Convert Out of Process Pepper Creation/Deletion messages to mojom.

Convert FrameHostMsg_DidCreateOutOfProcessPepperInstance and FrameHostMsg_DidDeleteOutOfProcessPepperInstance to mojo messages. These messages can use the PepperBrowserConnection The implementation for RenderFrameMessageFilter can move into the pepper subclasses themselves. BUG=1157519 Change-Id: Ic051729ed0edf99d5bd8165fe5d4d5e21b3cf42c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2626413 Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#844121}

Convert Out of Process Pepper Creation/Deletion messages to mojom.
Convert FrameHostMsg_DidCreateOutOfProcessPepperInstance and FrameHostMsg_DidDeleteOutOfProcessPepperInstance to mojo messages. These messages can use the PepperBrowserConnection The implementation for RenderFrameMessageFilter can move into the pepper subclasses themselves. BUG=1157519 Change-Id: Ic051729ed0edf99d5bd8165fe5d4d5e21b3cf42c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2626413 Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#844121}
b9fc3ef6 · Dave Tapuska · Chromium LUCI CQ · 362ca06a · b9fc3ef6 · b9fc3ef6
Commit b9fc3ef6 authored Jan 15, 2021 by Dave Tapuska Committed by Chromium LUCI CQ Jan 15, 2021
9 changed files
--- a/content/browser/renderer_host/pepper/pepper_renderer_connection.cc
+++ b/content/browser/renderer_host/pepper/pepper_renderer_connection.cc
@@ -245,4 +245,53 @@ void PepperRendererConnection::DidDeleteInProcessInstance(int32_t instance) {
  in_process_host_->DeleteInstance(instance);
 }

+void PepperRendererConnection::DidCreateOutOfProcessPepperInstance(
+    int32_t plugin_child_id,
+    int32_t pp_instance,
+    bool is_external,
+    int32_t render_frame_id,
+    const GURL& document_url,
+    const GURL& plugin_url,
+    bool is_privileged_context,
+    DidCreateOutOfProcessPepperInstanceCallback callback) {
+  // It's important that we supply the render process ID ourselves based on the
+  // channel the message arrived on. We use the
+  //   PP_Instance -> (process id, frame id)
+  // mapping to decide how to handle messages received from the (untrusted)
+  // plugin. An exploited renderer must not be able to insert fake mappings
+  // that may allow it access to other render processes.
+  PepperRendererInstanceData instance_data{render_process_id_, render_frame_id,
+                                           document_url, plugin_url,
+                                           is_privileged_context};
+  if (is_external) {
+    // We provide the BrowserPpapiHost to the embedder, so it's safe to cast.
+    BrowserPpapiHostImpl* host = static_cast<BrowserPpapiHostImpl*>(
+        GetContentClient()->browser()->GetExternalBrowserPpapiHost(
+            plugin_child_id));
+    if (host)
+      host->AddInstance(pp_instance, instance_data);
+  } else {
+    PpapiPluginProcessHost::DidCreateOutOfProcessInstance(
+        plugin_child_id, pp_instance, instance_data);
+  }
+  std::move(callback).Run();
+}
+
+void PepperRendererConnection::DidDeleteOutOfProcessPepperInstance(
+    int32_t plugin_child_id,
+    int32_t pp_instance,
+    bool is_external) {
+  if (is_external) {
+    // We provide the BrowserPpapiHost to the embedder, so it's safe to cast.
+    BrowserPpapiHostImpl* host = static_cast<BrowserPpapiHostImpl*>(
+        GetContentClient()->browser()->GetExternalBrowserPpapiHost(
+            plugin_child_id));
+    if (host)
+      host->DeleteInstance(pp_instance);
+  } else {
+    PpapiPluginProcessHost::DidDeleteOutOfProcessInstance(plugin_child_id,
+                                                          pp_instance);
+  }
+}
+
 }  // namespace content
--- a/content/browser/renderer_host/pepper/pepper_renderer_connection.h
+++ b/content/browser/renderer_host/pepper/pepper_renderer_connection.h
@@ -60,6 +60,18 @@ class PepperRendererConnection
                                  const GURL& document_url,
                                  const GURL& plugin_url) override;
  void DidDeleteInProcessInstance(int32_t instance) override;
+  void DidCreateOutOfProcessPepperInstance(
+      int32_t plugin_child_id,
+      int32_t pp_instance,
+      bool is_external,
+      int32_t render_frame_id,
+      const GURL& document_url,
+      const GURL& plugin_url,
+      bool is_priviledged_context,
+      DidCreateOutOfProcessPepperInstanceCallback callback) override;
+  void DidDeleteOutOfProcessPepperInstance(int32_t plugin_child_id,
+                                           int32_t pp_instance,
+                                           bool is_external) override;

  int render_process_id_;


--- a/content/browser/renderer_host/render_frame_message_filter.cc
+++ b/content/browser/renderer_host/render_frame_message_filter.cc
@@ -120,10 +120,6 @@ bool RenderFrameMessageFilter::OnMessageReceived(const IPC::Message& message) {
    IPC_MESSAGE_HANDLER(FrameHostMsg_GetPluginInfo, OnGetPluginInfo)
    IPC_MESSAGE_HANDLER_DELAY_REPLY(FrameHostMsg_OpenChannelToPepperPlugin,
                                    OnOpenChannelToPepperPlugin)
-    IPC_MESSAGE_HANDLER(FrameHostMsg_DidCreateOutOfProcessPepperInstance,
-                        OnDidCreateOutOfProcessPepperInstance)
-    IPC_MESSAGE_HANDLER(FrameHostMsg_DidDeleteOutOfProcessPepperInstance,
-                        OnDidDeleteOutOfProcessPepperInstance)
    IPC_MESSAGE_UNHANDLED(handled = false)
  IPC_END_MESSAGE_MAP()

@@ -175,47 +171,4 @@ void RenderFrameMessageFilter::OnOpenChannelToPepperPlugin(
      origin_lock, new OpenChannelToPpapiPluginCallback(this, reply_msg));
 }

-void RenderFrameMessageFilter::OnDidCreateOutOfProcessPepperInstance(
-    int plugin_child_id,
-    int32_t pp_instance,
-    PepperRendererInstanceData instance_data,
-    bool is_external) {
-  // It's important that we supply the render process ID ourselves based on the
-  // channel the message arrived on. We use the
-  //   PP_Instance -> (process id, frame id)
-  // mapping to decide how to handle messages received from the (untrusted)
-  // plugin, so an exploited renderer must not be able to insert fake mappings
-  // that may allow it access to other render processes.
-  DCHECK_EQ(0, instance_data.render_process_id);
-  instance_data.render_process_id = render_process_id_;
-  if (is_external) {
-    // We provide the BrowserPpapiHost to the embedder, so it's safe to cast.
-    BrowserPpapiHostImpl* host = static_cast<BrowserPpapiHostImpl*>(
-        GetContentClient()->browser()->GetExternalBrowserPpapiHost(
-            plugin_child_id));
-    if (host)
-      host->AddInstance(pp_instance, instance_data);
-  } else {
-    PpapiPluginProcessHost::DidCreateOutOfProcessInstance(
-        plugin_child_id, pp_instance, instance_data);
-  }
-}
-
-void RenderFrameMessageFilter::OnDidDeleteOutOfProcessPepperInstance(
-    int plugin_child_id,
-    int32_t pp_instance,
-    bool is_external) {
-  if (is_external) {
-    // We provide the BrowserPpapiHost to the embedder, so it's safe to cast.
-    BrowserPpapiHostImpl* host = static_cast<BrowserPpapiHostImpl*>(
-        GetContentClient()->browser()->GetExternalBrowserPpapiHost(
-            plugin_child_id));
-    if (host)
-      host->DeleteInstance(pp_instance);
-  } else {
-    PpapiPluginProcessHost::DidDeleteOutOfProcessInstance(plugin_child_id,
-                                                          pp_instance);
-  }
-}
-
 }  // namespace content
--- a/content/browser/renderer_host/render_frame_message_filter.h
+++ b/content/browser/renderer_host/render_frame_message_filter.h
@@ -76,14 +76,6 @@ class CONTENT_EXPORT RenderFrameMessageFilter : public BrowserMessageFilter {
      const base::FilePath& path,
      const base::Optional<url::Origin>& origin_lock,
      IPC::Message* reply_msg);
-  void OnDidCreateOutOfProcessPepperInstance(
-      int plugin_child_id,
-      int32_t pp_instance,
-      PepperRendererInstanceData instance_data,
-      bool is_external);
-  void OnDidDeleteOutOfProcessPepperInstance(int plugin_child_id,
-                                             int32_t pp_instance,
-                                             bool is_external);
  void OnOpenChannelToPpapiBroker(int routing_id, const base::FilePath& path);

  PluginServiceImpl* plugin_service_;

--- a/content/common/frame_messages.h
+++ b/content/common/frame_messages.h
@@ -218,16 +218,6 @@ IPC_STRUCT_TRAITS_BEGIN(network::mojom::ContentSecurityPolicyHeader)
  IPC_STRUCT_TRAITS_MEMBER(source)
 IPC_STRUCT_TRAITS_END()

-#if BUILDFLAG(ENABLE_PLUGINS)
-IPC_STRUCT_TRAITS_BEGIN(content::PepperRendererInstanceData)
-  IPC_STRUCT_TRAITS_MEMBER(render_process_id)
-  IPC_STRUCT_TRAITS_MEMBER(render_frame_id)
-  IPC_STRUCT_TRAITS_MEMBER(document_url)
-  IPC_STRUCT_TRAITS_MEMBER(plugin_url)
-  IPC_STRUCT_TRAITS_MEMBER(is_potentially_secure_plugin_context)
-IPC_STRUCT_TRAITS_END()
-#endif
-
 // -----------------------------------------------------------------------------
 // Messages sent from the browser to the renderer.

@@ -283,34 +273,6 @@ IPC_SYNC_MESSAGE_CONTROL3_3(FrameHostMsg_OpenChannelToPepperPlugin,
                            base::ProcessId /* plugin_pid */,
                            int /* plugin_child_id */)

-// Notification that a plugin has created a new plugin instance. The parameters
-// indicate:
-//  - The plugin process ID that we're creating the instance for.
-//  - The instance ID of the instance being created.
-//  - A PepperRendererInstanceData struct which contains properties from the
-//    renderer which are associated with the plugin instance. This includes the
-//    routing ID of the associated RenderFrame and the URL of plugin.
-//  - Whether the plugin we're creating an instance for is external or internal.
-//
-// This message must be sync even though it returns no parameters to avoid
-// a race condition with the plugin process. The plugin process sends messages
-// to the browser that assume the browser knows about the instance. We need to
-// make sure that the browser actually knows about the instance before we tell
-// the plugin to run.
-IPC_SYNC_MESSAGE_CONTROL4_0(
-    FrameHostMsg_DidCreateOutOfProcessPepperInstance,
-    int /* plugin_child_id */,
-    int32_t /* pp_instance */,
-    content::PepperRendererInstanceData /* creation_data */,
-    bool /* is_external */)
-
-// Notification that a plugin has destroyed an instance. This is the opposite of
-// the "DidCreate" message above.
-IPC_MESSAGE_CONTROL3(FrameHostMsg_DidDeleteOutOfProcessPepperInstance,
-                     int /* plugin_child_id */,
-                     int32_t /* pp_instance */,
-                     bool /* is_external */)
-
 #endif  // BUILDFLAG(ENABLE_PLUGINS)

 // Used to tell the parent that the user right clicked on an area of the

--- a/content/common/pepper_plugin.mojom
+++ b/content/common/pepper_plugin.mojom
@@ -32,6 +32,34 @@ interface PepperIOHost {

  // Notification that an in-process instance has been destroyed.
  DidDeleteInProcessInstance(int32 instance_id);
+
+  // Notification that a plugin has created a new plugin instance. The
+  // parameters indicate:
+  //  - The plugin process ID that we're creating the instance for.
+  //  - The instance ID of the instance being created.
+  //  - A PepperRendererInstanceData struct which contains properties from the
+  //    renderer which are associated with the plugin instance. This includes
+  //    the routing ID of the associated RenderFrame and the URL of plugin.
+  //  - Whether the plugin we're creating an instance for is external or
+  //    internal.
+  //
+  // This message must be sync even though it returns no parameters to avoid
+  // a race condition with the plugin process. The plugin process sends messages
+  // to the browser that assume the browser knows about the instance. We need to
+  // make sure that the browser actually knows about the instance before we tell
+  // the plugin to run.
+  [Sync] DidCreateOutOfProcessPepperInstance(int32 plugin_child_id,
+                                             int32 pp_instance,
+                                             bool is_external,
+                                             int32 frame_routing_id,
+                                             url.mojom.Url document_url,
+                                             url.mojom.Url plugin_url,
+                                             bool is_privileged_context) => ();
+
+  // Notification that a plugin has destroyed an instance.
+  DidDeleteOutOfProcessPepperInstance(int32 plugin_child_id,
+                                      int32 pp_instance,
+                                      bool is_external);
 };

 // This interface is used on the renderer IO thread and is received on the

--- a/content/renderer/pepper/host_dispatcher_wrapper.cc
+++ b/content/renderer/pepper/host_dispatcher_wrapper.cc
@@ -6,6 +6,7 @@

 #include "build/build_config.h"
 #include "content/common/frame_messages.h"
+#include "content/renderer/pepper/pepper_browser_connection.h"
 #include "content/renderer/pepper/pepper_hung_plugin_filter.h"
 #include "content/renderer/pepper/pepper_plugin_instance_impl.h"
 #include "content/renderer/pepper/pepper_proxy_channel_delegate_impl.h"
@@ -87,13 +88,11 @@ void HostDispatcherWrapper::AddInstance(PP_Instance instance) {
    bool is_privileged_context =
        plugin_instance->GetContainer()->GetDocument().IsSecureContext() &&
        network::IsUrlPotentiallyTrustworthy(plugin_instance->GetPluginURL());
-    render_frame->Send(new FrameHostMsg_DidCreateOutOfProcessPepperInstance(
-        plugin_child_id_, instance,
-        PepperRendererInstanceData(
-            0,  // The render process id will be supplied in the browser.
+    PepperBrowserConnection::Get(render_frame)
+        ->DidCreateOutOfProcessPepperInstance(
+            plugin_child_id_, instance, is_external_,
            render_frame->GetRoutingID(), host->GetDocumentURL(instance),
-            plugin_instance->GetPluginURL(), is_privileged_context),
-        is_external_));
+            plugin_instance->GetPluginURL(), is_privileged_context);
  }
 }

@@ -106,8 +105,9 @@ void HostDispatcherWrapper::RemoveInstance(PP_Instance instance) {
  if (host) {
    RenderFrame* render_frame = host->GetRenderFrameForInstance(instance);
    if (render_frame) {
-      render_frame->Send(new FrameHostMsg_DidDeleteOutOfProcessPepperInstance(
-          plugin_child_id_, instance, is_external_));
+      PepperBrowserConnection::Get(render_frame)
+          ->DidDeleteOutOfProcessPepperInstance(plugin_child_id_, instance,
+                                                is_external_);
    }
  }
 }

--- a/content/renderer/pepper/pepper_browser_connection.cc
+++ b/content/renderer/pepper/pepper_browser_connection.cc
@@ -43,15 +43,41 @@ void PepperBrowserConnection::DidCreateInProcessInstance(
    int render_frame_id,
    const GURL& document_url,
    const GURL& plugin_url) {
-  if (auto* io_host = GetIOHost()) {
-    io_host->DidCreateInProcessInstance(instance, render_frame_id, document_url,
-                                        plugin_url);
-  }
+  if (!GetIOHost())
+    return;
+  GetIOHost()->DidCreateInProcessInstance(instance, render_frame_id,
+                                          document_url, plugin_url);
 }

 void PepperBrowserConnection::DidDeleteInProcessInstance(PP_Instance instance) {
-  if (auto* io_host = GetIOHost())
-    io_host->DidDeleteInProcessInstance(instance);
+  if (!GetIOHost())
+    return;
+  GetIOHost()->DidDeleteInProcessInstance(instance);
+}
+
+void PepperBrowserConnection::DidCreateOutOfProcessPepperInstance(
+    int32_t plugin_child_id,
+    int32_t pp_instance,
+    bool is_external,
+    int32_t render_frame_id,
+    const GURL& document_url,
+    const GURL& plugin_url,
+    bool is_priviledged_context) {
+  if (!GetIOHost())
+    return;
+  GetIOHost()->DidCreateOutOfProcessPepperInstance(
+      plugin_child_id, pp_instance, is_external, render_frame_id, document_url,
+      plugin_url, is_priviledged_context);
+}
+
+void PepperBrowserConnection::DidDeleteOutOfProcessPepperInstance(
+    int32_t plugin_child_id,
+    int32_t pp_instance,
+    bool is_external) {
+  if (!GetIOHost())
+    return;
+  GetIOHost()->DidDeleteOutOfProcessPepperInstance(plugin_child_id, pp_instance,
+                                                   is_external);
 }

 void PepperBrowserConnection::SendBrowserCreate(

--- a/content/renderer/pepper/pepper_browser_connection.h
+++ b/content/renderer/pepper/pepper_browser_connection.h
@@ -61,6 +61,20 @@ class PepperBrowserConnection
  // Called when the renderer deletes an in-process instance.
  void DidDeleteInProcessInstance(PP_Instance instance);

+  // Called when the renderer creates an out of process instance.
+  void DidCreateOutOfProcessPepperInstance(int32_t plugin_child_id,
+                                           int32_t pp_instance,
+                                           bool is_external,
+                                           int32_t render_frame_id,
+                                           const GURL& document_url,
+                                           const GURL& plugin_url,
+                                           bool is_priviledged_context);
+
+  // Called when the renderer deletes an out of process instance.
+  void DidDeleteOutOfProcessPepperInstance(int32_t plugin_child_id,
+                                           int32_t pp_instance,
+                                           bool is_external);
+
 private:
  // RenderFrameObserver implementation.
  void OnDestruct() override;