[Backport] CVE-2024-9603: Type Confusion in V8

victorgomes · mibrunin · commit fb65b88f6e76 · 2024-10-21T07:45:53.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5901846: Consider WasmStruct in InferHasInPrototypeChain Drive-by: add some CHECKs in not _clearly_ safe uses of AsJSObject to turn possible vulnerablities into crashes. Fixed: 367818758 Change-Id: Ib0464658152ce87141fa137dc6562f17b84bb6be Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5901846 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/main@{#96386} (cherry picked from commit 81155a8f3b20fbfc7e36c2419f5326f1d0ad7d75) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597918 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/v8/src/compiler/access-info.cc b/chromium/v8/src/compiler/access-info.cc
@@ -915,6 +915,7 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
       return PropertyAccessInfo::NotFound(zone(), receiver_map, holder);
     }
 
+    CHECK(prototype.IsJSObject());
     holder = prototype.AsJSObject();
     map = map_prototype_map;
 
diff --git a/chromium/v8/src/compiler/heap-refs.cc b/chromium/v8/src/compiler/heap-refs.cc
@@ -1631,6 +1631,7 @@ HolderLookupResult FunctionTemplateInfoRef::LookupHolderOfExpectedType(
   if (!expected_receiver_type->IsTemplateFor(prototype.object()->map())) {
     return not_found;
   }
+  CHECK(prototype.IsJSObject());
   return HolderLookupResult(CallOptimization::kHolderFound,
                             prototype.AsJSObject());
 }
diff --git a/chromium/v8/src/compiler/js-native-context-specialization.cc b/chromium/v8/src/compiler/js-native-context-specialization.cc
@@ -879,7 +879,9 @@ JSNativeContextSpecialization::InferHasInPrototypeChain(
       // might be a different object each time, so it's much simpler to include
       // {prototype}. That does, however, mean that we must check {prototype}'s
       // map stability.
-      if (!prototype.map(broker()).is_stable()) return kMayBeInPrototypeChain;
+      if (!prototype.IsJSObject() || !prototype.map(broker()).is_stable()) {
+        return kMayBeInPrototypeChain;
+      }
       last_prototype = prototype.AsJSObject();
     }
     WhereToStart start = result == NodeProperties::kUnreliableMaps

Original file line number	Diff line number	Diff line change
`@@ -915,6 +915,7 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(`
`915`	`915`	`return PropertyAccessInfo::NotFound(zone(), receiver_map, holder);`
`916`	`916`	`}`
`917`	`917`
	`918`	`+ CHECK(prototype.IsJSObject());`
`918`	`919`	`holder = prototype.AsJSObject();`
`919`	`920`	`map = map_prototype_map;`
`920`	`921`
Original file line number	Diff line number	Diff line change
`@@ -1631,6 +1631,7 @@ HolderLookupResult FunctionTemplateInfoRef::LookupHolderOfExpectedType(`
`1631`	`1631`	`if (!expected_receiver_type->IsTemplateFor(prototype.object()->map())) {`
`1632`	`1632`	`return not_found;`
`1633`	`1633`	`}`
	`1634`	`+ CHECK(prototype.IsJSObject());`
`1634`	`1635`	`return HolderLookupResult(CallOptimization::kHolderFound,`
`1635`	`1636`	`prototype.AsJSObject());`
`1636`	`1637`	`}`