[Backport] CVE-2024-9959: Use after free in DevTools

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5886170:
Fix accessing disposed V8 session in page agent

Scripts running as part of Page.evaluateScriptOnNewDocument can pause
the page. During a pause we can detach the DevTools session, but the
page agent is still in the middle of running the
"DidCreateMainWorldContext" probe. This means any additional
Page.evaluateScriptOnNewDocument scripts would attempt to eval on
a detached V8 session.

This CL fixes this by overriding InspectorBaseAgent::Dispose in the
page agent and resetting `v8_session_` to a nullptr which we can
check for before evaling more scripts.

This check is only necessary for page agent methods that execute
more than one JS script as for all the others we wouldn't call
the probes on a disposed agent in the first place.

[email protected], [email protected]

Fixed: 368672129
Change-Id: I4c3361c8116a64343206da991e503aaa6bd917f6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5886170
Reviewed-by: Danil Somsikov <[email protected]>
Reviewed-by: Andrey Kosyakov <[email protected]>
Commit-Queue: Simon Zünd <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1359730}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597921
Reviewed-by: Michal Klocek <[email protected]>

Author: szuend

chromium/third_party/blink/renderer/core/inspector/inspector_page_agent.cc

@@ -1036,7 +1036,7 @@ void InspectorPageAgent::DidCreateMainWorldContext(LocalFrame* frame) {
     return;
   }
   ScriptState* script_state = ToScriptStateForMainWorld(frame);
-  if (!script_state) {
+  if (!script_state || !v8_session_) {
     return;
   }
 
@@ -1061,7 +1061,7 @@ void InspectorPageAgent::EvaluateScriptOnNewDocument(
                       *DOMWrapperWorld::EnsureIsolatedWorld(
                           ToIsolate(window->GetFrame()), world->GetWorldId()));
   }
-  if (!script_state) {
+  if (!script_state || !v8_session_) {
     return;
   }
 
@@ -1972,6 +1972,11 @@ void InspectorPageAgent::Trace(Visitor* visitor) const {
   InspectorBaseAgent::Trace(visitor);
 }
 
+void InspectorPageAgent::Dispose() {
+  InspectorBaseAgent::Dispose();
+  v8_session_ = nullptr;
+}
+
 protocol::Response InspectorPageAgent::getOriginTrials(
     const String& frame_id,
     std::unique_ptr<protocol::Array<protocol::Page::OriginTrial>>*

chromium/third_party/blink/renderer/core/inspector/inspector_page_agent.h

@@ -269,6 +269,7 @@ class CORE_EXPORT InspectorPageAgent final
   bool ScreencastEnabled();
 
   void Trace(Visitor*) const override;
+  void Dispose() override;
 
  private:
   struct IsolatedWorldRequest;