8000 chore: cherry-pick 6bb320d134b1 from chromium by ppontes · Pull Request #32172 · electron/electron · GitHub

chore: cherry-pick 6bb320d134b1 from chromium #32172


Merged: 3 commits merged into 13-x-y from cherry-pick/13-x-y/chromium/6bb320d134b1 on Jan 10, 2022

Conversation

ppontes (Member) commented Dec 14, 2021

M96: Storage Foundation: Share FileState ownership with I/O threads.

blink::NativeIOFile methods implementing the Storage Foundation
JavaScript API pass raw pointers to NativeIOFile::FileState instances to
their corresponding blink::NativeIOFile::Do*() methods, which rely on
CrossThreadPersistent arguments to keep the underlying
NativeIOFile::FileState instances alive.

CrossThreadPersistent can be used across threads to keep a garbage
collected object alive, together with any non-garbage-collected objects
that it owns. However, relying on CrossThreadPersistent existence to
access the owned objects on a different thread is not safe.
cppgc::subtle::CrossThreadPersistent (blink::CrossThreadPersistent is an
alias to that) has comments explaining that the garbage collected heap
can go away while the CrossThreadPersistent instance exists.

This CL fixes the problem by having the ownership of
NativeIOFile::FileState be shared between the corresponding NativeIOFile
instance and any threads doing I/O on the FileState.

(cherry picked from commit 7dc02206707362f3f92cea93f8eb2fa4af0d375f)

Bug: 1240593
Change-Id: I5c9c818bcb23316fe1fd5afa57ed9c3fdb034377
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3269947
Commit-Queue: Victor Costan pwnall@chromium.org
Reviewed-by: Austin Sullivan asully@chromium.org
Reviewed-by: Marijn Kruisselbrink mek@chromium.org
Reviewed-by: enne enne@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#940130}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3272672
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/4664@{#945}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}

Notes: Backported fix for CVE-2021-38006.
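The lifetime bug the commit message describes, reduced to its two ownership shapes. This is an added illustration, not Chromium's or Electron's code: `FileState`, `RawPointerOwner` and `SharedOwner` are hypothetical stand-ins for NativeIOFile::FileState and blink::NativeIOFile, the I/O task is run inline where Blink would post it to an I/O thread, and the file contents are constructed. The "before" shape hands the I/O task a raw pointer whose owner can be torn down first; the "after" shape has the task co-own the state, matching the shared-ownership fix.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical stand-in for NativeIOFile::FileState: a non-garbage-collected
// object holding the file's lock and contents, which every I/O task touches.
struct FileState {
  static std::atomic<int> live;   // how many FileState objects exist right now
  std::mutex lock;
  std::vector<uint8_t> bytes;     // constructed stand-in for on-disk contents
  FileState() : bytes{'s', 't', 'o', 'r', 'a', 'g', 'e'} { ++live; }
  ~FileState() { --live; }
};
std::atomic<int> FileState::live{0};

// "Before" shape: the owner (think blink::NativeIOFile) holds the FileState
// exclusively and gives the I/O task a raw pointer. Whatever keeps the owner
// itself alive (a CrossThreadPersistent in Blink) does not keep the heap the
// owner lives on alive, so the raw pointer can outlive the FileState.
struct RawPointerOwner {
  std::unique_ptr<FileState> state = std::make_unique<FileState>();

  // The task the I/O thread would run; it captures only the raw pointer,
  // so nothing inside the task keeps *state alive.
  std::function<size_t()> ScheduleRead() {
    FileState* raw = state.get();
    return [raw]() -> size_t {
      std::lock_guard<std::mutex> guard(raw->lock);  // use-after-free if owner is gone
      return raw->bytes.size();
    };
  }
};

// "After" shape: ownership is shared between the owner and every pending
// I/O task, so the FileState is freed only when the last holder lets go.
struct SharedOwner {
  std::shared_ptr<FileState> state = std::make_shared<FileState>();

  std::function<size_t()> ScheduleRead() {
    std::shared_ptr<FileState> keep_alive = state;   // task co-owns the FileState
    return [keep_alive]() -> size_t {
      std::lock_guard<std::mutex> guard(keep_alive->lock);
      return keep_alive->bytes.size();
    };
  }
};

// Drives the raw-pointer shape up to, but not into, the dangling dereference:
// schedule the read, destroy the owner, then report whether any FileState is
// still alive for the pending task to use. The task is deliberately never run.
bool UnsafeStateSurvivesOwner() {
  auto owner = std::make_unique<RawPointerOwner>();
  std::function<size_t()> pending = owner->ScheduleRead();
  owner.reset();                 // FileState destroyed here, task still pending
  (void)pending;                 // running it now would read freed memory
  return FileState::live > 0;    // false: the I/O task has nothing valid left
}

struct SafeRunResult {
  bool alive_after_owner_gone;   // FileState survived the owner's destruction
  size_t bytes_read;             // what the I/O task read after the owner died
  bool freed_after_task;         // FileState released once the task let go
};

// Drives the shared-ownership shape the whole way: owner destroyed first,
// the I/O task then runs and still finds a live FileState, and the state is
// freed only after the task drops its reference.
SafeRunResult RunSharedOwnership() {
  SafeRunResult result{};
  auto owner = std::make_unique<SharedOwner>();
  std::function<size_t()> pending = owner->ScheduleRead();
  owner.reset();                                   // owner gone; task holds a ref
  result.alive_after_owner_gone = (FileState::live == 1);
  result.bytes_read = pending();                   // would run on the I/O thread
  pending = nullptr;                               // last reference released
  result.freed_after_task = (FileState::live == 0);
  return result;
}
```

The shape to look for in review is the capture list: a task that captures `FileState*` (or a `CrossThreadPersistent` to the owner) has no say in when the state dies, whereas one that captures a `std::shared_ptr<FileState>` (Chromium uses its own ref-counting, but the ownership rule is the same) extends the lifetime to cover its own execution.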

@ppontes ppontes requested a review from a team as a code owner December 14, 2021 09:48
@ppontes ppontes added 13-x-y backport-check-skip Skip trop's backport validity checking semver/patch backwards-compatible bug fixes labels Dec 14, 2021
jkleinsc (Member) merged commit a8b0985 into 13-x-y Jan 10, 2022
jkleinsc deleted the cherry-pick/13-x-y/chromium/6bb320d134b1 branch January 10, 2022 21:03
release-clerk bot commented Jan 10, 2022

Release Notes Persisted

Backported fix for CVE-2021-38006.

Labels
13-x-y backport-check-skip Skip trop's backport validity checking security 🔒 semver/patch backwards-compatible bug fixes
4 participants