-
Notifications
You must be signed in to change notification settings - Fork 868
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[DanglingPtr] Fix UaFs with
SidePanelEntry
observation
This change addresses the uaf cases we were having with the multisource observation for `SidePanelEntry` on `SidebarContainerView`. The main issue we were having is that we can't precisely be notified of when a given `SidePanelEntry` is going out of scope, and in many cases the instances would be destroyed before the lifetime of `SidebarContainerView`. In such cases, the observation would be kept around in the multisource observer, and eventually would cause an UaF, as the multisource observer was being destroyed and trying to remove the outstanding observations that were dangling. `SidePanelEntry` observations do dangle in upstream. That's the model they have for the lifetimes: FeatureFoo is destroyed before `SidePanelEntry`. There are exactly 2 ways for a `SidePanelEntry` to be destroyed in chromium: FeatureFoo destroyes it via Deregister, or `SidePanelRegistry` is destroyed before `FeatureFoo`. `SidebarContainerView` cannot in a reliable way keep track of these guarantees. This change is predicated on the fact that `SidebarContainerView` will always outlive all the use of events by any living `SidePanelEntry` instance. In this change we introduce a customisation point to `SidePanelEntry` that allows us to check if a certain entry is being observed or not. If it is we don't double-observe. Observations are then removed when a tab is destroyed, which includes when it gets moved to another Browser window. Resolves brave/brave-browser#39053 Resolves brave/brave-browser#41924
- Loading branch information
1 parent
dcd982b
commit dbca922
Showing
9 changed files
with
66 additions
and
106 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
chromium_src/chrome/browser/ui/views/side_panel/side_panel_entry.cc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
/* Copyright (c) 2024 The Brave Authors. All rights reserved. | ||
* This Source Code Form is subject to the terms of the Mozilla Public | ||
* License, v. 2.0. If a copy of the MPL was not distributed with this file, | ||
* You can obtain one at https://mozilla.org/MPL/2.0/. */ | ||
|
||
#include "chrome/browser/ui/views/side_panel/side_panel_entry.h" | ||
|
||
#include "src/chrome/browser/ui/views/side_panel/side_panel_entry.cc" | ||
|
||
bool SidePanelEntry::IsBeingObservedBy(SidePanelEntryObserver* observer) { | ||
return observers_.HasObserver(observer); | ||
} |
17 changes: 17 additions & 0 deletions
17
chromium_src/chrome/browser/ui/views/side_panel/side_panel_entry.h
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
/* Copyright (c) 2024 The Brave Authors. All rights reserved. | ||
* This Source Code Form is subject to the terms of the Mozilla Public | ||
* License, v. 2.0. If a copy of the MPL was not distributed with this file, | ||
* You can obtain one at https://mozilla.org/MPL/2.0/. */ | ||
|
||
#ifndef BRAVE_CHROMIUM_SRC_CHROME_BROWSER_UI_VIEWS_SIDE_PANEL_SIDE_PANEL_ENTRY_H_ | ||
#define BRAVE_CHROMIUM_SRC_CHROME_BROWSER_UI_VIEWS_SIDE_PANEL_SIDE_PANEL_ENTRY_H_ | ||
|
||
#define SupportsNewTabButton(...) \ | ||
SupportsNewTabButton(__VA_ARGS__); \ | ||
bool IsBeingObservedBy(SidePanelEntryObserver* observer) | ||
|
||
#include "src/chrome/browser/ui/views/side_panel/side_panel_entry.h" // IWYU pragma: export | ||
|
||
#undef SupportsNewTabButton | ||
|
||
#endif // BRAVE_CHROMIUM_SRC_CHROME_BROWSER_UI_VIEWS_SIDE_PANEL_SIDE_PANEL_ENTRY_H_ |