The 64-bit build of Chrome version 90.0.4430.91 is tested with the following devices:
- Pixel 3a firmware version RQ1A.210205.004
- Samsung Galaxy A71 firmware version A715FXXU3BUB5
The offsets included in arm64_renderer.patch are for the A71. To test on the Pixel 3a, change the A71-specific offsets to the following instead:
uint64_t executeOffset = 0x711354;
uint64_t systemOffset = 0x5f278;
The arm64_renderer.patch is used to simulate a compromised renderer.
The patch browser.patch patches the browser to make local testing more convenient. It does the following:
- It removes the ServerCards check to simulate having a credit card stored in an account (rather than on the device):
@@ -163,7 +163,7 @@ void CreditCardAccessManager::PrepareToFetchCreditCard() {
#if !defined(OS_IOS)
// No need to fetch details if there are no server cards.
if (!ServerCardsAvailable())
- return;
+// return;
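Review bot: commenting out `return;` on the last line of this hunk leaves `if (!ServerCardsAvailable())` with no body, so whatever statement follows it in the unchanged context silently becomes the conditional body instead of running unconditionally. Remove the whole `if` (or leave an empty block `{}`) rather than only the `return;`, so the test build behaves the way the description above says, i.e. the fetch proceeds regardless of server cards.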
- It removes the requirement for secure content, which would otherwise require a properly set up https context (a self-signed certificate for localhost does not pass this check):
@@ -2542,7 +2542,9 @@ void AutofillManager::GetAvailableSuggestions(
return;
}
- context->is_context_secure = !IsFormNonSecure(form);
+// context->is_context_secure = !IsFormNonSecure(form);
+ context->is_context_secure = true;
+
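Review bot: the commented-out original line `+// context->is_context_secure = !IsFormNonSecure(form);` and the trailing empty `+` line are dead weight; delete them and keep only `+ context->is_context_secure = true;`. Because this hardcodes every form as secure, the resulting build lets autofill offer card data on plain-http pages, so it should only ever be installed on the local test devices listed above and never reused as a general-purpose build.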
These are only for the convenience of local testing and are not a requirement of the vulnerability.
After applying both of these patches, build Chrome version 90.0.4430.91 with the following build config (args.gn):
target_os = "android"
target_cpu = "arm64"
is_java_debug = false
is_debug = false
symbol_level = 1
blink_symbol_level = 1
Then follow the instructions in README.md in the parent directory to test.