 18:05:01 -0700
Subject: Deal with frame removal by content scripts

Blink and the RenderFrame implementations are currently not prepared to deal with frame detachments in their callbacks. Consequently, extension code (content scripts, chrome.app.window.create) that run arbitrary code in the "document element created" and "document loaded" notifications may result in unexpected invalidation of memory, resulting in a UAF. This patch fixes the bug by moving all code that runs untrusted code from observers to dedicated callbacks, which are only run at a safe point. All document parsers in Blink have been modified to make sure that they still work even when the document creation is interrupted by frame removal. An extensive set of tests for all different kinds of documents, frame removal methods (e.g. synchronously / in mutation events / ...) and injection points (document start/end) have been added to avoid regressions.

BUG=582008

Review URL: https://codereview.chromium.org/1642283002

Cr-Commit-Position: refs/heads/master@{#382162}
---
 extensions/shell/renderer/shell_content_renderer_client.cc | 10 ++++++++++
 extensions/shell/renderer/shell_content_renderer_client.h  |  2 ++
 2 files changed, 12 insertions(+)

(limited to 'extensions/shell')

diff --git a/extensions/shell/renderer/shell_content_renderer_client.cc b/extensions/shell/renderer/shell_content_renderer_client.cc
index 7dc2aaa..92b7149 100644
--- a/extensions/shell/renderer/shell_content_renderer_client.cc
+++ b/extensions/shell/renderer/shell_content_renderer_client.cc
@@ -133,6 +133,16 @@ ShellContentRendererClient::CreateBrowserPluginDelegate(
   }
 }
 
+void ShellContentRendererClient::RunScriptsAtDocumentStart(
+    content::RenderFrame* render_frame) {
+  extension_dispatcher_->RunScriptsAtDocumentStart(render_frame);
+}
+
+void ShellContentRendererClient::RunScriptsAtDocumentEnd(
+    content::RenderFrame* render_frame) {
+  extension_dispatcher_->RunScriptsAtDocumentEnd(render_frame);
+}
+
 ExtensionsClient* ShellContentRendererClient::CreateExtensionsClient() {
   return new ShellExtensionsClient;
 }
diff --git a/extensions/shell/renderer/shell_content_renderer_client.h b/extensions/shell/renderer/shell_content_renderer_client.h
index a928e10..639da37 100644
--- a/extensions/shell/renderer/shell_content_renderer_client.h
+++ b/extensions/shell/renderer/shell_content_renderer_client.h
@@ -47,6 +47,8 @@ class ShellContentRendererClient : public content::ContentRendererClient {
       content::RenderFrame* render_frame,
       const std::string& mime_type,
       const GURL& original_url) override;
+  void RunScriptsAtDocumentStart(content::RenderFrame* render_frame) override;
+  void RunScriptsAtDocumentEnd(content::RenderFrame* render_frame) override;
 
  protected:
   // app_shell embedders may need custom extensions client interfaces.
-- 
cgit v1.1
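Review bot: The two new forwarding methods in the .cc hunk carry no comment recording the contract that motivates them — per the commit message they are the dedicated safe points at which untrusted extension script may run, and that contract is what keeps the use-after-free fixed if a later change moves the calls back into a frame observer. A comment above the declarations in the header hunk, e.g. `// Run extension scripts for |render_frame|. Only the content layer calls these, at a point where running arbitrary script is safe; do not invoke them from frame observer callbacks, since script can detach the frame.`, would make that explicit where the overrides are declared. Neither forwarder checks `render_frame` or `extension_dispatcher_`; the dispatcher's initialization is not in these hunks, so if it can be unset when the content layer first calls these hooks, a `DCHECK(extension_dispatcher_);` ahead of each forward would state the precondition rather than leave it to the caller. The same note applies to both hunks of this commit.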