Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick 6b2643846ae3 from chromium #33167

Merged
merged 2 commits into from Mar 8, 2022
Merged

chore: cherry-pick 6b2643846ae3 from chromium #33167

merged 2 commits into from Mar 8, 2022

Conversation

nornagon
Copy link
Member

@nornagon nornagon commented Mar 7, 2022
edited

[M96-LTS] Guard BatchingMediaLog::event_handlers_ with lock

It seems that despite MediaLog::OnWebMediaPlayerDestroyed and
MediaLog::AddLogRecord both grabbing a lock,
BatchingMediaLog::AddLogRecordLocked can escape the lock handle by
posting BatchingMediaLog::SendQueuedMediaEvents, causing a race.

When the addition of an event is interrupted by the deletion of a player
due to player culling in MediaInspectorContextImpl, a UAF can occur.

R=​dalecurtis

(cherry picked from commit 34526c3d0a857a22618e4d77c7f63b5ca6f8d3d2)

Bug: 1295786
Change-Id: I77df94988f806e4d98924669d27860e50455299d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3451494
Commit-Queue: Ted (Chromium) Meyer tmathmeyer@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#970815}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3483655
Reviewed-by: Victor-Gabriel Savu vsavu@google.com
Owners-Override: Victor-Gabriel Savu vsavu@google.com
Commit-Queue: Roger Felipe Zanoni da Silva rzanoni@google.com
Cr-Commit-Position: refs/branch-heads/4664@{#1508}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}

Notes: Security: backported fix for 1295786.

@nornagon nornagon requested review from a team as code owners March 7, 2022 18:27
@nornagon nornagon added 14-x-y backport-check-skip Skip trop's backport validity checking semver/patch backwards-compatible bug fixes labels Mar 7, 2022
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Mar 7, 2022
@nornagon nornagon merged commit c3c2d84 into 14-x-y Mar 8, 2022
@nornagon nornagon deleted the cherry-pick/14-x-y/chromium/6b2643846ae3 branch March 8, 2022 00:52
@release-clerk
Copy link

release-clerk bot commented Mar 8, 2022

Release Notes Persisted

Security: backported fix for 1295786.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkleinsc jkleinsc jkleinsc approved these changes

Assignees
No one assigned
Labels
14-x-y backport-check-skip Skip trop's backport validity checking security 🔒 semver/patch backwards-compatible bug fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@nornagon @jkleinsc