authorDaniel Rubery <drubery@chromium.org>2020-04-09 00:12:05 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-04-24 14:31:56 +0000
commitbb3309303f4020ab526d9c7889d455793c65ad0c (patch)
tree2dc0b6be7d118022d8be25585e922f5507f2dcce
parent17dd703700e2316746cea0a08609909ab00cf3ed (diff)
downloadqtwebengine-chromium-bb3309303f4020ab526d9c7889d455793c65ad0c.tar.gz
[Backport] Security bug 1055933
Check ResourceContext is alive before binding SafeBrowsing in weblayer/webview If the ResourceContext has been torn down before we bind the SafeBrowsing mojo interface, a use-after-free (UaF) can occur. This was fixed for desktop Chrome in https://chromium-review.googlesource.com/c/chromium/src/+/1972168 by checking that the RenderProcessHost is still active before binding the interface. Bug: 1055933 Change-Id: I4ebecd3144136302a62c45b48de0ca5323780dcf Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc28
1 files changed, 25 insertions, 3 deletions
diff --git a/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc b/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
index 6f288fe4fda..e4ede3449a3 100644
--- a/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
+++ b/chromium/weblayer/browser/safe_browsing/safe_browsing_service.cc
@@ -33,6 +33,28 @@ network::mojom::NetworkContextParamsPtr CreateDefaultNetworkContextParams(
return network_context_params;
}
+// Helper method that checks the RenderProcessHost is still alive before hopping
+// over to the IO thread.
+void MaybeCreateSafeBrowsing(
+ int rph_id,
+ content::ResourceContext* resource_context,
+ base::RepeatingCallback<scoped_refptr<safe_browsing::UrlCheckerDelegate>()>
+ get_checker_delegate,
+ mojo::PendingReceiver<safe_browsing::mojom::SafeBrowsing> receiver) {
+ DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+
+ content::RenderProcessHost* render_process_host =
+ content::RenderProcessHost::FromID(rph_id);
+ if (!render_process_host)
+ return;
+
+ base::PostTask(
+ FROM_HERE, {content::BrowserThread::IO},
+ base::BindOnce(&safe_browsing::MojoSafeBrowsingImpl::MaybeCreate, rph_id,
+ resource_context, std::move(get_checker_delegate),
+ std::move(receiver)));
+}
+
} // namespace
SafeBrowsingService::SafeBrowsingService(const std::string& user_agent)
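Review bot: The guard at L33-L36 only establishes that a RenderProcessHost object with `rph_id` still exists, whereas the commit message describes the desktop fix as checking the host is "still active"; the raw `resource_context` pointer is then handed unchanged to the IO-thread task at L38-L42, so the fix rests on the unstated assumption that an existing RPH implies its BrowserContext's ResourceContext has not been torn down, and that the posted task runs before any ResourceContext deletion on the IO thread. That assumption appears sound if ResourceContext teardown is itself sequenced through the IO thread after the RPHs go away, but none of that is visible here and it should be written down where a future maintainer would otherwise relax the check. I would replace the comment at L23-L24 with: `// Runs on the UI thread. If the RenderProcessHost is gone, its BrowserContext (and thus |resource_context|) may be torn down, so drop the receiver rather than bind against a dangling ResourceContext on the IO thread (bug 1055933). Relies on this IO-thread task being ordered before any ResourceContext deletion.` Returning early also closes the mojo pipe for the renderer, which looks like the intended outcome since that process is already on its way out.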
@@ -159,12 +181,12 @@ void SafeBrowsingService::AddInterface(
render_process_host->GetBrowserContext()->GetResourceContext();
registry->AddInterface(
base::BindRepeating(
- &safe_browsing::MojoSafeBrowsingImpl::MaybeCreate,
- render_process_host->GetID(), resource_context,
+ &MaybeCreateSafeBrowsing, render_process_host->GetID(),
+ resource_context,
base::BindRepeating(
&SafeBrowsingService::GetSafeBrowsingUrlCheckerDelegate,
base::Unretained(this))),
- base::CreateSingleThreadTaskRunner({content::BrowserThread::IO}));
+ base::CreateSingleThreadTaskRunner({content::BrowserThread::UI}));
}
} // namespace weblayer
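Review bot: The task-runner switch at L58-L59 is the load-bearing part of this hunk — the registry now invokes the bound callback on the UI thread, which is what lets `MaybeCreateSafeBrowsing` call `RenderProcessHost::FromID` under its `DCHECK_CURRENTLY_ON(content::BrowserThread::UI)` — but nothing at the call site says so, and a reader who sees a SafeBrowsing mojo interface registered on UI instead of IO may well "fix" it back and reopen the use-after-free. I would add above `registry->AddInterface(`: `// Bind on the UI thread so MaybeCreateSafeBrowsing can verify the RenderProcessHost is still alive before hopping to the IO thread (bug 1055933).` `SafeBrowsingService::AddInterface` begins before this hunk and `render_process_host` is declared outside the visible lines, so whether it is itself validated earlier in the function cannot be seen here. The `base::Unretained(this)` on L57 is pre-existing and, as far as the hunk shows, the change does not alter when that delegate getter runs relative to the service's lifetime.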