Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 623870b2aa3cc186f3f7929f36a4b87adabd0bf0
      
https://github.com/WebKit/WebKit/commit/623870b2aa3cc186f3f7929f36a4b87adabd0bf0
  Author: Lauro Moura <[email protected]>
  Date:   2024-11-13 (Wed, 13 Nov 2024)

  Changed paths:
    M Source/WebDriver/Session.cpp
    M Source/WebDriver/Session.h
    M Source/WebDriver/SessionHost.cpp
    M Source/WebDriver/SessionHost.h
    M Source/WebDriver/WebDriverService.cpp
    M Source/WebDriver/WebDriverService.h
    M Source/WebDriver/glib/SessionHostGlib.cpp

  Log Message:
  -----------
  [WebDriver][GLIB] Potential use after free due to early SessionHost destruction
https://bugs.webkit.org/show_bug.cgi?id=282910

Reviewed by Carlos Garcia Campos.

Make SessionHost refcounted, to ensure it stays alive while
dispatching the pending commands.

Namely, WebDriverService::deleteSession transfers the ownership of the
Session instance to the completionHandler passed to Session::close. When
the SessionHost gets a DidClose message due to, for example, the browser
exiting, it'll dispatch the pending commands, which can delete the
Session instance, taking its unique_ptr SessionHost alongside.

This fixes the issue on the SessionHost destructor side, but valgrind
is still reporting the GSocketMonitor invalid write inside
socketSourceCallback as reported in the bug; this will be fixed
in a separate patch.

* Source/WebDriver/Session.cpp:
(WebDriver::Session::Session):
* Source/WebDriver/Session.h:
(WebDriver::Session::create):
* Source/WebDriver/SessionHost.cpp:
(WebDriver::SessionHost::inspectorDisconnected):
* Source/WebDriver/SessionHost.h:
(WebDriver::SessionHost::SessionHost): Deleted.
(WebDriver::SessionHost::setHostAddress): Deleted.
(WebDriver::SessionHost::sessionID const): Deleted.
(WebDriver::SessionHost::capabilities const): Deleted.
* Source/WebDriver/WebDriverService.cpp:
(WebDriver::WebDriverService::connectToBrowser):
(WebDriver::WebDriverService::createSession):
* Source/WebDriver/WebDriverService.h:
* Source/WebDriver/glib/SessionHostGlib.cpp:
(WebDriver::SessionHost::connectionDidClose):

Canonical link: https://commits.webkit.org/286523@main
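The ownership problem the commit message describes, as an added example that is not WebKit's code: a host dispatching pending commands runs a completion handler that destroys the Session owning that host, so the host must hold a reference to itself for the duration of the dispatch. std::shared_ptr stands in for WebKit's RefCounted/Ref, and the class and function names are simplified stand-ins for the real SessionHost, Session and WebDriverService::deleteSession.

```cpp
// Added example (not WebKit's code): models the ownership fix described in the
// commit message with std::shared_ptr standing in for WebKit's RefCounted/Ref.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

class SessionHost : public std::enable_shared_from_this<SessionHost> {
public:
    using Command = std::function<void()>;
    void queueCommand(Command command) { m_pendingCommands.push_back(std::move(command)); }

    // Models SessionHost::connectionDidClose(): the browser went away, so every
    // pending command is completed now. Returns how many commands were dispatched.
    int connectionDidClose() {
        // The fix: hold a reference for the duration of the dispatch. A command may
        // destroy the Session, which was the only other owner of this host. With a
        // plain unique_ptr<SessionHost> inside Session, *this would be freed by that
        // command and the member accesses below would be a use after free.
        auto protectedThis = shared_from_this();
        auto commands = std::exchange(m_pendingCommands, {});
        for (auto& command : commands) {
            command();
            ++m_dispatched; // still valid: protectedThis keeps the host alive
        }
        return m_dispatched;
    }

private:
    std::vector<Command> m_pendingCommands;
    int m_dispatched { 0 };
};

// Models Session: the only long-lived owner of its SessionHost.
struct Session {
    std::shared_ptr<SessionHost> host;
};

// Models WebDriverService::deleteSession racing a browser exit: ownership of the
// Session moves into the completion handler queued on its own host, so running that
// handler deletes the Session and drops its reference to the host mid-dispatch.
int simulateBrowserExitDuringDeleteSession() {
    auto session = std::make_shared<Session>();
    session->host = std::make_shared<SessionHost>();
    SessionHost& host = *session->host;
    host.queueCommand([session = std::move(session)]() mutable {
        session.reset(); // Session destroyed; host now lives only via protectedThis
    });
    return host.connectionDidClose(); // returns 1; host is freed when this returns
}
```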

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes