author | Tobias Tebbi <tebbi@chromium.org> | 2022-04-13 16:30:36 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-04-20 13:17:22 +0000 |
commit | b26a6a0a3dc94290bf8262955c973595a1405e5d (patch) | |
tree | cce5c83aa84bb9ccca4be3737ddc9ab7ddc1e4ae | |
parent | 9d1f359b0af97b73917e2865436de94fe530c673 (diff) | |
[Backport] CVE-2022-1364: Type Confusion in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3584531:
mark receiver and function as escaping
(cherry picked from commit 8081a5ffa7ebdb0e5b35cf63aa0490ad3578b940)
Bug: chromium:1315901
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: Ic44bfcae32aba202ba25c5f59fe579214a444584
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#79968}
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#62}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/escape-analysis.cc | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/escape-analysis.cc b/chromium/v8/src/compiler/escape-analysis.cc
index 7ff6ab684fc..316db298da8 100644
--- a/chromium/v8/src/compiler/escape-analysis.cc
+++ b/chromium/v8/src/compiler/escape-analysis.cc
@@ -5,10 +5,12 @@
 #include "src/compiler/escape-analysis.h"
 
 #include "src/codegen/tick-counter.h"
+#include "src/compiler/frame-states.h"
 #include "src/compiler/linkage.h"
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/operator-properties.h"
 #include "src/compiler/simplified-operator.h"
+#include "src/compiler/state-values-utils.h"
 #include "src/handles/handles-inl.h"
 #include "src/init/bootstrapper.h"
 #include "src/objects/map-inl.h"
@@ -224,6 +226,11 @@ class EscapeAnalysisTracker : public ZoneObject {
     return tracker_->ResolveReplacement(
         NodeProperties::GetContextInput(current_node()));
   }
+  // Accessing the current node is fine for `FrameState nodes.
+  Node* CurrentNode() {
+    DCHECK_EQ(current_node()->opcode(), IrOpcode::kFrameState);
+    return current_node();
+  }
 
   void SetReplacement(Node* replacement) {
     replacement_ = replacement;
@@ -796,9 +803,25 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
       break;
     }
     case IrOpcode::kStateValues:
-    case IrOpcode::kFrameState:
       // These uses are always safe.
       break;
+    case IrOpcode::kFrameState: {
+      // We mark the receiver as escaping due to the non-standard `.getThis`
+      // API.
+      FrameState frame_state{current->CurrentNode()};
+      if (frame_state.frame_state_info().type() !=
+          FrameStateType::kUnoptimizedFunction)
+        break;
+      StateValuesAccess::iterator it =
+          StateValuesAccess(frame_state.parameters()).begin();
+      if (!it.done()) {
+        if (Node* receiver = it.node()) {
+          current->SetEscaped(receiver);
+        }
+        current->SetEscaped(frame_state.function());
+      }
+      break;
+    }
     default: {
       // For unknown nodes, treat all value inputs as escaping.
       int value_input_count = op->ValueInputCount();
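Review bot: In the kFrameState case the comment explains only the receiver, yet the block also marks `frame_state.function()` as escaping, and that call sits inside `if (!it.done())` although the function input of a FrameState does not depend on the parameter list. If an unoptimized-function frame state always carries at least the receiver parameter this is harmless, but that invariant is not visible in the hunk; hoisting `current->SetEscaped(frame_state.function());` out of the `if (!it.done())` block makes the intent explicit and keeps the escape of the closure from being silently skipped on an empty parameter list. The comment should name both values, e.g. `// Mark the receiver and the function as escaping: the non-standard .getThis` / `// stack-trace API can observe them from the unoptimized frame.`. The comment added in the earlier hunk, `// Accessing the current node is fine for \`FrameState nodes.`, is missing its closing backtick. The switch in ReduceNode starts and ends outside the hunk.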