author | Daniel Rubery <drubery@chromium.org> | 2020-04-09 00:12:05 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2020-04-24 14:31:56 +0000 |
commit | bb3309303f4020ab526d9c7889d455793c65ad0c (patch) | |
tree | 2dc0b6be7d118022d8be25585e922f5507f2dcce | |
parent | 17dd703700e2316746cea0a08609909ab00cf3ed (diff) | |
download | qtwebengine-chromium-bb3309303f4020ab526d9c7889d455793c65ad0c.tar.gz |
[Backport] Security bug 1055933
Check ResourceContext is alive before binding SafeBrowsing in weblayer/webview
If the ResourceContext has been torn down before we bind the
SafeBrowsing mojo interface, it is possible to trigger a use-after-free (UaF). This was
fixed for desktop Chrome in
https://chromium-review.googlesource.com/c/chromium/src/+/1972168
by checking that the RenderProcessHost is still active before binding
the interface.
Bug: 1055933
Change-Id: I4ebecd3144136302a62c45b48de0ca5323780dcf
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc b/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
index 6f288fe4fda..e4ede3449a3 100644
--- a/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
+++ b/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
@@ -33,6 +33,28 @@ network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams(
 return network_context_params;
 }
+// Helper method that checks the RenderProcessHost is still alive before hopping
+// over to the IO thread.
+void MaybeCreateSafeBrowsing(
+ int rph_id,
+ content::ResourceContext* resource_context,
+ base::RepeatingCallback<scoped_refptr<safe_browsing::UrlCheckerDelegate>()>
+ get_checker_delegate,
+ mojo::PendingReceiver<safe_browsing::mojom::SafeBrowsing> receiver) {
+ DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+ content::RenderProcessHost* render_process_host = content::RenderProcessHost::FromID(rph_id);
+ if (!render_process_host)
+ return;
+ base::PostTask(
+ FROM_HERE, {content::BrowserThread::IO},
+ base::BindOnce(&safe_browsing::MojoSafeBrowsingImpl::MaybeCreate, rph_id,
+ resource_context, std::move(get_checker_delegate),
+ std::move(receiver)));
+}
+
 } // namespace
 SafeBrowsingService::SafeBrowsingService(const std::string& user_agent)
@@ -159,12 +181,12 @@ void SafeBrowsingService::AddInterface(
 render_process_host->GetBrowserContext()->GetResourceContext();
 registry->AddInterface(
 base::BindRepeating(
- &safe_browsing::MojoSafeBrowsingImpl::MaybeCreate,
- render_process_host->GetID(), resource_context,
+ &MaybeCreateSafeBrowsing, render_process_host->GetID(),
+ resource_context,
 base::BindRepeating(
 &SafeBrowsingService::GetSafeBrowsingUrlCheckerDelegate,
 base::Unretained(this))),
- base::CreateSingleThreadTaskRunner({content::BrowserThread::IO}));
+ base::CreateSingleThreadTaskRunner({content::BrowserThread::UI}));
 }
 } // namespace weblayer |
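Review bot: The UI-thread check in MaybeCreateSafeBrowsing establishes only that the RenderProcessHost still exists; `resource_context` is then handed to the IO thread as a raw pointer and used later by MojoSafeBrowsingImpl::MaybeCreate, and nothing in the hunk states why RPH liveness on UI implies ResourceContext liveness at that later point. As far as I can tell the argument is that ResourceContext teardown is itself posted to the IO thread only after the BrowserContext and its hosts are gone on UI, so FIFO ordering on the IO thread runs this bind task before the delete; that is the invariant the fix rests on and it belongs in the helper's comment, e.g. `// Checking the RenderProcessHost on UI before posting keeps this task ahead of the ResourceContext's IO-thread deletion in the IO queue; if that ordering ever changes this check no longer protects resource_context.` The same reasoning is what motivates the second hunk's switch of the binder task runner from IO to UI, which otherwise reads as an unrelated change, so a one-line comment there (`// Bind on UI so MaybeCreateSafeBrowsing can check the RenderProcessHost before hopping to IO.`) would help the next reader. The enclosing AddInterface body starts outside the second hunk.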