Change information
Commit message:
[M148] CRD: Fix Use-After-Free in WtsSessionProcessDelegate::Core
Original change's description:
> CRD: Fix Use-After-Free in WtsSessionProcessDelegate::Core
>
> A race condition during the shutdown of WtsSessionProcessDelegate::Core
> in the Windows Remoting Host allowed asynchronous Job object
> notifications to be processed after the object's destruction. Because
> the object pointer is stored in the Windows kernel as a raw integer,
> MiraclePtr protections were completely bypassed.
>
> This patch ensures that WtsSessionProcessDelegate::Core stays alive
> until the JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO notification is received,
> confirming that all processes in the job have exited and no further
> notifications will be sent to the completion port.
>
> Additionally, all PostTask calls in Core now use base::RetainedRef(this)
> to ensure the object is kept alive while tasks are pending on other
> threads.
>
> Bug: 501833981
> Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7773702
> Commit-Queue: Joe Downing <joe...@chromium.org>
> Reviewed-by: Yuwei Huang <yuw...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1617797}
(cherry picked from commit d426f672125bfa1f92653bd0b4ab39814b4340b5)
Bug: 504872264,501833981
Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
Cr-Commit-Position: refs/branch-heads/7778@{#1294}
Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}
Files:
- M remoting/host/win/wts_session_process_delegate.cc
Change size: M
Delta: 1 file changed, 47 insertions(+), 13 deletions(-)
Branch: refs/branch-heads/7778
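
The lifetime rule described in the commit message, shown as an added example (not code from this change or from Chromium): an object whose address is handed to a notification queue as a bare integer pins itself until the final "active process zero" message has been handled. It is a portable model only: the deque stands in for the Windows completion port, all class, function and enum names are hypothetical, and the cross-thread PostTask part of the fix is not modeled.

```cpp
// Added illustration, not Chromium code: a portable model of the lifetime rule.
// All names are hypothetical; the deque stands in for the I/O completion port.
#include <cstdint>
#include <deque>
#include <memory>
#include <utility>

enum Msg { kExitProcess, kActiveProcessZero };  // stand-ins for JOB_OBJECT_MSG_*
struct Packet { std::uintptr_t key; Msg msg; };  // key: raw pointer as an integer
std::deque<Packet> g_port;  // holds integers only, so it cannot keep Core alive

class Core : public std::enable_shared_from_this<Core> {
 public:
  static int live;  // number of Core objects currently alive
  Core() { ++live; }
  ~Core() { --live; }
  // Take a self-reference when the key is handed to the port.
  std::uintptr_t Attach() {
    pinned_ = shared_from_this();
    return reinterpret_cast<std::uintptr_t>(this);
  }
  void OnJobNotification(Msg msg) {
    if (msg == kActiveProcessZero) {
      // Last packet for this key: drop the pin via a local so destruction
      // happens only after the final member access.
      std::shared_ptr<Core> self = std::move(pinned_);
    }
  }
 private:
  std::shared_ptr<Core> pinned_;
};
int Core::live = 0;

struct Result { int live_after_owner_release, dispatched, live_after_drain; };
// Owner releases Core while two packets are still queued, then the port drains.
Result RunShutdownRace() {
  g_port.clear();
  auto core = std::make_shared<Core>();
  std::uintptr_t key = core->Attach();
  g_port.push_back({key, kExitProcess});
  g_port.push_back({key, kActiveProcessZero});
  core.reset();  // without the pin, the queued key would now dangle
  Result r{Core::live, 0, 0};
  for (; !g_port.empty(); g_port.pop_front(), ++r.dispatched) {
    Packet p = g_port.front();
    reinterpret_cast<Core*>(p.key)->OnJobNotification(p.msg);
  }
  r.live_after_drain = Core::live;
  return r;
}
```

Smart-pointer checks on the owner side cannot see the integer copy held by the queue, which is why the pin has to be released by the handler of the last message rather than by the owner.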