Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ensure guest-embedder map is updated when webview is removed #23342

Merged
merged 1 commit into from May 1, 2020
Merged

fix: ensure guest-embedder map is updated when webview is removed #23342

merged 1 commit into from May 1, 2020

Conversation

deepak1556
Copy link
Member

@deepak1556 deepak1556 commented Apr 30, 2020
edited

Description of Change

There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref:

microsoft/vscode#92420
microsoft/vscode#96492

I was unable to isolate a test case to add for this.

Checklist

Release Notes

Notes: fix crash with webview during some window management events like resize, scroll etc.

@deepak1556 deepak1556 requested review from zcbenz and a team April 30, 2020 02:33
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Apr 30, 2020
@deepak1556 deepak1556 force-pushed the robo/fix_webview_desctruction_patch branch from b4ab9dc to cde4b6e Compare April 30, 2020 02:37
@deepak1556
fix: ensure guest-embedder map is updated when webview is removed
eef55a9 
There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref: microsoft/vscode#92420
@deepak1556 deepak1556 force-pushed the robo/fix_webview_desctruction_patch branch from cde4b6e to eef55a9 Compare April 30, 2020 10:18
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label May 1, 2020
@deepak1556 deepak1556 merged commit c438b93 into master May 1, 2020
@release-clerk
Copy link

release-clerk bot commented May 1, 2020

Release Notes Persisted

fix crash with webview during some window management events like resize, scroll etc.

@deepak1556 deepak1556 deleted the robo/fix_webview_desctruction_patch branch May 1, 2020 04:33
@trop
Copy link
Contributor

trop bot commented May 1, 2020

I was unable to backport this PR to "7-2-x" cleanly;
you will need to perform this backport manually.

@trop
Copy link
Contributor

trop bot commented May 1, 2020

I was unable to backport this PR to "8-x-y" cleanly;
you will need to perform this backport manually.

@trop trop bot mentioned this pull request May 1, 2020
Merged
@trop
Copy link
Contributor

trop bot commented May 1, 2020

I have automatically backported this PR to "9-x-y", please check out #23374

deepak1556 added a commit that referenced this pull request May 4, 2020
@deepak1556
fix: ensure guest-embedder map is updated when webview is removed (#2…
ca41b33 
…3342)

There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref: microsoft/vscode#92420
@deepak1556 deepak1556 mentioned this pull request May 4, 2020
Merged
6 tasks
@trop
Copy link
Contributor

trop bot commented May 4, 2020

@deepak1556 has manually backported this PR to "8-x-y", please check out #23397

deepak1556 added a commit that referenced this pull request May 4, 2020
@deepak1556
fix: ensure guest-embedder map is updated when webview is removed (#2…
ed35e64 
…3342)

There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref: microsoft/vscode#92420
@deepak1556 deepak1556 mentioned this pull request May 4, 2020
Merged
6 tasks
@trop
Copy link
Contributor

trop bot commented May 4, 2020

@deepak1556 has manually backported this PR to "7-2-x", please check out #23398

deepak1556 added a commit that referenced this pull request May 4, 2020
@deepak1556
fix: ensure guest-embedder map is updated when webview is removed (#2…
c7f1319 
…3342) (#23398)

There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref: microsoft/vscode#92420
deepak1556 added a commit that referenced this pull request May 4, 2020
@deepak1556
fix: ensure guest-embedder map is updated when webview is removed (#2…
30ae6f4 
…3342) (#23397)

There are use cases of webview where the container holding the webview is not
actually destroyed first, instead just webview gets removed from DOM, in such
situations the browser process map is not updated accordingly and holds reference
to stale guest contents, and any window operations like scroll, resize or keyboard
events that has to chain through browser embedder will lead to UAF crash.

Ref: microsoft/vscode#92420
@pelmers
Copy link

pelmers commented May 4, 2020

thanks once more for the quick fix @deepak1556
Do you know when to expect a new version of Electron 7.2 containing this patch to be released?

@deepak1556
Copy link
Member Author

Not sure of the timeline, but there will be one out sometime this week.

@Linskeyd
Copy link

@deepak1556 thanks again for the fix here. Any updates on when a new 7.2 release will be made? Looks like it is these 14 commits (which includes this one) that haven't been released as a part of 7.2 yet: v7.2.4...7-2-x

@bestander
Copy link

This is be released in 7.3.0 https://github.com/electron/electron/commits/v7.3.0/lib/browser/guest-view-manager.js

But looks like 7.2.4 is the last 7.2 release?

@bestander
Copy link

I guess for vscode it is not relevant since it's switched to 8.3 now?

@deepak1556
Copy link
Member Author

vscode has reverted to Electron 7 for the upcoming release due to performance concerns with Electron 8. I have updated the version to 7.3.0 to pick up this fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zcbenz zcbenz zcbenz approved these changes

@codebytere codebytere codebytere approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@deepak1556 @pelmers @Linskeyd @bestander @zcbenz @codebytere