[CellularSetup] Fix UAF in chrome://cellular-setup.

This CL fixes UAF in CellularSetupImpl class. This was caused because of callbacks bound with Unretained reference. Fixed this using WeakPtrFactory so that callbacks will not be referenced after CellularSetupImpl is destroyed. Fixes: 1114066 Change-Id: I6d9e2b7676e21f28861cf5ba78308e3400a4fe6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2347923Reviewed-by: Kyle Horimoto <khorimoto@chromium.org> Commit-Queue: Azeem Arshad <azeemarshad@chromium.org> Cr-Commit-Position: refs/heads/master@{#796649}

[CellularSetup] Fix UAF in chrome://cellular-setup.
This CL fixes UAF in CellularSetupImpl class. This was caused because of callbacks bound with Unretained reference. Fixed this using WeakPtrFactory so that callbacks will not be referenced after CellularSetupImpl is destroyed. Fixes: 1114066 Change-Id: I6d9e2b7676e21f28861cf5ba78308e3400a4fe6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2347923Reviewed-by: Kyle Horimoto <khorimoto@chromium.org> Commit-Queue: Azeem Arshad <azeemarshad@chromium.org> Cr-Commit-Position: refs/heads/master@{#796649}
c8220686 · Azeem Arshad · Commit Bot · 30f19bbf · c8220686 · c8220686
Commit c8220686 authored Aug 11, 2020 by Azeem Arshad Committed by Commit Bot Aug 11, 2020
3 changed files
--- a/chrome/browser/ui/webui/chrome_url_data_manager_browsertest.cc
+++ b/chrome/browser/ui/webui/chrome_url_data_manager_browsertest.cc
@@ -273,6 +273,7 @@ static constexpr const char* const kChromeUrls[] = {
    "chrome://add-supervision",
    "chrome://assistant-optin",
    "chrome://bluetooth-pairing",
+    "chrome://cellular-setup",
    "chrome://certificate-manager",
    "chrome://crostini-credits",
    "chrome://crostini-installer",

--- a/chromeos/services/cellular_setup/cellular_setup_impl.cc
+++ b/chromeos/services/cellular_setup/cellular_setup_impl.cc
@@ -31,7 +31,7 @@ void CellularSetupImpl::StartActivation(
      OtaActivatorImpl::Factory::Create(
          std::move(delegate),
          base::BindOnce(&CellularSetupImpl::OnActivationAttemptFinished,
-                         base::Unretained(this), request_id),
+                         weak_ptr_factory_.GetWeakPtr(), request_id),
          network_handler->network_state_handler(),
          network_handler->network_connection_handler(),
          network_handler->network_activation_handler());

--- a/chromeos/services/cellular_setup/cellular_setup_impl.h
+++ b/chromeos/services/cellular_setup/cellular_setup_impl.h
@@ -9,6 +9,7 @@

 #include "base/containers/id_map.h"
 #include "base/macros.h"
+#include "base/memory/weak_ptr.h"
 #include "chromeos/services/cellular_setup/cellular_setup_base.h"
 #include "mojo/public/cpp/bindings/pending_remote.h"

@@ -35,6 +36,7 @@ class CellularSetupImpl : public CellularSetupBase {

  size_t next_request_id_ = 0u;
  base::IDMap<std::unique_ptr<OtaActivator>, size_t> ota_activator_map_;
+  base::WeakPtrFactory<CellularSetupImpl> weak_ptr_factory_{this};

  DISALLOW_COPY_AND_ASSIGN(CellularSetupImpl);
 };