From 6564b7124809f45ff4abe0743599ada5f14d25c8 Mon Sep 17 00:00:00 2001
From: Thibaud Michaud
Date: Wed, 26 Oct 2022 17:03:36 +0200
Subject: [Backport] CVE-2022-3885: Use after free in V8

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3982115:

[wasm] Reload cached instance fields in catch handler

The memory start and size are reloaded after a call in case the call grows the memory. We should also reload them when the call throws. We don't need to reload in the 'delegate' case since this will be handled by the catch handler that it delegates to.

R=jkummerow@chromium.org

Bug: chromium:1377816
Change-Id: Ied1cdb6ed83c1de6a5992df21d776aca9ccf02e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3982115
Commit-Queue: Thibaud Michaud
Reviewed-by: Jakob Kummerow
Cr-Commit-Position: refs/heads/main@{#83959}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/443346
Reviewed-by: Michal Klocek
---
 chromium/v8/src/wasm/graph-builder-interface.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/chromium/v8/src/wasm/graph-builder-interface.cc b/chromium/v8/src/wasm/graph-builder-interface.cc
index 3fc6b066bb2..3b9741eb41d 100644
--- a/chromium/v8/src/wasm/graph-builder-interface.cc
+++ b/chromium/v8/src/wasm/graph-builder-interface.cc
@@ -89,6 +89,7 @@ class WasmGraphBuildingInterface {
   struct TryInfo : public ZoneObject {
     SsaEnv* catch_env;
     TFNode* exception = nullptr;
+    bool first_catch = true;
 
     bool might_throw() const { return exception != nullptr; }
 
@@ -603,6 +604,10 @@ class WasmGraphBuildingInterface {
     }
 
     SetEnv(block->try_info->catch_env);
+    if (block->try_info->first_catch) {
+      LoadContextIntoSsa(ssa_env_);
+      block->try_info->first_catch = false;
+    }
     DCHECK_NOT_NULL(block->try_info->exception);
     exception->node = block->try_info->exception;
   }
-- 
cgit v1.2.1
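Review bot: The reload block added after `SetEnv(block->try_info->catch_env);` in the second hunk carries no comment, so the reason for it (a call inside the try may have grown memory before throwing, leaving the cached memory start and size in the catch environment stale) lives only in the commit message; a comment such as `// A call in the try block may have grown memory before throwing; reload the cached instance fields so the catch body does not use a stale memory start/size.` should sit above the `if`. The new `first_catch` field in TryInfo (first hunk) likewise deserves a one-line comment, e.g. `// Cleared once the catch handler has reloaded the cached instance fields.`, since its only consumer is this block. The backport also ships without a regression test; if the upstream change carried a wasm test that grows memory inside a try and touches memory in the catch, porting it would pin the fix against future merges. The enclosing catch-handler function begins outside the hunk, so I cannot tell from here whether other paths into `catch_env` would also need the reload.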