[M148] [DC] Fix UAF in DigitalIdentityMultiStepDialog::TryShow [chromium/src : refs/branch-heads/7778]


Chromium LUCI CQ (Gerrit)

Jun 12, 2026, 1:49:54 PM (2 days ago) Jun 12

Chromium LUCI CQ submitted the change

Change information

Commit message:
[M148] [DC] Fix UAF in DigitalIdentityMultiStepDialog::TryShow

Original change's description:
> [DC] Fix UAF in DigitalIdentityMultiStepDialog::TryShow
>
> The dialog object could be synchronously destroyed during a nested
> message loop spun by exiting HTML fullscreen mode in
> `ShowWebModalDialogViews`. This causes a write-after-free when
> `TryShow` returns and attempts to assign the returned widget to
> `this->dialog_`.
>
> This CL introduces a `base::WeakPtrFactory` to
> `DigitalIdentityMultiStepDialog` and checks the liveness of `this`
> using a `WeakPtr` before accessing member variables after the dialog
> creation call returns.
>
> Fixed: 519728275
> Change-Id: Ifc3bf9eaa5bfa501d3e8d967df5c8252a6fdcad9
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7914992
> Commit-Queue: Rafał Godlewski <rg...@google.com>
> Commit-Queue: Mohamed Amir Yosef <ma...@chromium.org>
> Reviewed-by: Rafał Godlewski <rg...@google.com>
> Cr-Commit-Position: refs/heads/main@{#1644566}

(cherry picked from commit 4059bc49eb1209be38510ad6fe4dba00fd8c1771)
Bug: 522600534,519728275
Change-Id: Ifc3bf9eaa5bfa501d3e8d967df5c8252a6fdcad9
Reviewed-by: Mohamed Amir Yosef <ma...@chromium.org>
Reviewed-by: Adem Derinel <der...@google.com>
Commit-Queue: Mohamed Amir Yosef <ma...@chromium.org>
Cr-Commit-Position: refs/branch-heads/7778@{#4341}
Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}
Files:
  • M chrome/browser/ui/views/digital_credentials/digital_identity_multi_step_dialog.cc
  • M chrome/browser/ui/views/digital_credentials/digital_identity_multi_step_dialog.h
Change size: S
Delta: 2 files changed, 13 insertions(+), 3 deletions(-)
Branch: refs/branch-heads/7778
Submit Requirements:
  • Code-Review: +1 by Mohamed Amir Yosef, +1 by Adem Derinel (requirement satisfied)
Gerrit-MessageType: merged
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7778
Gerrit-Change-Id: Ifc3bf9eaa5bfa501d3e8d967df5c8252a6fdcad9
Gerrit-Change-Number: 7933067
Gerrit-PatchSet: 5
Gerrit-Reviewer: Adem Derinel <der...@google.com>
Gerrit-Reviewer: Chromium LUCI CQ <chromiu...@luci-project-accounts.iam.gserviceaccount.com>
Gerrit-Reviewer: Mohamed Amir Yosef <ma...@chromium.org>
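
The liveness check described in the commit message, shown as an added C++ example that is not the Chromium change itself. `Dialog`, `Widget` and `ShowModal` are hypothetical stand-ins, and a `std::shared_ptr` token observed through `std::weak_ptr` substitutes for `base::WeakPtrFactory` and `base::WeakPtr` so the block builds without Chromium's base library.

```cpp
#include <functional>
#include <memory>

struct Widget {};  // hypothetical stand-in for the widget the show call returns

// Stand-in for a show call that spins a nested message loop: pending work
// (which may delete the dialog) runs before the widget is returned.
Widget* ShowModal(const std::function<void()>& nested_work) {
  static Widget widget;
  nested_work();
  return &widget;
}

class Dialog {
 public:
  // Returns true only if the dialog outlived the show call and kept the widget.
  bool TryShow(const std::function<void()>& nested_work) {
    // Take the weak handle first; no member is touched after the call until it is checked.
    std::weak_ptr<int> weak_this = alive_;
    Widget* widget = ShowModal(nested_work);
    if (weak_this.expired()) {
      return false;  // destroyed in the nested loop; storing would write freed memory
    }
    dialog_ = widget;
    return true;
  }
  bool has_widget() const { return dialog_ != nullptr; }

 private:
  Widget* dialog_ = nullptr;
  // Liveness token released by the destructor (assumed analogue of a weak-pointer factory).
  std::shared_ptr<int> alive_ = std::make_shared<int>(0);
};

// The nested work deletes the dialog; TryShow must report that nothing was stored.
bool DestroyedDuringShowIsDetected() {
  Dialog* dialog = new Dialog();
  return !dialog->TryShow([dialog] { delete dialog; });
}

// Nothing reentrant happens; the widget is stored as usual.
bool SurvivingDialogStoresWidget() {
  Dialog dialog;
  return dialog.TryShow([] {}) && dialog.has_widget();
}

int main() {
  return DestroyedDuringShowIsDetected() && SurvivingDialogStoresWidget() ? 0 : 1;
}
```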