[Backport] CVE-2023-6702: Type Confusion in V8

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5110982: Fix the case when the closure has run M114 changes: - replace IsNativeContext(*context) by context->IsNativeContext() We were using the closure pointing to NativeContext as a marker that the closure has run, but async stack trace code was confused about it. (cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f) Bug: chromium:1501326 Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083 Cr-Original-Commit-Position: refs/heads/main@{#90949} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982 Commit-Queue: Marja Hölttä <[email protected]> Auto-Submit: Marja Hölttä <[email protected]> Cr-Commit-Position: refs/branch-heads/12.0@{#18} Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1} Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651} (cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526350 Reviewed-by: Michal Klocek <[email protected]>
qt · Jan 8, 2024 · d9c96af · d9c96af
1 parent 400d873
commit d9c96af
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/chromium/v8/src/execution/isolate.cc b/chromium/v8/src/execution/isolate.cc
@@ -1022,7 +1022,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
                                     isolate);
       builder->AppendPromiseCombinatorFrame(function, combinator);
 
-      // Now peak into the Promise.all() resolve element context to
+      if (context->IsNativeContext()) {
+        // NativeContext is used as a marker that the closure was already
+        // called. We can't access the reject element context any more.
+        return;
+      }
+
+      // Now peek into the Promise.all() resolve element context to
       // find the promise capability that's being resolved when all
       // the concurrent promises resolve.
       int const index =
@@ -1041,7 +1047,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
           context->native_context().promise_all_settled(), isolate);
       builder->AppendPromiseCombinatorFrame(function, combinator);
 
-      // Now peak into the Promise.allSettled() resolve element context to
+      if (context->IsNativeContext()) {
+        // NativeContext is used as a marker that the closure was already
+        // called. We can't access the reject element context any more.
+        return;
+      }
+
+      // Now peek into the Promise.allSettled() resolve element context to
       // find the promise capability that's being resolved when all
       // the concurrent promises resolve.
       int const index =
@@ -1059,7 +1071,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
                                     isolate);
       builder->AppendPromiseCombinatorFrame(function, combinator);
 
-      // Now peak into the Promise.any() reject element context to
+      if (context->IsNativeContext()) {
+        // NativeContext is used as a marker that the closure was already
+        // called. We can't access the reject element context any more.
+        return;
+      }
+
+      // Now peek into the Promise.any() reject element context to
       // find the promise capability that's being resolved when any of
       // the concurrent promises resolve.
       int const index = PromiseBuiltins::kPromiseAnyRejectElementCapabilitySlot;