BrowserContext should not be deleted until all RenderProcessHosts using it are gone
Bug #1431484 reported by
Chris Coulson
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Oxide |
Fix Released
|
High
|
Chris Coulson | ||
| 1.5 |
Fix Released
|
High
|
Chris Coulson | ||
| 1.6 |
Fix Released
|
High
|
Chris Coulson | ||
Bug Description
Currently Oxide keeps a BrowserContext alive as long as there are WebContents that are still using it (WebContents being owned by the WebView). However, deleting all WebContents isn't a guarantee that any associated RenderProcessHost instances are also deleted, as a render process can be kept alive by shared / service workers that are busy. In this case, RenderProcessHost will be left with a dangling pointer to its BrowserContext, resulting in a potentially exploitable use-after-free in the browser process.
CVE References
| Changed in oxide: | |
| importance: | Undecided → High |
| status: | New → Triaged |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in oxide: | |
| milestone: | none → branch-1.7 |
| Changed in oxide: | |
| status: | Triaged → Fix Released |
| information type: | Private Security → Public Security |
To post a comment you must log in.
This is CVE-2015-1317