authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-11-08 12:40:32 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-11-09 18:34:02 +0000
commit2366767e6c6f333ef090667aa6838d6781725a78 (patch)
tree5e490af7e001c531ec7777634a85ad14c2933cea
parentef44fe23e9452af7a02b8656fb284b1f0af036b7 (diff)
[Backport] Merged: [wasm] Fix Memory.grow when shared with asm.js modulesv5.10.0-rc1
Revision: 5f960dfc06a7c95af69e2b09f772b2280168469b BUG=chromium:776677 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=adamk@chromium.org, bradnelson@chromium.org Reviewed-on: https://chromium-review.googlesource.com/752195 (CVE-2017-15399) Change-Id: I18aadae07fcc6b1d4e0edd7a576f1b9d0f087fa8 Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
-rw-r--r--chromium/v8/src/asmjs/asm-js.cc1
-rw-r--r--chromium/v8/src/objects-inl.h8
-rw-r--r--chromium/v8/src/objects-printer.cc2
-rw-r--r--chromium/v8/src/objects.h8
-rw-r--r--chromium/v8/src/wasm/module-compiler.cc1
-rw-r--r--chromium/v8/src/wasm/wasm-js.cc4
-rw-r--r--chromium/v8/src/wasm/wasm-module.cc2
-rw-r--r--chromium/v8/src/wasm/wasm-objects.cc2
8 files changed, 16 insertions, 12 deletions
diff --git a/chromium/v8/src/asmjs/asm-js.cc b/chromium/v8/src/asmjs/asm-js.cc
index fb257e316ea..d09645f1194 100644
--- a/chromium/v8/src/asmjs/asm-js.cc
+++ b/chromium/v8/src/asmjs/asm-js.cc
@@ -293,6 +293,7 @@ MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
ReportInstantiationFailure(script, position, "Requires heap buffer");
return MaybeHandle<Object>();
}
+ memory->set_is_growable(false);
size_t size = NumberToSize(memory->byte_length());
// TODO(mstarzinger): We currently only limit byte length of the buffer to
// be a multiple of 8, we should enforce the stricter spec limits here.
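Review bot: The new `memory->set_is_growable(false);` carries no explanation of why an asm.js heap must be frozen, even though this flag is now the whole mechanism behind the fix. A why-comment would keep the next maintainer from "simplifying" it away: `// The asm.js heap is the caller's own ArrayBuffer; growing it would neuter a buffer JS still references, so Memory.grow must refuse it.` Because the buffer is caller-supplied rather than allocated by SetupArrayBuffer, the flag presumably already defaults to false here and this line is belt-and-braces; worth confirming against JSArrayBuffer's field initialization, which is outside this hunk. InstantiateAsmWasm begins outside this hunk.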
diff --git a/chromium/v8/src/objects-inl.h b/chromium/v8/src/objects-inl.h
index 6bb5ac42470..79a60f270ea 100644
--- a/chromium/v8/src/objects-inl.h
+++ b/chromium/v8/src/objects-inl.h
@@ -5172,12 +5172,12 @@ void JSArrayBuffer::set_has_guard_region(bool value) {
set_bit_field(HasGuardRegion::update(bit_field(), value));
}
-bool JSArrayBuffer::is_wasm_buffer() {
- return IsWasmBuffer::decode(bit_field());
+bool JSArrayBuffer::is_growable() {
+ return IsGrowable::decode(bit_field());
}
-void JSArrayBuffer::set_is_wasm_buffer(bool value) {
- set_bit_field(IsWasmBuffer::update(bit_field(), value));
+void JSArrayBuffer::set_is_growable(bool value) {
+ set_bit_field(IsGrowable::update(bit_field(), value));
}
Object* JSArrayBufferView::byte_offset() const {
diff --git a/chromium/v8/src/objects-printer.cc b/chromium/v8/src/objects-printer.cc
index 187f56ecdeb..426c8b0e7f1 100644
--- a/chromium/v8/src/objects-printer.cc
+++ b/chromium/v8/src/objects-printer.cc
@@ -989,7 +989,7 @@ void JSArrayBuffer::JSArrayBufferPrint(std::ostream& os) { // NOLINT
if (was_neutered()) os << "\n - neutered";
if (is_shared()) os << "\n - shared";
if (has_guard_region()) os << "\n - has_guard_region";
- if (is_wasm_buffer()) os << "\n - wasm_buffer";
+ if (is_growable()) os << "\n - growable";
JSObjectPrintBody(os, this, !was_neutered());
}
diff --git a/chromium/v8/src/objects.h b/chromium/v8/src/objects.h
index ba02ebeefed..f04910d68e3 100644
--- a/chromium/v8/src/objects.h
+++ b/chromium/v8/src/objects.h
@@ -6575,10 +6575,8 @@ class JSArrayBuffer: public JSObject {
inline bool has_guard_region() const;
inline void set_has_guard_region(bool value);
- // TODO(gdeepti): This flag is introduced to disable asm.js optimizations in
- // js-typer-lowering.cc, remove when the asm.js case is fixed.
- inline bool is_wasm_buffer();
- inline void set_is_wasm_buffer(bool value);
+ inline bool is_growable();
+ inline void set_is_growable(bool value);
DECL_CAST(JSArrayBuffer)
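Review bot: Dropping the old TODO leaves `is_growable` with no documentation at all, and this flag now gates a security-relevant check in Memory.grow, so its contract belongs in the header. Suggest adding above the accessor pair: `// Set only on buffers allocated by the wasm engine. Memory.grow rejects any other buffer (e.g. an asm.js heap the embedder still references), since growing replaces and neuters the old buffer.` The getter is also non-const, unlike `has_guard_region() const` two lines above; `inline bool is_growable() const;` would match the neighbouring accessors (the inline definition in objects-inl.h would need the same qualifier). The class body continues outside this hunk.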
@@ -6638,7 +6636,7 @@ class JSArrayBuffer: public JSObject {
class WasNeutered : public BitField<bool, 3, 1> {};
class IsShared : public BitField<bool, 4, 1> {};
class HasGuardRegion : public BitField<bool, 5, 1> {};
- class IsWasmBuffer : public BitField<bool, 6, 1> {};
+ class IsGrowable : public BitField<bool, 6, 1> {};
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer);
diff --git a/chromium/v8/src/wasm/module-compiler.cc b/chromium/v8/src/wasm/module-compiler.cc
index 77700b2abe2..7c6db4c6937 100644
--- a/chromium/v8/src/wasm/module-compiler.cc
+++ b/chromium/v8/src/wasm/module-compiler.cc
@@ -913,7 +913,6 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
Handle<JSArrayBuffer> memory = memory_.ToHandleChecked();
// Set externally passed ArrayBuffer non neuterable.
memory->set_is_neuterable(false);
- memory->set_is_wasm_buffer(true);
DCHECK_IMPLIES(EnableGuardRegions(),
module_->is_asm_js() || memory->has_guard_region());
diff --git a/chromium/v8/src/wasm/wasm-js.cc b/chromium/v8/src/wasm/wasm-js.cc
index 5f775f0d35f..a32e871f91d 100644
--- a/chromium/v8/src/wasm/wasm-js.cc
+++ b/chromium/v8/src/wasm/wasm-js.cc
@@ -770,6 +770,10 @@ void WebAssemblyMemoryGrow(const v8::FunctionCallbackInfo<v8::Value>& args) {
max_size64 = i::FLAG_wasm_max_mem_pages;
}
i::Handle<i::JSArrayBuffer> old_buffer(receiver->array_buffer());
+ if (!old_buffer->is_growable()) {
+ thrower.RangeError("This memory cannot be grown");
+ return;
+ }
uint32_t old_size =
old_buffer->byte_length()->Number() / i::wasm::kSpecMaxWasmMemoryPages;
int64_t new_size64 = old_size + delta_size;
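Review bot: The new `is_growable()` guard has no comment tying it to the asm.js-sharing problem it fixes, and the RangeError text "This memory cannot be grown" gives a developer no hint of the cause. Suggest `// Refuse to grow a buffer not allocated by wasm (e.g. an asm.js heap): replacing it would neuter an ArrayBuffer the embedder still holds.` above the check. WasmMemoryObject::Grow in wasm-objects.cc repeats the same test, so this JS-level check is presumably here for the clearer error rather than as the sole barrier; saying so in the comment would stop a later cleanup from removing either copy. WebAssemblyMemoryGrow begins outside this hunk.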
diff --git a/chromium/v8/src/wasm/wasm-module.cc b/chromium/v8/src/wasm/wasm-module.cc
index 7901a6b6191..b9fea3e35c4 100644
--- a/chromium/v8/src/wasm/wasm-module.cc
+++ b/chromium/v8/src/wasm/wasm-module.cc
@@ -227,7 +227,7 @@ Handle<JSArrayBuffer> wasm::SetupArrayBuffer(
allocation_length, backing_store, static_cast<int>(size),
shared);
buffer->set_is_neuterable(false);
- buffer->set_is_wasm_buffer(true);
+ buffer->set_is_growable(true);
buffer->set_has_guard_region(enable_guard_regions);
return buffer;
}
diff --git a/chromium/v8/src/wasm/wasm-objects.cc b/chromium/v8/src/wasm/wasm-objects.cc
index 71839ba27cf..1f00b4c7028 100644
--- a/chromium/v8/src/wasm/wasm-objects.cc
+++ b/chromium/v8/src/wasm/wasm-objects.cc
@@ -256,6 +256,7 @@ Handle<JSArrayBuffer> GrowMemoryBuffer(Isolate* isolate,
Address old_mem_start = nullptr;
uint32_t old_size = 0;
if (!old_buffer.is_null()) {
+ if (!old_buffer->is_growable()) return Handle<JSArrayBuffer>::null();
old_mem_start = static_cast<Address>(old_buffer->backing_store());
CHECK(old_buffer->byte_length()->ToUint32(&old_size));
}
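Review bot: The early `return Handle<JSArrayBuffer>::null();` for a non-growable buffer is indistinguishable from whatever null this function presumably already returns on allocation failure, so every caller must treat a null handle as "grow refused" — worth confirming for the runtime grow_memory path, which does not go through the WebAssemblyMemoryGrow check and relies on this one. A one-line comment would record the intent: `// Buffers not allocated by wasm (asm.js heaps) must never be replaced: JS still references them.` GrowMemoryBuffer starts and ends outside this hunk.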
@@ -358,6 +359,7 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
Handle<WasmMemoryObject> memory_object,
uint32_t pages) {
Handle<JSArrayBuffer> old_buffer(memory_object->array_buffer());
+ if (!old_buffer->is_growable()) return -1;
uint32_t old_size = 0;
CHECK(old_buffer->byte_length()->ToUint32(&old_size));
Handle<JSArrayBuffer> new_buffer;
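Review bot: `return -1;` on a non-growable buffer presumably matches the failure value Grow already returns further down, but the reason for this bail-out is not recorded anywhere in the function. Suggest `// -1: this buffer is shared with asm.js/JS and must not be replaced.` on the new line. GrowMemoryBuffer now also refuses such buffers, so this check is redundant but cheap; keeping both is reasonable defence in depth as long as a comment marks the duplication deliberate. Grow's body continues past this hunk.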