From e54c1076009a61d8885457fec2f6541ad2a856bd Mon Sep 17 00:00:00 2001
From: Stephan Herhut
Date: Tue, 8 Jan 2019 11:15:10 +0100
Subject: [Backport] Security Bug 919572
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enfore valid register for SignExtendWord8ToInt32. On ia32, the instruction selector uses movsx_b to compile the wasm SignExtendWord8ToInt32 instruction. movsx_b requires a byte register as input. However, not all allocatable registers on ia32 are. As we cannot currently express constraints on subsets of registers, this change now forces the input to movsx_b into eax.
Bug: chromium:919572
Reviewed-on: https://chromium-review.googlesource.com/c/1400409
Change-Id: I40b128958b5994bdcba5c313a8d5f1986565fa64
Reviewed-by: Michael BrĂ¼ning
---
chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc
index 41442542850..d523a70e99a 100644
--- a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc
+++ b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc
@@ -174,7 +174,11 @@ namespace {
 void VisitRO(InstructionSelector* selector, Node* node, ArchOpcode opcode) {
 IA32OperandGenerator g(selector);
- selector->Emit(opcode, g.DefineAsRegister(node), g.Use(node->InputAt(0)));
+ Node* input = node->InputAt(0);
+ // We have to use a byte register as input to movsxb.
+ InstructionOperand input_op =
+ opcode == kIA32Movsxbl ? g.UseFixed(input, eax) : g.Use(input);
+ selector->Emit(opcode, g.DefineAsRegister(node), input_op);
 }
--
cgit v1.2.1
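Review bot: The byte-register requirement is enforced only by the `opcode == kIA32Movsxbl` comparison inside the generic `VisitRO` helper, so any other byte-operand opcode later routed through this helper, or a different lowering that emits movsx_b, would still take the unconstrained `g.Use(input)` path. I would widen the added comment to record that consequence, e.g. `// movsx_b needs a byte-addressable source; g.Use() may allocate a register without an 8-bit form, so pin the input to eax until register-subset constraints exist.` A debug assertion at the point where the code generator emits kIA32Movsxbl would catch a regression at the instruction itself; whether the assembler already asserts this is not visible from the hunk. The patch changes one file and adds no regression test, so a wasm test that runs the 8-bit sign extension with most registers live would keep the constraint from being dropped silently.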