Chrome StoragePartitionService Double-Destruction Race

Posted by deepcore on March 20, 2019 – 9:40 pm

There’s a race condition in the destruction of the BindingState for bindings to the StoragePartitionService in Chrome. The root cause appears to be that two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback() on the same BindingSet can occur, which results in a data race destroying the same BindingState.
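The root cause above, two deliveries of a bad-message callback racing to destroy the same BindingState, is a teardown-idempotency problem. As an added illustration that is not Chrome's or mojo's code, this C++ model shows the hardened shape of such a callback: removal is keyed by an id, serialized by a mutex, and destroys only what the set still owns, so a second delivery is a no-op. The BindingSet, BindingState, Add and RemoveBinding names are hypothetical stand-ins borrowed from the page's terminology, and the set is assumed to outlive its callbacks.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <mutex>
// Stand-in for a per-connection BindingState (hypothetical, not mojo's type);
// the counter lets a caller observe how many times it was destroyed.
struct BindingState {
  explicit BindingState(int* destroyed) : destroyed_(destroyed) {}
  ~BindingState() { ++*destroyed_; }
  int* destroyed_;
};
// Minimal model of a BindingSet handing out bad-message callbacks. Teardown is
// keyed by id, done under a mutex, and only if the set still owns the binding.
class BindingSet {
 public:
  int Add(std::unique_ptr<BindingState> state) {
    std::lock_guard<std::mutex> lock(mu_);
    int id = next_id_++;
    bindings_[id] = std::move(state);
    return id;
  }
  std::function<void()> GetBadMessageCallback(int id) {
    return [this, id] { RemoveBinding(id); };  // captures an id, not a pointer
  }
 private:
  void RemoveBinding(int id) {
    std::unique_ptr<BindingState> doomed;
    {
      std::lock_guard<std::mutex> lock(mu_);
      auto it = bindings_.find(id);
      if (it == bindings_.end()) return;  // already torn down: no-op
      doomed = std::move(it->second);
      bindings_.erase(it);
    }
  }  // `doomed` is released here: exactly once, and outside the lock
  std::mutex mu_;
  int next_id_ = 0;
  std::map<int, std::unique_ptr<BindingState>> bindings_;
};
// Delivers the same bad-message callback twice, as in the post's scenario, and
// returns how many times the BindingState was destroyed (expected: 1).
int DestroyedAfterDoubleDispatch() {
  int destroyed = 0;
  BindingSet set;
  int id = set.Add(std::make_unique<BindingState>(&destroyed));
  auto on_bad_message = set.GetBadMessageCallback(id);
  on_bad_message();
  on_bad_message();
  return destroyed;
}
```

The mutex serializes concurrent deliveries and the ownership check makes the later one harmless; a callback that instead captured and deleted a raw BindingState pointer would free it twice in the same scenario.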
