author | Reilly Grant <reillyg@chromium.org> | 2021-05-25 20:10:25 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-11-10 18:25:14 +0000 |
commit | 2f70e10d4ded2e2c9c6ac7d34bdfde5a3fd1a085 (patch) | |
tree | 0c1d5924288db5835ec714945ab4ef17c885bf26 | |
parent | 439637e3aeab4b09bf441d395575a6e801af713d (diff) | |
[Backport] CVE-2021-30585: Use after free in sensor handling
Partial backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2911135:
sensors: Add locking when passing sensor updates to the client
This change updates the Win32 and WinRT sensor backends to acquire the
lock when calling back into the client. This is important because the
client_ variable is set to nullptr when the sensor reader is destroyed
and so synchronization is needed to prevent a null pointer dereference
or use after free.
(cherry picked from commit 6d6e9b5443d3cafce07b8cfc64a52f4ee59cb8ad)
Bug: 1023503
Change-Id: Ie677c7a7376e1b01bacaad66264439c5f5af6a0e
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Auto-Submit: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Chris Mumford <cmumford@google.com>
Cr-Original-Commit-Position: refs/heads/master@{#885336}
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/4515@{#47}
Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/services/device/generic_sensor/platform_sensor_reader_win.cc | 4 | ||||
-rw-r--r-- | chromium/services/device/generic_sensor/platform_sensor_reader_win.h | 8 |
2 files changed, 8 insertions, 4 deletions
diff --git a/chromium/services/device/generic_sensor/platform_sensor_reader_win.cc b/chromium/services/device/generic_sensor/platform_sensor_reader_win.cc
index 93c9e059434..0b654d8b2fe 100644
--- a/chromium/services/device/generic_sensor/platform_sensor_reader_win.cc
+++ b/chromium/services/device/generic_sensor/platform_sensor_reader_win.cc
@@ -485,7 +485,8 @@ bool PlatformSensorReaderWin::SetReportingInterval(
 HRESULT PlatformSensorReaderWin::SensorReadingChanged(
 ISensorDataReport* report,
- SensorReading* reading) const {
+ SensorReading* reading) {
+ base::AutoLock autolock(lock_);
 if (!client_)
 return E_FAIL;
@@ -496,6 +497,7 @@ HRESULT PlatformSensorReaderWin::SensorReadingChanged(
 }
 void PlatformSensorReaderWin::SensorError() {
+ base::AutoLock autolock(lock_);
 if (client_)
 client_->OnSensorError();
 }
diff --git a/chromium/services/device/generic_sensor/platform_sensor_reader_win.h b/chromium/services/device/generic_sensor/platform_sensor_reader_win.h
index 8b31ae2f4a0..f14474a1ede 100644
--- a/chromium/services/device/generic_sensor/platform_sensor_reader_win.h
+++ b/chromium/services/device/generic_sensor/platform_sensor_reader_win.h
@@ -8,6 +8,8 @@
 #include <SensorsApi.h>
 #include <wrl/client.h>
+#include "base/synchronization/lock.h"
+#include "base/thread_annotations.h"
 #include "services/device/public/mojom/sensor.mojom.h"
 namespace device {
@@ -56,7 +58,7 @@ class PlatformSensorReaderWin {
 bool SetReportingInterval(const PlatformSensorConfiguration& configuration);
 void ListenSensorEvent();
 HRESULT SensorReadingChanged(ISensorDataReport* report,
- SensorReading* reading) const;
+ SensorReading* reading);
 void SensorError();
 private:
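Review bot: The AutoLock added at the top of SensorReadingChanged (and likewise in SensorError in the next hunk) is now held for the entire callback, so the call into client_ that presumably follows the E_FAIL check is made with lock_ held, and base::Lock is not reentrant; a client that synchronously calls StopSensor or any other lock_-taking method from inside OnReadingUpdated or OnSensorError would deadlock instead of racing. That is the correct trade for closing the use-after-free, but it is a new contract on Client that neither method declaration documents, so I would add at each declaration `// Invoked on the sensor thread with lock_ held; Client must not call back into this reader synchronously.` The body of SensorReadingChanged continues past the hunk. The description also names the WinRT backend, while the diffstat touches only the Win32 reader; if that is what "partial" means here it is worth saying so explicitly.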
@@ -68,8 +70,8 @@ class PlatformSensorReaderWin {
 // StartSensor and StopSensor are called from another thread by
 // PlatformSensorWin that can modify internal state of the object.
 base::Lock lock_;
- bool sensor_active_;
- Client* client_;
+ bool sensor_active_ GUARDED_BY(lock_);
+ Client* client_ GUARDED_BY(lock_);
 Microsoft::WRL::ComPtr<ISensor> sensor_;
 scoped_refptr<EventListener> event_listener_;
 base::WeakPtrFactory<PlatformSensorReaderWin> weak_factory_;
|
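Review bot: The comment above lock_ still describes only the StartSensor/StopSensor cross-thread case, but with client_ now GUARDED_BY(lock_) and the .cc hunks taking the lock around every call into client_, the lock's job has grown: it also guarantees client_ is not cleared while a callback is in flight. I would extend the comment with `// lock_ is also held while calling into client_, so the client pointer cannot be cleared mid-callback and the client must not re-enter this object under it.` sensor_, event_listener_ and weak_factory_ are left unannotated, which is only safe if they are confined to one thread; I cannot confirm that from this hunk. The class body continues past the hunk.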