authorAndrey Kosyakov <caseq@chromium.org>2021-03-30 08:04:11 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-04-19 22:34:13 +0000
commit88d217a8b9e4d990e8930ee6b59d3a97289a2276 (patch)
tree629999cac0acdfa0c0a76ef7048ccfdfcac80913
parent53a608aff9c39b18cbcaf6cc9784420410fa587f (diff)
[Backport] CVE-2021-21202: Use after free in extensions.
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2787756: DevTools: expect PageHandler may be destroyed during Page.navigate Bug: 1188889 Change-Id: I5c2fcca84834d66c46d77a70683212c2330177a5 Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Cr-Commit-Position: refs/heads/master@{#867507} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/devtools/protocol/page_handler.cc6
-rw-r--r--chromium/content/browser/devtools/render_frame_devtools_agent_host.cc5
2 files changed, 9 insertions, 2 deletions
diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index 770f61f64d5..c23d575ca94 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -501,8 +501,12 @@ void PageHandler::Navigate(const std::string& url,
params.referrer = Referrer(GURL(referrer.fromMaybe("")), policy);
params.transition_type = type;
params.frame_tree_node_id = frame_tree_node->frame_tree_node_id();
+ // Handler may be destroyed while navigating if the session
+ // gets disconnected as a result of access checks.
+ base::WeakPtr<PageHandler> weak_self = weak_factory_.GetWeakPtr();
frame_tree_node->navigator().GetController()->LoadURLWithParams(params);
-
+ if (!weak_self)
+ return;
base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();
auto navigate_callback = navigate_callbacks_.find(frame_token);
if (navigate_callback != navigate_callbacks_.end()) {
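Review bot: The new guard protects `this`, but the line right after it still dereferences `frame_tree_node`, a raw pointer obtained before `LoadURLWithParams()` ran; whether that call can synchronously tear down the node is not visible in this hunk, so the post-navigation dereference deserves the same scrutiny the handler got. The simplest way to remove the question is to read the token before navigating: move `base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();` above the `LoadURLWithParams(params)` call, which is safe because the token is a value copy. If the node is known to outlive the call by construction, a comment next to the guard stating that (`// frame_tree_node outlives the synchronous part of LoadURLWithParams; only |this| may go away.`) would keep the next reader from re-deriving it. PageHandler::Navigate starts before and continues after this hunk.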
diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
index 02a655ba98a..2b0ca5c7801 100644
--- a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -474,8 +474,11 @@ void RenderFrameDevToolsAgentHost::UpdateFrameHost(
if (!ShouldAllowSession(session))
restricted_sessions.push_back(session);
}
- if (!restricted_sessions.empty())
+ scoped_refptr<RenderFrameDevToolsAgentHost> protect;
+ if (!restricted_sessions.empty()) {
+ protect = this;
ForceDetachRestrictedSessions(restricted_sessions);
+ }
UpdateFrameAlive();
}
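Review bot: The self-reference `protect` is introduced without any explanation, unlike the matching change in page_handler.cc, so a later cleanup could easily move it inside the `if` block or drop it as an unused-looking local. A comment above the declaration should state the lifetime issue it solves, e.g. `// ForceDetachRestrictedSessions() may drop the last reference to this host; hold one until UpdateFrameAlive() below has run.` — the exact trigger is inferred from the commit title rather than visible here, so word it to match what the detach path actually does. Declaring `protect` before the `if` is necessary as written, since `UpdateFrameAlive()` is called on `this` after the block closes; the comment should make that ordering dependency explicit. UpdateFrameHost begins before this hunk.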