[Backport] CVE-2023-2133: Out of bounds memory access in Service Worker API.

yoshisatoyanagisawa · mibrunin · commit b2e45eb044ca · 2023-05-02T08:59:39.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4405896: Use ScriptState::Scope instead of setting HandleScope. M108 merge issues: third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc: Conflicting declarations for isolate content_unittests_bundle_data.filelist: Not present in 108, skipped; Only used in iOS tests on main Since `GetEffectiveFunction` may call `Get` if the given v8 listener is an object, we need to prepare `v8::Context::Scope` before calling it. Blink already have a helper class to prepare the environment for the script execution, which has already been used used in other ServiceWorkerGlobalScope member functions. It is `ScriptState::Scope` This CL also use it instead. (cherry picked from commit 299385e09d41d5ce3abd434879b5f9b0a8880cd7) Bug: 1429197 Change-Id: Idbcfdfa9c06160a18b57155a9540f72eed4ec0b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4387655 Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org> Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Auto-Submit: Yoshisato Yanagisawa <yyanagisawa@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1125148} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4405896 Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/5359@{#1448} Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474620 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc
@@ -2602,12 +2602,15 @@ ServiceWorkerGlobalScope::FetchHandlerType() {
   if (!elv) {
     return mojom::blink::ServiceWorkerFetchHandlerType::kNoHandler;
   }
-  v8::Isolate* isolate = v8::Isolate::GetCurrent();
-  v8::HandleScope handle_scope(isolate);
+
+  ScriptState* script_state = ScriptController()->GetScriptState();
+  // Do not remove this, |scope| is needed by `GetEffectiveFunction`.
+  ScriptState::Scope scope(script_state);
+
   // TODO(crbug.com/1349613): revisit the way to implement this.
   // The following code returns kEmptyFetchHandler if all handlers are nop.
   for (RegisteredEventListener& e : *elv) {
-    EventTarget* et = EventTarget::Create(ScriptController()->GetScriptState());
+    EventTarget* et = EventTarget::Create(script_state);
     v8::Local<v8::Value> v =
         To<JSBasedEventListener>(e.Callback())->GetEffectiveFunction(*et);
     if (!v->IsFunction() ||
