Update to 88.0.4324.182-1

2 years ago · c403efd588
12 changed files with 283 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,19 @@
+# 88.0.4324.182-1
+* Upstream important security fix
+ <details>
+ <summary>CVE list</summary>
+
+ [1138143] High CVE-2021-21149: Stack overflow in Data Transfer.
+ [1172192] High CVE-2021-21150: Use after free in Downloads.
+ [1165624] High CVE-2021-21151: Use after free in Payments.
+ [1166504] High CVE-2021-21152: Heap buffer overflow in Media.
+ [1155974] High CVE-2021-21153: Stack overflow in GPU Process.
+ [1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip.
+ [1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip.
+ [1177341] High CVE-2021-21156: Heap buffer overflow in V8.
+ [1170657] Medium CVE-2021-21157: Use after free in Web Sockets.
+ </details>
+
 # 88.0.4324.152-3
 * Extension version only:
 * Fix two bugs related to uninitialized web contents upon restoring the browser activity
--- a/README.md
+++ b/README.md
@ -177,6 +177,7 @@ There are three methods to install extensions:
 1. Download extension following the instructions [here](https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#downloading-the-crx-file).
 1. Optionally, you can use a third-party website to download the `crx` file. However, do so at your own risk, as I will take *absolutely no* responsibility for problems caused by using a third party website or service.
 2. Extract the `crx` file into a folder with`unzip`/`7z` and copy the folder to your device.
+ 1. For an alternative way to extract the crx` file on device, see [this comment](https://github.com/ungoogled-software/ungoogled-chromium-android/issues/49#issuecomment-767683754).
 3. **Notice for Android 10**: as a workaround for a [permission issue](https://github.com/wchen342/ungoogled-chromium-android/issues/27), you need to enable "Allow from unknown source" for "Ungoogled Chromium Extensions".
 4. **Make sure you also give storage access**.
 5. Open `chrome://extensions/` and enable Developer mode.
--- a/build.sh
+++ b/build.sh
@ -11,10 +11,10 @@ trichrome_chrome_apk_target=trichrome_library_apk
 webview_target=system_webview_apk
 trichrome_webview_target=trichrome_webview_apk

-chromium_version=88.0.4324.152
-ungoogled_chromium_version=88.0.4324.150
+chromium_version=88.0.4324.182
+ungoogled_chromium_version=88.0.4324.182
 ungoogled_chromium_revision=1
-ungoogled_chromium_android_revision=3
+ungoogled_chromium_android_revision=1

 # Show env
 pwd
--- a/patches/Bromite/AImageReader-CFI-crash-mitigations.patch
+++ b/patches/Bromite/AImageReader-CFI-crash-mitigations.patch
@ -0,0 +1,251 @@
+From: csagan5 <[email protected]>
+Date: Tue, 5 May 2020 07:22:20 +0200
+Subject: AImageReader CFI crash mitigations
+
+Revert "gpu/android: Remove setup for disabling AImageReader."
+This reverts commit dcd5a39518246eb999f1cc63bf1ec95d93fd5b2f.
+
+Revert "Remove flags to enable/disable AImageReader."
+This reverts commit 463fa0f2e3b9e418bc26e2c8954463f0b0f76634.
+
+Disable AImageReader for ARM64/P and ARM64/Q
+
+Restore GPU bug blacklist for AImageReader on ARM and Qualcomm CPUs
+
+Restore the AImageReader blacklist for ARM/ARM64/Qualcomm chipsets which causes
+crashes on Android 9 and 10 (at different code locations).
+
+See discussions at:
+* https://github.com/bromite/bromite/issues/445
+* https://github.com/bromite/bromite/issues/814
+---
+ base/android/android_image_reader_compat.cc | 8 +++++++-
+ base/android/android_image_reader_compat.h | 4 ++++
+ chrome/browser/flag-metadata.json | 2 +-
+ gpu/config/gpu_driver_bug_list.json | 16 ++++++++++++++++
+ gpu/config/gpu_finch_features.cc | 11 ++++++++++-
+ gpu/config/gpu_finch_features.h | 1 +
+ gpu/config/gpu_util.cc | 8 ++++++++
+ gpu/config/gpu_workaround_list.txt | 1 +
+ gpu/ipc/service/gpu_init.cc | 5 +++++
+ gpu/ipc/service/stream_texture_android.cc | 11 ++++++++++-
+ media/base/media_switches.cc | 4 ++++
+ media/base/media_switches.h | 1 +
+ 12 files changed, 68 insertions(+), 4 deletions(-)
+
+--- a/base/android/android_image_reader_compat.cc
+++ b/base/android/android_image_reader_compat.cc
+@@ -23,6 +23,8 @@
+ namespace base {
+ namespace android {
+ 
+bool AndroidImageReader::disable_support_ = false;
+
+ AndroidImageReader& AndroidImageReader::GetInstance() {
+ // C++11 static local variable initialization is
+ // thread-safe.
+@@ -30,8 +32,12 @@ AndroidImageReader& AndroidImageReader::
+ return *instance;
+ }
+ 
+void AndroidImageReader::DisableSupport() {
+ disable_support_ = true;
+}
+
+ bool AndroidImageReader::IsSupported() {
+- return is_supported_;
+ return !disable_support_ && is_supported_;
+ }
+ 
+ AndroidImageReader::AndroidImageReader() : is_supported_(LoadFunctions()) {}
+--- a/base/android/android_image_reader_compat.h
+++ b/base/android/android_image_reader_compat.h
+@@ -22,6 +22,9 @@ class BASE_EXPORT AndroidImageReader {
+ // Thread safe GetInstance.
+ static AndroidImageReader& GetInstance();
+ 
+ // Disable image reader support.
+ static void DisableSupport();
+
+ // Check if the image reader usage is supported. This function returns TRUE
+ // if android version is >=OREO, image reader support is not disabled and all
+ // the required functions are loaded.
+@@ -59,6 +62,7 @@ class BASE_EXPORT AndroidImageReader {
+ jobject ANativeWindow_toSurface(JNIEnv* env, ANativeWindow* window);
+ 
+ private:
+ static bool disable_support_;
+ friend class base::NoDestructor<AndroidImageReader>;
+ 
+ AndroidImageReader();
+--- a/chrome/browser/flag-metadata.json
+++ b/chrome/browser/flag-metadata.json
+@@ -1712,7 +1712,7 @@
+ {
+ "name": "enable-image-reader",
+ "owners": [ "vikassoni", "khushalsagar" ],
+- "expiry_milestone": 90
+ "expiry_milestone": -1
+ },
+ {
+ "name": "enable-immersive-fullscreen-toolbar",
+--- a/gpu/config/gpu_driver_bug_list.json
+++ b/gpu/config/gpu_driver_bug_list.json
+@@ -3255,6 +3255,22 @@
+ ]
+ },
+ {
+ "id":335,
+ "cr_bugs": [1051705],
+ "description": "Disable AImageReader on ARM GPUs",
+ "os": {
+ "type": "android",
+ "version": {
+ "op": "<",
+ "value": "10"
+ }
+ },
+ "gl_vendor": "ARM.*",
+ "features": [
+ "disable_aimagereader"
+ ]
+ },
+ {
+ "id": 336,
+ "cr_bugs": [625785],
+ "description": "DXVA video decoder crashes on some AMD GPUs.",
+--- a/gpu/config/gpu_finch_features.cc
+++ b/gpu/config/gpu_finch_features.cc
+@@ -38,6 +38,11 @@ bool FieldIsInBlocklist(const char* curr
+ } // namespace
+ 
+ #if defined(OS_ANDROID)
+
+// Use android AImageReader when playing videos with MediaPlayer.
+const base::Feature kAImageReaderMediaPlayer{"AImageReaderMediaPlayer",
+ base::FEATURE_ENABLED_BY_DEFAULT};
+
+ // Used to limit GL version to 2.0 for skia raster on Android.
+ const base::Feature kUseGles2ForOopR{"UseGles2ForOopR",
+ base::FEATURE_ENABLED_BY_DEFAULT};
+@@ -55,7 +60,11 @@ const base::FeatureParam<std::string> kA
+ 
+ // Use AImageReader for MediaCodec and MediaPlyer on android.
+ const base::Feature kAImageReader{"AImageReader",
+- base::FEATURE_ENABLED_BY_DEFAULT};
+#ifdef ARCH_CPU_ARM64
+ base::FEATURE_DISABLED_BY_DEFAULT};
+#else
+ base::FEATURE_ENABLED_BY_DEFAULT};
+#endif
+ 
+ // If webview-draw-functor-uses-vulkan is set, use vulkan for composite and
+ // raster.
+--- a/gpu/config/gpu_finch_features.h
+++ b/gpu/config/gpu_finch_features.h
+@@ -17,6 +17,7 @@ namespace features {
+ // All features in alphabetical order. The features should be documented
+ // alongside the definition of their values in the .cc file.
+ #if defined(OS_ANDROID)
+GPU_EXPORT extern const base::Feature kAImageReaderMediaPlayer;
+ GPU_EXPORT extern const base::Feature kUseGles2ForOopR;
+ GPU_EXPORT extern const base::Feature kAndroidSurfaceControl;
+ GPU_EXPORT extern const base::Feature kAImageReader;
+--- a/gpu/config/gpu_util.cc
+++ b/gpu/config/gpu_util.cc
+@@ -111,6 +111,9 @@ GpuFeatureStatus GetAndroidSurfaceContro
+ #if !defined(OS_ANDROID)
+ return kGpuFeatureStatusDisabled;
+ #else
+ if (blocklisted_features.count(GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL))
+ return kGpuFeatureStatusBlocklisted;
+
+ if (!gpu_preferences.enable_android_surface_control)
+ return kGpuFeatureStatusDisabled;
+ 
+@@ -327,6 +330,11 @@ void AdjustGpuFeatureStatusToWorkarounds
+ gpu_feature_info->status_values[GPU_FEATURE_TYPE_ACCELERATED_WEBGL2] =
+ kGpuFeatureStatusBlocklisted;
+ }
+
+ if (gpu_feature_info->IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
+ gpu_feature_info->status_values[GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL] =
+ kGpuFeatureStatusBlocklisted;
+ }
+ }
+ 
+ // Estimates roughly user total disk space by counting in the drives where
+--- a/gpu/config/gpu_workaround_list.txt
+++ b/gpu/config/gpu_workaround_list.txt
+@@ -13,6 +13,7 @@ decode_encode_srgb_for_generatemipmap
+ depth_stencil_renderbuffer_resize_emulation
+ disable_2d_canvas_auto_flush
+ disable_accelerated_av1_decode
+disable_aimagereader
+ disable_accelerated_vp8_decode
+ disable_accelerated_vp8_encode
+ disable_accelerated_vp9_decode
+--- a/gpu/ipc/service/gpu_init.cc
+++ b/gpu/ipc/service/gpu_init.cc
+@@ -464,6 +464,11 @@ bool GpuInit::InitializeAndStartSandbox(
+ }
+ }
+ 
+ // Disable AImageReader if the workaround is enabled.
+ if (gpu_feature_info_.IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
+ base::android::AndroidImageReader::DisableSupport();
+ }
+
+ if (gpu_feature_info_.status_values[GPU_FEATURE_TYPE_VULKAN] !=
+ kGpuFeatureStatusEnabled ||
+ !InitializeVulkan()) {
+--- a/gpu/ipc/service/stream_texture_android.cc
+++ b/gpu/ipc/service/stream_texture_android.cc
+@@ -6,6 +6,7 @@
+ 
+ #include <string.h>
+ 
+#include "base/android/android_image_reader_compat.h"
+ #include "base/android/scoped_hardware_buffer_fence_sync.h"
+ #include "base/bind.h"
+ #include "base/feature_list.h"
+@@ -47,7 +48,15 @@ std::unique_ptr<ui::ScopedMakeCurrent> M
+ }
+ 
+ TextureOwner::Mode GetTextureOwnerMode() {
+- return features::IsAImageReaderEnabled()
+ const bool a_image_reader_supported =
+ base::android::AndroidImageReader::GetInstance().IsSupported();
+
+ // TODO(vikassoni) : Currently we have 2 different flags to enable/disable
+ // AImageReader - one for MCVD and other for MediaPlayer here. Merge those 2
+ // flags into a single flag. Keeping the 2 flags separate for now since finch
+ // experiment using this flag is in progress.
+ return a_image_reader_supported && features::IsAImageReaderEnabled() &&
+ base::FeatureList::IsEnabled(features::kAImageReaderMediaPlayer)
+ ? TextureOwner::Mode::kAImageReaderInsecure
+ : TextureOwner::Mode::kSurfaceTextureInsecure;
+ }
+--- a/media/base/media_switches.cc
+++ b/media/base/media_switches.cc
+@@ -575,6 +575,10 @@ const base::Feature kMediaDrmPreprovisio
+ const base::Feature kMediaDrmPreprovisioningAtStartup{
+ "MediaDrmPreprovisioningAtStartup", base::FEATURE_ENABLED_BY_DEFAULT};
+ 
+// Enables the Android Image Reader path for Video decoding(for AVDA and MCVD)
+const base::Feature kAImageReaderVideoOutput{"AImageReaderVideoOutput",
+ base::FEATURE_ENABLED_BY_DEFAULT};
+
+ // Prevents using SurfaceLayer for videos. This is meant to be used by embedders
+ // that cannot support SurfaceLayer at the moment.
+ const base::Feature kDisableSurfaceLayerForVideo{
+--- a/media/base/media_switches.h
+++ b/media/base/media_switches.h
+@@ -194,6 +194,7 @@ MEDIA_EXPORT extern const base::Feature
+ MEDIA_EXPORT extern const base::Feature kMediaDrmPersistentLicense;
+ MEDIA_EXPORT extern const base::Feature kMediaDrmPreprovisioning;
+ MEDIA_EXPORT extern const base::Feature kMediaDrmPreprovisioningAtStartup;
+MEDIA_EXPORT extern const base::Feature kAImageReaderVideoOutput;
+ MEDIA_EXPORT extern const base::Feature kDisableSurfaceLayerForVideo;
+ MEDIA_EXPORT extern const base::Feature kCanPlayHls;
+ MEDIA_EXPORT extern const base::Feature kPictureInPictureAPI;
--- a/patches/Bromite/Remove-account-permissions-from-manifest.patch
+++ b/patches/Bromite/Remove-account-permissions-from-manifest.patch
@ -43,7 +43,7 @@ Subject: Remove all sync and account permissions/features from manifest
 {% block extra_uses_permissions %}
 {% endblock %}
 
-@@ -884,16 +876,6 @@ by a child template that "extends" this
+@@ -874,16 +866,6 @@ by a child template that "extends" this
  android:resource="@xml/file_paths" />
 </provider>
 
--- a/patches/Other/debug-fix.patch
+++ b/patches/Other/debug-fix.patch
@ -154,7 +154,7 @@ Subject: Remove DCHECK and other lines causing Debug builds to fail
 for (ShortcutMap::const_iterator it(
 --- a/components/omnibox/browser/autocomplete_controller.cc
 +++ b/components/omnibox/browser/autocomplete_controller.cc
-@@ -727,9 +727,6 @@ void AutocompleteController::UpdateResul
+@@ -716,9 +716,6 @@ void AutocompleteController::UpdateResul
 
 // Need to validate before invoking CopyOldMatches as the old matches are not
 // valid against the current input.
--- a/patches/Unobtainium/kill-GCM.patch
+++ b/patches/Unobtainium/kill-GCM.patch
@ -36,7 +36,7 @@ Subject: kill GCM
 "java/src/org/chromium/chrome/browser/ChromeBackupAgentImpl.java",
 "java/src/org/chromium/chrome/browser/ChromeBackupWatcher.java",
 "java/src/org/chromium/chrome/browser/ChromeBaseAppCompatActivity.java",
-@@ -1343,10 +1342,6 @@ chrome_java_sources = [
+@@ -1344,10 +1343,6 @@ chrome_java_sources = [
 "java/src/org/chromium/chrome/browser/send_tab_to_self/SendTabToSelfShareActivity.java",
 "java/src/org/chromium/chrome/browser/services/AccountsChangedReceiver.java",
 "java/src/org/chromium/chrome/browser/services/AndroidChildAccountHelper.java",
@ -73,7 +73,7 @@ Subject: kill GCM
 <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
 
 <uses-permission android:name="com.google.android.apps.now.CURRENT_ACCOUNT_ACCESS" />
-@@ -989,36 +984,6 @@ by a child template that "extends" this
+@@ -979,36 +974,6 @@ by a child template that "extends" this
 android:configChanges="orientation|keyboardHidden|keyboard|screenSize|mcc|mnc|screenLayout|smallestScreenSize"
 android:hardwareAccelerated="false" />
 
@ -110,7 +110,7 @@ Subject: kill GCM
 <!-- Android Notification service listener -->
 <service android:name="org.chromium.chrome.browser.notifications.NotificationService"
 android:exported="false"/>
-@@ -1042,28 +1007,10 @@ by a child template that "extends" this
+@@ -1032,28 +997,10 @@ by a child template that "extends" this
 android:exported="false"
 android:permission="android.permission.BIND_JOB_SERVICE"/>
 
--- a/patches/series
+++ b/patches/series
@ -50,3 +50,4 @@ Bromite/Revert-flags-remove-disable-pull-to-refresh-effect.patch
 Bromite/updater-disable-updater-pings.patch
 Bromite/Add-bookmark-import-export-actions.patch
 Bromite/Disable-DRM-media-origin-IDs-preprovisioning.patch
+Bromite/AImageReader-CFI-crash-mitigations.patch
--- a/patches/ungoogled-chromium-android/Enable-update-notification.patch
+++ b/patches/ungoogled-chromium-android/Enable-update-notification.patch
@ -261,7 +261,7 @@
 "java/src/org/chromium/chrome/browser/download/DownloadActivity.java",
 "java/src/org/chromium/chrome/browser/download/DownloadBroadcastManagerImpl.java",
 "java/src/org/chromium/chrome/browser/download/DownloadController.java",
-@@ -1071,6 +1072,7 @@ chrome_java_sources = [
+@@ -1072,6 +1073,7 @@ chrome_java_sources = [
 "java/src/org/chromium/chrome/browser/omaha/inline/InlineUpdateController.java",
 "java/src/org/chromium/chrome/browser/omaha/inline/InlineUpdateControllerFactory.java",
 "java/src/org/chromium/chrome/browser/omaha/inline/NoopInlineUpdateController.java",
@ -396,7 +396,7 @@
 }
 --- a/chrome/browser/flags/android/chrome_feature_list.cc
 +++ b/chrome/browser/flags/android/chrome_feature_list.cc
-@@ -523,6 +523,7 @@ const base::Feature kIncognitoScreenshot
+@@ -526,6 +526,7 @@ const base::Feature kIncognitoScreenshot
 
 const base::Feature kInlineUpdateFlow{"InlineUpdateFlow",
 base::FEATURE_DISABLED_BY_DEFAULT};
@ -426,7 +426,7 @@
 return std::make_unique<UpdateNotificationConfig>();
 --- a/chrome/android/java/AndroidManifest.xml
 +++ b/chrome/android/java/AndroidManifest.xml
-@@ -1087,7 +1087,7 @@ by a child template that "extends" this
+@@ -1077,7 +1077,7 @@ by a child template that "extends" this
 <service android:name="org.chromium.chrome.browser.tracing.TracingNotificationService"
 android:exported="false"/>
 
--- a/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.auth.patch
+++ b/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.auth.patch
@ -460,7 +460,7 @@ Subject: Remove dependency on com.google.android.gms.auth
 }
 --- a/content/test/BUILD.gn
 +++ b/content/test/BUILD.gn
-@@ -2608,7 +2608,6 @@ if (is_android) {
+@@ -2609,7 +2609,6 @@ if (is_android) {
 testonly = true
 sources = content_java_sources_needing_jni
 deps = [
--- a/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.cast.patch
+++ b/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.cast.patch
@ -1421,7 +1421,7 @@ Subject: Remove dependency on com.google.android.gms.cast
 <!-- This activity is used to restart the main Chrome process. Should never be exported. -->
 <activity android:name="org.chromium.chrome.browser.BrowserRestartActivity"
 android:launchMode="singleInstance"
-@@ -1207,12 +1197,6 @@ by a child template that "extends" this
+@@ -1197,12 +1187,6 @@ by a child template that "extends" this
 <meta-data android:name="com.google.ar.core" android:value="optional" />
 {% endif %}
 
--- a/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.common-auth-signin-dynamic-com.google.android.gms.tasks.patch
+++ b/patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.common-auth-signin-dynamic-com.google.android.gms.tasks.patch
@ -504,7 +504,7 @@ Subject: Remove dependency on
 "//components/download/public/common:public_java",
 --- a/content/test/BUILD.gn
 +++ b/content/test/BUILD.gn
-@@ -2608,9 +2608,6 @@ if (is_android) {
+@@ -2609,9 +2609,6 @@ if (is_android) {
 testonly = true
 sources = content_java_sources_needing_jni
 deps = [