authorDaniel Cheng <dcheng@chromium.org>2020-04-14 21:20:16 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-08-19 12:36:37 +0000
commitca61def88f8207d681846f576bc0d28a7b73afbc (patch)
tree9eb2f5bc9e43de16403f39528535cf60e26f2ec2
parente490120c6b63735754b3e8a73173918d7dc40ec5 (diff)
downloadqtwebengine-chromium-ca61def88f8207d681846f576bc0d28a7b73afbc.tar.gz
[Backport] CVE-2020-6462: Use after free in task scheduling
Use std::deque to store the stack of currently executing tasks The stack of currently executing tasks includes a PendingTask field. A pointer to this field is stored in TLS. However, std::vector does not guarantee pointer stability on resize. Bug: 1064891 Change-Id: I04eb06c9521722f08fd72826f552cedaffe61b53 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Sami Kyöstilä <skyostil@chromium.org> Reviewed-by: François Doray <fdoray@chromium.org> Cr-Commit-Position: refs/heads/master@{#759017} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/base/task/sequence_manager/sequence_manager_impl.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/base/task/sequence_manager/sequence_manager_impl.h b/chromium/base/task/sequence_manager/sequence_manager_impl.h
index b42dc727981..b0df3670306 100644
--- a/chromium/base/task/sequence_manager/sequence_manager_impl.h
+++ b/chromium/base/task/sequence_manager/sequence_manager_impl.h
@@ -5,7 +5,7 @@
#ifndef BASE_TASK_SEQUENCE_MANAGER_SEQUENCE_MANAGER_IMPL_H_
#define BASE_TASK_SEQUENCE_MANAGER_SEQUENCE_MANAGER_IMPL_H_
-#include <list>
+#include <deque>
#include <map>
#include <memory>
#include <random>
@@ -228,7 +228,9 @@ class BASE_EXPORT SequenceManagerImpl
bool task_was_run_on_quiescence_monitored_queue = false;
// Due to nested runloops more than one task can be executing concurrently.
- std::list<ExecutingTask> task_execution_stack;
+ // Note that this uses std::deque for pointer stability, since pointers to
+ // objects in this container are stored in TLS.
+ std::deque<ExecutingTask> task_execution_stack;
Observer* observer = nullptr; // NOT OWNED
};
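Review bot: The new comment on the `std::deque` member says only "pointer stability", but std::deque keeps references valid only across push/pop at either end — `insert`/`erase` anywhere else invalidates every reference — so a later refactor that removes a nested entry out of stack order would silently reintroduce the use-after-free this backport is meant to close. I would state the constraint where the container is declared: `// Note that this uses std::deque for pointer stability, since pointers to` / `// objects in this container are stored in TLS. Only push/pop at the ends keep` / `// those pointers valid; insert/erase elsewhere invalidates them.` Separately, the line removed here is `std::list<ExecutingTask>`, which already guarantees stable references on every operation, while the description blames std::vector; if this branch really held std::list, the backport is a no-op for CVE-2020-6462 and the vulnerable `std::vector` copy, if one exists, must live elsewhere in the Qt tree — worth confirming before shipping this as the fix. The struct that owns `task_execution_stack` starts above the hunk, so its other members are not visible here.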