| field | value | date |
|---|---|---|
| author | Georg Neis <neis@chromium.org> | 2021-04-12 09:42:03 +0200 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-14 12:50:09 +0000 |
| commit | 94be4331d0b76b7204eed46e3e6bcf44f8078352 | |
| tree | ae8277733918955523246e9efa0457bb975fe2f4 | |
| parent | 2419957e28c095bbc86ac1df87744d2087356a8f | |
[Backport] CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2821959:
Fix bug in InstructionSelector::ChangeInt32ToInt64
(cherry picked from commit 02f84c745fc0cae5927a66dc4a3e81334e8f60a6)
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#73903}
Commit-Queue: Jana Grill <janagrill@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/8.6@{#75}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc | 4 |

1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc b/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc index db212677ea8..11c78a9d72a 100644 --- a/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc +++ b/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc @@ -1279,7 +1279,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) { opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq; break; case MachineRepresentation::kWord32: - opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl; + // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit + // integer, so here we must sign-extend the loaded value in any case. + opcode = kX64Movsxlq; break; default: UNREACHABLE(); |
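Review bot: The unconditional `opcode = kX64Movsxlq;` is the correct fix for the kWord32 case, but the backport carries no regression test: the diffstat lists only instruction-selector-x64.cc, so nothing here exercises a ChangeInt32ToInt64 fed by an unsigned Word32 load, which is exactly the shape the old `opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl;` branch mishandled (a loaded 0xFFFFFFFF was zero-extended by movl to 0x00000000FFFFFFFF, where the operator's signed-int32 semantics require -1, i.e. 0xFFFFFFFFFFFFFFFF). If the upstream review at https://chromium-review.googlesource.com/c/v8/v8/+/2821959 includes a test, it should be cherry-picked alongside this change. The narrower cases above the hunk, e.g. `opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;` for kWord16, can keep their signedness switch: a zero-extended 8- or 16-bit value never sets bit 31, so sign- and zero-extension to 64 bits agree there and only the 32-bit case needed the comment and the unconditional sign-extension.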