[Backport] CVE-2023-0473: Type Confusion in ServiceWorker API

Cherry-pick of patch originallt reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4159531: Ensure v8::Value type is v8::Function in FetchHandlerType(). In the previous code, we did not confirm the returned v8::Value is v8::Function or not in ServiceWorkerGlobalScope::FetchHandlerType(). If non function type is set as an fetch event listener, it causes misbehavior. (cherry picked from commit f68e9991d68d7ee36eb679cf5ffec06ab89569ac) Bug: 1404639 Change-Id: I7bc32f91108b2ffd3c5e8dc0464f2fa4adc41e8a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4137870 Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1089635} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4159531 Reviewed-by: Minoru Chikamune <chikamune@chromium.org> Reviewed-by: Shunya Shishido <sisidovski@chromium.org> Cr-Commit-Position: refs/branch-heads/5359@{#1328} Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/456884 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Yoshisato Yanagisawa <yyanagisawa@chromium.org> 2023-01-13 00:14:55 +0000
committer: Michal Klocek <michal.klocek@qt.io> 2023-02-02 10:34:20 +0000
commit: 05ea098dd348a752a5aee98ed4b6a2dd5fcd7527 (patch)
tree: 56755f7ec3ec67f279471516ae8eae6296a9593d
parent: 163ca80e46f20b4f73b393148acd6ae97131db19 (diff)
download: qtwebengine-chromium-05ea098dd348a752a5aee98ed4b6a2dd5fcd7527.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
index 72f98ac40a6..c66d232a655 100644
--- a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
+++ b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
@@ -2610,7 +2610,8 @@ ServiceWorkerGlobalScope::FetchHandlerType() {
     EventTarget* et = EventTarget::Create(ScriptController()->GetScriptState());
     v8::Local<v8::Value> v =
         To<JSBasedEventListener>(e.Callback())->GetEffectiveFunction(*et);
-    if (!v.As<v8::Function>()->Experimental_IsNopFunction()) {
+    if (!v->IsFunction() ||
+        !v.As<v8::Function>()->Experimental_IsNopFunction()) {
       return mojom::blink::ServiceWorkerFetchHandlerType::kNotSkippable;
     }
   }
author	Yoshisato Yanagisawa <yyanagisawa@chromium.org>	2023-01-13 00:14:55 +0000
committer	Michal Klocek <michal.klocek@qt.io>	2023-02-02 10:34:20 +0000
commit	05ea098dd348a752a5aee98ed4b6a2dd5fcd7527 (patch)
tree	56755f7ec3ec67f279471516ae8eae6296a9593d
parent	163ca80e46f20b4f73b393148acd6ae97131db19 (diff)
download	qtwebengine-chromium-05ea098dd348a752a5aee98ed4b6a2dd5fcd7527.tar.gz