Fix UAF in Local Storage shutdown

This ensures that dangling AsyncDomStorageDatabase references are properly cleaned up when the database is freed during LocalStorageImpl shutdown, preventing UAFs in potentially already-scheduled tasks which would otherwise attempt to use those references. Fixed: 1152800 Change-Id: Ic98a00d4605aed61f3dee4a2cb9b0c14f3ebf868 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2565711 Auto-Submit: Ken Rockot <rockot@google.com> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#832146}

Fix UAF in Local Storage shutdown
This ensures that dangling AsyncDomStorageDatabase references are properly cleaned up when the database is freed during LocalStorageImpl shutdown, preventing UAFs in potentially already-scheduled tasks which would otherwise attempt to use those references. Fixed: 1152800 Change-Id: Ic98a00d4605aed61f3dee4a2cb9b0c14f3ebf868 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2565711 Auto-Submit: Ken Rockot <rockot@google.com> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/master@{#832146}
6b04ff4e · Ken Rockot · Chromium LUCI CQ · 1eee18ab · 6b04ff4e · 6b04ff4e
Commit 6b04ff4e authored Dec 01, 2020 by Ken Rockot Committed by Chromium LUCI CQ Dec 01, 2020
2 changed files
--- a/components/services/storage/dom_storage/local_storage_impl.cc
+++ b/components/services/storage/dom_storage/local_storage_impl.cc
@@ -796,6 +796,12 @@ void LocalStorageImpl::RunWhenConnected(base::OnceClosure callback) {
  std::move(callback).Run();
 }
+void LocalStorageImpl::PurgeAllStorageAreas() {
+  for (const auto& it : areas_)
+    it.second->storage_area()->CancelAllPendingRequests();
+  areas_.clear();
+}
 void LocalStorageImpl::InitiateConnection(bool in_memory_only) {
  if (connection_state_ == CONNECTION_SHUTDOWN)
    return;
@@ -922,9 +928,7 @@ void LocalStorageImpl::DeleteAndRecreateDatabase(const char* histogram_name) {
  // We're about to set database_ to null, so delete the StorageAreaImpls
  // that might still be using the old database.
-  for (const auto& it : areas_)
+  PurgeAllStorageAreas();
-    it.second->storage_area()->CancelAllPendingRequests();
-  areas_.clear();
  // Reset state to be in process of connecting. This will cause requests for
  // StorageAreas to be queued until the connection is complete.
@@ -1100,6 +1104,7 @@ void LocalStorageImpl::OnShutdownComplete() {
  // Flush any final tasks on the DB task runner before invoking the callback.
  leveldb_task_runner_->PostTaskAndReply(
      FROM_HERE, base::DoNothing(), std::move(shutdown_complete_callback_));
+  PurgeAllStorageAreas();
  database_.reset();
 }

--- a/components/services/storage/dom_storage/local_storage_impl.h
+++ b/components/services/storage/dom_storage/local_storage_impl.h
@@ -112,6 +112,10 @@ class LocalStorageImpl : public base::trace_event::MemoryDumpProvider,
  // Initiates connecting to the database if no connection is in progres yet.
  void RunWhenConnected(base::OnceClosure callback);
+  // StorageAreas held by this LocalStorageImpl retain an unmanaged reference to
+  // `database_`. This deletes them and is used any time `database_` is reset.
+  void PurgeAllStorageAreas();
  // Part of our asynchronous directory opening called from RunWhenConnected().
  void InitiateConnection(bool in_memory_only = false);
  void OnDatabaseOpened(leveldb::Status status);