The 32-bit version 88.0.4324.181 of Chrome is tested with the following devices:
- Pixel 3a firmware version RQ1A.210205.004
- Samsung Galaxy A71 firmware version A715FXXU3BUB5
The offsets included in arm_renderer.patch are with respect to these firmware versions. (To test on the Pixel 3a, the offset for the A71 needs to be commented out.) The arm_renderer.patch is used to simulate a compromised renderer.
The patch browser.patch patches the browser to make local testing more convenient. It does the following:
- It removes the ServerCards check to simulate having a credit card stored in an account (rather than on the device):
@@ -163,7 +163,7 @@ void CreditCardAccessManager::PrepareToFetchCreditCard() {
#if !defined(OS_IOS)
// No need to fetch details if there are no server cards.
if (!ServerCardsAvailable())
- return;
+// return;
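Review bot: with `return;` commented out, the `if (!ServerCardsAvailable())` on the line above is left without a body, so it now governs whatever statement follows it in PrepareToFetchCreditCard(). Comment out the `if` line together with the `return;`, or give it an empty block `{}`, so the test patch cannot silently skip the next statement when no server cards are available.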
- It removes the requirement for secure content, which would otherwise require a properly set up HTTPS context. (A self-signed certificate for localhost does not pass this check.)
@@ -2542,7 +2542,9 @@ void AutofillManager::GetAvailableSuggestions(
return;
}
- context->is_context_secure = !IsFormNonSecure(form);
+// context->is_context_secure = !IsFormNonSecure(form);
+ context->is_context_secure = true;
+
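Review bot: the hunk keeps the original assignment as a dead commented-out line and adds a trailing empty `+` line; drop both so the only change is `context->is_context_secure = true;`. Because that hardcoded `true` marks every form as secure, including genuinely non-secure ones, it should stay confined to the local test build (for example behind a test-only build flag) rather than be applied to any build that leaves the test setup.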
These are only for the convenience of local testing and are not a requirement of the vulnerability.
After applying both of these patches, build Chrome version 88.0.4324.181 with the following build config (args.gn):
target_os = "android"
target_cpu = "arm"
is_java_debug = false
is_debug = false
symbol_level = 1
blink_symbol_level = 1
then follow the instructions in README.md of the parent directory to test.