Fix D8 Realm.navigate after Realm.detachGlobal

Realm.navigate hits a UAF when it's called after Realm.detachGlobal, and that's hit a clusterfuzz test. Bug: chromium:952749 Change-Id: Icf0f0d0b845bc5a2d1ddd80ab52756dae97b982f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567583Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#60896}

Fix D8 Realm.navigate after Realm.detachGlobal
Realm.navigate hits a UAF when it's called after Realm.detachGlobal, and that's hit a clusterfuzz test. Bug: chromium:952749 Change-Id: Icf0f0d0b845bc5a2d1ddd80ab52756dae97b982f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567583Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#60896}
f41f6d74 · tzik · Commit Bot · 468e36ba · f41f6d74
Commit f41f6d74 authored Apr 15, 2019 by tzik Committed by Commit Bot Apr 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

d8.cc src/d8.cc +11 -0

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -1117,6 +1117,17 @@ void Shell::RealmNavigate(const v8::FunctionCallbackInfo<v8::Value>& args) {

  Local<Context> context = Local<Context>::New(isolate, data->realms_[index]);
  v8::MaybeLocal<Value> global_object = context->Global();
+
+  // Context::Global doesn't return JSGlobalProxy if DetachGlobal is called in
+  // advance.
+  if (!global_object.IsEmpty()) {
+    HandleScope scope(isolate);
+    if (!Utils::OpenHandle(*global_object.ToLocalChecked())
+             ->IsJSGlobalProxy()) {
+      global_object = v8::MaybeLocal<Value>();
+    }
+  }
+
  DisposeRealm(args, index);
  CreateRealm(args, index, global_object);
 }