authorJaroslav Sevcik <jarin@chromium.org>2022-03-09 09:20:01 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-05-20 15:34:06 +0000
commitacde086abfa804917448d8e3bdca470917d0e658 (patch)
tree6dc866bd990c94b062d65aded955ca0f0b15fda3
parentae89c0c16bfc7de4b999f82159ed9aa8f814fb81 (diff)
downloadqtwebengine-chromium-acde086abfa804917448d8e3bdca470917d0e658.tar.gz
[Backport] CVE-2022-1493: Use after free in Dev Tools
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3510307: Use weak pointers for devtools http server handlers This makes sure that we do not call HttpServer message handlers on a deallocated HttpServer instance. Interestingly, the weak pointer factory was already there, but it was unused. Bug: chromium:1275414 Change-Id: Ic0c33319bb3e67e3c15349d07acbaad64a7f62e3 Reviewed-by: Robbie McElrath <rmcelrath@chromium.org> Reviewed-by: Danil Somsikov <dsv@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/main@{#979140} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/services/network/public/cpp/server/http_server.cc14
1 files changed, 7 insertions, 7 deletions
diff --git a/chromium/services/network/public/cpp/server/http_server.cc b/chromium/services/network/public/cpp/server/http_server.cc
index f390f38a2d2..a2cb2534f6c 100644
--- a/chromium/services/network/public/cpp/server/http_server.cc
+++ b/chromium/services/network/public/cpp/server/http_server.cc
@@ -105,8 +105,8 @@ void HttpServer::SendRaw(int connection_id,
connection->write_watcher().Watch(
connection->send_handle(),
MOJO_HANDLE_SIGNAL_WRITABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
- base::BindRepeating(&HttpServer::OnWritable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnWritable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
}
}
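Review bot: The bound WeakPtr only neutralizes `OnWritable` calls that fire after the HttpServer is gone; it does nothing for the `connection->id()` argument, so `OnWritable` must still resolve that id against the live connection table on every call rather than holding a cached `HttpConnection*` (its body is outside this hunk, so that is an assumption to confirm). The fix also depends on `weak_ptr_factory_` being declared as the last member of HttpServer so it is invalidated before `server_socket_` and the connections are destroyed — worth checking in http_server.h, since the description says the factory was present but unused until now. A comment at the Watch call would keep a later cleanup from reverting to `base::Unretained`: `// WeakPtr: the write watcher can fire after this HttpServer is destroyed; such callbacks are intentionally dropped.` SendRaw's signature and opening lines are above the hunk.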
@@ -180,9 +180,9 @@ bool HttpServer::SetSendBufferSize(int connection_id, int32_t size) {
}
void HttpServer::DoAcceptLoop() {
- server_socket_->Accept(
- mojo::NullRemote(), /* observer */
- base::BindOnce(&HttpServer::OnAcceptCompleted, base::Unretained(this)));
+ server_socket_->Accept(mojo::NullRemote(), /* observer */
+ base::BindOnce(&HttpServer::OnAcceptCompleted,
+ weak_ptr_factory_.GetWeakPtr()));
}
void HttpServer::OnAcceptCompleted(
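Review bot: With a WeakPtr bound here, an Accept() that completes after the server is destroyed is now dropped silently, which is the intended outcome but is not documented at the call site; a one-line comment records why, e.g. `// WeakPtr: the accept reply may arrive after this HttpServer is destroyed (chromium:1275414).` `base::WeakPtr` is also sequence-affine, so this relies on the Accept reply being dispatched on the sequence that created `weak_ptr_factory_` — presumably true for a Mojo remote reply, but a sentence in the header stating that HttpServer is single-sequence would make the invariant explicit. Note that the hunk shows only three call sites converted; any remaining `base::Unretained(this)` binds elsewhere in this file would still carry the original hazard. OnAcceptCompleted's body begins at the end of this hunk and continues outside it.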
@@ -210,8 +210,8 @@ void HttpServer::OnAcceptCompleted(
connection->receive_handle(),
MOJO_HANDLE_SIGNAL_READABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
MOJO_TRIGGER_CONDITION_SIGNALS_SATISFIED,
- base::BindRepeating(&HttpServer::OnReadable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnReadable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
}
DoAcceptLoop();