author | Rohit Agarwal <roagarwal@chromium.org> | 2020-01-13 22:36:06 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-01-16 13:10:30 +0000 |
commit | 046bd9f50b6910b7bf4eb074ac6631ff69ea6afe (patch) | |
tree | 5f4c5528d3e57e021f1b84e109b2df558ffb9381 | |
parent | 8417e8352600298a901aeb0360eba25361b2343d (diff) | |
download | qtwebengine-chromium-046bd9f50b6910b7bf4eb074ac6631ff69ea6afe.tar.gz |
[Backport] Security bug 889276
Manual backport of patch:
Delete PermissionServiceContext instance when shutting down RPHI.
The PermissionServiceContext holds PermissionSubscriptions originating
from service workers. These subscriptions observe the
PermissionControllerImpl that is owned by the Profile. When we delete
the profile, we terminate the RenderProcessHosts associated with
the profile first; however, in the OTR case, the RenderProcessHost
corresponding to PermissionControllerImpl is not deleted before
Profile.
The fix was to explicitly delete the PermissionServiceContext instance
when we call the RenderProcessHost::CleanUp method.
(cherry picked from commit 2045162fc4bd5ef1966dee183162cc1984941629)
Bug: 889276
Commit-Queue: Rohit Agarwal <roagarwal@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#724643}
Cr-Commit-Position: refs/branch-heads/3945@{#1014}
Cr-Branched-From: e4635fff7defbae0f9c29e798349f6fc0cce4b1b-refs/heads/master@{#706915}
Change-Id: I302e40fba225a5b732f681a734c68e4d113374b6
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/renderer_host/render_process_host_impl.cc | 9 | ||||
-rw-r--r-- | chromium/content/browser/renderer_host/render_process_host_impl.h | 2 |
2 files changed, 10 insertions, 1 deletions
diff --git a/chromium/content/browser/renderer_host/render_process_host_impl.cc b/chromium/content/browser/renderer_host/render_process_host_impl.cc index 35c35dd0900..c0b7e50a9a8 100644 --- a/chromium/content/browser/renderer_host/render_process_host_impl.cc +++ b/chromium/content/browser/renderer_host/render_process_host_impl.cc @@ -4238,6 +4238,15 @@ void RenderProcessHostImpl::ResetIPC() { // away first, since deleting the channel proxy will post a // OnChannelClosed() to IPC::ChannelProxy::Context on the IO thread. ResetChannelProxy(); + + // The PermissionServiceContext holds PermissionSubscriptions originating from + // service workers. These subscriptions observe the PermissionControllerImpl + // that is owned by the Profile corresponding to |this|. At this point, IPC + // are unbound so no new subscriptions can be made. Existing subscriptions + // need to be released here, as the Profile, and with it, the + // PermissionControllerImpl, can be destroyed anytime after + // RenderProcessHostImpl::Cleanup() returns. + permission_service_context_.reset(); } size_t RenderProcessHost::GetActiveViewCount() { diff --git a/chromium/content/browser/renderer_host/render_process_host_impl.h b/chromium/content/browser/renderer_host/render_process_host_impl.h index aa89b51321a..59df1d3b56e 100644 --- a/chromium/content/browser/renderer_host/render_process_host_impl.h +++ b/chromium/content/browser/renderer_host/render_process_host_impl.h @@ -849,7 +849,7 @@ class CONTENT_EXPORT RenderProcessHostImpl base::TimeTicks keep_alive_start_time_; // Context shared for each mojom::PermissionService instance created for this - // RPH. + // RPH. This is destroyed early in ResetIPC() method. std::unique_ptr<PermissionServiceContext> permission_service_context_; // The memory allocator, if any, in which the renderer will write its metrics. |
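Review bot: In the render_process_host_impl.cc hunk, `permission_service_context_.reset()` is placed at the end of ResetIPC(), but the new comment justifies it in terms of `RenderProcessHostImpl::Cleanup()` returning, and the commit message calls the same method `RenderProcessHost::CleanUp`; please use one spelling and state explicitly that Cleanup() reaches this line via ResetIPC(), otherwise a reader of ResetIPC() alone cannot verify the ordering argument. The comment's wording "At this point, IPC are unbound" should read "the IPC channel is unbound". Since ResetIPC() may run more than once over the host's lifetime, it is worth a sentence noting that a second `reset()` on an already-null `unique_ptr` is a no-op, so the early destruction is idempotent. The change also ships without a regression test; a browser or unit test that destroys an off-the-record profile after the RenderProcessHost has been cleaned up, and checks that no PermissionSubscription still observes the PermissionControllerImpl, would guard against the lifetime ordering described in the commit message regressing.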
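Review bot: In the render_process_host_impl.h hunk, the updated member comment "This is destroyed early in ResetIPC() method." fixes the grammar only halfway and, more importantly, omits the consequence that matters to other code in the class: after ResetIPC() the pointer is null, so any method that dereferences `permission_service_context_` (for example when binding a new mojom::PermissionService) must tolerate a null member. Suggest: "Destroyed early, in ResetIPC(), so that its PermissionSubscriptions stop observing the PermissionControllerImpl before the Profile can go away; may be null afterwards."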