author | Jana Grill <janagrill@google.com> | 2021-04-13 16:54:14 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-21 10:48:42 +0000 |
commit | 0cf8a1fb9846d3ad80a39e5f0a650f5926483748 (patch) | |
tree | 264012e8079d202f013952f0829798206f4ab69f | |
parent | f06ec0465b8713e44414379de32ac4a7d2e57071 (diff) |
[Backport] CVE-2021-21225: Out of bounds memory access in V8 (2/2)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2821961:
[LTS-M86][builtins] Harden Array.prototype.concat.
Defence in depth patch to prevent JavaScript from executing
from within IterateElements.
R=ishell@chromium.org
R=cbruni@chromium.org
(cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa)
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#73898}
Commit-Queue: Jana Grill <janagrill@chromium.org>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/8.6@{#76}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/AUTHORS | 1 |
-rw-r--r-- | chromium/v8/src/builtins/builtins-array.cc | 9 |
2 files changed, 10 insertions, 0 deletions
diff --git a/chromium/v8/AUTHORS b/chromium/v8/AUTHORS index 36abcfba774..e037b20bbba 100644 --- a/chromium/v8/AUTHORS +++ b/chromium/v8/AUTHORS @@ -69,6 +69,7 @@ Ben Newman <ben@meteor.com> Ben Noordhuis <info@bnoordhuis.nl> Benjamin Tan <demoneaux@gmail.com> Bert Belder <bertbelder@gmail.com> +Brendon Tiszka <btiszka@gmail.com> Burcu Dogan <burcujdogan@gmail.com> Caitlin Potter <caitpotter88@gmail.com> Craig Schlenter <craig.schlenter@gmail.com> diff --git a/chromium/v8/src/builtins/builtins-array.cc b/chromium/v8/src/builtins/builtins-array.cc index 938fb96c1d4..8055d8382d4 100644 --- a/chromium/v8/src/builtins/builtins-array.cc +++ b/chromium/v8/src/builtins/builtins-array.cc @@ -1083,6 +1083,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver, case HOLEY_SEALED_ELEMENTS: case HOLEY_NONEXTENSIBLE_ELEMENTS: case HOLEY_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Run through the elements FixedArray and use HasElement and GetElement // to check the prototype for missing elements. Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate); @@ -1109,6 +1112,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver, } case HOLEY_DOUBLE_ELEMENTS: case PACKED_DOUBLE_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Empty array is FixedArray but not FixedDoubleArray. if (length == 0) break; // Run through the elements FixedArray and use HasElement and GetElement @@ -1145,6 +1151,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver, } case DICTIONARY_ELEMENTS: { + // Disallow execution so the cached dictionary won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + Handle<NumberDictionary> dict(array->element_dictionary(), isolate); std::vector<uint32_t> indices; indices.reserve(dict->Capacity() / 2); |
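Review bot: in the first builtins-array.cc hunk (@@ -1083, the HOLEY_*_ELEMENTS case), please confirm what `DisallowJavascriptExecution no_js(isolate);` actually enforces in a shipping build: in V8's assert-scope machinery this name is, as far as I recall, the debug-only (DCHECK-based) variant, so it would catch a JavaScript re-entry from the HasElement/GetElement calls that follow only in debug or testing builds, while release builds would behave exactly as before. If the intent is to stop execution in production rather than to assert on it, the scope needs to be the variant that is enforced in release, or the comment ("Disallow execution so the cached elements won't change mid execution.") should say plainly that this is an assertion. Either way, the comment should also note that these calls are expected to "check the prototype for missing elements" without calling back into JavaScript, since that is the invariant the scope now encodes.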
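Review bot: in the second builtins-array.cc hunk (@@ -1109, HOLEY_DOUBLE_ELEMENTS / PACKED_DOUBLE_ELEMENTS), the new scope is declared before the early `if (length == 0) break;`. That is harmless because the object is RAII-scoped to the case block, but moving the two added lines below the early break would keep the "Disallow execution" comment adjacent to the loop it protects and avoid a reader wondering whether the empty-array path needs the guard. The added comment is a verbatim copy of the one in the previous hunk; one shared comment at the top of the switch explaining why the three element kinds need the guard would document the reasoning once instead of three times.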
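Review bot: for the third builtins-array.cc hunk (@@ -1145, DICTIONARY_ELEMENTS) and the change as a whole, a regression test is missing: the diffstat shows only AUTHORS and builtins-array.cc touched, so nothing exercises the new scopes. Since the commit message describes this as a defence-in-depth change for a memory-safety bug in Array.prototype.concat, a mjsunit test that runs concat over a holey array, a double array and a dictionary-mode array whose prototype supplies the missing indices, and checks that the result is computed from a backing store that did not change during iteration, would give the guard coverage and would fail loudly if a future refactor reintroduced a JavaScript call inside IterateElements. Also, in this hunk the `Handle<NumberDictionary> dict(...)` is taken after the scope is entered, which is the right order; it would be worth saying so in the comment ("cached dictionary") so the ordering is not accidentally swapped later.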