authorKen Rockot <rockot@google.com>2022-12-08 12:48:54 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-01-10 14:30:35 +0000
commit28a1b2eb95e06bc4dd8c93bb61106e35eaf715c7 (patch)
tree4b03288e5da4302f5efadd6d81145bfbe55aca6c
parentce9155cc73d8a94f1536b96e841c0aee2ff7d921 (diff)
[Backport] CVE-2022-4437: Use after free in Mojo IPC
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4066994: Mojo: Fix potential UAF in IPC Channel Fixed: 1394692 Change-Id: I1753b79eb6e9230ebb663eca47295d81dd859068 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4066994 Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/main@{#1077742} (cherry picked from commit 120b4b05ac7eaa9024f677394aa663c2702174ce) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/450080 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/ipc/ipc_mojo_bootstrap.cc5
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/ipc/ipc_mojo_bootstrap.cc b/chromium/ipc/ipc_mojo_bootstrap.cc
index 7ab3e4fa8ea..616382cb8f9 100644
--- a/chromium/ipc/ipc_mojo_bootstrap.cc
+++ b/chromium/ipc/ipc_mojo_bootstrap.cc
@@ -596,9 +596,12 @@ class ChannelAssociatedGroupController
void OnSyncMessageEventReady() {
DCHECK(task_runner_->RunsTasksInCurrentSequence());
- scoped_refptr<Endpoint> keepalive(this);
+ // SUBTLE: The order of these scoped_refptrs matters.
+ // `controller_keepalive` MUST outlive `keepalive` because the Endpoint
+ // holds raw pointer to the AssociatedGroupController.
scoped_refptr<AssociatedGroupController> controller_keepalive(
controller_);
+ scoped_refptr<Endpoint> keepalive(this);
base::AutoLock locker(controller_->lock_);
bool more_to_process = false;
if (!sync_messages_.empty()) {