Fix potential UAF in Session Storage

This was fixed for StorageAreaImpl usage in the Local Storage implementation, but Session Storage was overlooked. It turns out that Session Storage namespaces also own StorageAreaImpl objects, and these too can outlive their backing database. This ensures that the map of namespaces is cleared before SessionStorageImpl resets its database, avoiding the UAF. Bug: 1152800 Change-Id: I946841b20fa73754e8b8ac611b352db0319ce4d0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2617239 Commit-Queue: Ken Rockot <rockot@google.com> Commit-Queue: Victor Costan <pwnall@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Cr-Commit-Position: refs/heads/master@{#841363}

Fix potential UAF in Session Storage
This was fixed for StorageAreaImpl usage in the Local Storage implementation, but Session Storage was overlooked. It turns out that Session Storage namespaces also own StorageAreaImpl objects, and these too can outlive their backing database. This ensures that the map of namespaces is cleared before SessionStorageImpl resets its database, avoiding the UAF. Bug: 1152800 Change-Id: I946841b20fa73754e8b8ac611b352db0319ce4d0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2617239 Commit-Queue: Ken Rockot <rockot@google.com> Commit-Queue: Victor Costan <pwnall@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Cr-Commit-Position: refs/heads/master@{#841363}
d3cf8403 · Ken Rockot · Chromium LUCI CQ · 5719e284 · d3cf8403 · d3cf8403
Commit d3cf8403 authored Jan 08, 2021 by Ken Rockot Committed by Chromium LUCI CQ Jan 08, 2021
2 changed files
--- a/components/services/storage/dom_storage/session_storage_impl.cc
+++ b/components/services/storage/dom_storage/session_storage_impl.cc
@@ -995,19 +995,21 @@ void SessionStorageImpl::OnConnectionFinished() {
    std::move(callbacks[i]).Run();
 }

+void SessionStorageImpl::PurgeAllNamespaces() {
+  for (const auto& it : data_maps_)
+    it.second->storage_area()->CancelAllPendingRequests();
+  for (const auto& namespace_pair : namespaces_)
+    namespace_pair.second->Reset();
+  DCHECK(data_maps_.empty());
+}
+
 void SessionStorageImpl::DeleteAndRecreateDatabase(const char* histogram_name) {
  if (connection_state_ == CONNECTION_SHUTDOWN)
    return;

  // We're about to set database_ to null, so delete the StorageAreas
  // that might still be using the old database.
-  for (const auto& it : data_maps_)
-    it.second->storage_area()->CancelAllPendingRequests();
-
-  for (const auto& namespace_pair : namespaces_) {
-    namespace_pair.second->Reset();
-  }
-  DCHECK(data_maps_.empty());
+  PurgeAllNamespaces();

  // Reset state to be in process of connecting. This will cause requests for
  // StorageAreas to be queued until the connection is complete.
@@ -1059,6 +1061,7 @@ void SessionStorageImpl::OnDBDestroyed(bool recreate_in_memory,
 void SessionStorageImpl::OnShutdownComplete() {
  DCHECK(shutdown_complete_callback_);
  // Flush any final tasks on the DB task runner before invoking the callback.
+  PurgeAllNamespaces();
  database_.reset();
  leveldb_task_runner_->PostTaskAndReply(
      FROM_HERE, base::DoNothing(), std::move(shutdown_complete_callback_));

--- a/components/services/storage/dom_storage/session_storage_impl.h
+++ b/components/services/storage/dom_storage/session_storage_impl.h
@@ -221,6 +221,7 @@ class SessionStorageImpl : public base::trace_event::MemoryDumpProvider,
  MetadataParseResult ParseNextMapId(ValueAndStatus next_map_id);

  void OnConnectionFinished();
+  void PurgeAllNamespaces();
  void DeleteAndRecreateDatabase(const char* histogram_name);
  void OnDBDestroyed(bool recreate_in_memory, leveldb::Status status);