Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(33)

Issue 2004763002: [mojo-edk] Add some buffer checks and fix UAF on NodeChannel (Closed)

Created:
4 years, 7 months ago by Ken Rockot(use gerrit already)
Modified:
4 years, 7 months ago
Reviewers:
Oliver Chang
CC:
Aaron Boodman, abarth-chromium, ben+mojo_chromium.org, chromium-reviews, darin (slow to review), qsr+mojo_chromium.org, viettrungluu+watch_chromium.org, yzshen+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

[mojo-edk] Add some buffer checks and fix UAF on NodeChannel Adds message sanity checks at the dispatcher layer for message and data pipes. Also eliminates potential UAFs on NodeChannel by ensuring it stays alive through any delegate calls which might have otherwise deleted it. BUG=613698 Committed: https://crrev.com/99a83d5bc1df0c4d6d660dedf45c9b0e14a9df3f Cr-Commit-Position: refs/heads/master@{#395373}

Patch Set 1 #

Total comments: 2

Patch Set 2 : #

Unified diffs Side-by-side diffs Delta from patch set Stats (+59 lines, -17 lines) Patch
M mojo/edk/system/data_pipe_consumer_dispatcher.cc View 1 chunk +5 lines, -0 lines 0 comments Download
M mojo/edk/system/data_pipe_producer_dispatcher.cc View 1 chunk +6 lines, -2 lines 0 comments Download
M mojo/edk/system/message_pipe_dispatcher.cc View 1 6 chunks +40 lines, -15 lines 0 comments Download
M mojo/edk/system/node_channel.cc View 2 chunks +8 lines, -0 lines 0 comments Download

Messages

Total messages: 11 (3 generated)
Ken Rockot(use gerrit already)
PTAL - I think this should address everything in the linked bug
4 years, 7 months ago (2016-05-21 23:25:53 UTC) #2
Oliver Chang
https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc File mojo/edk/system/message_pipe_dispatcher.cc (right): https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc#newcode295 mojo/edk/system/message_pipe_dispatcher.cc:295: if (msg->num_payload_bytes() < data_payload_index + dh.num_bytes) It's possible this ...
4 years, 7 months ago (2016-05-23 17:25:14 UTC) #3
Ken Rockot(use gerrit already)
On 2016/05/23 at 17:25:14, ochang wrote: > https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc > File mojo/edk/system/message_pipe_dispatcher.cc (right): > > https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc#newcode295 ...
4 years, 7 months ago (2016-05-23 17:42:23 UTC) #4
Ken Rockot(use gerrit already)
On 2016/05/23 at 17:25:14, ochang wrote: > https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc > File mojo/edk/system/message_pipe_dispatcher.cc (right): > > https://codereview.chromium.org/2004763002/diff/1/mojo/edk/system/message_pipe_dispatcher.cc#newcode295 ...
4 years, 7 months ago (2016-05-23 17:42:23 UTC) #5
Oliver Chang
LGTM, thanks! Might be worth it to start using base::CheckedNumeric<> for things like this in ...
4 years, 7 months ago (2016-05-23 17:50:20 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2004763002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2004763002/20001
4 years, 7 months ago (2016-05-23 18:01:56 UTC) #8
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 7 months ago (2016-05-23 18:42:20 UTC) #9
commit-bot: I haz the power
4 years, 7 months ago (2016-05-23 18:44:49 UTC) #11
Message was sent while issue was closed.
Patchset 2 (id:??) landed as
https://crrev.com/99a83d5bc1df0c4d6d660dedf45c9b0e14a9df3f
Cr-Commit-Position: refs/heads/master@{#395373}

Powered by Google App Engine
This is Rietveld 408576698