Home Explore 引导页 在线工具 Blog
Register Sign In
Pchen0
/
electron
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

chore: cherry-pick d1d654d73222 from chromium (#36677)

Pedro Pontes 2 years ago
parent
d77c0f2e23
commit
44e0345320
2 changed files with 39 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      patches/chromium/.patches
  2. 38 0
      patches/chromium/cherry-pick-d1d654d73222.patch

+ 1 - 0
patches/chromium/.patches
View File 

@@ -133,3 +133,4 @@ cherry-pick-f46db6aac3e9.patch
 
 cherry-pick-42e15c2055c4.patch
 
 cherry-pick-2ef09109c0ec.patch
 
 cherry-pick-f98adc846aad.patch
 
+cherry-pick-d1d654d73222.patch

+ 38 - 0
patches/chromium/cherry-pick-d1d654d73222.patch
View File 

@@ -0,0 +1,38 @@
 
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 
+From: Ken Rockot <[email protected]>
 
+Date: Wed, 7 Dec 2022 20:35:15 +0000
 
+Subject: Mojo: Fix potential UAF in IPC Channel
 
+
 
+(cherry picked from commit 120b4b05ac7eaa9024f677394aa663c2702174ce)
 
+
 
+Fixed: 1394692
 
+Change-Id: I1753b79eb6e9230ebb663eca47295d81dd859068
 
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4066994
 
+Commit-Queue: Ken Rockot <[email protected]>
 
+Reviewed-by: Daniel Cheng <[email protected]>
 
+Cr-Original-Commit-Position: refs/heads/main@{#1077742}
 
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4085806
 
+Commit-Queue: Rubber Stamper <[email protected]>
 
+Auto-Submit: Ken Rockot <[email protected]>
 
+Bot-Commit: Rubber Stamper <[email protected]>
 
+Cr-Commit-Position: refs/branch-heads/5359@{#1115}
 
+Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
 
+
 
+diff --git a/ipc/ipc_mojo_bootstrap.cc b/ipc/ipc_mojo_bootstrap.cc
 
+index a0bd86951a20cf2d60c7805a3a7fa687d66ca329..eb8fa358b0a72eea2e294c531549da5fc81f394c 100644
 
+--- a/ipc/ipc_mojo_bootstrap.cc
 
++++ b/ipc/ipc_mojo_bootstrap.cc
 
+@@ -629,9 +629,12 @@ class ChannelAssociatedGroupController
 
+     void OnSyncMessageEventReady() {
 
+       DCHECK(task_runner_->RunsTasksInCurrentSequence());
 
+ 
+-      scoped_refptr<Endpoint> keepalive(this);
 
++      // SUBTLE: The order of these scoped_refptrs matters.
 
++      // `controller_keepalive` MUST outlive `keepalive` because the Endpoint
 
++      // holds raw pointer to the AssociatedGroupController.
 
+       scoped_refptr<AssociatedGroupController> controller_keepalive(
 
+           controller_.get());
 
++      scoped_refptr<Endpoint> keepalive(this);
 
+       base::AutoLock locker(controller_->lock_);
 
+       bool more_to_process = false;
 
+       if (!sync_messages_.empty()) {