[Backport] CVE-2021-21138: Use after free in DevTools

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2437383:
Do not pause on breaks while installing additional command line API

A break may cause the session disconnect (and therefore agents destruction)
on a nested message loop. The runtime agent code is generally prepared to
handle this during evaluate, but the code outside of it may be not. Besides,
having a break before the console API installed is generally not what
user wants or expects, so just disable all breaks while installing the API.

Bug: chromium:1122487
Change-Id: I1d40f5007f2e1e4ec07a50ef57988513d0309b7e
Commit-Queue: Andrey Kosyakov <[email protected]>
Reviewed-by: Yang Guo <[email protected]>
Cr-Commit-Position: refs/heads/master@{#70209}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Reviewed-by: Michal Klocek <[email protected]>

Author: caseq

chromium/v8/src/api.cc

@@ -10072,6 +10072,12 @@ debug::PostponeInterruptsScope::PostponeInterruptsScope(v8::Isolate* isolate)
 
 debug::PostponeInterruptsScope::~PostponeInterruptsScope() {}
 
+debug::DisableBreakScope::DisableBreakScope(v8::Isolate* isolate)
+    : scope_(std::make_unique<i::DisableBreak>(
+          reinterpret_cast<i::Isolate*>(isolate)->debug())) {}
+debug::DisableBreakScope::~DisableBreakScope() = default;
+
+
 Local<String> CpuProfileNode::GetFunctionName() const {
   const i::ProfileNode* node = reinterpret_cast<const i::ProfileNode*>(this);
   i::Isolate* isolate = node->isolate();

chromium/v8/src/debug/debug-interface.h

@@ -21,6 +21,7 @@ struct CoverageScript;
 struct TypeProfileEntry;
 struct TypeProfileScript;
 class Coverage;
+class DisableBreak;
 class PostponeInterruptsScope;
 class Script;
 class TypeProfile;
@@ -502,6 +503,15 @@ class PostponeInterruptsScope {
   std::unique_ptr<i::PostponeInterruptsScope> scope_;
 };
 
+class DisableBreakScope {
+ public:
+  explicit DisableBreakScope(v8::Isolate* isolate);
+  ~DisableBreakScope();
+ private:
+  std::unique_ptr<i::DisableBreak> scope_;
+};
+
+
 }  // namespace debug
 }  // namespace v8
 

chromium/v8/src/inspector/injected-script.cc

@@ -31,6 +31,8 @@
 #include "src/inspector/injected-script.h"
 
 #include "src/inspector/injected-script-source.h"
+#include "include/v8-inspector.h"
+#include "src/debug/debug-interface.h"
 #include "src/inspector/inspected-context.h"
 #include "src/inspector/protocol/Protocol.h"
 #include "src/inspector/remote-object-id.h"
@@ -43,8 +45,6 @@
 #include "src/inspector/v8-stack-trace-impl.h"
 #include "src/inspector/v8-value-utils.h"
 
-#include "include/v8-inspector.h"
-
 namespace v8_inspector {
 
 namespace {
@@ -638,6 +638,7 @@ Response InjectedScript::wrapEvaluateResult(
 
 v8::Local<v8::Object> InjectedScript::commandLineAPI() {
   if (m_commandLineAPI.IsEmpty()) {
+    v8::debug::DisableBreakScope disable_break(m_context->isolate());
     m_commandLineAPI.Reset(
         m_context->isolate(),
         m_context->inspector()->console()->createCommandLineAPI(