authorBalazs Engedy <engedy@chromium.org>2021-03-31 07:47:19 +0000
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2021-05-12 12:45:15 +0200
commit07af1bb4559d63ffe80a15603622dc2b75792da7 (patch)
tree4084ca537f1d9651872156546938602eb281663e /chromium/content/browser/permissions/permission_controller_impl.h
parent7b8cc71693eb46cd9736ecd7def065376d009faf (diff)
[Backport] CVE-2021-21201: Use after free in permissions
Partial backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2791431: Use IDType for permission change subscriptions. Bug: 1025683 Change-Id: I3b44ba7833138e8a657a4192e1a36c978695db32 Reviewed-by: Richard Coles <torne@chromium.org> Reviewed-by: Yuchen Liu <yucliu@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Fabrice de Gans-Riberi <fdegans@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Illia Klimov <elklm@google.com> Auto-Submit: Balazs Engedy <engedy@chromium.org> Commit-Queue: Balazs Engedy <engedy@chromium.org> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/content/browser/permissions/permission_controller_impl.h')
-rw-r--r--chromium/content/browser/permissions/permission_controller_impl.h13
1 files changed, 10 insertions, 3 deletions
diff --git a/chromium/content/browser/permissions/permission_controller_impl.h b/chromium/content/browser/permissions/permission_controller_impl.h
index 7ebf3c48a0e..d85788867f7 100644
--- a/chromium/content/browser/permissions/permission_controller_impl.h
+++ b/chromium/content/browser/permissions/permission_controller_impl.h
@@ -72,18 +72,19 @@ class CONTENT_EXPORT PermissionControllerImpl : public PermissionController {
const GURL& requesting_origin,
const GURL& embedding_origin);
- int SubscribePermissionStatusChange(
+ SubscriptionId SubscribePermissionStatusChange(
PermissionType permission,
RenderFrameHost* render_frame_host,
const GURL& requesting_origin,
const base::RepeatingCallback<void(blink::mojom::PermissionStatus)>&
callback);
- void UnsubscribePermissionStatusChange(int subscription_id);
+ void UnsubscribePermissionStatusChange(SubscriptionId subscription_id);
private:
struct Subscription;
- using SubscriptionsMap = base::IDMap<std::unique_ptr<Subscription>>;
+ using SubscriptionsMap =
+ base::IDMap<std::unique_ptr<Subscription>, SubscriptionId>;
using SubscriptionsStatusMap =
base::flat_map<SubscriptionsMap::KeyType, blink::mojom::PermissionStatus>;
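Review bot: The new `SubscriptionId` return of `SubscribePermissionStatusChange` carries no comment stating the contract the typed ID is meant to enforce, and `UnsubscribePermissionStatusChange` does not say what it does with a null or unknown ID. A caller that drops the returned ID has no way to unsubscribe, so `callback` presumably stays registered; whether anything else removes it (for example when `render_frame_host` goes away) is not visible in this header. I would add above the declaration `// Returns an ID that is only meaningful to this PermissionControllerImpl; pass it to UnsubscribePermissionStatusChange() before anything bound into |callback| is destroyed.` and one line on the unsubscribe side describing the invalid-ID case. The class body starts and ends outside the hunk.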
@@ -98,7 +99,13 @@ class CONTENT_EXPORT PermissionControllerImpl : public PermissionController {
const base::Optional<url::Origin>& origin);
DevToolsPermissionOverrides devtools_permission_overrides_;
+
+ // Note that SubscriptionId is distinct from
+ // PermissionControllerDelegate::SubscriptionId, and the concrete ID values
+ // may be different as well.
SubscriptionsMap subscriptions_;
+ SubscriptionId::Generator subscription_id_generator_;
+
BrowserContext* browser_context_;
DISALLOW_COPY_AND_ASSIGN(PermissionControllerImpl);
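Review bot: The comment added above `subscriptions_` says the two `SubscriptionId` types are distinct, but not what goes wrong when they are mixed or where the delegate's ID for a given subscription is kept (`struct Subscription` is only forward-declared here). The compile-time protection also depends on the two being separate tag types rather than aliases of one underlying type, which this header does not show and is worth confirming for a partial backport. Suggested wording: `// Keyed by IDs from |subscription_id_generator_|. These are unrelated to PermissionControllerDelegate::SubscriptionId values; passing one where the other is expected can remove the wrong subscription.` `subscription_id_generator_` itself could get a short comment saying whether IDs are ever reused.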