usb: prevent UAF in macOS WebUSB isochronous transfers [chromium/src : main]
0 views
Skip to first unread message
Alvin Ji (Gerrit)
May 27, 2026, 8:35:02 PM (20 hours ago) May 27
to Matt Reynolds, Chromium LUCI CQ, chromium...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org
Attention needed from Matt Reynolds
Alvin Ji added 1 comment![]( "Open in Gerrit")
Patchset-level comments
Related details
Attention is currently required from:
- Matt Reynolds
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Matt Reynolds (Gerrit)
May 27, 2026, 10:34:27 PM (18 hours ago) May 27
to Alvin Ji, Chromium LUCI CQ, chromium...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org
Attention needed from Alvin Ji
Matt Reynolds voted and added 6 comments![]( "Open in Gerrit")
Votes added by Matt Reynolds
| Code-Review | +1 |
6 comments
Patchset-level comments
Matt Reynolds . resolved
lgtm % nits
File services/device/usb/usb_device_handle_impl.cc
Line 778, Patchset 2 (Latest):
const auto endpoint_it = endpoint_map_.find(endpoint_address);
if (endpoint_it == endpoint_map_.end()) {Matt Reynolds . unresolved
Use contains
Line 780, Patchset 2 (Latest):
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . unresolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Line 815, Patchset 2 (Latest):
const auto endpoint_it = endpoint_map_.find(endpoint_address);
if (endpoint_it == endpoint_map_.end()) {Matt Reynolds . unresolved
Use contains
Line 817, Patchset 2 (Latest):
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . unresolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Line 853, Patchset 2 (Latest):
USB_LOG(ERROR) << "Failed to submit transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . unresolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Related details
Attention is currently required from:
- Alvin Ji
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Alvin Ji (Gerrit)
2:28 PM (3 hours ago) 2:28 PM
to Matt Reynolds, Chromium LUCI CQ, chromium...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org
Alvin Ji voted Commit-Queue+2![]( "Open in Gerrit")
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Alvin Ji (Gerrit)
2:28 PM (3 hours ago) 2:28 PM
to Matt Reynolds, Chromium LUCI CQ, chromium...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org
Alvin Ji added 6 comments![]( "Open in Gerrit")
Patchset-level comments
File services/device/usb/usb_device_handle_impl.cc
Line 778, Patchset 2:
const auto endpoint_it = endpoint_map_.find(endpoint_address);
if (endpoint_it == endpoint_map_.end()) {Matt Reynolds . resolved
Alvin JiUse contains
Done
Line 780, Patchset 2:
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . resolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Alvin Ji
Done
Line 815, Patchset 2:
const auto endpoint_it = endpoint_map_.find(endpoint_address);
if (endpoint_it == endpoint_map_.end()) {Matt Reynolds . resolved
Alvin JiUse contains
Done
Line 817, Patchset 2:
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . resolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Alvin Ji
Done
Line 853, Patchset 2:
USB_LOG(ERROR) << "Failed to submit transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " not part of a claimed interface.";Matt Reynolds . resolved
Add missing "is"
```suggestion
USB_LOG(ERROR) << "Failed to submit transfer because endpoint "
<< static_cast<int>(endpoint_address)
<< " is not part of a claimed interface.";
```
Alvin Ji
Done
Related details
Attention set is empty
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
3:40 PM (1 hour ago) 3:40 PM
to Alvin Ji, Matt Reynolds, chromium...@chromium.org, mattreyno...@chromium.org, odejesu...@chromium.org
Chromium LUCI CQ submitted the change with unreviewed changes![]( "Open in Gerrit")
Unreviewed changes
2 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: services/device/usb/usb_device_handle_impl.cc
Insertions: 5, Deletions: 7.
@@ -775,11 +775,10 @@
uint8_t endpoint_address =
ConvertTransferDirection(UsbTransferDirection::INBOUND) | endpoint_number;
- const auto endpoint_it = endpoint_map_.find(endpoint_address);
- if (endpoint_it == endpoint_map_.end()) {
+ if (!endpoint_map_.contains(endpoint_address)) {
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
- << " not part of a claimed interface.";
+ << " is not part of a claimed interface.";
ReportIsochronousTransferError(std::move(callback), packet_lengths,
UsbTransferStatus::TRANSFER_ERROR);
return;
@@ -812,11 +811,10 @@
uint8_t endpoint_address =
ConvertTransferDirection(UsbTransferDirection::OUTBOUND) |
endpoint_number;
- const auto endpoint_it = endpoint_map_.find(endpoint_address);
- if (endpoint_it == endpoint_map_.end()) {
+ if (!endpoint_map_.contains(endpoint_address)) {
USB_LOG(ERROR) << "Failed to submit isochronous transfer because endpoint "
<< static_cast<int>(endpoint_address)
- << " not part of a claimed interface.";
+ << " is not part of a claimed interface.";
ReportIsochronousTransferError(std::move(callback), packet_lengths,
UsbTransferStatus::TRANSFER_ERROR);
return;
@@ -852,7 +850,7 @@
if (endpoint_it == endpoint_map_.end()) {
USB_LOG(ERROR) << "Failed to submit transfer because endpoint "
<< static_cast<int>(endpoint_address)
- << " not part of a claimed interface.";
+ << " is not part of a claimed interface.";
task_runner_->PostTask(
FROM_HERE,
base::BindOnce(std::move(callback), UsbTransferStatus::TRANSFER_ERROR,
```
Change information
Commit message:
usb: prevent UAF in macOS WebUSB isochronous transfers
Add endpoint verification to IsochronousTransferIn and IsochronousTransferOut to ensure the target endpoint is part of a claimed interface before creating the transfer. This prevents transfers from being created with a null claimed interface, which allowed them to bypass cancellation during ReleaseInterface and lead to a Use-After-Free on macOS.
BUG=516999424
Change-Id: Ie957a81626631ee914a685860debab357f8191aa
Commit-Queue: Alvin Ji <alv...@chromium.org>
Reviewed-by: Matt Reynolds <mattre...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1637882}
Files:
- M services/device/usb/usb_device_handle_impl.cc
Change size: S
Delta: 1 file changed, 20 insertions(+), 2 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Matt Reynolds
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages