Supporting Dangling Ptr Detection via BackupRefPtr: enabled by default

License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html

---

 base/allocator/partition_alloc_features.cc    |  3 ++

 base/allocator/partition_alloc_features.cc    |  5 +++-

 base/allocator/partition_alloc_support.cc     | 30 ++++++++++++++-----

 .../partition_allocator/partition_alloc.gni   |  6 ++--

 base/observer_list_types.cc                   | 11 +++++++

 build_overrides/partition_alloc.gni           |  3 +-

 .../java/res/xml/privacy_preferences.xml      |  5 ++++

 .../compositor/CompositorViewHolder.java      |  2 +-

 .../layouts/LayoutManagerChromeTablet.java    | 12 ++++----

 ...ngling-Ptr-Detection-via-BackupRefPtr.grdp |  9 ++++++

 .../Enable-Partition-Alloc-BRP-Checks.inc     | 11 +++++++

 .../platform/wtf/allocator/partitions.cc      | 10 +------

 9 files changed, 61 insertions(+), 27 deletions(-)

 11 files changed, 76 insertions(+), 28 deletions(-)

 create mode 100644 chrome/browser/ui/android/strings/cromite_android_chrome_strings_grd/Supporting-Dangling-Ptr-Detection-via-BackupRefPtr.grdp

 create mode 100644 cromite_flags/chrome/browser/about_flags_cc/Enable-Partition-Alloc-BRP-Checks.inc

diff --git a/base/allocator/partition_alloc_features.cc b/base/allocator/partition_alloc_features.cc

              FEATURE_DISABLED_BY_DEFAULT

 #endif

 );

+SET_CROMITE_FEATURE_DISABLED(kPartitionAllocBackupRefPtr);

+SET_CROMITE_FEATURE_ENABLED(kPartitionAllocBackupRefPtr);

 constexpr FeatureParam<BackupRefPtrEnabledProcesses>::Option

     kBackupRefPtrEnabledProcessesOptions[] = {

@@ -190,7 +192,7 @@ BASE_FEATURE_ENUM_PARAM(BackupRefPtrEnabledProcesses,

                         &kPartitionAllocBackupRefPtr,

                         kPAFeatureEnabledProcessesStr,

 // Exception for IS_DESKTOP_ANDROID approved in crbug.com/482155132.

-#if BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_DESKTOP_ANDROID)

+#if BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_DESKTOP_ANDROID_CROMITE)

                         BackupRefPtrEnabledProcesses::kNonRenderer,

 #else

                         BackupRefPtrEnabledProcesses::kAllProcesses,

@@ -231,6 +233,7 @@ BASE_FEATURE(kPartitionAllocMemoryTagging,

              FEATURE_DISABLED_BY_DEFAULT

 #endif

 raw_ptr_zero_on_construct_default = true

 raw_ptr_zero_on_move_default = true

diff --git a/chrome/android/java/res/xml/privacy_preferences.xml b/chrome/android/java/res/xml/privacy_preferences.xml

--- a/chrome/android/java/res/xml/privacy_preferences.xml

+++ b/chrome/android/java/res/xml/privacy_preferences.xml

@@ -98,6 +98,11 @@ found in the LICENSE file.

         android:summary="@string/throttle_main_thread_to_60hz_summary"

         app:featureName="throttle-main-thread-to-60hz"

         app:needRestart="true" />

+    <org.chromium.components.browser_ui.settings.ChromeSwitchPreference

+        android:title="@string/dangling_pointer_detector_title"

+        android:summary="@string/dangling_pointer_detector_summary"

+        app:featureName="enable-dangling-pointer-detector"

+        app:needRestart="true" />

     <PreferenceCategory

         android:key="security_section"

       android:title="@string/security_section_title" />

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/compositor/CompositorViewHolder.java b/chrome/android/java/src/org/chromium/chrome/browser/compositor/CompositorViewHolder.java

--- a/chrome/android/java/src/org/chromium/chrome/browser/compositor/CompositorViewHolder.java

+++ b/chrome/android/java/src/org/chromium/chrome/browser/compositor/CompositorViewHolder.java

     }

     @Override

diff --git a/chrome/browser/ui/android/strings/cromite_android_chrome_strings_grd/Supporting-Dangling-Ptr-Detection-via-BackupRefPtr.grdp b/chrome/browser/ui/android/strings/cromite_android_chrome_strings_grd/Supporting-Dangling-Ptr-Detection-via-BackupRefPtr.grdp

new file mode 100644

--- /dev/null

+++ b/chrome/browser/ui/android/strings/cromite_android_chrome_strings_grd/Supporting-Dangling-Ptr-Detection-via-BackupRefPtr.grdp

@@ -0,0 +1,9 @@

+<?xml version="1.0" encoding="utf-8"?>

+<grit-part>

+    <message name="IDS_DANGLING_POINTER_DETECTOR_TITLE" desc="Text for 'dangling pointer detector' settings option.">

+        Enable Dangling Ptr Detection (DPD) via BackupRefPtr (BRP)

+    </message>

+    <message name="IDS_DANGLING_POINTER_DETECTOR_SUMMARY" desc="Summary text for 'dangling pointer detector' settings option.">

+        Enable checking raw pointer do not become dangling during their lifetime to prevent UAF and write a fixed cookie pattern at the end of each allocation to ensure there is no OOB write.

+    </message>

+</grit-part>

diff --git a/cromite_flags/chrome/browser/about_flags_cc/Enable-Partition-Alloc-BRP-Checks.inc b/cromite_flags/chrome/browser/about_flags_cc/Enable-Partition-Alloc-BRP-Checks.inc

new file mode 100644

--- /dev/null