[Backport] CVE-2021-30541: Use after free in V8

victorgomes · mibrunin · commit 95f2f82f7d6e · 2021-09-03T12:05:39.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3067222: Fix GC issue in BuildJsonObject We must ensure that the sweeper is not running or has already swept mutable_double_buffer. Otherwise the GC can add it to the free list. (cherry picked from commit 81181a8ad80ac978a6a8732d05f615c645df95d2) Bug: v8:11837 Bug: chromium:1214842 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: Ifd9cf15f1c94f664fd6489c70bb38b59730cdd78 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#74859} Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Reviewed-by: Jana Grill <janagrill@google.com> Cr-Commit-Position: refs/branch-heads/9.0@{#68} Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1} Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/v8/src/heap/heap.cc b/chromium/v8/src/heap/heap.cc
@@ -2117,6 +2117,10 @@ void Heap::CompleteSweepingYoung(GarbageCollector collector) {
   array_buffer_sweeper()->EnsureFinished();
 }
 
+void Heap::EnsureSweepingCompleted() {
+  mark_compact_collector()->EnsureSweepingCompleted();
+}
+
 void Heap::UpdateCurrentEpoch(GarbageCollector collector) {
   if (IsYoungGenerationCollector(collector)) {
     epoch_young_ = next_epoch();
diff --git a/chromium/v8/src/heap/heap.h b/chromium/v8/src/heap/heap.h
@@ -1068,6 +1068,8 @@ class Heap {
   void CompleteSweepingFull();
   void CompleteSweepingYoung(GarbageCollector collector);
 
+  void EnsureSweepingCompleted();
+
   IncrementalMarking* incremental_marking() {
     return incremental_marking_.get();
   }
diff --git a/chromium/v8/src/json/json-parser.cc b/chromium/v8/src/json/json-parser.cc
@@ -620,6 +620,11 @@ Handle<Object> JsonParser<Char>::BuildJsonObject(
         DCHECK_EQ(mutable_double_address, end);
       }
 #endif
+      // Before setting the length of mutable_double_buffer back to zero, we
+      // must ensure that the sweeper is not running or has already swept the
+      // object's page. Otherwise the GC can add the contents of
+      // mutable_double_buffer to the free list.
+      isolate()->heap()->EnsureSweepingCompleted();
       mutable_double_buffer->set_length(0);
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -1068,6 +1068,8 @@ class Heap {`
`1068`	`1068`	`void CompleteSweepingFull();`
`1069`	`1069`	`void CompleteSweepingYoung(GarbageCollector collector);`
`1070`	`1070`
	`1071`	`+ void EnsureSweepingCompleted();`
	`1072`	`+`
`1071`	`1073`	`IncrementalMarking* incremental_marking() {`
`1072`	`1074`	`return incremental_marking_.get();`
`1073`	`1075`	`}`
Original file line number	Diff line number	Diff line change
`@@ -620,6 +620,11 @@ Handle<Object> JsonParser<Char>::BuildJsonObject(`
`620`	`620`	`DCHECK_EQ(mutable_double_address, end);`
`621`	`621`	`}`
`622`	`622`	`#endif`
	`623`	`+ // Before setting the length of mutable_double_buffer back to zero, we`
	`624`	`+ // must ensure that the sweeper is not running or has already swept the`
	`625`	`+ // object's page. Otherwise the GC can add the contents of`
	`626`	`+ // mutable_double_buffer to the free list.`
	`627`	`+ isolate()->heap()->EnsureSweepingCompleted();`
`623`	`628`	`mutable_double_buffer->set_length(0);`
`624`	`629`	`}`
`625`	`630`	`}`