author | Ken Rockot <rockot@google.com> | 2022-12-08 12:48:54 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-01-10 14:30:35 +0000 |
commit | 28a1b2eb95e06bc4dd8c93bb61106e35eaf715c7 (patch) | |
tree | 4b03288e5da4302f5efadd6d81145bfbe55aca6c | |
parent | ce9155cc73d8a94f1536b96e841c0aee2ff7d921 (diff) | |
download | qtwebengine-chromium-28a1b2eb95e06bc4dd8c93bb61106e35eaf715c7.tar.gz |
[Backport] CVE-2022-4437: Use after free in Mojo IPC
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4066994:
Mojo: Fix potential UAF in IPC Channel
Fixed: 1394692
Change-Id: I1753b79eb6e9230ebb663eca47295d81dd859068
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4066994
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1077742}
(cherry picked from commit 120b4b05ac7eaa9024f677394aa663c2702174ce)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/450080
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/ipc/ipc_mojo_bootstrap.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/ipc/ipc_mojo_bootstrap.cc b/chromium/ipc/ipc_mojo_bootstrap.cc index 7ab3e4fa8ea..616382cb8f9 100644 --- a/chromium/ipc/ipc_mojo_bootstrap.cc +++ b/chromium/ipc/ipc_mojo_bootstrap.cc @@ -596,9 +596,12 @@ class ChannelAssociatedGroupController void OnSyncMessageEventReady() { DCHECK(task_runner_->RunsTasksInCurrentSequence()); - scoped_refptr<Endpoint> keepalive(this); + // SUBTLE: The order of these scoped_refptrs matters. + // `controller_keepalive` MUST outlive `keepalive` because the Endpoint + // holds raw pointer to the AssociatedGroupController. scoped_refptr<AssociatedGroupController> controller_keepalive( controller_); + scoped_refptr<Endpoint> keepalive(this); base::AutoLock locker(controller_->lock_); bool more_to_process = false; if (!sync_messages_.empty()) { |
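Review bot: the new SUBTLE comment at the top of OnSyncMessageEventReady() is the only thing documenting why `scoped_refptr<AssociatedGroupController> controller_keepalive(controller_);` now has to come before `scoped_refptr<Endpoint> keepalive(this);`, and it reads "holds raw pointer to the AssociatedGroupController"; make that "holds a raw pointer" and say explicitly that the fix relies on automatic variables being destroyed in reverse order of declaration, so `keepalive` (declared second) is released first and the `controller_` that the Endpoint's raw pointer refers to is still alive while the Endpoint is torn down. The `base::AutoLock locker(controller_->lock_);` declared after both keepalives benefits from the same order, since the lock belongs to the controller and is released before either reference drops. Because nothing in the code itself prevents a later edit from swapping the two lines back, consider adding the bug id from the commit message (1394692) to the comment so the reason survives refactoring.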