chore: cherry-pick 2 changes from Release-1-M116 #39648

Merged
merged 3 commits into from Aug 28, 2023

Conversation

ppontes
Member

@ppontes ppontes commented Aug 24, 2023

electron/security#396 - 1939f7b78eda from chromium [M114-LTS] Don't keep pointer to popped stack memory for :has()

The sibling_features passed into UpdateFeaturesFromCombinator may be
initialized to last_compound_in_adjacent_chain_features if null. The
outer while loop in
AddFeaturesToInvalidationSetsForLogicalCombinationInHas() could then
reference the last_compound_in_adjacent_chain_features which is
popped from the stack on every outer iteration. That caused an ASAN
failure for reading stack memory that had been popped.

Instead make sure each inner iteration restarts with the same
sibling_features pointer, which seems to have been the intent here.

(cherry picked from commit 5e213507a2f0d6e3c96904a710407b01493670bd)

Bug: 1470477
Change-Id: I260c93016f8ab0d165e4b29ca1aea810bede5b97
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4759326
Commit-Queue: Rune Lillesveen futhark@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1181365}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4777251
Cr-Commit-Position: refs/branch-heads/5845@{#1482}
Cr-Branched-From: 5a5dff63a4a4c63b9b18589819bebb2566c85443-refs/heads/main@{#1160321}
(cherry picked from commit 34e544e4dedf299211f104a2822d98ce1db80f61)

electron/security#398 - e4669a74888d from angle [M114-LTS] Vulkan: Fix data race with DynamicDescriptorPool

Right now DynamicDescriptorPool::destroyCachedDescriptorSet can be
called from the garbage clean up thread while simultaneously accessed from
the context main thread, and a data race will happen and cause bugs. This can
only happen when the buffer is not being suballocated. In this case,
suballocation owns the bufferBlock and bufferBlock gets destroyed when
suballocation is destroyed from the garbage collection thread. If the buffer is
suballocated, the shared group owns the pool which owns bufferBlocks and
they get destroyed from the shared group with the share group lock. This CL
avoids this race problem by releasing the shared cacheKey when the buffer
is released, while we still had the shared group lock.

Bug: chromium:1469542
Change-Id: Ie6235fcfb77dee2a12b2ebde44042c3845fc0aca
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4790523
(cherry picked from commit b48983ab8c74d2fcd9ef17c80727affb9e690c53)

Notes:

* 1939f7b78eda from chromium
* e4669a74888d from angle
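
A simplified model of the pointer-lifetime bug and fix described in the first commit message, added here as an illustration. It is not Chromium's code and not part of the original pull request; `Features`, `UpdateFromCombinator`, `CollectBefore` and `CollectAfter` are hypothetical names.

```cpp
#include <vector>

// Hypothetical stand-in for a per-selector feature record.
struct Features { int adjacent = 0; };

// Models the callee from the commit message: a null sibling pointer is
// initialized to the caller's local, then written through.
static void UpdateFromCombinator(Features*& sibling, Features& last_compound) {
  if (!sibling) sibling = &last_compound;
  ++sibling->adjacent;
}

// "Before" shape: `sibling` is shared by every outer iteration. If it starts
// out null, it keeps the address of `last_compound` after that local's
// lifetime has ended, and the next outer iteration writes through it
// (undefined behaviour). It is only safe when the caller passes non-null.
std::vector<int> CollectBefore(const std::vector<int>& chains, Features* sibling) {
  std::vector<int> out;
  for (int steps : chains) {
    Features last_compound;  // destroyed at the end of this outer iteration
    for (int i = 0; i < steps; ++i) UpdateFromCombinator(sibling, last_compound);
    out.push_back(last_compound.adjacent);
  }
  return out;
}

// "After" shape: each inner iteration restarts from the caller's original
// pointer, so the address of `last_compound` never outlives the local.
std::vector<int> CollectAfter(const std::vector<int>& chains, Features* sibling) {
  std::vector<int> out;
  for (int steps : chains) {
    Features last_compound;
    for (int i = 0; i < steps; ++i) {
      Features* inner_sibling = sibling;  // fresh copy every inner iteration
      UpdateFromCombinator(inner_sibling, last_compound);
    }
    out.push_back(last_compound.adjacent);
  }
  return out;
}

int main() {
  // Constructed input: three chains, starting from a null sibling pointer.
  return CollectAfter({2, 3, 1}, nullptr) == std::vector<int>{2, 3, 1} ? 0 : 1;
}
```

In this model the stale pointer only appears when the caller passes a null `sibling`, which matches the "if null" condition in the commit message.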
@ppontes ppontes requested a review from a team as a code owner August 24, 2023 21:56
@ppontes ppontes added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 22-x-y labels Aug 24, 2023
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Aug 24, 2023
@ppontes ppontes marked this pull request as draft August 24, 2023 21:57
@ppontes ppontes changed the title chore: cherry-pick 2 changes from Release-1-M116 chore: cherry-pick 3 changes from Release-1-M116 Aug 24, 2023
@ppontes ppontes force-pushed the cherry-pick/security/22-x-y/release-1-m116 branch from bf1d082 to ef258f1 Compare August 24, 2023 22:51
@ppontes ppontes marked this pull request as ready for review August 24, 2023 22:52
@ppontes ppontes marked this pull request as draft August 24, 2023 22:59
@ppontes ppontes changed the title chore: cherry-pick 3 changes from Release-1-M116 chore: cherry-pick 2 changes from Release-1-M116 Aug 25, 2023
@ppontes ppontes force-pushed the cherry-pick/security/22-x-y/release-1-m116 branch from ef258f1 to b76e334 Compare August 25, 2023 16:51
@ppontes ppontes force-pushed the cherry-pick/security/22-x-y/release-1-m116 branch from b76e334 to 9585900 Compare August 25, 2023 17:23
@ppontes ppontes marked this pull request as ready for review August 25, 2023 17:42
@zcbenz zcbenz merged commit 33f9dce into 22-x-y Aug 28, 2023
13 checks passed
@zcbenz zcbenz deleted the cherry-pick/security/22-x-y/release-1-m116 branch August 28, 2023 06:18
@release-clerk

release-clerk bot commented Aug 28, 2023

Release Notes Persisted

  • Security: backported fix for CVE-2023-4427.
  • Security: backported fix for CVE-2023-4428.
