authorKen Rockot <rockot@google.com>2022-08-24 20:56:30 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-12-06 15:45:47 +0000
commit23248f0ae8a092155fd094c50910242d539b93f6 (patch)
treec5e309a6d6a377da3bc326c78c797ede5f290f10
parent801eddbb7b715dbbb86ad5331665fa6fb6efd016 (diff)
downloadqtwebengine-chromium-23248f0ae8a092155fd094c50910242d539b93f6.tar.gz
[Backport] Dependency for CVE-2022-4180: Use after free in Mojo
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3853657: Mojo: Fix null deref in ChannelMac In ShutDownOnIOThread, ChannelMac's `send_buffer_` is invalidated, but an IO thread task to run SendPendingMessages() may have already been posted. In that case the task will attempt to dereference a null `send_buffer_` and crash. This changes ChannelMac to also set `reject_writes_` on shutdown, ensuring that all subsequent write or flush attempts are ignored. Bug: None Change-Id: I40ebdafa0a67da9339d80ca968eb53f2ddc390f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3853657 Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/main@{#1038946} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/446485 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/mojo/core/channel_mac.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/mojo/core/channel_mac.cc b/chromium/mojo/core/channel_mac.cc
index 686dea5c783..a2104601b50 100644
--- a/chromium/mojo/core/channel_mac.cc
+++ b/chromium/mojo/core/channel_mac.cc
@@ -210,6 +210,7 @@ class ChannelMac : public Channel,
send_buffer_.reset();
receive_buffer_.reset();
incoming_handles_.clear();
+ reject_writes_ = true;
if (leak_handles_) {
std::ignore = receive_port_.release();
@@ -700,7 +701,8 @@ class ChannelMac : public Channel,
// Lock that protects the following members.
base::Lock write_lock_;
- // Whether writes should be rejected due to an internal error.
+ // Whether writes should be rejected due to an internal error or channel
+ // shutdown.
bool reject_writes_ = false;
// IO buffer for sending Mach messages.
base::mac::ScopedMachVM send_buffer_;