From 2abd3ca82deef66c5011e8c7df26f0eac66cc5bb Mon Sep 17 00:00:00 2001
From: Andrey Kosyakov
Date: Tue, 30 Mar 2021 08:04:11 +0000
Subject: [Backport] CVE-2021-21202: Use after free in extensions.

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2787756: DevTools: expect PageHandler may be destroyed during Page.navigate

Bug: 1188889
Change-Id: I5c2fcca84834d66c46d77a70683212c2330177a5
Commit-Queue: Andrey Kosyakov
Reviewed-by: Dmitry Gozman
Reviewed-by: Karan Bhatia
Cr-Commit-Position: refs/heads/master@{#867507}
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/content/browser/devtools/protocol/page_handler.cc | 5 +++++
 .../content/browser/devtools/render_frame_devtools_agent_host.cc | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/chromium/content/browser/devtools/protocol/page_handler.cc b/chromium/content/browser/devtools/protocol/page_handler.cc
index 47f8c012923..9dfbf12b793 100644
--- a/chromium/content/browser/devtools/protocol/page_handler.cc
+++ b/chromium/content/browser/devtools/protocol/page_handler.cc
@@ -508,7 +508,12 @@ void PageHandler::Navigate(const std::string& url,
 Referrer(GURL(referrer.fromMaybe("")),
 blink::kWebReferrerPolicyDefault);
 params.transition_type = type;
 params.frame_tree_node_id = frame_tree_node->frame_tree_node_id();
+ // Handler may be destroyed while navigating if the session
+ // gets disconnected as a result of access checks.
+ base::WeakPtr weak_self = weak_factory_.GetWeakPtr();
 frame_tree_node->navigator()->GetController()->LoadURLWithParams(params);
+ if (!weak_self)
+ return;
 base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();
 auto navigate_callback = navigate_callbacks_.find(frame_token);
diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
index 9493103481a..a05538c3c8b 100644
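Review bot: After the new `if (!weak_self) return;` the code still dereferences the raw `frame_tree_node` pointer captured before `LoadURLWithParams()` to read `devtools_frame_token()`, so the guard protects `this` but not that pointer; if the synchronous navigation or the session teardown this commit anticipates can also destroy the node, that read would dangle the same way. Since the token is read from the node that is already in hand, hoisting `base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();` above the `LoadURLWithParams()` call removes the post-navigation dependency at no cost, with `navigate_callbacks_` still only touched after the weak-pointer check. Whether the node can actually go away there cannot be confirmed from the hunk, so treat this as hardening rather than a known defect. As rendered, `base::WeakPtr weak_self` has lost its template argument, presumably `<PageHandler>` stripped by the page rendering, so the line should not be copied from this view. `PageHandler::Navigate` begins before and continues after this hunk.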
--- a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -612,8 +612,11 @@ void RenderFrameDevToolsAgentHost::UpdateFrameHost(
 restricted_sessions.push_back(session);
 }

- if (!restricted_sessions.empty())
+ scoped_refptr protect;
+ if (!restricted_sessions.empty()) {
+ protect = this;
 ForceDetachRestrictedSessions(restricted_sessions);
+ }

 if (!render_frame_alive_) {
 render_frame_alive_ = true;
-- cgit v1.2.1
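Review bot: The new `protect` reference carries no comment saying what it defends against, and a bare `scoped_refptr` assigned `this` right before a call reads as dead code to a later maintainer, which is how such lifetime guards get removed in cleanups; I would add above `scoped_refptr protect;` the comment `// ForceDetachRestrictedSessions() may drop the last reference to |this|; keep it alive for the rest of the method, which still touches members.` The reference is taken only when `restricted_sessions` is non-empty, which is correct as long as that detach call is the only thing in this method that can release the host; if other paths in the rest of `UpdateFrameHost()` can detach sessions too, taking the reference unconditionally at the top would be the safer shape, though the hunk alone does not show that. As rendered, `scoped_refptr protect;` has lost its template argument (the host type), presumably stripped by the page rendering. `UpdateFrameHost()` begins before and continues after this hunk.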