authorAndrey Kosyakov <caseq@chromium.org>2021-03-30 08:04:11 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-05-07 08:27:20 +0000
commit2abd3ca82deef66c5011e8c7df26f0eac66cc5bb (patch)
treec96351ad8a82567136a95f957769dc78fe21682d
parentfdc2fda10577902e01078b27ad817031f758ed74 (diff)
[Backport] CVE-2021-21202: Use after free in extensions.
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2787756: DevTools: expect PageHandler may be destroyed during Page.navigate Bug: 1188889 Change-Id: I5c2fcca84834d66c46d77a70683212c2330177a5 Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Cr-Commit-Position: refs/heads/master@{#867507} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/devtools/protocol/page_handler.cc5
-rw-r--r--chromium/content/browser/devtools/render_frame_devtools_agent_host.cc5
2 files changed, 9 insertions, 1 deletions
diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index 47f8c012923..9dfbf12b793 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -508,7 +508,12 @@ void PageHandler::Navigate(const std::string& url,
Referrer(GURL(referrer.fromMaybe("")), blink::kWebReferrerPolicyDefault);
params.transition_type = type;
params.frame_tree_node_id = frame_tree_node->frame_tree_node_id();
+ // Handler may be destroyed while navigating if the session
+ // gets disconnected as a result of access checks.
+ base::WeakPtr<PageHandler> weak_self = weak_factory_.GetWeakPtr();
frame_tree_node->navigator()->GetController()->LoadURLWithParams(params);
+ if (!weak_self)
+ return;
base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();
auto navigate_callback = navigate_callbacks_.find(frame_token);
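Review bot: The guard after `LoadURLWithParams` covers only `this`; `frame_tree_node` is a raw pointer obtained before the navigation and is dereferenced again on the very next line (`frame_tree_node->devtools_frame_token()`). Whether the navigation can synchronously tear down that frame is not shown on this page, but if it can, the dereference has the same use-after-free shape the commit fixes for the handler; reading the token before the navigation, `base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();` placed above `LoadURLWithParams`, would leave nothing reached through the node after it. The early `return` also silently drops the pending navigate callback, which is presumably intended because the session that owned it is gone; the comment could say so, e.g. `// If the session was detached during navigation, its callbacks went with it.`. Navigate's body continues outside the hunk.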
diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
index 9493103481a..a05538c3c8b 100644
--- a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -612,8 +612,11 @@ void RenderFrameDevToolsAgentHost::UpdateFrameHost(
restricted_sessions.push_back(session);
}
- if (!restricted_sessions.empty())
+ scoped_refptr<RenderFrameDevToolsAgentHost> protect;
+ if (!restricted_sessions.empty()) {
+ protect = this;
ForceDetachRestrictedSessions(restricted_sessions);
+ }
if (!render_frame_alive_) {
render_frame_alive_ = true;
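Review bot: The new `protect` reference has no comment explaining why it exists or why it is declared at function scope rather than inside the `if`; a reader could "simplify" it into the block and reintroduce the bug. Unlike the page_handler.cc hunk, which documents its weak-pointer guard, this one leaves the lifetime reasoning implicit; suggest `// Detaching restricted sessions may drop the last reference to this host; keep it alive until the method returns, since members are still touched below.` above the declaration. Declaring it outside the block appears deliberate so that the later `render_frame_alive_` accesses are covered, and the conditional assignment avoids refcount churn on the common path, which is worth stating in the same comment. UpdateFrameHost's body continues outside the hunk.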