[M148] CRD: Fix Use-After-Free in WtsSessionProcessDelegate::Core [chromium/src : refs/branch-heads/7778]


rubber-stamper@appspot.gserviceaccount.com (Gerrit)

Apr 21, 2026, 3:03:16 PM
to Joe Downing, chrome-che...@chops-service-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromotin...@chromium.org

rubber-...@appspot.gserviceaccount.com voted

Bot-Commit+1
Commit-Queue+2
Attention set is empty
Submit Requirements:
  • Code-Owners: satisfied
  • Code-Review: satisfied
  • Lint: satisfied
  • Review-Enforcement: satisfied
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7778
Gerrit-Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
Gerrit-Change-Number: 7782772
Gerrit-PatchSet: 2
Gerrit-CC: Joe Downing <joe...@chromium.org>
Gerrit-Comment-Date: Tue, 21 Apr 2026 19:03:10 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes

Chromium LUCI CQ (Gerrit)

Apr 21, 2026, 4:37:15 PM
to Joe Downing, chrome-che...@chops-service-accounts.iam.gserviceaccount.com, rubber-...@appspot.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromotin...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:
[M148] CRD: Fix Use-After-Free in WtsSessionProcessDelegate::Core

Original change's description:
> CRD: Fix Use-After-Free in WtsSessionProcessDelegate::Core
>
> A race condition during the shutdown of WtsSessionProcessDelegate::Core
> in the Windows Remoting Host allowed asynchronous Job object
> notifications to be processed after the object's destruction. Because
> the object pointer is stored in the Windows kernel as a raw integer,
> MiraclePtr protections were completely bypassed.
>
> This patch ensures that WtsSessionProcessDelegate::Core stays alive
> until the JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO notification is received,
> confirming that all processes in the job have exited and no further
> notifications will be sent to the completion port.
>
> Additionally, all PostTask calls in Core now use base::RetainedRef(this)
> to ensure the object is kept alive while tasks are pending on other
> threads.
>
> Bug: 501833981
> Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7773702
> Commit-Queue: Joe Downing <joe...@chromium.org>
> Reviewed-by: Yuwei Huang <yuw...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1617797}

(cherry picked from commit d426f672125bfa1f92653bd0b4ab39814b4340b5)
Bug: 504872264,501833981
Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
Cr-Commit-Position: refs/branch-heads/7778@{#1294}
Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}
Files:
  • M remoting/host/win/wts_session_process_delegate.cc
Change size: M
Delta: 1 file changed, 47 insertions(+), 13 deletions(-)
Branch: refs/branch-heads/7778
Gerrit-MessageType: merged
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7778
Gerrit-Change-Id: I5dbfc73acf22425f038a381fd852baeaba3ef0d9
Gerrit-Change-Number: 7782772
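
The lifetime rule from the commit message, as an added example that is not code from the Chromium change: an object whose address is handed out as a raw integer key pins itself until the final notification arrives, so a late notification never dereferences freed memory. It is a portable simulation; `Port`, `Msg`, `Core::Associate`, `Drain` and `g_live_cores` are hypothetical names, a `std::deque` stands in for the Windows completion port, and `std::shared_ptr` stands in for Chromium's reference counting.

```cpp
#include <cstdint>
#include <deque>
#include <memory>
#include <utility>

// Constructed stand-in for the completion port: the key is a plain integer,
// so the port holds no reference on the object the key points to.
enum Msg { kExitProcess, kActiveProcessZero };
using Port = std::deque<std::pair<std::uintptr_t, Msg>>;
int g_live_cores = 0;  // number of Core objects that currently exist

class Core : public std::enable_shared_from_this<Core> {
 public:
  Core() { ++g_live_cores; }
  ~Core() { --g_live_cores; }
  // Pin this object, then hand its address out as the integer key.
  std::uintptr_t Associate() {
    keep_alive_ = shared_from_this();
    return reinterpret_cast<std::uintptr_t>(this);
  }
  void OnJobNotification(Msg msg) {
    if (msg != kActiveProcessZero) return;
    // Final message for this job: drop the pin. Nothing touches |this| after.
    std::shared_ptr<Core> last = std::move(keep_alive_);
  }

 private:
  std::shared_ptr<Core> keep_alive_;
};

// I/O-thread side: turn each integer key back into a pointer and dispatch.
int Drain(Port& port) {
  int dispatched = 0;
  for (; !port.empty(); ++dispatched) {
    auto entry = port.front();
    port.pop_front();
    reinterpret_cast<Core*>(entry.first)->OnJobNotification(entry.second);
  }
  return dispatched;
}

int main() {
  auto core = std::make_shared<Core>();
  std::uintptr_t key = core->Associate();
  Port port = {{key, kExitProcess}, {key, kActiveProcessZero}};
  core.reset();  // owner lets go during shutdown; the pin keeps Core alive
  return Drain(port) == 2 && g_live_cores == 0 ? 0 : 1;
}
```

Without the assignment in `Associate()`, `core.reset()` would destroy the object while two keys for it are still queued, which is the ordering the commit message describes.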