BrowserContext should not be deleted until all RenderProcessHosts using it are gone

Bug #1431484 reported by Chris Coulson on 2015-03-12
Affects   Status   Importance   Assigned to     Milestone
Oxide              High         Chris Coulson   1.5
Oxide              High         Chris Coulson   1.6
Oxide              High         Chris Coulson

Bug Description

Currently Oxide keeps a BrowserContext alive as long as there are WebContents that are still using it (WebContents being owned by the WebView). However, deleting all WebContents isn't a guarantee that any associated RenderProcessHost instances are also deleted, as a render process can be kept alive by shared / service workers that are busy. In this case, RenderProcessHost will be left with a dangling pointer to its BrowserContext, resulting in a potentially exploitable use-after-free in the browser process.
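The following is an added illustration, not Oxide's or Chromium's code: a small C++ model of the lifetime rule this report asks for. The class names are simplified stand-ins for the Chromium types named above, and `RunScenario` is a hypothetical driver. In the buggy shape only the WebContents co-own the BrowserContext, so closing every tab destroys the context while a busy renderer process still points at it; in the fixed shape the RenderProcessHost also co-owns the context, so it survives until the process itself is gone.

```cpp
#include <memory>
#include <vector>

// Count of BrowserContext objects currently alive; lets a stand-alone run
// show when the context was actually destroyed.
static int g_live_contexts = 0;

// Stand-in for Chromium's BrowserContext (profile-level state).
class BrowserContext {
 public:
  BrowserContext() { ++g_live_contexts; }
  ~BrowserContext() { --g_live_contexts; }
  BrowserContext(const BrowserContext&) = delete;
  BrowserContext& operator=(const BrowserContext&) = delete;
};

// Stand-in for a renderer process. In the buggy shape it keeps only a raw
// pointer to its context; in the fixed shape it also co-owns the context,
// so the context cannot be freed while the process (for example one kept
// alive by a busy shared or service worker) still exists.
class RenderProcessHost {
 public:
  RenderProcessHost(std::shared_ptr<BrowserContext> context, bool holds_reference)
      : raw_context_(context.get()),
        owned_context_(holds_reference ? std::move(context) : nullptr) {}

  // Never dereferenced here: in the buggy shape this dangles once all tabs
  // are closed, which is exactly the use-after-free the report describes.
  BrowserContext* context() const { return raw_context_; }

 private:
  BrowserContext* raw_context_;
  std::shared_ptr<BrowserContext> owned_context_;
};

// Stand-in for a tab. Each tab co-owns the context, as Oxide already does.
class WebContents {
 public:
  explicit WebContents(std::shared_ptr<BrowserContext> context)
      : context_(std::move(context)) {}

 private:
  std::shared_ptr<BrowserContext> context_;
};

// What an observer sees at the two interesting points of the scenario.
struct LifetimeTrace {
  bool context_alive_after_tabs_closed;
  bool context_alive_after_process_gone;
};

// Hypothetical driver: two tabs share one context and one renderer process.
// The user closes both tabs while the process is still alive, then the
// process finally exits.
LifetimeTrace RunScenario(bool process_holds_reference) {
  auto context = std::make_shared<BrowserContext>();
  std::weak_ptr<BrowserContext> observer = context;  // watches, never owns

  std::vector<std::unique_ptr<WebContents>> tabs;
  tabs.push_back(std::make_unique<WebContents>(context));
  tabs.push_back(std::make_unique<WebContents>(context));
  auto process =
      std::make_unique<RenderProcessHost>(context, process_holds_reference);
  context.reset();  // the creator keeps no handle; only users own it now

  LifetimeTrace trace{};
  tabs.clear();  // every tab closed; the process is still busy
  trace.context_alive_after_tabs_closed = !observer.expired();

  process.reset();  // the worker finished and the process went away
  trace.context_alive_after_process_gone = !observer.expired();
  return trace;
}

int main() {
  LifetimeTrace buggy = RunScenario(/*process_holds_reference=*/false);
  LifetimeTrace fixed = RunScenario(/*process_holds_reference=*/true);
  // Buggy: context freed while the process still points at it.
  // Fixed: context outlives the tabs and is freed only with the process.
  return (buggy.context_alive_after_tabs_closed == false &&
          fixed.context_alive_after_tabs_closed == true &&
          fixed.context_alive_after_process_gone == false &&
          g_live_contexts == 0)
             ? 0
             : 1;
}
```

The point of the model is the ownership edge, not the pointer type: whatever mechanism Oxide uses to count users of a BrowserContext, a RenderProcessHost has to count as one of them, because its lifetime is not bounded by the WebContents that created it.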

Changed in oxide:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Chris Coulson (chrisccoulson)
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1317

Changed in oxide:
milestone: none → branch-1.7
Changed in oxide:
status: Triaged → Fix Released
information type: Private Security → Public Security