wayland: Fix UAF in OnTabletToolProximityIn [chromium/src : main]
0 views
Skip to first unread message
Thomas Anderson (Gerrit)
May 15, 2026, 12:41:35 PM (9 days ago) May 15
to Phil Yan, chromium...@chromium.org, nickdiego+wa...@igalia.com, max+watc...@igalia.com, ozone-...@chromium.org
Attention needed from Phil Yan
Thomas Anderson has uploaded the change for review![]( "Open in Gerrit")
Thomas Anderson would like Phil Yan to review this change.
Commit message
wayland: Fix UAF in OnTabletToolProximityIn
Synchronous event dispatch during OnTabletToolProximityOut can trigger
a nested message loop, which may result in the destruction of the
WaylandWindow. Using a raw pointer after this call leads to a
Use-After-Free.
This CL fixes this by using a WeakPtr to re-validate the window's
existence before proceeding with the event dispatch.
R=phi...@chromium.org
Bug: 400494056
Change-Id: I4c4bdf2ff55b3d21356514a1350b85c58c4fbeed
Change diff
Change information
Files:
- M ui/ozone/platform/wayland/host/wayland_event_source.cc
- M ui/ozone/platform/wayland/host/wayland_event_source_unittest.cc
Change size: S
Delta: 2 files changed, 38 insertions(+), 0 deletions(-)
Related details
Attention is currently required from:
- Phil Yan
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas Anderson (Gerrit)
May 15, 2026, 12:42:59 PM (9 days ago) May 15
to Lei Zhang, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Attention needed from Lei Zhang
Thomas Anderson voted![]( "Open in Gerrit")
Attention is currently required from:
- Lei Zhang
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lei Zhang (Gerrit)
May 15, 2026, 12:59:27 PM (9 days ago) May 15
to Thomas Anderson, Lei Zhang, android-bu...@system.gserviceaccount.com, Chromium LUCI CQ, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Attention needed from Thomas Anderson
Lei Zhang voted and added 3 comments![]( "Open in Gerrit")
Votes added by Lei Zhang
| Code-Review | +1 |
3 comments
Commit Message
File ui/ozone/platform/wayland/host/wayland_event_source.cc
Line 592, Patchset 3 (Latest):
if (!window_weak) {Lei Zhang . unresolved
Should this be immediately after line 589? i.e. If that line doesn't run, then the WeakPtr should stay valid.
File ui/ozone/platform/wayland/host/wayland_event_source_unittest.cc
Line 390, Patchset 3 (Latest):
// Set up delegate1 to destroy window2 when it receives kMouseExited.Lei Zhang . unresolved
Wrap variable names in backticks.
Related details
Attention is currently required from:
- Thomas Anderson
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas Anderson (Gerrit)
May 15, 2026, 4:17:08 PM (9 days ago) May 15
to Lei Zhang, android-bu...@system.gserviceaccount.com, Chromium LUCI CQ, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Thomas Anderson voted and added 3 comments![]( "Open in Gerrit")
Votes added by Thomas Anderson
| Auto-Submit | +0 |
| Commit-Queue | +2 |
3 comments
Commit Message
File ui/ozone/platform/wayland/host/wayland_event_source.cc
Should this be immediately after line 589? i.e. If that line doesn't run, then the WeakPtr should stay valid.
Thomas Anderson
Done
File ui/ozone/platform/wayland/host/wayland_event_source_unittest.cc
Line 390, Patchset 3:
// Set up delegate1 to destroy window2 when it receives kMouseExited.Lei Zhang . resolved
Wrap variable names in backticks.
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
May 15, 2026, 5:38:18 PM (9 days ago) May 15
to Thomas Anderson, Lei Zhang, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Chromium LUCI CQ submitted the change with unreviewed changes![]( "Open in Gerrit")
Unreviewed changes
3 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: ui/ozone/platform/wayland/host/wayland_event_source_unittest.cc
Insertions: 6, Deletions: 5.
@@ -383,14 +383,15 @@
auto window2 = CreateWaylandWindowWithParams(PlatformWindowType::kWindow,
kDefaultBounds, &delegate2);
- // Set window1 as focused.
+ // Set `window1` as focused.
event_source->OnTabletToolProximityIn(window1.get(), gfx::PointF(), {},
base::TimeTicks::Now());
- // Set up delegate1 to destroy window2 when it receives kMouseExited.
- // When window1 is the tablet_tool_focused_window_, calling
- // OnTabletToolProximityIn(window2) will call OnTabletToolProximityOut(),
- // which dispatches kMouseExited to window1.
+ // Set up `delegate1` to destroy `window2` when it receives `kMouseExited`.
+ // When `window1` is the `tablet_tool_focused_window_`, calling
+ // `OnTabletToolProximityIn(window2)` will call `OnTabletToolProximityOut()`,
+ // which dispatches `kMouseExited` to `window1`.
+
EXPECT_CALL(delegate1, DispatchEvent(::testing::_))
.WillOnce([&](Event* event) {
if (event->type() == EventType::kMouseExited) {
```
```
The name of the file: ui/ozone/platform/wayland/host/wayland_event_source.cc
Insertions: 1, Deletions: 1.
@@ -583,8 +583,8 @@
const gfx::PointF& location,
const PointerDetails& details,
base::TimeTicks time) {
- base::WeakPtr<WaylandWindow> window_weak = window->AsWeakPtr();
WaylandWindow* old_focus = tablet_tool_focused_window_.get();
+ base::WeakPtr<WaylandWindow> window_weak = window->AsWeakPtr();
if (old_focus && old_focus != window) {
OnTabletToolProximityOut(time);
}
```
Change information
Commit message:
wayland: Fix UAF in OnTabletToolProximityIn
Synchronous event dispatch during OnTabletToolProximityOut can trigger
a nested message loop, which may result in the destruction of the
WaylandWindow. Using a raw pointer after this call leads to a
Use-After-Free.
This CL fixes this by using a WeakPtr to re-validate the window's
existence before proceeding with the event dispatch.
Fixed: 513454018
Change-Id: I4c4bdf2ff55b3d21356514a1350b85c58c4fbeed
Commit-Queue: Thomas Anderson <thomasa...@chromium.org>
Reviewed-by: Lei Zhang <the...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1631573}
Files:
- M ui/ozone/platform/wayland/host/wayland_event_source.cc
- M ui/ozone/platform/wayland/host/wayland_event_source_unittest.cc
Change size: S
Delta: 2 files changed, 39 insertions(+), 0 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Lei Zhang
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages