chore: cherry-pick 0e36d324d6ef from chromium #29777
Merged
[M86-LTS] BFCache: remove a controllee stored in bfcached_controllee_map_
This CL fixes the UAF that happens with the following case:
Let's assume we have 2 service workers (sw1.js and sw2.js) registered
in the same page. When the second service worker (sw2.js) is
registered, ServiceWorkerContainerHost::UpdateController() is called
and the previous SWVersion (sw1.js) removes a controllee from
controllee_map_. If BackForwardCache is enabled, a controllee is stored
in bfcached_controllee_map_ instead and the controllee will not be
removed in ServiceWorkerContainerHost::UpdateController().
When ServiceWorkerContainerHost::UpdateController() is called and
keeps a controllee in bfcached_controllee_map_, and a page navigates to
a different page (evicts BFCache), use-after-free (UAF) happens.

This CL updates ServiceWorkerContainerHost::UpdateController()
to remove a controllee from bfcached_controllee_map_ if it exists.

(cherry picked from commit a2414a05a486ca0ad18ba4caf78e883a668a0555)
(cherry picked from commit 7cd7f6741fc4491c2f7ef21052a370ee23887e37)
Bug: 1212618
Change-Id: I13e023e6d273268a08ea9276a056f7f5acba39cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2919020
Commit-Queue: Asami Doi asamidoi@chromium.org
Reviewed-by: Matt Falkenhagen falken@chromium.org
Cr-Original-Original-Commit-Position: refs/heads/master@{#887109}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2929401
Reviewed-by: Krishna Govind govind@chromium.org
Reviewed-by: Ben Mason benmason@chromium.org
Reviewed-by: Prudhvi Kumar Bommana pbommana@google.com
Commit-Queue: Krishna Govind govind@chromium.org
Owners-Override: Krishna Govind govind@chromium.org
Cr-Original-Commit-Position: refs/branch-heads/4472@{#1375}
Cr-Original-Branched-From: 3d60439cfb36485e76a1c5bb7f513d3721b20da1-refs/heads/master@{#870763}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2948660
Owners-Override: Victor-Gabriel Savu vsavu@google.com
Reviewed-by: Artem Sumaneev asumaneev@google.com
Commit-Queue: Victor-Gabriel Savu vsavu@google.com
Cr-Commit-Position: refs/branch-heads/4240@{#1663}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Notes: Security: backported fix for CVE-2021-30544.
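The commit message describes a bookkeeping bug: the old service worker version keeps a controllee entry in a second map (bfcached_controllee_map_) that UpdateController() never cleaned up, so a stale pointer survives until BFCache eviction frees the controllee. The following is an added, deliberately simplified model written for this page; it is not Chromium code and the class names, method signatures and the `SimulateUpdateController` driver are assumptions that only mirror the two-map structure named in the message. It shows how cleaning only `controllee_map_` leaves a dangling entry behind, and how erasing from both maps (the fix) removes it.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-in for the object a ServiceWorkerVersion tracks.
struct Controllee {
  std::string client_id;
};

// Hypothetical stand-in for ServiceWorkerVersion: holds raw (non-owning)
// pointers in two maps, like the controllee_map_ / bfcached_controllee_map_
// pair described in the commit message.
class Version {
 public:
  void AddControllee(Controllee* c) { controllee_map_[c->client_id] = c; }

  // Page enters BFCache: the entry moves from the active map to the bfcache map.
  void MoveControlleeToBfcache(const std::string& id) {
    auto it = controllee_map_.find(id);
    if (it == controllee_map_.end()) return;
    bfcached_controllee_map_[id] = it->second;
    controllee_map_.erase(it);
  }

  // Old behaviour: only the active map is cleaned.
  // Fixed behaviour: the bfcached map is cleaned as well, if the entry exists.
  void RemoveControllee(const std::string& id, bool fixed) {
    controllee_map_.erase(id);
    if (fixed) bfcached_controllee_map_.erase(id);
  }

  // Counts entries in either map that still point at `target`; after `target`
  // is destroyed, every such entry is a dangling pointer.
  std::size_t EntriesReferencing(const Controllee* target) const {
    std::size_t n = 0;
    for (const auto& kv : controllee_map_) n += (kv.second == target);
    for (const auto& kv : bfcached_controllee_map_) n += (kv.second == target);
    return n;
  }

 private:
  std::map<std::string, Controllee*> controllee_map_;
  std::map<std::string, Controllee*> bfcached_controllee_map_;
};

// Hypothetical driver replaying the scenario from the commit message:
// sw1 controls the page, the page is bfcached, then sw2 takes over via
// UpdateController(). Returns how many entries in sw1 still reference the
// controllee afterwards; with the fix this must be zero so that destroying
// the controllee on BFCache eviction cannot leave a dangling pointer.
std::size_t SimulateUpdateController(bool fixed) {
  Version sw1;   // previous version (sw1.js)
  Version sw2;   // newly registered version (sw2.js)
  auto controllee = std::make_unique<Controllee>(Controllee{"client-1"});

  sw1.AddControllee(controllee.get());
  sw1.MoveControlleeToBfcache("client-1");        // BFCache enabled path

  // UpdateController(): controller switches from sw1 to sw2.
  sw1.RemoveControllee("client-1", fixed);
  sw2.AddControllee(controllee.get());

  return sw1.EntriesReferencing(controllee.get());
  // `controllee` is destroyed here; a non-zero count means sw1 now holds a
  // dangling pointer, which is the UAF precondition the CL removes.
}

int main() {
  std::cout << "stale entries without fix: " << SimulateUpdateController(false)
            << "\nstale entries with fix:    " << SimulateUpdateController(true)
            << '\n';
  return 0;
}
```

The model keeps raw pointers on purpose: it shows the invariant the fix restores (no version may retain an entry for a controllee it no longer controls, in either map) without dereferencing anything after destruction. In a real code base the same property is what an ASan test or a DCHECK on map emptiness at version teardown would catch.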