author | Daniel Cheng <dcheng@chromium.org> | 2020-04-14 21:20:16 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-19 12:36:37 +0000 |
commit | ca61def88f8207d681846f576bc0d28a7b73afbc (patch) | |
tree | 9eb2f5bc9e43de16403f39528535cf60e26f2ec2 | |
parent | e490120c6b63735754b3e8a73173918d7dc40ec5 (diff) | |
[Backport] CVE-2020-6462: Use after free in task scheduling
Use std::deque to store the stack of currently executing tasks
The stack of currently executing tasks includes a PendingTask field. A
pointer to this field is stored in TLS. However, std::vector does not
guarantee pointer stability on resize.
Bug: 1064891
Change-Id: I04eb06c9521722f08fd72826f552cedaffe61b53
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: François Doray <fdoray@chromium.org>
Cr-Commit-Position: refs/heads/master@{#759017}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/base/task/sequence_manager/sequence_manager_impl.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/base/task/sequence_manager/sequence_manager_impl.h b/chromium/base/task/sequence_manager/sequence_manager_impl.h
index b42dc727981..b0df3670306 100644
--- a/chromium/base/task/sequence_manager/sequence_manager_impl.h
+++ b/chromium/base/task/sequence_manager/sequence_manager_impl.h
@@ -5,7 +5,7 @@
 #ifndef BASE_TASK_SEQUENCE_MANAGER_SEQUENCE_MANAGER_IMPL_H_
 #define BASE_TASK_SEQUENCE_MANAGER_SEQUENCE_MANAGER_IMPL_H_
-#include <list>
+#include <deque>
 #include <map>
 #include <memory>
 #include <random>
@@ -228,7 +228,9 @@ class BASE_EXPORT SequenceManagerImpl
 bool task_was_run_on_quiescence_monitored_queue = false;
 // Due to nested runloops more than one task can be executing concurrently.
- std::list<ExecutingTask> task_execution_stack;
+ // Note that this uses std::deque for pointer stability, since pointers to
+ // objects in this container are stored in TLS.
+ std::deque<ExecutingTask> task_execution_stack;
 Observer* observer = nullptr; // NOT OWNED
 };
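Review bot: The comment added above `task_execution_stack` in the second hunk overstates what std::deque guarantees: element addresses stay stable only across push/pop at either end, while insert or erase in the middle invalidates references, so the pointers kept in TLS are safe only as long as the container is used strictly as a stack. I'd extend the comment to state that invariant, e.g. `// Only ever push_back/pop_back here; inserting or erasing elsewhere would invalidate the pointers held in TLS.`, and confirm at the push/pop sites (outside this hunk) that no iterators into the container are kept across a push, since std::deque::push_back invalidates iterators even though references remain valid. The description attributes the original instability to std::vector, whereas the removed line is std::list, which already keeps element addresses stable; it may be worth checking that the description matches the container the backport target actually had. The enclosing struct and the SequenceManagerImpl class begin outside the hunk.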