content/browser/browser_child_process_host_impl.cc - Issue 2054303002: Kill child processes on bad Mojo messages

Unified Diff: content/browser/browser_child_process_host_impl.cc

Issue 2054303002: Kill child processes on bad Mojo messages (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@bad-message

Patch Set: . Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « content/browser/browser_child_process_host_impl.h ('k') | content/browser/child_process_launcher.h » ('j') | content/browser/child_process_launcher.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/browser/browser_child_process_host_impl.cc

diff --git a/content/browser/browser_child_process_host_impl.cc b/content/browser/browser_child_process_host_impl.cc

index 23f4c05c188a419299b921f272fb2a03e42042ab..58e571f9648c9e6b02350bb4b01da98076e6412f 100644

--- a/content/browser/browser_child_process_host_impl.cc

+++ b/content/browser/browser_child_process_host_impl.cc

@@ -18,6 +18,7 @@

#include "base/stl_util.h"

#include "base/strings/string_util.h"

#include "base/synchronization/waitable_event.h"

+#include "base/threading/thread_task_runner_handle.h"

#include "build/build_config.h"

#include "components/tracing/common/tracing_switches.h"

#include "content/browser/histogram_message_filter.h"

@@ -140,7 +141,8 @@ BrowserChildProcessHostImpl::BrowserChildProcessHostImpl(

mojo_child_token_(mojo_child_token),

power_monitor_message_broadcaster_(this),

is_channel_connected_(false),

- notify_child_disconnected_(false) {

+ notify_child_disconnected_(false),

+ weak_factory_(this) {

data_.id = ChildProcessHostImpl::GenerateChildProcessUniqueId();

#if USE_ATTACHMENT_BROKER

@@ -241,6 +243,9 @@ void BrowserChildProcessHostImpl::Launch(

data_.id,

this,

mojo_child_token_,

+ base::Bind(&BrowserChildProcessHostImpl::OnMojoError,

+ weak_factory_.GetWeakPtr(),

+ base::ThreadTaskRunnerHandle::Get()),

terminate_on_shutdown));

}

@@ -469,6 +474,33 @@ bool BrowserChildProcessHostImpl::IsProcessLaunched() const {

return child_process_.get() && child_process_->GetProcess().IsValid();

}

+// static

+void BrowserChildProcessHostImpl::OnMojoError(

+ base::WeakPtr<BrowserChildProcessHostImpl> process,

+ scoped_refptr<base::SingleThreadTaskRunner> task_runner,

+ const std::string& error) {

+ if (!task_runner->BelongsToCurrentThread()) {

+ task_runner->PostTask(

+ FROM_HERE, base::Bind(&BrowserChildProcessHostImpl::OnMojoError,

+ process, task_runner, error));

+ }

+ if (!process)

+ return;

+ HistogramBadMessageTerminated(process->data_.process_type);

+ if (base::CommandLine::ForCurrentProcess()->HasSwitch(

+ switches::kDisableKillAfterBadIPC)) {

+ return;

+ }

+ LOG(ERROR) << "Terminating child process for bad Mojo message: " << error;

+ // Create a memory dump with the error message aliased. This will make it easy

+ // to determine details about what interface call failed.

+ base::debug::Alias(&error);

+ base::debug::DumpWithoutCrashing();

+ process->child_process_->GetProcess().Terminate(

+ RESULT_CODE_KILLED_BAD_MESSAGE, false);

#if defined(OS_WIN)

void BrowserChildProcessHostImpl::OnObjectSignaled(HANDLE object) {

« no previous file with comments | « content/browser/browser_child_process_host_impl.h ('k') | content/browser/child_process_launcher.h » ('j') | content/browser/child_process_launcher.cc » ('J')