Issue 11428052: [android_webview] Fix use after free in intercepted requests.

Issue 11428052: [android_webview] Fix use after free in intercepted requests. (Closed)

Created:
8 years ago by mkosiba (inactive)

Modified:
8 years ago

Reviewers:
joth, mnaganov (inactive)

CC:
chromium-reviews, cbentzel+watch_chromium.org, darin-cc_chromium.org, android-webview-reviews_chromium.org

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Visibility:
Public.

More Reviews

Description

[android_webview] Fix use after free in intercepted requests. This fixes the use after free problem that can occur if the Seek or Read request on the worker thread runs after the job has been deleted. TEST=AndroidWebViewTests,android_webview_unittests BUG=None R=mnaganov@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=170505

Patch Set 1 #

Total comments: 2

Patch Set 2 : #

Total comments: 15

Patch Set 3 : #

Patch Set 4 : rebase #

Created: 8 years ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+129 lines, -77 lines)			Patch
M	android_webview/browser/input_stream.h	View	1	1 chunk	+3 lines, -0 lines	0 comments	Download
M	android_webview/browser/net/android_stream_reader_url_request_job.h	View	1 2	4 chunks	+6 lines, -5 lines	0 comments	Download
M	android_webview/browser/net/android_stream_reader_url_request_job.cc	View	1 2	8 chunks	+82 lines, -27 lines	0 comments	Download
M	android_webview/browser/net/android_stream_reader_url_request_job_unittest.cc	View	1 2	16 chunks	+25 lines, -27 lines	0 comments	Download
M	android_webview/browser/net/input_stream_reader.h	View		2 chunks	+2 lines, -7 lines	0 comments	Download
M	android_webview/browser/net/input_stream_reader_unittest.cc	View		1 chunk	+4 lines, -4 lines	0 comments	Download
M	android_webview/native/android_protocol_handler.cc	View	1 2	4 chunks	+5 lines, -5 lines	0 comments	Download
M	android_webview/native/intercepted_request_data_impl.cc	View	1 2	1 chunk	+2 lines, -2 lines	0 comments	Download

Messages

Total messages: 8 (0 generated)

Expand Messages | Collapse Messages

mnaganov (inactive)

I assume it's OK for the InputStream implementation to have an instance deleted on a ...

8 years ago (2012-11-29 10:46:55 UTC) #2

mkosiba (inactive)

The InputStream should be safe to delete on a different thread (it's using a GlobalJavaRef ...

8 years ago (2012-11-29 15:39:22 UTC) #3

mnaganov (inactive)

LGTM with a comment https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc File android_webview/browser/net/android_stream_reader_url_request_job.cc (right): https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc#newcode64 android_webview/browser/net/android_stream_reader_url_request_job.cc:64: scoped_ptr<android_webview::InputStreamReader> input_stream_reader_; nit: please add ...

8 years ago (2012-11-29 17:05:22 UTC) #4

joth

lgtm with couple questions & nits/ https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc File android_webview/browser/net/android_stream_reader_url_request_job.cc (right): https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc#newcode34 android_webview/browser/net/android_stream_reader_url_request_job.cc:34: // Thread-safe ref ...

8 years ago (2012-11-29 17:44:09 UTC) #5

mkosiba (inactive)

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc File android_webview/browser/net/android_stream_reader_url_request_job.cc (right): https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/net/android_stream_reader_url_request_job.cc#newcode34 android_webview/browser/net/android_stream_reader_url_request_job.cc:34: // Thread-safe ref counting is used to ensure that ...

8 years ago (2012-11-29 18:54:11 UTC) #6

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
File android_webview/browser/net/android_stream_reader_url_request_job.cc
(right):

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:34: //
Thread-safe ref counting is used to ensure that the data is still there
On 2012/11/29 17:44:09, joth wrote:
> nit: by 'the data' you specifically mean the InputStream object?

umm.. I mean the InputStream and InputStreamReader instances, will update
comment.

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:37: public
base::RefCountedThreadSafe<InputStreamReaderWrapper> {
On 2012/11/29 17:44:09, joth wrote:
> URLRequestJob is already refcounted thread safe. Did you consider just adding
> the methods below as private methods in AndroidStreamReaderURLRequestJob?

unfortunately URLRequestJob is only RefCounted (not threadsafe).

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:43:
input_stream_reader_(input_stream_reader.Pass()) {
On 2012/11/29 17:44:09, joth wrote:
> nit: indent initializers again

Done.

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:59:
private:
On 2012/11/29 17:44:09, joth wrote:
> nit: \n before

Done.

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:64:
scoped_ptr<android_webview::InputStreamReader> input_stream_reader_;
On 2012/11/29 17:05:22, Mikhail Naganov (Chromium) wrote:
> nit: please add DISALLOW_COPY_AND_ASSIGN (sorry for not pointing this out at
the
> first review)

Done.

https://codereview.chromium.org/11428052/diff/5002/android_webview/browser/ne...
android_webview/browser/net/android_stream_reader_url_request_job.cc:180:
base::Unretained(dest),
On 2012/11/29 17:44:09, joth wrote:
> if the job may be killed before the task runs, how do we know that |dest| is
> going to still be alive then too?

I was mislead by the docs on net::URLRequest which sort of imply that dest will
be valid until the job calls NotifyReadComplete. The docs on net::IOBuffer say
it's refcountedthreadsafe exactly for this reason so dropping the Unretained.

https://codereview.chromium.org/11428052/diff/5002/android_webview/native/and...
File android_webview/native/android_protocol_handler.cc (right):

https://codereview.chromium.org/11428052/diff/5002/android_webview/native/and...
android_webview/native/android_protocol_handler.cc:57: InputStream& stream,
On 2012/11/29 17:44:09, joth wrote:
> use pointer: non-const references not allowed. 

ah, well, back to ye olde pointer then

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/mkosiba@chromium.org/11428052/9001

8 years ago (2012-11-30 17:14:54 UTC) #7

Message was sent while issue was closed.

Change committed as 170505

Expand Messages | Collapse Messages