From 9aabebeb69be9c62ded34e81217f648b0fa1c7d2 Mon Sep 17 00:00:00 2001
From: Raymond Toy
Date: Mon, 16 Mar 2020 18:26:41 +0000
Subject: [Backport] CVE-2020-6449: Use after free in audio.

Manual backport of patch originally reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/2098260 https://chromium-review.googlesource.com/c/chromium/src/+/2104992 Make finished_source_handlers_ hold scoped_refptrs Previously, finished_source_handlers_ held raw pointers to AudioHandlers and assumed that active_source_handlers_ also had a copy. But when the context goes away, active_source_handlers_ would be cleared, but not finished_source_handlers_, leaving pointers to deleted objects. So do two things: 1. Change finished_source_handlers_ to hold scoped_refptrs to manage lifetime of the objects 2. Clear finished_source_handler_ in ClearHandlersToBeDeleted() Either of these fix the repro case, but let's do both. Don't want to leaving dangling objects. Manually tested the repro case which no longer reproduces. Bug: 1059686 Change-Id: I11e999e6d7243351771d9530ceb924bd635578fd Reviewed-by: Michal Klocek
---
 .../blink/renderer/modules/webaudio/deferred_task_handler.cc | 3 ++-
 .../blink/renderer/modules/webaudio/deferred_task_handler.h | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
index fca70458c5a..b836b4d23ca 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
@@ -77,7 +77,7 @@ void DeferredTaskHandler::BreakConnections() {
   // connection.
   wtf_size_t size = finished_source_handlers_.size();
   if (size > 0) {
-    for (auto* finished : finished_source_handlers_) {
+    for (auto finished : finished_source_handlers_) {
       // Break connection first and then remove from the list because that can
       // cause the handler to be deleted.
       finished->BreakConnectionWithLock();
@@ -358,6 +358,7 @@ void DeferredTaskHandler::ClearHandlersToBeDeleted() {
   deletable_orphan_handlers_.clear();
   automatic_pull_handlers_.clear();
   rendering_automatic_pull_handlers_.clear();
+  finished_source_handlers_.clear();
   active_source_handlers_.clear();
 }
 
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
index 0ede5f5b5da..5d7416e481e 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
@@ -188,7 +188,7 @@ class MODULES_EXPORT DeferredTaskHandler final
     return &active_source_handlers_;
   }
 
-  Vector* GetFinishedSourceHandlers() {
+  Vector>* GetFinishedSourceHandlers() {
     return &finished_source_handlers_;
   }
 
@@ -257,7 +257,7 @@ class MODULES_EXPORT DeferredTaskHandler final
   // connection and elements here are removed from |active_source_handlers_|.
   //
   // This must be accessed only from the audio thread.
-  Vector finished_source_handlers_;
+  Vector> finished_source_handlers_;
 
   scoped_refptr task_runner_;
 
-- 
cgit v1.2.1
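Review bot: `for (auto finished : finished_source_handlers_)` now copies a scoped_refptr on every iteration, and nothing in the hunk records whether that copy is deliberate. If it is meant to keep the handler alive while BreakConnectionWithLock() runs (the comment directly below says that call can delete the handler), state it, e.g. `// Copy, not reference: hold our own ref while BreakConnectionWithLock() may drop the list's.`, otherwise a later clang-tidy performance-for-range-copy cleanup to `const auto&` will silently undo the protection. If the copy is not needed because the vector's own entry keeps each handler alive for the duration of this loop, `const auto&` is the cheaper and clearer spelling. The rest of BreakConnections, including the removal from the list the comment refers to, lies outside the hunk, so which of the two holds cannot be confirmed from here.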
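Review bot: The new `finished_source_handlers_.clear();` in ClearHandlersToBeDeleted() now drops owning references, so handlers can be destroyed from this function, yet the member's own comment in deferred_task_handler.h (hunk at -257) still says the list "must be accessed only from the audio thread". Whether ClearHandlersToBeDeleted() runs on the audio thread, or only once rendering has stopped, is not visible in this diff; whichever it is, the invariant should be written down next to the new line, e.g. `// Safe off the audio thread only because rendering has already been torn down.` or an assertion on the calling thread, or the member comment should be relaxed to name teardown as the exception. Without that, the next reader has to reconcile two contradictory statements about the same container.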
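Review bot: The comment above `finished_source_handlers_` still describes a holding list whose entries are kept alive by `active_source_handlers_`; now that the element type owns a reference, the comment should state the new lifetime contract, since that ownership is the whole point of the fix. Suggested addition after the existing sentence: `// Entries hold a reference, so a handler stays alive until it is removed from this list or the list is cleared in ClearHandlersToBeDeleted().` Note that the rendering of this page has stripped the template arguments (`Vector>`), both here and in the accessor changed at -188 in the same file; per the commit message the element type is presumably scoped_refptr around AudioHandler, so the types should be read that way rather than as typos in the patch.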