From 61a977ec3427d21c5555d09151b8845c74bfb9ed Mon Sep 17 00:00:00 2001
From: Kevin Kofler
Date: Thu, 27 Jul 2017 02:53:12 +0200
Subject: [PATCH] Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit

* Thu Jul 27 2017 Kevin Kofler - 5.6.3-0.2.20170712gitee719ad313e564
- Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
---
 qt5-qtwebengine.spec | 16 +-
 qtwebengine-chromium-CVE-2017-5052.patch | 58 +++++++
 ...bengine-chromium-CVE-2017-5054-debug.patch | 39 +++++
 qtwebengine-chromium-CVE-2017-5054.patch | 145 ++++++++++++++++++
 4 files changed, 257 insertions(+), 1 deletion(-)
 create mode 100644 qtwebengine-chromium-CVE-2017-5052.patch
 create mode 100644 qtwebengine-chromium-CVE-2017-5054-debug.patch
 create mode 100644 qtwebengine-chromium-CVE-2017-5054.patch

diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index 6765bba..9d01160 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -37,7 +37,7 @@
 Summary: Qt5 - QtWebEngine components
 Name: qt5-qtwebengine
 Version: 5.6.3
-Release: 0.1.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}
+Release: 0.2.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}
 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details
 # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html
 
@@ -98,6 +98,14 @@ Patch11: qtwebengine-opensource-src-5.7.1-skia-neon.patch
 # feature detection for ARM Linux." and enable the detection also for Chromium
 Patch12: qtwebengine-opensource-src-5.7.1-webrtc-neon-detect.patch
+# security patches from codereview.qt-project.org (Qt Gerrit):
+# [Backport] CVE-2017-5052 - https://codereview.qt-project.org/#/c/200312/
+Patch100: qtwebengine-chromium-CVE-2017-5052.patch
+# [Backport] CVE-2017-5054 - https://codereview.qt-project.org/#/c/200313/
+Patch101: qtwebengine-chromium-CVE-2017-5054.patch
+# Fix broken debug build - https://codereview.qt-project.org/#/c/200401/
+Patch102: qtwebengine-chromium-CVE-2017-5054-debug.patch
+
 
 # the architectures theoretically supported by the version of V8 used (#1298011)
 # You may need some minor patching to build on one of the secondary
 # architectures, e.g., to add to the Qt -> Chromium -> V8 arch translations.
@@ -317,6 +325,9 @@ BuildArch: noarch
 
 %prep
 %setup -q -n %{qt_module}-opensource-src-%{version}%{?prerelease:-%{prerelease}}
+%patch100 -p1 -b .CVE-2017-5052
+%patch101 -p1 -b .CVE-2017-5054
+%patch102 -p1 -b .CVE-2017-5054-debug
 %patch0 -p1 -b .linux-pri
 %patch1 -p1 -b .no-icudtl-dat
 %patch2 -p1 -b .fix-extractcflag
@@ -498,6 +509,9 @@ sed -i -e "s|%{version} \${_Qt5WebEngine|%{_qt5_version} \${_Qt5WebEngine|" \
 
 
 %changelog
+* Thu Jul 27 2017 Kevin Kofler - 5.6.3-0.2.20170712gitee719ad313e564
+- Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
+
 * Sat Jul 15 2017 Kevin Kofler - 5.6.3-0.1.20170712gitee719ad313e564
 - Update to 5.6 branch revision ee719ad313e564d4e6f06d74b313ae179169466f
 - Sync FFmpeg cleaning scripts from 5.7, upstream backported its Chromium
diff --git a/qtwebengine-chromium-CVE-2017-5052.patch b/qtwebengine-chromium-CVE-2017-5052.patch
new file mode 100644
index 0000000..27f57e9
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5052.patch
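Review bot: The `Patch102` comment in hunk `@@ -98,6 +98,14 @@` does not record that this patch depends on `Patch101`: its own hunk header `@@ -18171,7 +18171,7 @@ Handle Dictionary::NewEmpty(` edits the `Dictionary::NewEmpty` body that `Patch101` introduces, so the `%patch101`/`%patch102` order in hunk `@@ -317,6 +325,9 @@` must not be swapped. Suggest `# Fix broken debug build - https://codereview.qt-project.org/#/c/200401/ (edits Dictionary::NewEmpty from Patch101; keep after Patch101)`. Since the debug patch's own subject says the debug build is broken with only the security backport applied, folding that fix into Patch101 would be an option if the Gerrit backport is ever regenerated.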
@@ -0,0 +1,58 @@
+From 2c15cc053c4bbb8a3ad3bf9b52c0502cd0a632f8 Mon Sep 17 00:00:00 2001
+From: Michal Klocek
+Date: Tue, 18 Jul 2017 13:33:07 +0200
+Subject: [PATCH] [Backport] CVE-2017-5052
+
+Search the entire subtree when looking for the end of an inline continuation chain.
+
+Inlines may be nested, so we may not find the last inline in the chain as a
+direct child of the anonymous blocks. We need to search the entire subtree.
+Don't do this with anonymous blocks that wrap block children (the block-level
+DOM children of the inline-level objects), though. We're not going to find
+anything interesting there.
+
+This fix is speculative; the original bug report didn't come with a test case.
+
+BUG=662767
+
+Review-Url: https://codereview.chromium.org/2738503004
+Cr-Commit-Position: refs/heads/master@{#455420}
+(cherry picked from commit e72c8c06b956706b54648589f807086d17340831)
+
+Review-Url: https://codereview.chromium.org/2769703003 .
+Cr-Commit-Position: refs/branch-heads/2987@{#862}
+Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
+
+Change-Id: Ia89df9909da88b8891ae89fc18ffdc9d042c8eaa
+Reviewed-by: Allan Sandfeld Jensen
+---
+ chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+index 618a4ed..665b1e1 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+@@ -1029,11 +1029,18 @@ LayoutRect LayoutInline::absoluteClippedOverflowRect() const
+ endContinuation = nextContinuation;
+ 
+ for (LayoutBlock* currBlock = containingBlock(); currBlock && currBlock->isAnonymousBlock(); currBlock = toLayoutBlock(currBlock->nextSibling())) {
++ bool walkChildrenOnly = !currBlock->childrenInline();
+ for (LayoutObject* curr = currBlock->firstChild(); curr; curr = curr->nextSibling()) {
+ LayoutRect rect(curr->clippedOverflowRectForPaintInvalidation(view()));
+ context(FloatRect(rect));
+- if (curr == endContinuation)
++ if (walkChildrenOnly)
++ continue;
++ for (LayoutObject* walker = curr; walker;
++ walker = walker->nextInPreOrder(curr)) {
++ if (walker != endContinuation)
++ continue;
+ return LayoutRect(enclosingIntRect(floatResult));
++ }
+ }
+ }
+ return LayoutRect();
+-- 
+2.7.4
+
diff --git a/qtwebengine-chromium-CVE-2017-5054-debug.patch b/qtwebengine-chromium-CVE-2017-5054-debug.patch
new file mode 100644
index 0000000..1da84d5
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5054-debug.patch
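Review bot: The `walkChildrenOnly` early `continue` in hunk `@@ -1029,11 +1029,18 @@` carries no comment, and the reason block-children anonymous blocks are not searched lives only in the commit message. Suggest, above `bool walkChildrenOnly = !currBlock->childrenInline();`, the comment `// Block-level children of an anonymous block are not expected to hold the end of the inline continuation chain; their rects are still fed to context() above, but their subtrees are not searched.` The inner walk is bounded by `nextInPreOrder(curr)`, so each child's subtree is visited once, and the fall-through `return LayoutRect()` when endContinuation is never found is unchanged from the removed code. `LayoutInline::absoluteClippedOverflowRect` starts and ends outside the hunk.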
@@ -0,0 +1,39 @@
+From 4854a4fa365527b57f66f72eab1c07cfc5b2b9fd Mon Sep 17 00:00:00 2001
+From: Michal Klocek
+Date: Wed, 19 Jul 2017 16:43:04 +0200
+Subject: [PATCH] Fix broken debug build introduced in security backport
+
+Fix DCHECK to call HasSufficientCapacity instead of
+HasSufficientCapacityToAdd (introduced in chromium's v8 a76d133f769).
+Avoid right-shifting a negative integer in HasSufficientCapacity.
+
+Change-Id: Id5370803896814f7536d7a026985b27e689c902e
+---
+ chromium/v8/src/objects.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc b/src/3rdparty/chromium/v8/src/objects.cc
+index 9b463de..673a219 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17281,7 +17281,7 @@ bool HashTable::HasSufficientCapacity(int n) {
+ // Return true if:
+ // 50% is still free after adding n elements and
+ // at most 50% of the free elements are deleted elements.
+- if (nod <= (capacity - nof) >> 1) {
++ if ((nof < capacity) && ((nod <= (capacity - nof) >> 1))) {
+ int needed_free = nof >> 1;
+ if (nof + needed_free <= capacity) return true;
+ }
+@@ -18171,7 +18171,7 @@ Handle Dictionary::NewEmpty(
+ Isolate* isolate, PretenureFlag pretenure) {
+ Handle dict = DerivedHashTable::New(isolate, 1, pretenure);
+ // Attempt to add one element to the empty dictionary must cause reallocation.
+- DCHECK(!dict->HasSufficientCapacityToAdd(1));
++ DCHECK(!dict->HasSufficientCapacity(1));
+ // Initialize the next enumeration index.
+ dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
+ return dict;
+-- 
+2.7.4
+
diff --git a/qtwebengine-chromium-CVE-2017-5054.patch b/qtwebengine-chromium-CVE-2017-5054.patch
new file mode 100644
index 0000000..4d40131
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5054.patch
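Review bot: The comment above the changed condition in hunk `@@ -17281,7 +17281,7 @@` (`// Return true if: 50% is still free ...`) no longer describes the new `nof < capacity` guard. Suggest adding a third bullet to it, `// the table is not already full after adding n elements (this also keeps capacity - nof non-negative before the shift),` which is the rationale the patch subject gives. Assuming `nof` already includes `n` (the lines computing it are outside the hunk), `HasSufficientCapacity(1)` on the capacity-1 table built by `NewEmpty` now returns false, which is exactly what the corrected `DCHECK` in hunk `@@ -18171,7 +18171,7 @@` requires.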
@@ -0,0 +1,145 @@
+From 9966a98c2c90603a7ed3c7bd61609d441b782116 Mon Sep 17 00:00:00 2001
+From: Michal Klocek
+Date: Tue, 16 May 2017 13:04:46 +0200
+Subject: [PATCH] [Backport] CVE-2017-5054
+
+Merged: [runtime] Ensure that canonical empty dictionaries reallocate upon addition.
+
+Revision: 17ac7c5f4d712c914030e1fb7247d2083b04b929
+
+BUG=chromium:699166
+LOG=N
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+
+Reviewed-on: https://chromium-review.googlesource.com/456703
+Reviewed-by: Igor Sheludko
+Cr-Commit-Position: refs/branch-heads/5.8@{#35}
+Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
+Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
+
+Change-Id: Icb1453cc24519319992629b13846cb46d7e9fc85
+Reviewed-by: Allan Sandfeld Jensen
+---
+ chromium/v8/src/heap/heap.cc | 4 ++--
+ chromium/v8/src/objects.cc | 26 +++++++++++++++++++++++++-
+ chromium/v8/src/objects.h | 7 +++++++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/heap/heap.cc b/src/3rdparty/chromium/v8/src/heap/heap.cc
+index 7983d47..f93adb8 100644
+--- a/src/3rdparty/chromium/v8/src/heap/heap.cc
++++ b/src/3rdparty/chromium/v8/src/heap/heap.cc
+@@ -2753,7 +2753,7 @@ void Heap::CreateInitialObjects() {
+ set_intrinsic_function_names(*intrinsic_names);
+ 
+ Handle empty_properties_dictionary =
+- NameDictionary::New(isolate(), 0, TENURED);
++ NameDictionary::NewEmpty(isolate(), TENURED);
+ empty_properties_dictionary->SetRequiresCopyOnCapacityChange();
+ set_empty_properties_dictionary(*empty_properties_dictionary);
+ 
+@@ -2850,7 +2850,7 @@ void Heap::CreateInitialObjects() {
+ set_script_list(Smi::FromInt(0));
+ 
+ Handle slow_element_dictionary =
+- SeededNumberDictionary::New(isolate(), 0, TENURED);
++ SeededNumberDictionary::NewEmpty(isolate(), TENURED);
+ slow_element_dictionary->set_requires_slow_elements();
+ set_empty_slow_element_dictionary(*slow_element_dictionary);
+ 
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc b/src/3rdparty/chromium/v8/src/objects.cc
+index 5601768..9b463de 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17082,7 +17082,13 @@ Handle HashTable::New(
+ if (capacity > HashTable::kMaxCapacity) {
+ v8::internal::Heap::FatalProcessOutOfMemory("invalid table size", true);
+ }
++ return New(isolate, capacity, pretenure);
++}
+ 
++template
++Handle HashTable::New(Isolate* isolate,
++ int capacity,
++ PretenureFlag pretenure) {
+ Factory* factory = isolate->factory();
+ int length = EntryToIndex(capacity);
+ Handle array = factory->NewFixedArray(length, pretenure);
+@@ -17095,7 +17101,6 @@ Handle HashTable::New(
+ return table;
+ }
+ 
+-
+ // Find entry for key otherwise return kNotFound.
+ template
+ int NameDictionaryBase::FindEntry(Handle key) {
+@@ -17363,6 +17368,10 @@ template Handle
+ Dictionary::
+ New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+ 
++template Handle
++Dictionary::NewEmpty(Isolate*, PretenureFlag pretenure);
++
+ template Handle
+ Dictionary::
+ New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+@@ -17371,6 +17380,10 @@ template Handle
+ Dictionary >::
+ New(Isolate*, int n, PretenureFlag pretenure);
+ 
++template Handle
++Dictionary>::NewEmpty(
++ Isolate*, PretenureFlag pretenure);
++
+ template Handle
+ Dictionary >::New(
+ Isolate*, int n, PretenureFlag pretenure);
+@@ -18154,6 +18167,17 @@ Handle Dictionary::BuildIterationIndicesArray(
+ 
+ 
+ template
++Handle Dictionary::NewEmpty(
++ Isolate* isolate, PretenureFlag pretenure) {
++ Handle dict = DerivedHashTable::New(isolate, 1, pretenure);
++ // Attempt to add one element to the empty dictionary must cause reallocation.
++ DCHECK(!dict->HasSufficientCapacityToAdd(1));
++ // Initialize the next enumeration index.
++ dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
++ return dict;
++}
++
++template
+ Handle
+ Dictionary::GenerateNewEnumerationIndices(
+ Handle dictionary) {
+diff --git a/src/3rdparty/chromium/v8/src/objects.h b/src/3rdparty/chromium/v8/src/objects.h
+index d737a18..151ab52 100644
+--- a/src/3rdparty/chromium/v8/src/objects.h
++++ b/src/3rdparty/chromium/v8/src/objects.h
+@@ -3199,6 +3199,9 @@ class HashTable : public HashTableBase {
+ protected:
+ friend class ObjectHashTable;
+ 
++ MUST_USE_RESULT static Handle New(Isolate* isolate, int capacity,
++ PretenureFlag pretenure);
++
+ // Find the entry at which to insert element with the given key that
+ // has the given hash value.
+ uint32_t FindInsertionEntry(uint32_t hash);
+@@ -3415,6 +3418,10 @@ class Dictionary: public HashTable {
+ int at_least_space_for,
+ PretenureFlag pretenure = NOT_TENURED);
+ 
++ // Creates an dictionary with minimal possible capacity.
++ MUST_USE_RESULT static Handle NewEmpty(
++ Isolate* isolate, PretenureFlag pretenure = NOT_TENURED);
++
+ // Ensures that a new dictionary is created when the capacity is checked.
+ void SetRequiresCopyOnCapacityChange();
+ 
+-- 
+2.7.4
+
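Review bot: The new protected `HashTable::New(Isolate* isolate, int capacity, PretenureFlag pretenure)` overload in hunk `@@ -3199,6 +3199,9 @@` of objects.h is undocumented, while the objects.cc hunk `@@ -17082,7 +17082,13 @@` shows it sizes the backing array from `EntryToIndex(capacity)` as given and leaves the `kMaxCapacity` check in the public overload. Suggest above the declaration: `// Allocates storage for |capacity| entries as given; the kMaxCapacity check lives in the public New(), so pass a validated capacity.` In hunk `@@ -3415,6 +3418,10 @@`, `// Creates an dictionary with minimal possible capacity.` should read `// Creates a dictionary with minimal possible capacity.`. The `DCHECK(!dict->HasSufficientCapacityToAdd(1))` added in `Dictionary::NewEmpty` (hunk `@@ -18154,6 +18167,17 @@`) names a method this v8 tree apparently lacks; it is corrected by the separate debug patch in this commit, so folding that fix in here would keep the backport self-contained.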