Fix DOMStorageNamespace UAF
Issue description

Filing a bug for a merge request for http://crrev.com/e17c5244514c97df to M69. e17c5244514c97df should fix a potential UAF around DOMStorageNamespace, which we can observe as a portion of the crashes below: https://crash.corp.google.com/browse?q=product_name+LIKE+%27Chrome%25%27+AND+STRPOS%28expanded_custom_data.ChromeCrashProto.magic_signature_1.name%2C+%27DOMStorageNamespace%27%29+%3E+0#-property-selector,+samplereports,productname:1000,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50

Jul 25

Comment 1 by sheriffbot@chromium.org, Jul 25

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26

Your change meets the bar and is auto-approved for M69. Please go ahead and merge the CL to branch 3497 manually. Please contact the milestone owner if you have questions. Owners: amineer@ (Android), kariahda@ (iOS), cindyb@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26

Please merge your change to the M69 branch 3497 by 4:00 PM PT today, so we can pick it up for next week's last M69 Dev release. Thank you.
Jul 27

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4d110229385af383d23bcdb2f16f9c391b4541b1

commit 4d110229385af383d23bcdb2f16f9c391b4541b1
Author: tzik <tzik@chromium.org>
Date: Fri Jul 27 04:56:51 2018

Keep reference to DOMStorageNamespace while it's being cloned

While DOMStorageNamespace::Clone constructs an instance, it binds it to a callback, posts it to a task runner and returns the instance as a raw pointer. Note that base::BindOnce here retains a reference to |clone| and releases the reference when the callback instance is destroyed. However, if PostTaskAndReply there failed, the callback instance is destroyed immediately and DOMStorageNamespace loses the last reference. Then, DOMStorageNamespace::Clone may return a stale pointer.

This CL converts the return value to scoped_refptr, and has Clone() keep the reference to the resulting instance.

Bug: 866456, 867306
Change-Id: Ic3a5a02e266bf55f8ad3c4f901eb1eebc2ea9d8e
Reviewed-on: https://chromium-review.googlesource.com/1146409
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#577377}
(cherry picked from commit e17c5244514c97df94a26f17ecf25af135ef6c49)
Reviewed-on: https://chromium-review.googlesource.com/1152588
Reviewed-by: Taiju Tsuiki <tzik@chromium.org>
Cr-Commit-Position: refs/branch-heads/3497@{#140}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}

[modify] https://crrev.com/4d110229385af383d23bcdb2f16f9c391b4541b1/content/browser/dom_storage/dom_storage_namespace.cc
[modify] https://crrev.com/4d110229385af383d23bcdb2f16f9c391b4541b1/content/browser/dom_storage/dom_storage_namespace.h
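The lifetime problem the commit message describes, as an added example that is not Chromium's code: std::shared_ptr stands in for scoped_refptr and for the reference base::BindOnce retains, and a hypothetical TaskRunner whose PostTask fails once shut down stands in for PostTaskAndReply failing. Both the pre-fix and the post-fix shape of Clone() are shown, and liveness is checked through a counter rather than by touching the pointer.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for the refcounted namespace; |live| counts instances
// still alive so lifetime can be checked without touching freed memory.
struct DOMStorageNamespace {
  static int live;
  DOMStorageNamespace() { ++live; }
  ~DOMStorageNamespace() { --live; }
};
int DOMStorageNamespace::live = 0;
// Hypothetical task runner: once shut down it rejects tasks, and a rejected task
// (with every reference bound into it) dies at once, the PostTaskAndReply failure case.
struct TaskRunner {
  bool shut_down = false;
  std::vector<std::function<void()>> queue;
  bool PostTask(std::function<void()> task) {
    if (shut_down) return false;  // |task| is destroyed here, releasing its bound reference
    queue.push_back(task);
    return true;
  }
};

// Before the fix: the only owning reference is the one bound into the posted
// task, and the caller gets a raw pointer.
DOMStorageNamespace* CloneBuggy(TaskRunner& runner) {
  auto clone = std::make_shared<DOMStorageNamespace>();
  runner.PostTask([clone] { /* finish initialising the clone */ });
  return clone.get();  // stale if PostTask failed: |clone| was the last reference
}
// After the fix: Clone() hands back the owning reference, so a failed post
// cannot free the object behind the caller's back.
std::shared_ptr<DOMStorageNamespace> CloneFixed(TaskRunner& runner) {
  auto clone = std::make_shared<DOMStorageNamespace>();
  runner.PostTask([clone] { /* finish initialising the clone */ });
  return clone;
}
// Each check reports whether the clone is still alive right after Clone() returns.
bool BuggyCloneSurvives(bool runner_shut_down) {
  TaskRunner runner{runner_shut_down};
  DOMStorageNamespace* raw = CloneBuggy(runner);
  (void)raw;  // deliberately never dereferenced: it may already be dangling
  return DOMStorageNamespace::live == 1;
}
bool FixedCloneSurvives(bool runner_shut_down) {
  TaskRunner runner{runner_shut_down};
  std::shared_ptr<DOMStorageNamespace> clone = CloneFixed(runner);
  return clone != nullptr && DOMStorageNamespace::live == 1;
}
```

With the runner healthy both versions keep the clone alive; with the runner shut down only the fixed version does, which is the window the stale raw pointer opened.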
Nov 1

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot