[Backport] CVE-2023-2935: Type Confusion in V8

Partial manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4567879: [M108-LTS][runtime] Fix handling of interceptors Drive-by: simplify creation of LookupIterator copies. (cherry picked from commit d125c7329f6e22af4523de3c55de3a22f168acc9) Bug: chromium:1440695 Change-Id: Icadab9c8b682f87524eed4c508e27be3a8c5b2d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4537324 Commit-Queue: Igor Sheludko <[email protected]> Cr-Original-Commit-Position: refs/heads/main@{#87701} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4567879 Commit-Queue: Roger Felipe Zanoni da Silva <[email protected]> Reviewed-by: Igor Sheludko <[email protected]> Cr-Commit-Position: refs/branch-heads/10.8@{#60} Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1} Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/481571 Reviewed-by: Michal Klocek <[email protected]>
qt · Jun 15, 2023 · 9ac66f4 · 9ac66f4
1 parent 5ee06c3
commit 9ac66f4
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/chromium/v8/src/objects/lookup-inl.h b/chromium/v8/src/objects/lookup-inl.h
@@ -118,6 +118,29 @@ LookupIterator::Key::Key(Isolate* isolate, double index) {
 #endif
 }
 
+LookupIterator::Key::Key(Isolate* isolate, Handle<Name> name, size_t index)
+    : name_(name), index_(index) {
+  DCHECK_IMPLIES(index_ == LookupIterator::kInvalidIndex, !name_.is_null());
+#if V8_TARGET_ARCH_32_BIT
+  DCHECK_IMPLIES(index_ != LookupIterator::kInvalidIndex,
+                 index_ <= JSObject::kMaxElementIndex);
+#endif
+#if DEBUG
+  if (index_ != LookupIterator::kInvalidIndex && !name_.is_null()) {
+    // If both valid index and name are given then the name is a string
+    // representation of the same index.
+    size_t integer_index;
+    CHECK(name_->AsIntegerIndex(&integer_index));
+    CHECK_EQ(index_, integer_index);
+  } else if (index_ == LookupIterator::kInvalidIndex) {
+    // If only name is given it must not be a string representing an integer
+    // index.
+    size_t integer_index;
+    CHECK(!name_->AsIntegerIndex(&integer_index));
+  }
+#endif
+}
+
 LookupIterator::Key::Key(Isolate* isolate, Handle<Name> name) {
   if (name->AsIntegerIndex(&index_)) {
     name_ = name;
@@ -150,6 +173,10 @@ Handle<Name> LookupIterator::Key::GetName(Isolate* isolate) {
   return name_;
 }
 
+LookupIterator::Key LookupIterator::GetKey() const {
+  return LookupIterator::Key(isolate_, name_, index_);
+}
+
 Handle<Name> LookupIterator::name() const {
   DCHECK(!IsElement(*holder_));
   return name_;

diff --git a/chromium/v8/src/objects/lookup.h b/chromium/v8/src/objects/lookup.h
@@ -61,6 +61,11 @@ class V8_EXPORT_PRIVATE LookupIterator final {
     inline Handle<Name> GetName(Isolate* isolate);
 
    private:
+    friend LookupIterator;
+
+    // Shortcut for constructing Key from an active LookupIterator.
+    inline Key(Isolate* isolate, Handle<Name> name, size_t index);
+
     Handle<Name> name_;
     size_t index_;
   };
@@ -101,6 +106,9 @@ class V8_EXPORT_PRIVATE LookupIterator final {
     return static_cast<uint32_t>(index_);
   }
 
+  // Helper method for creating a copy of of the iterator.
+  inline Key GetKey() const;
+
   // Returns true if this LookupIterator has an index in the range
   // [0, size_t::max).
   bool IsElement() const { return index_ != kInvalidIndex; }

diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
@@ -2621,10 +2621,8 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
 
   // Note, the callers rely on the fact that this code is redoing the full own
   // lookup from scratch.
-  LookupIterator::Configuration c = LookupIterator::OWN;
-  LookupIterator own_lookup =
-      it->IsElement() ? LookupIterator(isolate, receiver, it->index(), c)
-                      : LookupIterator(isolate, receiver, it->name(), c);
+  LookupIterator own_lookup(isolate, receiver, it->GetKey(),
+                            LookupIterator::OWN);
 
   for (; own_lookup.IsFound(); own_lookup.Next()) {
     switch (own_lookup.state()) {
@@ -2662,6 +2660,8 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
             JSReceiver::GetOwnPropertyDescriptor(&own_lookup, &desc);
         MAYBE_RETURN(owned, Nothing<bool>());
         if (!owned.FromJust()) {
+          // |own_lookup| might become outdated at this point anyway.
+          own_lookup.Restart();
           return JSReceiver::CreateDataProperty(&own_lookup, value,
                                                 should_throw);
         }