New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 653298 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security



Sign in to add a comment

Double-delete in BatteryMonitorImpl

Project Member Reported by dcheng@chromium.org, Oct 5 2016

Issue description

BatteryMonitorImpl is uniquely owned by the StrongBinding, so it's unsafe to delete it outside of that.
 
Probably my fault when I made StrongBinding's ctor private and introduced
MakeStrongBinding. >.>
Labels: -Pri-1 -Type-Bug -M-55 M-54 Restrict-View-SecurityTeam Pri-2 Type-Bug-Security
Status: Untriaged (was: Started)
(Tentatively tagging this as a security bug to be safe)
#1 I think this was never safe, but it's really easy to miss by accident (even more so in the past, because it used to less obvious that the object was owned unless you looked in the .h)
Cc: tguilbert@chromium.org
+tguilbert as well, who was the one who actually noticed this.

tguilbert, did you just find this with a manual search? I'm curious if there are other instances we should be fixing.
I found it (thinking it was the proper way to close a strong binding :P) using this search query:
https://cs.chromium.org/search/?q=%22delete+this%22+mojo&sq=package:chromium&type=cs

There might be a better query however.
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 6 2016

Status: Assigned (was: Untriaged)
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d2bc44e0a5c25025fbad9126003ac9e347bc723

commit 4d2bc44e0a5c25025fbad9126003ac9e347bc723
Author: dcheng <dcheng@chromium.org>
Date: Thu Oct 06 15:17:19 2016

Fix double-delete in BatteryMonitor.

BatterMonitorImpl is uniquely owned by its StrongBinding, so deleting it
directly results in a double-delete.

BUG= 653298 

Review-Url: https://codereview.chromium.org/2398833003
Cr-Commit-Position: refs/heads/master@{#423536}

[modify] https://crrev.com/4d2bc44e0a5c25025fbad9126003ac9e347bc723/device/battery/battery_monitor_impl.cc
[modify] https://crrev.com/4d2bc44e0a5c25025fbad9126003ac9e347bc723/device/battery/battery_monitor_impl.h

Labels: Merge-Request-54
Status: Fixed (was: Assigned)
I think we probably want to merge this to M54
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 7 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by dimu@chromium.org, Oct 7 2016

Labels: -Merge-Request-54 Merge-Review-54 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.
Labels: Security_Impact-Stable
Labels: -Merge-Review-54 Merge-Approved-54
This change meets the bar and is approved for merging into M54
Labels: -M-54 -Merge-Approved-54 M-55
Talked with rockot@, this doesn't need to be merged. The old StrongBinding definition is safe against this (since it didn't have a std::unique_ptr internally).

Updating labels to reflect this.
Labels: -Hotlist-Merge-review
Project Member

Comment 15 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d2bc44e0a5c25025fbad9126003ac9e347bc723

commit 4d2bc44e0a5c25025fbad9126003ac9e347bc723
Author: dcheng <dcheng@chromium.org>
Date: Thu Oct 06 15:17:19 2016

Fix double-delete in BatteryMonitor.

BatterMonitorImpl is uniquely owned by its StrongBinding, so deleting it
directly results in a double-delete.

BUG= 653298 

Review-Url: https://codereview.chromium.org/2398833003
Cr-Commit-Position: refs/heads/master@{#423536}

[modify] https://crrev.com/4d2bc44e0a5c25025fbad9126003ac9e347bc723/device/battery/battery_monitor_impl.cc
[modify] https://crrev.com/4d2bc44e0a5c25025fbad9126003ac9e347bc723/device/battery/battery_monitor_impl.h

Comment 16 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840
Labels: Release-0-M55
Project Member

Comment 18 by sheriffbot@chromium.org, Jan 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment