BrowserContext should not be deleted until all RenderProcessHosts using it are gone
Bug #1431484 reported by Chris Coulson
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Oxide | Fix Released | High | Chris Coulson | |
| 1.5 | Fix Released | High | Chris Coulson | |
| 1.6 | Fix Released | High | Chris Coulson | |
Bug Description
Currently Oxide keeps a BrowserContext alive only as long as there are WebContents still using it (each WebContents being owned by its WebView). However, deleting all WebContents does not guarantee that the associated RenderProcessHost instances are also deleted, because a render process can be kept alive by shared or service workers that are still busy. In this case the RenderProcessHost is left with a dangling pointer to its BrowserContext, resulting in a potentially exploitable use-after-free in the browser process.
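The lifetime rule the title asks for, shown with an added illustration that is not Oxide's or Chromium's code: the class names mirror the report, but the classes, fields and functions are hypothetical stand-ins. Ownership is shared by both WebContents and RenderProcessHost, so a host kept alive by a busy worker can never outlive its context.

```cpp
// Added illustration (hypothetical classes, not Oxide's code): a BrowserContext
// stays alive while any WebContents *or* any RenderProcessHost references it.
#include <memory>
#include <string>

struct BrowserContext {
    static int live;                 // number of live contexts (demo bookkeeping)
    std::string name;
    explicit BrowserContext(std::string n) : name(std::move(n)) { ++live; }
    ~BrowserContext() { --live; }
};
int BrowserContext::live = 0;

// In the buggy design the host held only a raw BrowserContext*, which dangled
// once the last WebContents went away. Here it shares ownership instead.
struct RenderProcessHost {
    std::shared_ptr<BrowserContext> context;
    bool workers_busy = false;       // e.g. a shared/service worker still running
};

struct WebContents {
    std::shared_ptr<BrowserContext> context;
    std::shared_ptr<RenderProcessHost> host;
};

// Scenario from the report: the WebView destroys its WebContents while the
// render process is kept alive by a busy worker. Returns true if the host's
// context is still valid at that point (the property the fix must guarantee).
bool ContextSurvivesWebContentsDeletion() {
    auto ctx = std::make_shared<BrowserContext>("default");
    auto host = std::make_shared<RenderProcessHost>();
    host->context = ctx;
    host->workers_busy = true;
    {
        WebContents wc{ctx, host};
        ctx.reset();                 // the original creator drops its reference
    }                                // WebContents destroyed here
    // The host still owns the context: no dangling pointer, no use-after-free.
    return host->context != nullptr && BrowserContext::live == 1;
}

// Once the last RenderProcessHost goes away too, the context is released.
bool ContextFreedWhenLastHostGone() {
    auto ctx = std::make_shared<BrowserContext>("default");
    std::weak_ptr<BrowserContext> probe = ctx;
    {
        auto host = std::make_shared<RenderProcessHost>();
        host->context = std::move(ctx);
    }                                // last owner destroyed here
    return probe.expired();
}
```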
CVE References
Changed in oxide:
- importance: Undecided → High
- status: New → Triaged
- assignee: nobody → Chris Coulson (chrisccoulson)

Changed in oxide:
- milestone: none → branch-1.7

Changed in oxide:
- status: Triaged → Fix Released
- information type: Private Security → Public Security
This is CVE-2015-1317