From eb3c33bf36498891c057e24d815444fc134c04ff Mon Sep 17 00:00:00 2001
From: Georg Neis
Date: Mon, 12 Apr 2021 09:42:03 +0200
Subject: [Backport] CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2820971:

[compiler][x64] Fix bug in InstructionSelector::ChangeInt32ToInt64

Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Commit-Queue: Georg Neis
Reviewed-by: Nico Hartmann
Cr-Commit-Position: refs/heads/master@{#73903}
Reviewed-by: Jüri Valdmann
---
 chromium/v8/src/compiler/x64/instruction-selector-x64.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/chromium/v8/src/compiler/x64/instruction-selector-x64.cc b/chromium/v8/src/compiler/x64/instruction-selector-x64.cc
index b3dfb91991f..b9495417d54 100644
--- a/chromium/v8/src/compiler/x64/instruction-selector-x64.cc
+++ b/chromium/v8/src/compiler/x64/instruction-selector-x64.cc
@@ -1116,7 +1116,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) {
       opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;
       break;
     case MachineRepresentation::kWord32:
-      opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl;
+      // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit
+      // integer, so here we must sign-extend the loaded value in any case.
+      opcode = kX64Movsxlq;
       break;
     default:
       UNREACHABLE();
--
cgit v1.2.3
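Review bot: The backport ships only the selector change (the diffstat lists a single file) and no regression test for the path it fixes, a Uint32-typed load consumed by ChangeInt32ToInt64 being lowered to a zero-extending movl; since this is the mis-typing behind CVE-2021-21220, the upstream CL's mjsunit regression test should presumably be carried over, or a cctest added that asserts kX64Movsxlq is selected for an unsigned kWord32 load. A second, documentation-only point: the new comment explains the kWord32 arm, but the neighbouring kWord16 arm (and presumably kWord8, outside the hunk) keeps the `load_rep.IsSigned() ? movsx : movzx` pattern the commit just removed, which a later reader may take for the same bug; a one-line comment there such as `// 8/16-bit loads already fit a signed int32 after either extension, so the 64-bit result is the same.` would prevent a mistaken "fix". VisitChangeInt32ToInt64 starts before the hunk, so the load_rep derivation and the non-load fallback are not visible here.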