From 8bc9af59126df2f325e4f8aa78116e05a71a46d6 Mon Sep 17 00:00:00 2001
From: Cheng Zhao
Date: Wed, 18 Aug 2021 11:01:05 +0900
Subject: [PATCH 1/2] chore: cherry-pick fix for 1234764 from v8

---
 patches/v8/.patches | 1 +
 patches/v8/cherry-pick-1234764.patch | 42 ++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 patches/v8/cherry-pick-1234764.patch

diff --git a/patches/v8/.patches b/patches/v8/.patches
index 1f6a9e89bd817..bed7b8cd25f2d 100644
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -7,3 +7,4 @@ workaround_an_undefined_symbol_error.patch
 do_not_export_private_v8_symbols_on_windows.patch
 fix_build_deprecated_attirbute_for_older_msvc_versions.patch
 cherry-pick-e38d55313ad9.patch
+cherry-pick-1234764.patch
diff --git a/patches/v8/cherry-pick-1234764.patch b/patches/v8/cherry-pick-1234764.patch
new file mode 100644
index 0000000000000..617a3d1b41ff6
--- /dev/null
+++ b/patches/v8/cherry-pick-1234764.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis
+Date: Tue Aug 10 09:29:33 2021 +0200
+Subject: Merged: [compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext
+
+Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4
+
+BUG=chromium:1234764
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+R=vahl@chromium.org
+
+Change-Id: I45faf253695011092de144c8e29bafac5337adec
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084363
+Reviewed-by: Lutz Vahl
+Commit-Queue: Georg Neis
+Cr-Commit-Position: refs/branch-heads/9.2@{#53}
+Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#1}
+Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
+
+diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
+index bb7a11d16d..459c7fcfab 100644
+--- a/src/compiler/js-call-reducer.cc
++++ b/src/compiler/js-call-reducer.cc
+@@ -5947,11 +5947,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
+ Node* etrue = effect;
+ Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
+ {
+- // We know that the {index} is range of the {length} now.
++ // This extra check exists to refine the type of {index} but also to break
++ // an exploitation technique that abuses typer mismatches.
+ index = etrue = graph()->NewNode(
+- common()->TypeGuard(
+- Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
+- index, etrue, if_true);
++ simplified()->CheckBounds(p.feedback(),
++ CheckBoundsFlag::kAbortOnOutOfBounds),
++ index, length, etrue, if_true);
+
+ done_true = jsgraph()->FalseConstant();
+ if (iteration_kind == IterationKind::kKeys) {

From 68d41ac37913a3e65df721c9d3ac9036ec4ae221 Mon Sep 17 00:00:00 2001
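Review bot: The new `CheckBounds` call in the nested js-call-reducer.cc hunk bounds `index` by `length`, but `length`, `p` and `length_access` are all defined outside the hunk (ReduceArrayIteratorPrototypeNext continues both before and after it), so this patch alone cannot show that the runtime check uses the same value the removed `Type::Range(0.0, length_access.type.Max() - 1.0, …)` guard was derived from; that is worth confirming against Electron's pinned V8 when the cherry-pick is applied. As I read it, the replaced `TypeGuard` only narrowed the typer's view of `index` and emitted no code, whereas `CheckBounds` with `CheckBoundsFlag::kAbortOnOutOfBounds` is a real comparison that aborts instead of deoptimizing on failure, which is what closes the typer-mismatch path the new comment describes. The only local record of why the patch exists is its file name and the `BUG=chromium:1234764` line, so consider stating the upstream position in the Electron commit message so the cherry-pick is dropped on a later V8 roll, e.g. `Upstream: v8 refs/branch-heads/9.2@{#53} (65b20a0e65e1078f5dd230a5203e231bec790ab4); drop once the pinned V8 includes it.`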
From: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Date: Wed, 18 Aug 2021 02:12:14 +0000
Subject: [PATCH 2/2] chore: update patches

---
 patches/v8/cherry-pick-1234764.patch | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/patches/v8/cherry-pick-1234764.patch b/patches/v8/cherry-pick-1234764.patch
index 617a3d1b41ff6..598dee0f62ea7 100644
--- a/patches/v8/cherry-pick-1234764.patch
+++ b/patches/v8/cherry-pick-1234764.patch
@@ -1,7 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Georg Neis
-Date: Tue Aug 10 09:29:33 2021 +0200
-Subject: Merged: [compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext
+Date: Tue, 10 Aug 2021 09:29:33 +0200
+Subject: Merged: [compiler] Harden
+ JSCallReducer::ReduceArrayIteratorPrototypeNext
 Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4
@@ -20,7 +21,7 @@ Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#
 Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
 diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
-index bb7a11d16d..459c7fcfab 100644
+index bb7a11d16dc70ef5747b3c0b9f1d99acb0be7adf..459c7fcfab156026f383abe086646e1046abd5cc 100644
 --- a/src/compiler/js-call-reducer.cc
 +++ b/src/compiler/js-call-reducer.cc
 @@ -5947,11 +5947,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {