- Define missing bundlelibwebp variable

- update to 121.0.6167.139 * High CVE-2024-1060: Use after free in Canvas * High CVE-2024-1059: Use after free in WebRTC * High CVE-2024-1077: Use after free in Network - Enable Qt - Support for 64K pages on Linux/AArch64
9 months ago · 87a66b2a7b
parent 2bebd403ec
commit 87a66b2a7b
5 changed files with 181 additions and 10 deletions
--- a/.chromium.metadata
+++ b/.chromium.metadata
@ -1,4 +1,4 @@
-eac1a111ddf5c9dfceaea799c14738a989136af1  SOURCES/chromium-121.0.6167.85.tar.xz
+698b0c0966f2d94ee24672bece1d4251892ad3f3  SOURCES/chromium-121.0.6167.139.tar.xz
 dea187019741602d57aaf189a80abba261fbd2aa  SOURCES/linux-x64-0.19.2.tgz
 7e5d2c7864c5c83ec789b59c77cd9c20d2594916  SOURCES/linux-arm64-0.19.2.tgz
 769196d081c6a0ad37f1c63dec56febfff3370de  SOURCES/node-v20.6.1-linux-x64.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
-SOURCES/chromium-121.0.6167.85.tar.xz
+SOURCES/chromium-121.0.6167.139.tar.xz
 SOURCES/linux-x64-0.19.2.tgz
 SOURCES/linux-arm64-0.19.2.tgz
 SOURCES/node-v20.6.1-linux-x64.tar.xz
--- a/SOURCES/chromium-121-el8-support-64kpage.patch
+++ b/SOURCES/chromium-121-el8-support-64kpage.patch
@ -0,0 +1,126 @@
+diff -up chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.h.el8-support-64kpage.patch chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.h
+--- chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.h.el8-support-64kpage.patch	2024-01-30 21:24:10.000000000 +0100
+++ chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_bucket.h	2024-02-01 17:20:37.178877448 +0100
+@@ -146,7 +146,13 @@ struct PartitionBucket {
+   // Returns a slot number starting from the beginning of the slot span.
+   PA_ALWAYS_INLINE size_t GetSlotNumber(size_t offset_in_slot_span) const {
+     // See the static assertion for `kReciprocalShift` above.
+-    PA_DCHECK(offset_in_slot_span <= kMaxBucketed);
+    // TODO(casey.smalley@arm.com): triggers on Aarch64/Linux
+    // systems with 64k system pages. Constants need to be
+    // adjusted to prevent different parts of the allocator
+    // from overlapping. For now this will allow 64k pages
+    // to function on Aarch64/Linux systems, albeit not
+    // very efficiently.
+    // PA_DCHECK(offset_in_slot_span <= kMaxBucketed);
+     PA_DCHECK(slot_size <= kMaxBucketed);
+ 
+     const size_t offset_in_slot =
+diff -up chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page_constants.h.el8-support-64kpage.patch chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page_constants.h
+--- chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page_constants.h.el8-support-64kpage.patch	2024-02-01 17:20:37.178877448 +0100
+++ chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page_constants.h	2024-02-01 17:31:08.500268457 +0100
+@@ -17,10 +17,8 @@ namespace partition_alloc::internal {
+ // PartitionPageSize() is 4 times the OS page size.
+ static constexpr size_t kMaxSlotsPerSlotSpan = 4 * (1 << 14) / kSmallestBucket;
+ #elif BUILDFLAG(IS_LINUX) && defined(ARCH_CPU_ARM64)
+-// System page size can be 4, 16, or 64 kiB on Linux on arm64. 64 kiB is
+-// currently (kMaxSlotsPerSlotSpanBits == 13) not supported by the code,
+-// so we use the 16 kiB maximum (64 kiB will crash).
+-static constexpr size_t kMaxSlotsPerSlotSpan = 4 * (1 << 14) / kSmallestBucket;
+// System page size can be 4, 16, or 64 kiB on Linux on AArch64.
+static constexpr size_t kMaxSlotsPerSlotSpan = 4 * (1 << 16) / kSmallestBucket;
+ #else
+ // A slot span can "span" multiple PartitionPages, but then its slot size is
+ // larger, so it doesn't have as many slots.
+diff -up chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page.h.el8-support-64kpage.patch chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page.h
+--- chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page.h.el8-support-64kpage.patch	2024-01-30 21:24:10.000000000 +0100
+++ chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_page.h	2024-02-01 17:20:37.178877448 +0100
+@@ -95,26 +95,25 @@ struct SlotSpanMetadata {
+ 
+   // CHECK()ed in AllocNewSlotSpan().
+   // The maximum number of bits needed to cover all currently supported OSes.
+-  static constexpr size_t kMaxSlotsPerSlotSpanBits = 13;
+  static constexpr size_t kMaxSlotsPerSlotSpanBits = 15;
+   static_assert(kMaxSlotsPerSlotSpan < (1 << kMaxSlotsPerSlotSpanBits), "");
+ 
+-  // |marked_full| isn't equivalent to being full. Slot span is marked as full
+-  // iff it isn't on the active slot span list (or any other list).
+-  uint32_t marked_full : 1;
+   // |num_allocated_slots| is 0 for empty or decommitted slot spans, which can
+   // be further differentiated by checking existence of the freelist.
+-  uint32_t num_allocated_slots : kMaxSlotsPerSlotSpanBits;
+-  uint32_t num_unprovisioned_slots : kMaxSlotsPerSlotSpanBits;
+  uint16_t num_allocated_slots : kMaxSlotsPerSlotSpanBits;
+  uint16_t num_unprovisioned_slots : kMaxSlotsPerSlotSpanBits;
+
+  // |marked_full| isn't equivalent to being full. Slot span is marked as full
+  // iff it isn't on the active slot span list (or any other list).
+  bool marked_full : 1;
+ 
+  private:
+-  const uint32_t can_store_raw_size_ : 1;
+-  uint32_t freelist_is_sorted_ : 1;
+-  uint32_t unused1_ : (32 - 1 - 2 * kMaxSlotsPerSlotSpanBits - 1 - 1);
+  const uint8_t can_store_raw_size_ : 1;
+  uint8_t freelist_is_sorted_ : 1;
+   // If |in_empty_cache_|==1, |empty_cache_index| is undefined and mustn't be
+   // used.
+-  uint16_t in_empty_cache_ : 1;
+-  uint16_t empty_cache_index_ : kEmptyCacheIndexBits;  // < kMaxFreeableSpans.
+-  uint16_t unused2_ : (16 - 1 - kEmptyCacheIndexBits);
+  bool in_empty_cache_ : 1;
+  uint8_t empty_cache_index_ : kEmptyCacheIndexBits;  // < kMaxFreeableSpans.
+   // Can use only 48 bits (6B) in this bitfield, as this structure is embedded
+   // in PartitionPage which has 2B worth of fields and must fit in 32B.
+ 
+@@ -279,18 +278,13 @@ static_assert(sizeof(SlotSpanMetadata) <
+               "SlotSpanMetadata must fit into a Page Metadata slot.");
+ 
+ inline constexpr SlotSpanMetadata::SlotSpanMetadata() noexcept
+-    : marked_full(0),
+-      num_allocated_slots(0),
+    : num_allocated_slots(0),
+       num_unprovisioned_slots(0),
+      marked_full(0),
+       can_store_raw_size_(false),
+       freelist_is_sorted_(true),
+-      unused1_(0),
+       in_empty_cache_(0),
+-      empty_cache_index_(0),
+-      unused2_(0) {
+-  (void)unused1_;
+-  (void)unused2_;
+-}
+      empty_cache_index_(0) {}
+ 
+ inline SlotSpanMetadata::SlotSpanMetadata(const SlotSpanMetadata&) = default;
+ 
+@@ -883,7 +877,7 @@ PA_ALWAYS_INLINE void SlotSpanMetadata::
+ 
+   size_t num_slots_per_span = bucket->get_slots_per_span();
+   PA_DCHECK(num_slots_per_span <= kMaxSlotsPerSlotSpan);
+-  num_unprovisioned_slots = static_cast<uint32_t>(num_slots_per_span);
+  num_unprovisioned_slots = static_cast<uint16_t>(num_slots_per_span);
+   PA_DCHECK(num_unprovisioned_slots);
+ 
+   ToSuperPageExtent()->IncrementNumberOfNonemptySlotSpans();
+diff -up chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_root.cc.el8-support-64kpage.patch chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_root.cc
+--- chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_root.cc.el8-support-64kpage.patch	2024-01-30 21:24:10.000000000 +0100
+++ chromium-121.0.6167.139/base/allocator/partition_allocator/src/partition_alloc/partition_root.cc	2024-02-01 17:20:37.178877448 +0100
+@@ -950,12 +950,11 @@ void PartitionRoot::Init(PartitionOption
+              (internal::SystemPageSize() == (size_t{1} << 14)));
+ #elif BUILDFLAG(IS_LINUX) && defined(ARCH_CPU_ARM64)
+     // Check runtime pagesize. Though the code is currently the same, it is
+-    // not merged with the IS_APPLE case above as a 1 << 16 case needs to be
+-    // added here in the future, to allow 64 kiB pagesize. That is only
+-    // supported on Linux on arm64, not on IS_APPLE, but not yet present here
+-    // as the rest of the partition allocator does not currently support it.
+    // not merged with the IS_APPLE case above as a 1 << 16 case is only
+    // supported on Linux on AArch64.
+     PA_CHECK((internal::SystemPageSize() == (size_t{1} << 12)) ||
+-             (internal::SystemPageSize() == (size_t{1} << 14)));
+             (internal::SystemPageSize() == (size_t{1} << 14)) ||
+             (internal::SystemPageSize() == (size_t{1} << 16)));
+ #endif
+ 
+     ::partition_alloc::internal::ScopedGuard guard{lock_};
--- a/SOURCES/chromium-121-no_matching_constructor.patch
+++ b/SOURCES/chromium-121-no_matching_constructor.patch
@ -943,3 +943,38 @@ diff -up chromium-121.0.6167.57/content/browser/worker_host/dedicated_worker_hos
               creator_);
 
   if (!creator_render_frame_host && !creator_worker) {
+diff -up chromium-121.0.6167.139/chrome/browser/ui/autofill/autofill_context_menu_manager.cc.me chromium-121.0.6167.139/chrome/browser/ui/autofill/autofill_context_menu_manager.cc
+--- chromium-121.0.6167.139/chrome/browser/ui/autofill/autofill_context_menu_manager.cc.me	2024-02-02 21:07:42.852096466 +0100
+++ chromium-121.0.6167.139/chrome/browser/ui/autofill/autofill_context_menu_manager.cc	2024-02-02 21:07:49.336212697 +0100
+@@ -249,8 +249,8 @@ void AutofillContextMenuManager::Execute
+     AutofillManager& manager) {
+   auto& driver = static_cast<ContentAutofillDriver&>(manager.driver());
+   driver.browser_events().RendererShouldTriggerSuggestions(
+-      FieldGlobalId(driver.GetFrameToken(),
+-                    FieldRendererId(params_.field_renderer_id)),
+      FieldGlobalId{driver.GetFrameToken(),
+                    FieldRendererId(params_.field_renderer_id)},
+       AutofillSuggestionTriggerSource::kManualFallbackPayments);
+ }
+ 
+diff -up chromium-121.0.6167.139/chrome/browser/ui/web_applications/sub_apps_service_impl.cc.me chromium-121.0.6167.139/chrome/browser/ui/web_applications/sub_apps_service_impl.cc
+--- chromium-121.0.6167.139/chrome/browser/ui/web_applications/sub_apps_service_impl.cc.me	2024-02-02 22:24:28.167153031 +0100
+++ chromium-121.0.6167.139/chrome/browser/ui/web_applications/sub_apps_service_impl.cc	2024-02-02 22:26:43.994144340 +0100
+@@ -102,7 +102,7 @@ AddOptionsFromMojo(
+                      ConvertPathToUrl(sub_app->manifest_id_path, origin));
+     ASSIGN_OR_RETURN(GURL install_url,
+                      ConvertPathToUrl(sub_app->install_url_path, origin));
+-    sub_apps.emplace_back(std::move(manifest_id), std::move(install_url));
+    sub_apps.emplace_back() = {std::move(manifest_id), std::move(install_url)};
+   }
+   return sub_apps;
+ }
+@@ -389,7 +389,7 @@ void SubAppsServiceImpl::ScheduleSubAppI
+         base::BindOnce(
+             [](webapps::ManifestId manifest_id, const webapps::AppId& app_id,
+                webapps::InstallResultCode result_code) {
+-              return SubAppInstallResult(manifest_id, app_id, result_code);
+              return SubAppInstallResult{manifest_id, app_id, result_code};
+             },
+             manifest_id)
+             .Then(install_results_collector));
--- a/SPECS/chromium.spec
+++ b/SPECS/chromium.spec
@ -209,12 +209,6 @@
 %global use_qt6 0
 %endif

-# disable due to gcc-14 bug
-%if 0%{?fedora} > 39
-%global use_qt6 0
-%global use_qt 0
-%endif
-
 # enable gtk3 by default
 %global gtk3 1

@ -323,8 +317,8 @@
 %endif

 Name:	chromium%{chromium_channel}
-Version: 121.0.6167.85
-Release: 1%{?dist}.inferit
+Version: 121.0.6167.139
+Release: 2%{?dist}.inferit
 Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use
 Url: http://www.chromium.org/Home
 License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only)
@ -1199,6 +1193,12 @@ sed -i 's/std::string data_dir_basename = "chromium"/std::string data_dir_basena
 %patch -P358 -p1 -b .rust-clang_lib
 %patch -P359 -p1 -b .python3-invalid-escape-sequence

+%%ifarch aarch64
+%if 0%{?rhel} == 8
+%patch -P400 -p1 -b .el8-support-64kpage.patch
+%endif
+%endif
+
 #%patch -P500 -p1 -b .Yandex-as-default-search-engine
 %patch -P501 -p1 -b .Added-Russian-description-and-summary-for-gnome-soft
 %if ! %{with gost}
@ -1944,6 +1944,16 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
 %endif

 %changelog
+* Sat Feb  3 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 121.0.6167.139-2.inferit
+- Define missing bundlelibwebp variable
+- update to 121.0.6167.139
+  * High CVE-2024-1060: Use after free in Canvas
+  * High CVE-2024-1059: Use after free in WebRTC
+  * High CVE-2024-1077: Use after free in Network
+- Enable Qt
+- Support for 64K pages on Linux/AArch64
+
+
 * Wed Jan 24 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 121.0.6167.85-1.inferit
 - update to 121.0.6167.85
  * High CVE-2024-0807: Use after free in WebAudio