Extensions: WT: Fix UAF in WebTransport proxy during profile teardown [chromium/src : main]
0 views
Skip to first unread message
Solomon Kinard (Gerrit)
2:12 AM (15 hours ago) 2:12 AM
to chromium...@chromium.org, chromium-a...@chromium.org, extension...@chromium.org
Solomon Kinard has uploaded the change for review![]( "Open in Gerrit")
Commit message
Extensions: WT: Fix UAF in WebTransport proxy during profile teardown
When an Incognito window is closed, hanging WebTransport connections
can cause the proxy to outlive its associated `BrowserContext`.
Because `WebRequestAPI` spans both regular and Incognito profiles,
proxies tied to the Incognito context miss the standard KeyedService
shutdown event. When the hanging network connection eventually times
out or errors, the proxy attempts to access the destroyed
`BrowserContext`, triggering a fatal BackupRefPtr (BRP) Use-After-Free
crash.
This CL fixes the Use-After-Free by:
1. Introducing `WebRequestProxyingWebTransportShutdownNotifierFactory`
to proactively listen for the specific `BrowserContext`'s
destruction.
2. Updating `WebTransportHandshakeProxy` to subscribe to this notifier
and cleanly self-destruct (and sever its Mojo pipes) before the
profile memory is quarantined.
3. Adding factory dependencies to ensure `WebRequestEventRouterFactory`
outlives `WebRequestAPI` so network errors can be safely broadcasted
during the teardown sequence.
Additionally, a comprehensive regression test is added to
deterministically race asynchronous cross-process WebTransport Mojo
network errors against Incognito profile destruction.
Bug: 483990346
Change-Id: Iba66e007ad74ebc48f60b3824e9a27d162f519cd
Change diff
Change information
Files:
- M chrome/browser/extensions/api/web_request/web_request_apitest.cc
- M extensions/browser/BUILD.gn
- M extensions/browser/api/api_browser_context_keyed_service_factories.cc
- M extensions/browser/api/web_request/web_request_api.h
- M extensions/browser/api/web_request/web_request_proxying_webtransport.cc
- A extensions/browser/api/web_request/web_request_proxying_webtransport_shutdown_notifier_factory.cc
- A extensions/browser/api/web_request/web_request_proxying_webtransport_shutdown_notifier_factory.h
Change size: M
Delta: 7 files changed, 208 insertions(+), 2 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Solomon Kinard (Gerrit)
10:15 AM (7 hours ago) 10:15 AM
to Devlin Cronin, Ryan Sultanem, Chromium LUCI CQ, chromium...@chromium.org, chromium-a...@chromium.org, extension...@chromium.org
Attention needed from Devlin Cronin
Solomon Kinard added 1 comment![]( "Open in Gerrit")
Patchset-level comments
Related details
Attention is currently required from:
- Devlin Cronin
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Devlin Cronin (Gerrit)
1:52 PM (3 hours ago) 1:52 PM
to Solomon Kinard, Andrea Orru, Ryan Sultanem, Chromium LUCI CQ, chromium...@chromium.org, chromium-a...@chromium.org, extension...@chromium.org, Devlin Cronin
Attention needed from Andrea Orru
Devlin Cronin added 1 comment![]( "Open in Gerrit")
Patchset-level comments
Devlin Cronin . resolved
Thanks, Solomon!
webRequest -> andreaorru
(Feel free to add me back if there's anything that needs my specific review)
Related details
Attention is currently required from:
- Andrea Orru
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages