author | Andrey Kosyakov <caseq@chromium.org> | 2021-03-30 08:04:11 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-19 22:34:13 +0000 |
commit | 88d217a8b9e4d990e8930ee6b59d3a97289a2276 (patch) | |
tree | 629999cac0acdfa0c0a76ef7048ccfdfcac80913 | |
parent | 53a608aff9c39b18cbcaf6cc9784420410fa587f (diff) |
[Backport] CVE-2021-21202: Use after free in extensions.
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2787756:
DevTools: expect PageHandler may be destroyed during Page.navigate
Bug: 1188889
Change-Id: I5c2fcca84834d66c46d77a70683212c2330177a5
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#867507}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/devtools/protocol/page_handler.cc | 6 | ||||
-rw-r--r-- | chromium/content/browser/devtools/render_frame_devtools_agent_host.cc | 5 |
2 files changed, 9 insertions, 2 deletions
diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index 770f61f64d5..c23d575ca94 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -501,8 +501,12 @@ void PageHandler::Navigate(const std::string& url,
   params.referrer = Referrer(GURL(referrer.fromMaybe("")), policy);
   params.transition_type = type;
   params.frame_tree_node_id = frame_tree_node->frame_tree_node_id();
+  // Handler may be destroyed while navigating if the session
+  // gets disconnected as a result of access checks.
+  base::WeakPtr<PageHandler> weak_self = weak_factory_.GetWeakPtr();
   frame_tree_node->navigator().GetController()->LoadURLWithParams(params);
-
+  if (!weak_self)
+    return;
   base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();
   auto navigate_callback = navigate_callbacks_.find(frame_token);
   if (navigate_callback != navigate_callbacks_.end()) {
diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
index 02a655ba98a..2b0ca5c7801 100644
--- a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -474,8 +474,11 @@ void RenderFrameDevToolsAgentHost::UpdateFrameHost(
     if (!ShouldAllowSession(session))
       restricted_sessions.push_back(session);
   }
-  if (!restricted_sessions.empty())
+  scoped_refptr<RenderFrameDevToolsAgentHost> protect;
+  if (!restricted_sessions.empty()) {
+    protect = this;
     ForceDetachRestrictedSessions(restricted_sessions);
+  }
   UpdateFrameAlive();
 } |
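Review bot: The `if (!weak_self) return;` guard covers only the handler itself, while the lines after it still dereference `frame_tree_node`, a raw pointer obtained before `LoadURLWithParams` whose lifetime the guard does not cover. Whether the navigation can synchronously detach that node is not visible from this hunk; if it can, `frame_tree_node` needs a check of its own before `devtools_frame_token()` is read. The early return also silently abandons the pending Page.navigate response, which is correct once the session is gone but deserves a word, e.g. `// Session was disconnected during navigation; nothing left to respond to.` above the return. `PageHandler::Navigate` begins and ends outside the hunk.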
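Review bot: `protect` is assigned without a comment saying what it guards, unlike the parallel fix in page_handler.cc; a reader of `protect = this;` has to reconstruct that `ForceDetachRestrictedSessions` presumably can release the last reference to this agent host and that `UpdateFrameAlive()` still runs on `this` afterwards. Suggested comment above the declaration: `// Detaching restricted sessions may release the last reference to this host; keep it alive until UpdateFrameAlive() has run.` Declaring `protect` inside the `if` block would be tighter, but its lifetime would then end before `UpdateFrameAlive()`, so the wider scope looks intentional and the comment should say so. `RenderFrameDevToolsAgentHost::UpdateFrameHost` starts outside the hunk.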