chore: cherry-pick 0e36d324d6ef from chromium #29777
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ppontes
added
11-x-y
backport-check-skip
electron-cation
bot
added
new-pr 🌱
nornagon
approved these changes
Jun 18, 2021
zcbenz
approved these changes
Jun 21, 2021
|
Release Notes Persisted
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[M86-LTS] BFCache: remove a controllee stored in
bfcached_controllee_map_This CL fixes the UAF that happens with the following case:
Let's assume we have 2 service workers (sw1.js and sw2.js) are
registered in the same page. When the second service worker (sw2.js) is
registered, ServiceWorkerContainerHost::UpdateController() is called
and the previous SWVersion (sw1.js) removes a controllee from
controllee_map_. If BackForwardCache is enabled, a controllee isstored in
bfcached_controllee_map_instead and the controllee willnot be removed in ServiceWorkerContainerHost::UpdateController().
When ServiceWorkerContainerHost::UpdateController() is called and
keep a controllee in
bfcached_controllee_map_, and a page navigates toa different page (evicts BFCache), use-after-free (UAF) happens.
This CL updates ServiceWorkerContainerHost::UpdateController()
to remove a controllee from
bfcached_controllee_map_if it exists.(cherry picked from commit a2414a05a486ca0ad18ba4caf78e883a668a0555)
(cherry picked from commit 7cd7f6741fc4491c2f7ef21052a370ee23887e37)
Bug: 1212618
Change-Id: I13e023e6d273268a08ea9276a056f7f5acba39cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2919020
Commit-Queue: Asami Doi asamidoi@chromium.org
Reviewed-by: Matt Falkenhagen falken@chromium.org
Cr-Original-Original-Commit-Position: refs/heads/master@{#887109}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2929401
Reviewed-by: Krishna Govind govind@chromium.org
Reviewed-by: Ben Mason benmason@chromium.org
Reviewed-by: Prudhvi Kumar Bommana pbommana@google.com
Commit-Queue: Krishna Govind govind@chromium.org
Owners-Override: Krishna Govind govind@chromium.org
Cr-Original-Commit-Position: refs/branch-heads/4472@{#1375}
Cr-Original-Branched-From: 3d60439cfb36485e76a1c5bb7f513d3721b20da1-refs/heads/master@{#870763}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2948660
Owners-Override: Victor-Gabriel Savu vsavu@google.com
Reviewed-by: Artem Sumaneev asumaneev@google.com
Commit-Queue: Victor-Gabriel Savu vsavu@google.com
Cr-Commit-Position: refs/branch-heads/4240@{#1663}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Notes: Security: backported fix for CVE-2021-30544.