authorThibaud Michaud <thibaudm@chromium.org>2022-10-26 17:03:36 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-11-16 22:22:30 +0000
commit6564b7124809f45ff4abe0743599ada5f14d25c8 (patch)
tree931ca884cb26d0e4006ceb214c50966925bf79e1
parent3fee1f10c075c78ea88386386158961600643532 (diff)
downloadqtwebengine-chromium-6564b7124809f45ff4abe0743599ada5f14d25c8.tar.gz
[Backport] CVE-2022-3885: Use after free in V8
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3982115: [wasm] Reload cached instance fields in catch handler The memory start and size are reloaded after a call in case the call grows the memory. We should also reload them when the call throws. We don't need to reload in the 'delegate' case since this will be handled by the catch handler that it delegates to. R=jkummerow@chromium.org Bug: chromium:1377816 Change-Id: Ied1cdb6ed83c1de6a5992df21d776aca9ccf02e6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3982115 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83959} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/443346 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/wasm/graph-builder-interface.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/v8/src/wasm/graph-builder-interface.cc b/chromium/v8/src/wasm/graph-builder-interface.cc
index 3fc6b066bb2..3b9741eb41d 100644
--- a/chromium/v8/src/wasm/graph-builder-interface.cc
+++ b/chromium/v8/src/wasm/graph-builder-interface.cc
@@ -89,6 +89,7 @@ class WasmGraphBuildingInterface {
struct TryInfo : public ZoneObject {
SsaEnv* catch_env;
TFNode* exception = nullptr;
+ bool first_catch = true;
bool might_throw() const { return exception != nullptr; }
@@ -603,6 +604,10 @@ class WasmGraphBuildingInterface {
}
SetEnv(block->try_info->catch_env);
+ if (block->try_info->first_catch) {
+ LoadContextIntoSsa(ssa_env_);
+ block->try_info->first_catch = false;
+ }
DCHECK_NOT_NULL(block->try_info->exception);
exception->node = block->try_info->exception;
}
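Review bot: The reload at `if (block->try_info->first_catch)` carries no comment saying why the cached instance fields must be refreshed at this point, and `bool first_catch = true;` in TryInfo (first hunk) is likewise undocumented, so a reader will not see that it mirrors the reload already done after calls. I would put above the `if`: `// A call in the try body may have grown memory; reload the cached memory start/size once, in the first catch handler, as is done after a call.` and on the field: `// True until the first catch handler of this try block has reloaded the cached instance fields.`. The diffstat shows only graph-builder-interface.cc changed, so no regression test (a module that grows memory inside a try block and then reads it in the catch handler) accompanies the backport here; worth confirming the upstream test was carried over or covered elsewhere. The enclosing catch-handler function starts outside this hunk.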