From 52be6f4ec3405a8d8053926220e64f52a631792d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E5=BF=A0=E9=BD=90?= <wangzhongqi5@huawei.com>
Date: Mon, 28 Jul 2025 14:21:35 +0800
Subject: [PATCH] fix uaf in OH_JSVM_CloseHandleScope
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 王忠齐 <wangzhongqi5@huawei.com>
---
 src/js_native_api_v8.cc |  1 +
 src/js_native_api_v8.h  | 27 ++++++++++++++++++++-------
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/js_native_api_v8.cc b/src/js_native_api_v8.cc
index 47241a83..24f680d9 100644
--- a/src/js_native_api_v8.cc
+++ b/src/js_native_api_v8.cc
@@ -5091,6 +5091,7 @@ JSVM_Status JSVM_CDECL OH_JSVM_RetainScript(JSVM_Env env, JSVM_Script script) {
   jsvmData->taggedPointer = v8::Global<v8::Script>(
     env->isolate, jsvmData->ToV8Local<v8::Script>(env->isolate));
 
+  env->RetainJsvmData(jsvmData);
   jsvmData->isGlobal = true;
   return jsvm_clear_last_error(env);
 }
diff --git a/src/js_native_api_v8.h b/src/js_native_api_v8.h
index b9111dff..575e4e95 100644
--- a/src/js_native_api_v8.h
+++ b/src/js_native_api_v8.h
@@ -1,6 +1,7 @@
 #ifndef SRC_JS_NATIVE_API_V8_H_
 #define SRC_JS_NATIVE_API_V8_H_
 
+#include <list>
 #include <variant>
 #include "jsvm_types.h"
 #include "js_native_api_v8_internals.h"
@@ -194,24 +195,36 @@ struct JSVM_Env__ {
 
   template<typename T>
   JSVM_Data__ *NewJsvmData(T srcPtr, JSVM_Data__::DataType type = JSVM_Data__::kJsvmScript) {
-    if (dataStack.empty() || open_handle_scopes != dataStack.top().first) {
-      dataStack.emplace(open_handle_scopes, std::vector<JSVM_Data__*>());
+    if (dataStack.size() == 0 || open_handle_scopes != dataStack.back().first) {
+      dataStack.emplace_back(open_handle_scopes, std::list<JSVM_Data__*>());
     }
     auto newData = new JSVM_Data__(srcPtr, false, type);
-    dataStack.top().second.push_back(newData);
+    dataStack.back().second.push_back(newData);
     return newData;
   }
 
   void ReleaseJsvmData() {
-    if (dataStack.empty() || open_handle_scopes != dataStack.top().first) {
+    if (dataStack.size() == 0 || open_handle_scopes != dataStack.back().first) {
       return;
     }
-    for (auto data : dataStack.top().second) {
+    for (auto data : dataStack.back().second) {
       if (!data->isGlobal) {
         delete data;
       }
     }
-    dataStack.pop();
+    dataStack.pop_back();
+  }
+
+  void RetainJsvmData(JSVM_Data__* data)
+  {
+      for (auto iter = dataStack.rbegin(); iter != dataStack.rend(); ++iter) {
+          auto& current = iter->second;
+          auto globalData = std::find(current.begin(), current.end(), data);
+          if (globalData != current.end()) {
+              current.erase(globalData);
+              break;
+          }
+      }
   }
 
   v8::Isolate* const isolate;  // Shortcut for context()->GetIsolate()
@@ -234,7 +247,7 @@ struct JSVM_Env__ {
   int32_t module_api_version = NODE_API_DEFAULT_MODULE_API_VERSION;
   bool in_gc_finalizer = false;
   v8::Locker* locker = nullptr;
-  std::stack<std::pair<int, std::vector<JSVM_Data__*>>> dataStack;
+  std::vector<std::pair<int, std::list<JSVM_Data__*>>> dataStack;
 
  private:
   v8impl::Agent* inspector_agent_;
-- 
Gitee