[Backport] CVE-2024-3156: Inappropriate implementation in V8.

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5410311: Merged: [wasm][gc] Scan the code field of the WasmInternalFunction The code field in the WasmInternalFunction is a code pointer since https://crrev.com/c/5110559, so it has to be scanned explicitly. Bug: 329130358 (cherry picked from commit b93975a48c722c2e5fe9b39437738eb2e23dac74) Change-Id: I0795d2188a8af3480c513d1dbaccfcef1da04473 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5410311 Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Auto-Submit: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/branch-heads/12.2@{#54} Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554648 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
qt · Jun 11, 2024 · a66bb24 · a66bb24
1 parent 343d270
commit a66bb24
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/chromium/v8/src/objects/objects-body-descriptors-inl.h b/chromium/v8/src/objects/objects-body-descriptors-inl.h
@@ -791,6 +791,7 @@ class WasmInternalFunction::BodyDescriptor final : public BodyDescriptorBase {
     v->VisitExternalPointer(
         obj, obj->RawExternalPointerField(kCallTargetOffset,
                                           kWasmInternalFunctionCallTargetTag));
+    IterateCodePointer(obj, kCodeOffset, v, IndirectPointerMode::kStrong);
   }
 
   static inline int SizeOf(Tagged<Map> map, Tagged<HeapObject> object) {