author | Shu-yu Guo <syg@chromium.org> | 2022-10-28 10:21:27 -0700 |
committer | Michael Brüning <michael.bruning@qt.io> | 2022-12-06 15:44:59 +0000 |
commit | 9146f5c3a5bef1734c3c5e72cd46057f430fcbe2 (patch) | |
tree | 98894377f28c3ca00596f0c484ca62db1233916a | |
parent | a0f47d475cd2411cacc985ebee6f20c0692a2969 (diff) | |
download | qtwebengine-chromium-9146f5c3a5bef1734c3c5e72cd46057f430fcbe2.tar.gz |
[Backport] CVE-2022-4174: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4020423:
[M102-LTS] Reland "[Promise.any] Fix errors allocation"
M102 merge issues:
Conflicts on tools/v8heapconst.py; Reverted the conflicting
changes and generated a new v8heapconst.py following the
tests/mkgrokdump/README instructions
This is a reland of commit e08fa94bbcc49f3a5c3aa1371986c6365e5a09fb
Changes since revert:
Use max(remainingElements - 1, index + 1) instead of index + 1 as
newCapacity computation to avoid excessive allocations causing the
timeout.
Original change's description:
> [Promise.any] Fix errors allocation
>
> Bug: chromium:1379054
> Change-Id: Ibfcdd4ddc3c9a26471094074c8e7810d93abc898
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3988924
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Auto-Submit: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83968}
Bug: chromium:1379054
Change-Id: Ic788b8d0b42f4e24eaf8b2f2d05b24390fda247b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990627
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83987}
(cherry picked from commit 8b35091b2d244c975975e1c78e4cd09cb479b5dc)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/446478
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/builtins/promise-any.tq | 15 | ||||
-rw-r--r-- | chromium/v8/tools/v8heapconst.py | 42 |
2 files changed, 35 insertions, 22 deletions
diff --git a/chromium/v8/src/builtins/promise-any.tq b/chromium/v8/src/builtins/promise-any.tq
index ffb285a06a8..7e707e649f1 100644
--- a/chromium/v8/src/builtins/promise-any.tq
+++ b/chromium/v8/src/builtins/promise-any.tq
@@ -119,7 +119,19 @@ PromiseAnyRejectElementClosure(
             kPromiseAnyRejectElementRemainingSlot);
 
     // 9. Set errors[index] to x.
-    const newCapacity = IntPtrMax(SmiUntag(remainingElementsCount), index + 1);
+
+    // The max computation below is an optimization to avoid excessive allocations
+    // in the case of input promises being asynchronously rejected in ascending
+    // index order.
+    //
+    // Note that subtracting 1 from remainingElementsCount is intentional. The
+    // value of remainingElementsCount is 1 larger than the actual value during
+    // iteration. So in the case of synchronous rejection, newCapacity is the
+    // correct size by subtracting 1. In the case of asynchronous rejection this
+    // is 1 smaller than the correct size, but is not incorrect as it is maxed
+    // with index + 1.
+    const newCapacity =
+        IntPtrMax(SmiUntag(remainingElementsCount) - 1, index + 1);
     if (newCapacity > errors.length_intptr) deferred {
       errors = ExtractFixedArray(errors, 0, errors.length_intptr, newCapacity);
       *ContextSlot(
@@ -306,6 +318,7 @@ Reject(JSAny) {
           PromiseAnyRejectElementContextSlots::
               kPromiseAnyRejectElementErrorsSlot);
 
+      check(errors.length == index - 1);
       const error = ConstructAggregateError(errors);
       // 3. Return ThrowCompletion(error).
       goto Reject(error);
diff --git a/chromium/v8/tools/v8heapconst.py b/chromium/v8/tools/v8heapconst.py
index 66466b7e820..abe901ee330 100644
--- a/chromium/v8/tools/v8heapconst.py
+++ b/chromium/v8/tools/v8heapconst.py
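Review bot: The new `check(errors.length == index - 1)` in the Reject label has no comment stating which invariant it enforces or why the expected length is `index - 1`, even though this is the line just before the errors FixedArray is handed to ConstructAggregateError and becomes script-visible, so a backing store larger than the number of iterated elements would otherwise surface its unfilled slots there (presumably the type confusion this backport closes). As far as I know a Torque `check`, unlike `dcheck`, is kept in release builds, so a reader should be told the abort is deliberate; I would add above it `// errors must be exactly sized here: a larger backing store would leak unfilled slots` and `// through AggregateError.errors. index has already advanced past the last element, hence index - 1.` (confirm the counter's start value against the loop). The closure's own path that builds the AggregateError once remainingElementsCount reaches zero is outside this hunk; if it carries no equivalent length assertion, the same `check` would be worth adding there. Both PromiseAnyRejectElementClosure and the Reject label begin outside the hunk.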
@@ -538,27 +538,27 @@ KNOWN_OBJECTS = { ("old_space", 0x04b39): "StringSplitCache", ("old_space", 0x04f41): "RegExpMultipleCache", ("old_space", 0x05349): "BuiltinsConstantsTable", - ("old_space", 0x05775): "AsyncFunctionAwaitRejectSharedFun", - ("old_space", 0x05799): "AsyncFunctionAwaitResolveSharedFun", - ("old_space", 0x057bd): "AsyncGeneratorAwaitRejectSharedFun", - ("old_space", 0x057e1): "AsyncGeneratorAwaitResolveSharedFun", - ("old_space", 0x05805): "AsyncGeneratorYieldResolveSharedFun", - ("old_space", 0x05829): "AsyncGeneratorReturnResolveSharedFun", - ("old_space", 0x0584d): "AsyncGeneratorReturnClosedRejectSharedFun", - ("old_space", 0x05871): "AsyncGeneratorReturnClosedResolveSharedFun", - ("old_space", 0x05895): "AsyncIteratorValueUnwrapSharedFun", - ("old_space", 0x058b9): "PromiseAllResolveElementSharedFun", - ("old_space", 0x058dd): "PromiseAllSettledResolveElementSharedFun", - ("old_space", 0x05901): "PromiseAllSettledRejectElementSharedFun", - ("old_space", 0x05925): "PromiseAnyRejectElementSharedFun", - ("old_space", 0x05949): "PromiseCapabilityDefaultRejectSharedFun", - ("old_space", 0x0596d): "PromiseCapabilityDefaultResolveSharedFun", - ("old_space", 0x05991): "PromiseCatchFinallySharedFun", - ("old_space", 0x059b5): "PromiseGetCapabilitiesExecutorSharedFun", - ("old_space", 0x059d9): "PromiseThenFinallySharedFun", - ("old_space", 0x059fd): "PromiseThrowerFinallySharedFun", - ("old_space", 0x05a21): "PromiseValueThunkFinallySharedFun", - ("old_space", 0x05a45): "ProxyRevokeSharedFun", + ("old_space", 0x05779): "AsyncFunctionAwaitRejectSharedFun", + ("old_space", 0x0579d): "AsyncFunctionAwaitResolveSharedFun", + ("old_space", 0x057c1): "AsyncGeneratorAwaitRejectSharedFun", + ("old_space", 0x057e5): "AsyncGeneratorAwaitResolveSharedFun", + ("old_space", 0x05809): "AsyncGeneratorYieldResolveSharedFun", + ("old_space", 0x0582d): "AsyncGeneratorReturnResolveSharedFun", + ("old_space", 0x05851): "AsyncGeneratorReturnClosedRejectSharedFun", + 
("old_space", 0x05875): "AsyncGeneratorReturnClosedResolveSharedFun", + ("old_space", 0x05899): "AsyncIteratorValueUnwrapSharedFun", + ("old_space", 0x058bd): "PromiseAllResolveElementSharedFun", + ("old_space", 0x058e1): "PromiseAllSettledResolveElementSharedFun", + ("old_space", 0x05905): "PromiseAllSettledRejectElementSharedFun", + ("old_space", 0x05929): "PromiseAnyRejectElementSharedFun", + ("old_space", 0x0594d): "PromiseCapabilityDefaultRejectSharedFun", + ("old_space", 0x05971): "PromiseCapabilityDefaultResolveSharedFun", + ("old_space", 0x05995): "PromiseCatchFinallySharedFun", + ("old_space", 0x059b9): "PromiseGetCapabilitiesExecutorSharedFun", + ("old_space", 0x059dd): "PromiseThenFinallySharedFun", + ("old_space", 0x05a01): "PromiseThrowerFinallySharedFun", + ("old_space", 0x05a25): "PromiseValueThunkFinallySharedFun", + ("old_space", 0x05a49): "ProxyRevokeSharedFun", } # Lower 32 bits of first page addresses for various heap spaces. |