[Backport] CVE-2021-30548: Use after free in Loader

yutakahirano · mibrunin · commit 9ab150d5ae5c · 2021-09-03T12:04:00.000Z
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2945126: [M90-LTS][LongTaskDetector] Remove container mutation during iteration On LongTaskDetector, we call OnLongTaskDetected for all registered observers. Some observers call LongTaskDetector::UnregisterObserver in the callback, which is problematic because container mutation is not allowed during iteration. Copy the observer set to avoid the violation. (cherry picked from commit 702f4d4ddb963cafb0d133972282dfc803510b75) (cherry picked from commit e88c656a9fb4a7bb1c66ddcedae8049a448ebef4) Bug: 1210487 Change-Id: Iccea748ac144def6884be8cf542cdc3572bed81a Reviewed-by: Deep Roy <dproy@chromium.org> Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Original-Original-Commit-Position: refs/heads/master@{#885033} Auto-Submit: Yutaka Hirano <yhirano@chromium.org> Owners-Override: Prudhvi Kumar Bommana <pbommana@google.com> Reviewed-by: Prudhvi Kumar Bommana <pbommana@google.com> Cr-Original-Commit-Position: refs/branch-heads/4472@{#1443} Cr-Original-Branched-From: 3d60439cfb36485e76a1c5bb7f513d3721b20da1-refs/heads/master@{#870763} Owners-Override: Victor-Gabriel Savu <vsavu@google.com> Reviewed-by: Artem Sumaneev <asumaneev@google.com> Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/4430@{#1518} Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/core/loader/long_task_detector.cc b/chromium/third_party/blink/renderer/core/loader/long_task_detector.cc
@@ -49,7 +49,10 @@ void LongTaskDetector::DidProcessTask(base::TimeTicks start_time,
     return;
 
   iterating_ = true;
-  for (auto& observer : observers_) {
+  // We copy `observers_` because it might be mutated in OnLongTaskDetected,
+  // and container mutation is not allowed during iteration.
+  const HeapHashSet<Member<LongTaskObserver>> observers = observers_;
+  for (auto& observer : observers) {
     observer->OnLongTaskDetected(start_time, end_time);
   }
   iterating_ = false;
