[ServiceWorker] Fix a use-after-free in ServiceWorkerGlobalScope

Putting ElidedString().Utf8().data() to a trace object leads to UAF! Because Utf8() generates a temporary CString, but its .data() (a char*) is kept/used by the trace object without awareness that the CString is already gone. BUG=968558 Change-Id: I55187f3de2954fea2419707a45d92d53f56c5344 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637240 Commit-Queue: Leon Han <leon.han@intel.com> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Auto-Submit: Leon Han <leon.han@intel.com> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#665048}

[ServiceWorker] Fix a use-after-free in ServiceWorkerGlobalScope
Putting ElidedString().Utf8().data() to a trace object leads to UAF! Because Utf8() generates a temporary CString, but its .data() (a char*) is kept/used by the trace object without awareness that the CString is already gone. BUG=968558 Change-Id: I55187f3de2954fea2419707a45d92d53f56c5344 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637240 Commit-Queue: Leon Han <leon.han@intel.com> Commit-Queue: Makoto Shimazu <shimazu@chromium.org> Auto-Submit: Leon Han <leon.han@intel.com> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#665048}
8e522297 · Leon Han · Commit Bot · 7f5894b4 · 8e522297
Commit 8e522297 authored May 31, 2019 by Leon Han Committed by Commit Bot May 31, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc ...rer/modules/service_worker/service_worker_global_scope.cc +2 -2

No files found.
--- a/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
+++ b/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
@@ -692,7 +692,7 @@ void ServiceWorkerGlobalScope::DispatchOrQueueFetchEvent(
  DCHECK(IsContextThread());
  TRACE_EVENT2("ServiceWorker",
               "ServiceWorkerGlobalScope::DispatchOrQueueFetchEvent", "url",
-               params->request->url.ElidedString().Utf8().data(), "queued",
+               params->request->url.ElidedString().Utf8(), "queued",
               RequestedTermination() ? "true" : "false");
  if (RequestedTermination()) {
    timeout_timer_->PushPendingTask(WTF::Bind(
@@ -1581,7 +1581,7 @@ void ServiceWorkerGlobalScope::DispatchFetchEvent(
      TRACE_ID_WITH_SCOPE(kServiceWorkerGlobalScopeTraceScope,
                          TRACE_ID_LOCAL(event_id)),
      TRACE_EVENT_FLAG_FLOW_OUT, "url",
-      params->request->url.ElidedString().Utf8().data());
+      params->request->url.ElidedString().Utf8());

  // Set up for navigation preload (FetchEvent#preloadResponse) if needed.
  const bool navigation_preload_sent = !!params->preload_handle;