Fixed a use-after-free in exo::Pointer

Basically you can get the UAF by binding to either one of the delegates twice. Naturally (as a comment suggested) this doesnt make much sense, but its still an attack surface so this fix will stop it. The fix means that if a user binds the delegate's interface twice, then we will only keep the latest one alive, and we simulate removal of the pointer interface for the other (which prevents it from invoking methods on that pointer during its destruction). Bug: b:135720248 Change-Id: I39f4ca1602058efa650a51a41e3ce7b955bb43bd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670574 Commit-Queue: Nic Hollingum <hollingum@google.com> Reviewed-by: Mitsuru Oshima <oshima@chromium.org> Cr-Commit-Position: refs/heads/master@{#671568}

Fixed a use-after-free in exo::Pointer
Basically you can get the UAF by binding to either one of the delegates twice. Naturally (as a comment suggested) this doesnt make much sense, but its still an attack surface so this fix will stop it. The fix means that if a user binds the delegate's interface twice, then we will only keep the latest one alive, and we simulate removal of the pointer interface for the other (which prevents it from invoking methods on that pointer during its destruction). Bug: b:135720248 Change-Id: I39f4ca1602058efa650a51a41e3ce7b955bb43bd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670574 Commit-Queue: Nic Hollingum <hollingum@google.com> Reviewed-by: Mitsuru Oshima <oshima@chromium.org> Cr-Commit-Position: refs/heads/master@{#671568}
da8ef10a · Nicholas Hollingum · Commit Bot · fbe4473c · da8ef10a
Commit da8ef10a authored Jun 24, 2019 by Nicholas Hollingum Committed by Commit Bot Jun 24, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

components/exo/pointer.cc components/exo/pointer.cc +10 -6

No files found.
--- a/components/exo/pointer.cc
+++ b/components/exo/pointer.cc
@@ -193,15 +193,20 @@ void Pointer::SetCursorType(ui::CursorType cursor_type) {
 }
 void Pointer::SetGesturePinchDelegate(PointerGesturePinchDelegate* delegate) {
+  // For the |pinch_delegate_| (and |relative_pointer_delegate_| below) it is
+  // possible to bind multiple extensions to the same pointer interface (not
+  // that this is a particularly reasonable thing to do). When that happens we
+  // choose to only keep a single binding alive, so we simulate pointer
+  // destruction for the previous binding.
+  if (pinch_delegate_)
+    pinch_delegate_->OnPointerDestroying(this);
  pinch_delegate_ = delegate;
 }
 void Pointer::RegisterRelativePointerDelegate(
    RelativePointerDelegate* delegate) {
-  // It does not seem that wayland forbids multiple relative pointer interfaces
+  if (relative_pointer_delegate_)
-  // being registered against the same pointer, though that is not really
+    relative_pointer_delegate_->OnPointerDestroying(this);
-  // reasonable behaviour.
-  DCHECK(!relative_pointer_delegate_);
  relative_pointer_delegate_ = delegate;
 }
@@ -334,8 +339,7 @@ void Pointer::OnMouseEvent(ui::MouseEvent* event) {
  TRACE_EXO_INPUT_EVENT(event);
-  if (event->IsMouseEvent() &&
+  if (event->IsMouseEvent() && event->type() != ui::ET_MOUSE_EXITED &&
-      event->type() != ui::ET_MOUSE_EXITED &&
      event->type() != ui::ET_MOUSE_CAPTURE_CHANGED) {
    // Generate motion event if location changed. We need to check location
    // here as mouse movement can generate both "moved" and "entered" events