[regexp] Fix UAF in RegExpMacroAssembler

.. by turning `masm_` into a unique_ptr s.t. it's freed after the NoRootArrayScope which references it. Fixed: chromium:1252620 Change-Id: I24580c5a96d76a973b2b083e7a76b95f93bb6068 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3185459 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#77082}

[regexp] Fix UAF in RegExpMacroAssembler
.. by turning `masm_` into a unique_ptr s.t. it's freed after the NoRootArrayScope which references it. Fixed: chromium:1252620 Change-Id: I24580c5a96d76a973b2b083e7a76b95f93bb6068 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3185459 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#77082}
c1700c56 · Jakob Gruber · V8 LUCI CQ · ae16d614 · c1700c56 · c1700c56
Commit c1700c56 authored Sep 27, 2021 by Jakob Gruber Committed by V8 LUCI CQ Sep 27, 2021
10 changed files
--- a/src/regexp/arm/regexp-macro-assembler-arm.cc
+++ b/src/regexp/arm/regexp-macro-assembler-arm.cc
@@ -95,9 +95,10 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
                                                 Mode mode,
                                                 int registers_to_save)
    : NativeRegExpMacroAssembler(isolate, zone),
-      masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
+      masm_(std::make_unique<MacroAssembler>(
-                               NewAssemblerBuffer(kRegExpCodeSize))),
+          isolate, CodeObjectRequired::kYes,
-      no_root_array_scope_(masm_),
+          NewAssemblerBuffer(kRegExpCodeSize))),
+      no_root_array_scope_(masm_.get()),
      mode_(mode),
      num_registers_(registers_to_save),
      num_saved_registers_(registers_to_save),
@@ -112,7 +113,6 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
 }
 RegExpMacroAssemblerARM::~RegExpMacroAssemblerARM() {
-  delete masm_;
  // Unuse labels in case we throw away the assembler without calling GetCode.
  entry_label_.Unuse();
  start_label_.Unuse();
@@ -332,7 +332,7 @@ void RegExpMacroAssemblerARM::CheckNotBackReferenceIgnoreCase(
    __ mov(r3, Operand(ExternalReference::isolate_address(isolate())));
    {
-      AllowExternalCallThatCantCauseGC scope(masm_);
+      AllowExternalCallThatCantCauseGC scope(masm_.get());
      ExternalReference function =
          unicode ? ExternalReference::re_case_insensitive_compare_unicode(
                        isolate())
@@ -660,7 +660,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM::GetCode(Handle<String> source) {
  // Tell the system that we have a stack frame.  Because the type is MANUAL, no
  // is generated.
-  FrameScope scope(masm_, StackFrame::MANUAL);
+  FrameScope scope(masm_.get(), StackFrame::MANUAL);
  // Actually emit code to start a new stack frame.
  // Push arguments

--- a/src/regexp/arm/regexp-macro-assembler-arm.h
+++ b/src/regexp/arm/regexp-macro-assembler-arm.h
@@ -186,7 +186,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
  Isolate* isolate() const { return masm_->isolate(); }
-  MacroAssembler* const masm_;
+  const std::unique_ptr<MacroAssembler> masm_;
  const NoRootArrayScope no_root_array_scope_;
  // Which mode to generate code for (Latin1 or UC16).

--- a/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+++ b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
@@ -108,9 +108,10 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
                                                     Zone* zone, Mode mode,
                                                     int registers_to_save)
    : NativeRegExpMacroAssembler(isolate, zone),
-      masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
+      masm_(std::make_unique<MacroAssembler>(
-                               NewAssemblerBuffer(kRegExpCodeSize))),
+          isolate, CodeObjectRequired::kYes,
-      no_root_array_scope_(masm_),
+          NewAssemblerBuffer(kRegExpCodeSize))),
+      no_root_array_scope_(masm_.get()),
      mode_(mode),
      num_registers_(registers_to_save),
      num_saved_registers_(registers_to_save),
@@ -130,7 +131,6 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
 }
 RegExpMacroAssemblerARM64::~RegExpMacroAssemblerARM64() {
-  delete masm_;
  // Unuse labels in case we throw away the assembler without calling GetCode.
  entry_label_.Unuse();
  start_label_.Unuse();
@@ -190,7 +190,7 @@ void RegExpMacroAssemblerARM64::Backtrack() {
  CheckPreemption();
  if (has_backtrack_limit()) {
    Label next;
-    UseScratchRegisterScope temps(masm_);
+    UseScratchRegisterScope temps(masm_.get());
    Register scratch = temps.AcquireW();
    __ Ldr(scratch, MemOperand(frame_pointer(), kBacktrackCount));
    __ Add(scratch, scratch, 1);
@@ -421,7 +421,7 @@ void RegExpMacroAssemblerARM64::CheckNotBackReferenceIgnoreCase(
    __ Mov(x3, ExternalReference::isolate_address(isolate()));
    {
-      AllowExternalCallThatCantCauseGC scope(masm_);
+      AllowExternalCallThatCantCauseGC scope(masm_.get());
      ExternalReference function =
          unicode ? ExternalReference::re_case_insensitive_compare_unicode(
                        isolate())
@@ -754,7 +754,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
  // Tell the system that we have a stack frame.  Because the type is MANUAL, no
  // code is generated.
-  FrameScope scope(masm_, StackFrame::MANUAL);
+  FrameScope scope(masm_.get(), StackFrame::MANUAL);
  // Push registers on the stack, only push the argument registers that we need.
  CPURegList argument_registers(x0, x5, x6, x7);

--- a/src/regexp/arm64/regexp-macro-assembler-arm64.h
+++ b/src/regexp/arm64/regexp-macro-assembler-arm64.h
@@ -267,7 +267,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
  Isolate* isolate() const { return masm_->isolate(); }
-  MacroAssembler* const masm_;
+  const std::unique_ptr<MacroAssembler> masm_;
  const NoRootArrayScope no_root_array_scope_;
  // Which mode to generate code for (LATIN1 or UC16).

--- a/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+++ b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
@@ -85,9 +85,10 @@ RegExpMacroAssemblerIA32::RegExpMacroAssemblerIA32(Isolate* isolate, Zone* zone,
                                                   Mode mode,
                                                   int registers_to_save)
    : NativeRegExpMacroAssembler(isolate, zone),
-      masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
+      masm_(std::make_unique<MacroAssembler>(
-                               NewAssemblerBuffer(kRegExpCodeSize))),
+          isolate, CodeObjectRequired::kYes,
-      no_root_array_scope_(masm_),
+          NewAssemblerBuffer(kRegExpCodeSize))),
+      no_root_array_scope_(masm_.get()),
      mode_(mode),
      num_registers_(registers_to_save),
      num_saved_registers_(registers_to_save),
@@ -102,7 +103,6 @@ RegExpMacroAssemblerIA32::RegExpMacroAssemblerIA32(Isolate* isolate, Zone* zone,
 }
 RegExpMacroAssemblerIA32::~RegExpMacroAssemblerIA32() {
-  delete masm_;
  // Unuse labels in case we throw away the assembler without calling GetCode.
  entry_label_.Unuse();
  start_label_.Unuse();
@@ -334,7 +334,7 @@ void RegExpMacroAssemblerIA32::CheckNotBackReferenceIgnoreCase(
    __ mov(Operand(esp, 0 * kSystemPointerSize), edx);
    {
-      AllowExternalCallThatCantCauseGC scope(masm_);
+      AllowExternalCallThatCantCauseGC scope(masm_.get());
      ExternalReference compare =
          unicode ? ExternalReference::re_case_insensitive_compare_unicode(
                        isolate())
@@ -693,7 +693,7 @@ Handle<HeapObject> RegExpMacroAssemblerIA32::GetCode(Handle<String> source) {
  // Tell the system that we have a stack frame.  Because the type is MANUAL, no
  // code is generated.
-  FrameScope scope(masm_, StackFrame::MANUAL);
+  FrameScope scope(masm_.get(), StackFrame::MANUAL);
  // Actually emit code to start a new stack frame.
  __ push(ebp);

--- a/src/regexp/ia32/regexp-macro-assembler-ia32.h
+++ b/src/regexp/ia32/regexp-macro-assembler-ia32.h
@@ -182,7 +182,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
  Isolate* isolate() const { return masm_->isolate(); }
-  MacroAssembler* const masm_;
+  const std::unique_ptr<MacroAssembler> masm_;
  const NoRootArrayScope no_root_array_scope_;
  // Which mode to generate code for (LATIN1 or UC16).

--- a/src/regexp/ppc/regexp-macro-assembler-ppc.cc
+++ b/src/regexp/ppc/regexp-macro-assembler-ppc.cc
@@ -99,9 +99,10 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
                                                 Mode mode,
                                                 int registers_to_save)
    : NativeRegExpMacroAssembler(isolate, zone),
-      masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
+      masm_(std::make_unique<MacroAssembler>(
-                               NewAssemblerBuffer(kRegExpCodeSize))),
+          isolate, CodeObjectRequired::kYes,
-      no_root_array_scope_(masm_),
+          NewAssemblerBuffer(kRegExpCodeSize))),
+      no_root_array_scope_(masm_.get()),
      mode_(mode),
      num_registers_(registers_to_save),
      num_saved_registers_(registers_to_save),
@@ -124,7 +125,6 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
 }
 RegExpMacroAssemblerPPC::~RegExpMacroAssemblerPPC() {
-  delete masm_;
  // Unuse labels in case we throw away the assembler without calling GetCode.
  entry_label_.Unuse();
  start_label_.Unuse();
@@ -360,7 +360,7 @@ void RegExpMacroAssemblerPPC::CheckNotBackReferenceIgnoreCase(
    __ mov(r6, Operand(ExternalReference::isolate_address(isolate())));
    {
-      AllowExternalCallThatCantCauseGC scope(masm_);
+      AllowExternalCallThatCantCauseGC scope(masm_.get());
      ExternalReference function =
          unicode ? ExternalReference::re_case_insensitive_compare_unicode(
                        isolate())
@@ -704,7 +704,7 @@ Handle<HeapObject> RegExpMacroAssemblerPPC::GetCode(Handle<String> source) {
    // Tell the system that we have a stack frame.  Because the type
    // is MANUAL, no is generated.
-    FrameScope scope(masm_, StackFrame::MANUAL);
+    FrameScope scope(masm_.get(), StackFrame::MANUAL);
    // Ensure register assigments are consistent with callee save mask
    DCHECK(r25.bit() & kRegExpCalleeSaved);

--- a/src/regexp/ppc/regexp-macro-assembler-ppc.h
+++ b/src/regexp/ppc/regexp-macro-assembler-ppc.h
@@ -184,7 +184,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerPPC
  Isolate* isolate() const { return masm_->isolate(); }
-  MacroAssembler* const masm_;
+  const std::unique_ptr<MacroAssembler> masm_;
  const NoRootArrayScope no_root_array_scope_;
  // Which mode to generate code for (Latin1 or UC16).

--- a/src/regexp/s390/regexp-macro-assembler-s390.cc
+++ b/src/regexp/s390/regexp-macro-assembler-s390.cc
@@ -101,9 +101,10 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
                                                   Mode mode,
                                                   int registers_to_save)
    : NativeRegExpMacroAssembler(isolate, zone),
-      masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
+      masm_(std::make_unique<MacroAssembler>(
-                               NewAssemblerBuffer(kRegExpCodeSize))),
+          isolate, CodeObjectRequired::kYes,
-      no_root_array_scope_(masm_),
+          NewAssemblerBuffer(kRegExpCodeSize))),
+      no_root_array_scope_(masm_.get()),
      mode_(mode),
      num_registers_(registers_to_save),
      num_saved_registers_(registers_to_save),
@@ -125,7 +126,6 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
 }
 RegExpMacroAssemblerS390::~RegExpMacroAssemblerS390() {
-  delete masm_;
  // Unuse labels in case we throw away the assembler without calling GetCode.
  entry_label_.Unuse();
  start_label_.Unuse();
@@ -351,7 +351,7 @@ void RegExpMacroAssemblerS390::CheckNotBackReferenceIgnoreCase(
    __ mov(r5, Operand(ExternalReference::isolate_address(isolate())));
    {
-      AllowExternalCallThatCantCauseGC scope(masm_);
+      AllowExternalCallThatCantCauseGC scope(masm_.get());
      ExternalReference function =
          unicode ? ExternalReference::re_case_insensitive_compare_unicode(
                        isolate())
@@ -675,7 +675,7 @@ Handle<HeapObject> RegExpMacroAssemblerS390::GetCode(Handle<String> source) {
  // Tell the system that we have a stack frame.  Because the type
  // is MANUAL, no is generated.
-  FrameScope scope(masm_, StackFrame::MANUAL);
+  FrameScope scope(masm_.get(), StackFrame::MANUAL);
  // Ensure register assigments are consistent with callee save mask
  DCHECK(r6.bit() & kRegExpCalleeSaved);

--- a/src/regexp/s390/regexp-macro-assembler-s390.h
+++ b/src/regexp/s390/regexp-macro-assembler-s390.h
@@ -182,7 +182,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerS390
  Isolate* isolate() const { return masm_->isolate(); }
-  MacroAssembler* const masm_;
+  const std::unique_ptr<MacroAssembler> masm_;
  const NoRootArrayScope no_root_array_scope_;
  // Which mode to generate code for (Latin1 or UC16).