From feeaf8ecd52e7a1fd95ebf989db58e4bc2253390 Mon Sep 17 00:00:00 2001
From: Hongchan Choi
Date: Sat, 18 Jan 2020 00:24:38 +0000
Subject: [Backport] CVE-2020-6406 - Use after free in audio
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2003564 https://chromium-review.googlesource.com/c/chromium/src/+/2008320:

Add a graph lock in PannerHandler::SetPanningModel()

We need the graph lock to secure the panner backend because BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread can touch it.

(cherry picked from commit 00962dd2d61776b03be93557683d8a301e4bb572)

Test: ran two repro cases from the report over 1 hour and TSAN survived.
Bug: 1042254
Change-Id: Ie768f00455198ebd4aa376f85da4fa4a66366061
Reviewed-by: Jüri Valdmann
---
 chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc
index 4eae502e4c8..313adf9dc0e 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc
@@ -390,6 +390,11 @@ bool PannerHandler::SetPanningModel(unsigned model) {
   }
 
   if (!panner_.get() || model != panning_model_) {
+    // We need the graph lock to secure the panner backend because
+    // BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread
+    // can touch it.
+    BaseAudioContext::GraphAutoLocker context_locker(Context());
+
     // This synchronizes with process().
     MutexLocker process_locker(process_lock_);
     panner_ = Panner::Create(model, Context()->sampleRate(),
-- 
cgit v1.2.1
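Review bot: The new `GraphAutoLocker` fixes a lock order — graph lock first, then `process_lock_` — that every path holding both locks must follow, otherwise the race fix becomes a deadlock; the added comment should state this explicitly, e.g. `// Lock order: graph lock before process_lock_; keep consistent with the audio thread.` Whether the audio thread ever acquires the graph lock while already holding `process_lock_` is not visible in the hunk and should be confirmed against process() and Handle{Pre,Post}RenderTasks(). The condition `!panner_.get() || model != panning_model_` is still evaluated before either lock is taken, which is only safe while this thread is the sole writer of `panner_` and `panning_model_`. SetPanningModel begins and ends outside the hunk, so any later reads of `panner_` in the same function are not covered here.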