Commit
[DanglingPtr] Fix UaFs with SidePanelEntry observation
This change addresses the UaF cases we were having with the multisource observation for `SidePanelEntry` on `SidebarContainerView`. The main issue we were having is that we can't precisely be notified of when a given `SidePanelEntry` is going out of scope, and in many cases the instances would be destroyed before the lifetime of `SidebarContainerView`. In such cases, the observation would be kept around in the multisource observer, and eventually would cause a UaF, as the multisource observer was being destroyed and trying to remove the outstanding observations that were dangling.

`SidePanelEntry` observations do dangle in upstream. That's the model they have for the lifetimes: FeatureFoo is destroyed before `SidePanelEntry`. There are exactly 2 ways for a `SidePanelEntry` to be destroyed in Chromium: FeatureFoo destroys it via Deregister, or `SidePanelRegistry` is destroyed before `FeatureFoo`. `SidebarContainerView` cannot in a reliable way keep track of these guarantees.

This change adds a few customisations to `SidePanelRegistry`, namely an `Observer` that allows communicating that `SidePanelRegistry` is going out of scope, as well as an event for `SidePanelEntry` going out of scope.

With `SidePanelRegistry`, we want to keep observations to it entirely in sync. That means that when a registry is destroyed, the observation is removed, but also when `SidebarContainerView` is destroyed, all observations are cancelled.

With `SidePanelEntry`, though, observation management can be a bit more passive. We want to add observations to the entries, and we want to avoid double observations. However, calling `RemoveObserver` is something we don't have to do, and merely dropping it from the set is good enough.

These customisation points are indeed cumbersome, but at this point it is the only way it can be guaranteed that all observations for individual entries in each individual registry are accounted for.

Resolves brave/brave-browser#39053
Resolves brave/brave-browser#41924
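The lifetime model the commit message describes, reduced to plain C++ as an added example that is not part of this commit or of Brave's or Chromium's code: `Entry`, `Registry` and `Container` are hypothetical stand-ins for `SidePanelEntry`, `SidePanelRegistry` and `SidebarContainerView`, `ObserverSet` is a hand-rolled substitute for `base::ObserverList`, and the two scenario functions exercise the two destruction orders the message names (entry deregistered first, registry destroyed first). The point it shows is the asymmetry the message argues for: registry observations are removed from both sides, while entry observations are only erased from the container's set when the entry announces it is about to die.

```cpp
// Added illustration, not Brave or Chromium code. Entry, Registry and Container are
// hypothetical stand-ins for SidePanelEntry, SidePanelRegistry and SidebarContainerView,
// and ObserverSet is a hand-rolled substitute for base::ObserverList.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

class Entry; class Registry;
class LifetimeObserver {
 public:
  virtual ~LifetimeObserver() = default;
  virtual void OnEntryWillDestroy(Entry* entry) = 0;
  virtual void OnRegistryWillDestroy(Registry* registry) = 0;
};
class ObserverSet {
 public:
  void AddObserver(LifetimeObserver* o) { observers_.insert(o); }
  void RemoveObserver(LifetimeObserver* o) { observers_.erase(o); }
  std::size_t observer_count() const { return observers_.size(); }
 protected:
  template <typename F> void Notify(F fn) {  // observers erase themselves, so iterate a copy
    std::vector<LifetimeObserver*> snapshot(observers_.begin(), observers_.end());
    for (LifetimeObserver* o : snapshot) fn(o);
  }
 private:
  std::set<LifetimeObserver*> observers_;
};

class Entry : public ObserverSet {  // owned by the registry; may die before its observers
 public:
  void NotifyWillDestroy() { Notify([this](LifetimeObserver* o) { o->OnEntryWillDestroy(this); }); }
};
class Registry : public ObserverSet {  // owns the entries; announces its death, then theirs
 public:
  ~Registry() {
    Notify([this](LifetimeObserver* o) { o->OnRegistryWillDestroy(this); });
    for (auto& e : entries_) e->NotifyWillDestroy();  // entries die with the registry
  }
  Entry* Register() { entries_.push_back(std::make_unique<Entry>()); return entries_.back().get(); }
  void Deregister(Entry* entry) {
    auto it = std::find_if(entries_.begin(), entries_.end(), [entry](auto& p) { return p.get() == entry; });
    if (it == entries_.end()) return;
    entry->NotifyWillDestroy();  // the notification the commit's macro injects
    entries_.erase(it);          // unique_ptr frees the Entry here
  }
 private:
  std::vector<std::unique_ptr<Entry>> entries_;
};

struct Outcome {
  int entry_events = 0, registry_events = 0;
  std::size_t entries_tracked = 0, registries_tracked = 0, leftover_observers = 0;
};
// Registry observations stay in sync from both sides; entry observations are passive: on
// OnEntryWillDestroy the pointer is erased, never dereferenced. Without the two hooks,
// ~Container would call RemoveObserver on freed memory, which is the UaF in the commit.
class Container : public LifetimeObserver {
 public:
  ~Container() override {
    for (Registry* r : registries_) r->RemoveObserver(this);
    for (Entry* e : entries_) e->RemoveObserver(this);  // only live entries remain here
  }
  void ObserveRegistry(Registry* r) { if (registries_.insert(r).second) r->AddObserver(this); }
  void ObserveEntry(Entry* e) { if (entries_.insert(e).second) e->AddObserver(this); }
  void OnEntryWillDestroy(Entry* e) override { entries_.erase(e); ++entry_events_; }
  void OnRegistryWillDestroy(Registry* r) override { registries_.erase(r); ++registry_events_; }
  Outcome Snapshot() const { return {entry_events_, registry_events_, entries_.size(), registries_.size(), 0}; }
 private:
  std::set<Registry*> registries_;
  std::set<Entry*> entries_;
  int entry_events_ = 0, registry_events_ = 0;
};

Outcome EntryDiesFirst() {  // case 1 from the commit message: an entry is deregistered first
  Registry registry;
  Entry *a = registry.Register(), *b = registry.Register();
  Outcome out;
  {
    Container container;
    container.ObserveRegistry(&registry);
    container.ObserveEntry(a);
    container.ObserveEntry(a);  // repeated request: no double observation
    container.ObserveEntry(b);
    registry.Deregister(a);     // a is freed; the container only erased its pointer
    out = container.Snapshot();
  }  // container destroyed: it detaches from b and from the registry
  out.leftover_observers = b->observer_count() + registry.observer_count();
  return out;
}
Outcome RegistryDiesFirst() {  // case 2: the registry, and every entry in it, dies first
  Container container;
  {
    Registry registry;
    container.ObserveRegistry(&registry);
    container.ObserveEntry(registry.Register());
  }  // OnRegistryWillDestroy, then OnEntryWillDestroy: both sets are now empty
  return container.Snapshot();
}
int main() { return EntryDiesFirst().leftover_observers == 0 && RegistryDiesFirst().entries_tracked == 0 ? 0 : 1; }
```

Compiled as C++14 or later, `EntryDiesFirst()` ends with one entry event, entry `b` and the registry still tracked, and no observer left behind on either survivor once the container is gone; `RegistryDiesFirst()` ends with one registry event, one entry event and both sets empty, so the container's destructor has nothing dangling to touch. Deleting the two `On*WillDestroy` hooks from `Container` is the quickest way to see why the commit needs them: the same scenarios then make `~Container` call `RemoveObserver` through a freed pointer.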
1 parent 22adba2, commit 486ff21
Showing 9 changed files with 147 additions and 106 deletions.
chromium_src/chrome/browser/ui/views/side_panel/side_panel_registry.cc (36 additions & 0 deletions)
@@ -0,0 +1,36 @@ | ||
/* Copyright (c) 2024 The Brave Authors. All rights reserved. | ||
* This Source Code Form is subject to the terms of the Mozilla Public | ||
* License, v. 2.0. If a copy of the MPL was not distributed with this file, | ||
* You can obtain one at https://mozilla.org/MPL/2.0/. */ | ||
|
||
#include "chrome/browser/ui/views/side_panel/side_panel_registry.h" | ||
|
||
#include "chrome/browser/ui/views/side_panel/side_panel_coordinator.h" | ||
|
||
#define RemoveObserver(...) \ | ||
RemoveObserver(__VA_ARGS__); \ | ||
OnEntryWillDestroy(entry) | ||
|
||
#include "src/chrome/browser/ui/views/side_panel/side_panel_registry.cc" | ||
|
||
#undef RemoveObserver | ||
|
||
RegistryScopeDestructionNotifier::RegistryScopeDestructionNotifier( | ||
SidePanelRegistry* registry) | ||
: registry_(registry) {} | ||
RegistryScopeDestructionNotifier::~RegistryScopeDestructionNotifier() { | ||
registry_->observers_.Notify( | ||
&SidePanelRegistry::Observer::OnRegistryWillDestroy, registry_); | ||
} | ||
|
||
void SidePanelRegistry::AddObserver(SidePanelRegistry::Observer* observer) { | ||
observers_.AddObserver(observer); | ||
} | ||
|
||
void SidePanelRegistry::RemoveObserver(SidePanelRegistry::Observer* observer) { | ||
observers_.RemoveObserver(observer); | ||
} | ||
|
||
void SidePanelRegistry::OnEntryWillDestroy(SidePanelEntry* entry) { | ||
observers_.Notify(&SidePanelRegistry::Observer::OnEntryWillDestroy, entry); | ||
} |
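Review bot: the `#define RemoveObserver(...)` block before the `#include "src/.../side_panel_registry.cc"` rewrites every `RemoveObserver(...)` call in the upstream file, and its expansion uses the bare identifier `entry` and the unqualified member `OnEntryWillDestroy`, so it only compiles at call sites inside a `SidePanelRegistry` member function that has a local named `entry` in scope; add a comment above the macro stating that assumption and which upstream call sites it is meant to hook, because an upstream rename of that local is the only thing that will flag a silent loss of the notification (the build would fail, which is the desired outcome, but a reader of this file cannot tell that from the macro alone). The expansion also fires `OnEntryWillDestroy` after the observer has been removed but while the entry is still alive; that ordering is what `SidebarContainerView` relies on when it merely drops the entry from its set, so it belongs in the `Observer` documentation in the header. Finally, `~RegistryScopeDestructionNotifier` reaches into `registry_->observers_` (which requires access to that private member from this class, e.g. a friend declaration in the header) and notifies with `registry_` while the registry is being torn down: the observer list must still be intact at that point, which makes the member declaration order in `SidePanelRegistry` load-bearing and worth a comment, and observers must not call back into the registry from `OnRegistryWillDestroy`.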