|
|
DescriptionRe-check existence of GuestViewContainer before requesting attach.
During GuestView attach, it's possible for the GuestViewContainer
pointer to become stale while enumerating the GuestView object's
properties, resulting in a use-after-free when the attach request is
queued.
This CL forces a re-check that the container pointer is valid after
the property enumeration takes place, and also checks that the container
hasn't changed.
In the case of AttachIFrameGuest(), it verifies that the RenderFrame
containing the GuestView object doesn't disappear during |params| enumeration.
BUG=683523
Review-Url: https://codereview.chromium.org/2695633008
Cr-Commit-Position: refs/heads/master@{#451330}
Committed: https://chromium.googlesource.com/chromium/src/+/87dd40c9b8ae1fb8c3eb15bf527ee464bd1c1bdd
Patch Set 1 #Patch Set 2 : Add checks for RenderFrame in AttachIFrameGuest. #
Total comments: 7
Patch Set 3 : Address suggestions. #Patch Set 4 : Use RenderFrameObserver instead. #Patch Set 5 : Fix Windows compile. #
Total comments: 2
Patch Set 6 : Remove unnecessary check. #
Depends on Patchset: Messages
Total messages: 42 (29 generated)
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Description was changed from ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. BUG=683523 ========== to ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. In the case of AttachIFrameGuest(), it verifies that the RenderFrame containing the GuestView object doesn't disappear during |params| enumeration. BUG=683523 ==========
wjmaclean@chromium.org changed reviewers: + kenrb@chromium.org, lfg@chromium.org
I'm not sure if we should be concerned about other null pointers in AttachIFrameGuest(), but this CL at least handles the test case in the bug.
On 2017/02/16 17:00:57, wjmaclean wrote: > I'm not sure if we should be concerned about other null pointers in > AttachIFrameGuest(), but this CL at least handles the test case in the bug. PTAL?
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc (right): https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:180: guest_view::GuestViewContainer::FromID(element_instance_id)) { GuestViewContainer already has a weak ptr factory, can you use that instead? It will be safer than comparing pointers like this. Also, I think this can be moved above just after evaluating javascript for the params, so we don't need to create the request. https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:252: // It's possible that code executed during the |params| enumeration above Can we use the same approach as above: Get the RenderFrame before executing user code, grabbing a weak ptr to it, then executing the user code and checking the weak ptr after? https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:262: // GuestView object's RenderFrame exists, that it will have a local parent? The frame comes from getIframeContentWindow in javascript. Even if the parent could be null, I think it will be just a crash, not a UaF.
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
lfg@ - I think I've addressed your suggestions (though I couldn't find a WeakPtr already in RenderFrame, so I did something a little different there). PTAL? https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc (right): https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:180: guest_view::GuestViewContainer::FromID(element_instance_id)) { On 2017/02/16 20:00:58, lfg wrote: > GuestViewContainer already has a weak ptr factory, can you use that instead? It > will be safer than comparing pointers like this. > > Also, I think this can be moved above just after evaluating javascript for the > params, so we don't need to create the request. Done. https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:252: // It's possible that code executed during the |params| enumeration above On 2017/02/16 20:00:58, lfg wrote: > Can we use the same approach as above: Get the RenderFrame before executing user > code, grabbing a weak ptr to it, then executing the user code and checking the > weak ptr after? How about if we grab the parent_frame WebLocalFrame* and hang on to that. It's use later is just as a lookup token. https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:262: // GuestView object's RenderFrame exists, that it will have a local parent? On 2017/02/16 20:00:57, lfg wrote: > The frame comes from getIframeContentWindow in javascript. Even if the parent > could be null, I think it will be just a crash, not a UaF. Acknowledged.
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
lfg@chromium.org changed reviewers: + dcheng@chromium.org
https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc (right): https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:252: // It's possible that code executed during the |params| enumeration above On 2017/02/16 21:26:16, wjmaclean wrote: > On 2017/02/16 20:00:58, lfg wrote: > > Can we use the same approach as above: Get the RenderFrame before executing > user > > code, grabbing a weak ptr to it, then executing the user code and checking the > > weak ptr after? > > How about if we grab the parent_frame WebLocalFrame* and hang on to that. It's > use later is just as a lookup token. I think this is fine, the WebFrame may be closed while executing javascript, but oilpan won't delete it immediatelly. +dcheng@ to confirm this.
On 2017/02/16 22:09:14, lfg wrote: > https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... > File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc > (right): > > https://codereview.chromium.org/2695633008/diff/20001/extensions/renderer/gue... > extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:252: // > It's possible that code executed during the |params| enumeration above > On 2017/02/16 21:26:16, wjmaclean wrote: > > On 2017/02/16 20:00:58, lfg wrote: > > > Can we use the same approach as above: Get the RenderFrame before executing > > user > > > code, grabbing a weak ptr to it, then executing the user code and checking > the > > > weak ptr after? > > > > How about if we grab the parent_frame WebLocalFrame* and hang on to that. It's > > use later is just as a lookup token. > > I think this is fine, the WebFrame may be closed while executing javascript, but > oilpan won't delete it immediatelly. > > +dcheng@ to confirm this. I think we probably don't want to rely on the implementation detail of WebFrame: it is garbage collected, but that's not something exposed publicly through the Blink API. We should consider frames to be invalid as soon as WebFrame::close() is called, even if you know it will remain around for a little while longer.
On 2017/02/16 22:29:14, dcheng wrote: > > I think we probably don't want to rely on the implementation detail of WebFrame: > it is garbage collected, but that's not something exposed publicly through the > Blink API. We should consider frames to be invalid as soon as WebFrame::close() > is called, even if you know it will remain around for a little while longer. We could just get a weak ptr to the RenderFrame instead, though I'm not sure about exposing that through the content/public interface. Alternatively, there's also the possibility of defining a RenderFrameObserver and listening for the FrameDetached callback.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
Ptal?
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: win_chromium_compile_dbg_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_comp...)
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2695633008/diff/80001/extensions/renderer/gue... File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc (right): https://codereview.chromium.org/2695633008/diff/80001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:278: if (!embedder_parent_frame) This shouldn't be needed anymore.
The CQ bit was checked by wjmaclean@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2695633008/diff/80001/extensions/renderer/gue... File extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc (right): https://codereview.chromium.org/2695633008/diff/80001/extensions/renderer/gue... extensions/renderer/guest_view/guest_view_internal_custom_bindings.cc:278: if (!embedder_parent_frame) On 2017/02/17 16:06:10, lfg wrote: > This shouldn't be needed anymore. Removed.
lgtm
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by wjmaclean@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch. Bot data: {"patchset_id": 100001, "attempt_start_ts": 1487352008264200, "parent_rev": "fe5f6cb97ac57902e159afdfe42e30b4f8cf8ebd", "commit_rev": "87dd40c9b8ae1fb8c3eb15bf527ee464bd1c1bdd"}
Message was sent while issue was closed.
Description was changed from ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. In the case of AttachIFrameGuest(), it verifies that the RenderFrame containing the GuestView object doesn't disappear during |params| enumeration. BUG=683523 ========== to ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. In the case of AttachIFrameGuest(), it verifies that the RenderFrame containing the GuestView object doesn't disappear during |params| enumeration. BUG=683523 Review-Url: https://codereview.chromium.org/2695633008 Cr-Commit-Position: refs/heads/master@{#451330} Committed: https://chromium.googlesource.com/chromium/src/+/87dd40c9b8ae1fb8c3eb15bf527e... ==========
Message was sent while issue was closed.
Committed patchset #6 (id:100001) as https://chromium.googlesource.com/chromium/src/+/87dd40c9b8ae1fb8c3eb15bf527e...
Message was sent while issue was closed.
Description was changed from ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. In the case of AttachIFrameGuest(), it verifies that the RenderFrame containing the GuestView object doesn't disappear during |params| enumeration. BUG=683523 Review-Url: https://codereview.chromium.org/2695633008 Cr-Commit-Position: refs/heads/master@{#451330} Committed: https://chromium.googlesource.com/chromium/src/+/87dd40c9b8ae1fb8c3eb15bf527e... ========== to ========== Re-check existence of GuestViewContainer before requesting attach. During GuestView attach, it's possible for the GuestViewContainer pointer to become stale while enumerating the GuestView object's properties, resulting in a use-after-free when the attach request is queued. This CL forces a re-check that the container pointer is valid after the property enumeration takes place, and also checks that the container hasn't changed. In the case of AttachIFrameGuest(), it verifies that the RenderFrame containing the GuestView object doesn't disappear during |params| enumeration. BUG=683523 Review-Url: https://codereview.chromium.org/2695633008 Cr-Commit-Position: refs/heads/master@{#451330} Committed: https://chromium.googlesource.com/chromium/src/+/87dd40c9b8ae1fb8c3eb15bf527e... ========== |