[v8] actually commit the patch
T.C. Hollingsworth
patches at fedoraproject.org
Fri Dec 13 18:53:44 UTC 2013
commit e24c8b7efe72b92264cd2e6cd04c10f229e1676b
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date: Fri Dec 13 11:53:24 2013 -0700
actually commit the patch
v8-3.14.5.10-CVE-2013-6640.patch | 316 ++++++++++++++++++++++++++++++++++++++
1 files changed, 316 insertions(+), 0 deletions(-)
---
diff --git a/v8-3.14.5.10-CVE-2013-6640.patch b/v8-3.14.5.10-CVE-2013-6640.patch
new file mode 100644
index 0000000..1a2a420
--- /dev/null
+++ b/v8-3.14.5.10-CVE-2013-6640.patch
@@ -0,0 +1,316 @@
+From 520f94a1da96b0f1fd3d0e0c0b82e4d7c1e7d58f Mon Sep 17 00:00:00 2001
+From: "T.C. Hollingsworth" <tchollingsworth at gmail.com>
+Date: Fri, 13 Dec 2013 00:45:27 -0700
+Subject: [PATCH] Limit size of dehoistable array indices
+
+backported from upstream r17801
+---
+ src/elements-kind.cc | 30 ++++++++++++++++
+ src/elements-kind.h | 2 ++
+ src/hydrogen-instructions.h | 9 +++++
+ src/hydrogen.cc | 2 +-
+ src/lithium.cc | 30 ----------------
+ src/lithium.h | 3 --
+ test/mjsunit/regress/regress-crbug-319835.js | 51 ++++++++++++++++++++++++++++
+ test/mjsunit/regress/regress-crbug-319860.js | 47 +++++++++++++++++++++++++
+ 8 files changed, 140 insertions(+), 34 deletions(-)
+ create mode 100644 test/mjsunit/regress/regress-crbug-319835.js
+ create mode 100644 test/mjsunit/regress/regress-crbug-319860.js
+
+diff --git a/src/elements-kind.cc b/src/elements-kind.cc
+index 655a23b..c93a602 100644
+--- a/src/elements-kind.cc
++++ b/src/elements-kind.cc
+@@ -35,6 +35,36 @@ namespace v8 {
+ namespace internal {
+
+
++int ElementsKindToShiftSize(ElementsKind elements_kind) {
++ switch (elements_kind) {
++ case EXTERNAL_BYTE_ELEMENTS:
++ case EXTERNAL_PIXEL_ELEMENTS:
++ case EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
++ return 0;
++ case EXTERNAL_SHORT_ELEMENTS:
++ case EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
++ return 1;
++ case EXTERNAL_INT_ELEMENTS:
++ case EXTERNAL_UNSIGNED_INT_ELEMENTS:
++ case EXTERNAL_FLOAT_ELEMENTS:
++ return 2;
++ case EXTERNAL_DOUBLE_ELEMENTS:
++ case FAST_DOUBLE_ELEMENTS:
++ case FAST_HOLEY_DOUBLE_ELEMENTS:
++ return 3;
++ case FAST_SMI_ELEMENTS:
++ case FAST_ELEMENTS:
++ case FAST_HOLEY_SMI_ELEMENTS:
++ case FAST_HOLEY_ELEMENTS:
++ case DICTIONARY_ELEMENTS:
++ case NON_STRICT_ARGUMENTS_ELEMENTS:
++ return kPointerSizeLog2;
++ }
++ UNREACHABLE();
++ return 0;
++}
++
++
+ void PrintElementsKind(FILE* out, ElementsKind kind) {
+ ElementsAccessor* accessor = ElementsAccessor::ForKind(kind);
+ PrintF(out, "%s", accessor->name());
+diff --git a/src/elements-kind.h b/src/elements-kind.h
+index 3be7711..c5d9df8 100644
+--- a/src/elements-kind.h
++++ b/src/elements-kind.h
+@@ -77,6 +77,8 @@ const int kElementsKindCount = LAST_ELEMENTS_KIND - FIRST_ELEMENTS_KIND + 1;
+ const int kFastElementsKindCount = LAST_FAST_ELEMENTS_KIND -
+ FIRST_FAST_ELEMENTS_KIND + 1;
+
++int ElementsKindToShiftSize(ElementsKind elements_kind);
++
+ void PrintElementsKind(FILE* out, ElementsKind kind);
+
+ ElementsKind GetInitialFastElementsKind();
+diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
+index 015212d..a1e5b97 100644
+--- a/src/hydrogen-instructions.h
++++ b/src/hydrogen-instructions.h
+@@ -4240,6 +4240,7 @@ class ArrayInstructionInterface {
+ virtual HValue* GetKey() = 0;
+ virtual void SetKey(HValue* key) = 0;
+ virtual void SetIndexOffset(uint32_t index_offset) = 0;
++ virtual int MaxIndexOffsetBits() = 0;
+ virtual bool IsDehoisted() = 0;
+ virtual void SetDehoisted(bool is_dehoisted) = 0;
+ virtual ~ArrayInstructionInterface() { };
+@@ -4274,6 +4275,7 @@ class HLoadKeyedFastElement
+ void SetIndexOffset(uint32_t index_offset) {
+ bit_field_ = IndexOffsetField::update(bit_field_, index_offset);
+ }
++ int MaxIndexOffsetBits() { return 25; }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return IsDehoistedField::decode(bit_field_); }
+@@ -4343,6 +4345,7 @@ class HLoadKeyedFastDoubleElement
+ HValue* dependency() { return OperandAt(2); }
+ uint32_t index_offset() { return index_offset_; }
+ void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
++ int MaxIndexOffsetBits() { return 25; }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return is_dehoisted_; }
+@@ -4420,6 +4423,7 @@ class HLoadKeyedSpecializedArrayElement
+ ElementsKind elements_kind() const { return elements_kind_; }
+ uint32_t index_offset() { return index_offset_; }
+ void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
++ int MaxIndexOffsetBits() { return 25; }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return is_dehoisted_; }
+@@ -4595,6 +4599,7 @@ class HStoreKeyedFastElement
+ }
+ uint32_t index_offset() { return index_offset_; }
+ void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
++ int MaxIndexOffsetBits() { return 25; }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return is_dehoisted_; }
+@@ -4648,6 +4653,7 @@ class HStoreKeyedFastDoubleElement
+ HValue* value() { return OperandAt(2); }
+ uint32_t index_offset() { return index_offset_; }
+ void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
++ int MaxIndexOffsetBits() { return 25; }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return is_dehoisted_; }
+@@ -4706,6 +4712,9 @@ class HStoreKeyedSpecializedArrayElement
+ ElementsKind elements_kind() const { return elements_kind_; }
+ uint32_t index_offset() { return index_offset_; }
+ void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
++ int MaxIndexOffsetBits() {
++ return 31 - ElementsKindToShiftSize(elements_kind_);
++ }
+ HValue* GetKey() { return key(); }
+ void SetKey(HValue* key) { SetOperandAt(1, key); }
+ bool IsDehoisted() { return is_dehoisted_; }
+diff --git a/src/hydrogen.cc b/src/hydrogen.cc
+index 8393e51..e3f79ee 100644
+--- a/src/hydrogen.cc
++++ b/src/hydrogen.cc
+@@ -3737,7 +3737,7 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) {
+ int32_t value = constant->Integer32Value() * sign;
+ // We limit offset values to 30 bits because we want to avoid the risk of
+ // overflows when the offset is added to the object header size.
+- if (value >= 1 << 30 || value < 0) return;
++ if (value >= 1 << array_operation->MaxIndexOffsetBits() || value < 0) return;
+ array_operation->SetKey(subexpression);
+ if (index->HasNoUses()) {
+ index->DeleteAndReplaceWith(NULL);
+diff --git a/src/lithium.cc b/src/lithium.cc
+index eb2198d..1232bf1 100644
+--- a/src/lithium.cc
++++ b/src/lithium.cc
+@@ -227,36 +227,6 @@ void LPointerMap::PrintTo(StringStream* stream) {
+ }
+
+
+-int ElementsKindToShiftSize(ElementsKind elements_kind) {
+- switch (elements_kind) {
+- case EXTERNAL_BYTE_ELEMENTS:
+- case EXTERNAL_PIXEL_ELEMENTS:
+- case EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
+- return 0;
+- case EXTERNAL_SHORT_ELEMENTS:
+- case EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
+- return 1;
+- case EXTERNAL_INT_ELEMENTS:
+- case EXTERNAL_UNSIGNED_INT_ELEMENTS:
+- case EXTERNAL_FLOAT_ELEMENTS:
+- return 2;
+- case EXTERNAL_DOUBLE_ELEMENTS:
+- case FAST_DOUBLE_ELEMENTS:
+- case FAST_HOLEY_DOUBLE_ELEMENTS:
+- return 3;
+- case FAST_SMI_ELEMENTS:
+- case FAST_ELEMENTS:
+- case FAST_HOLEY_SMI_ELEMENTS:
+- case FAST_HOLEY_ELEMENTS:
+- case DICTIONARY_ELEMENTS:
+- case NON_STRICT_ARGUMENTS_ELEMENTS:
+- return kPointerSizeLog2;
+- }
+- UNREACHABLE();
+- return 0;
+-}
+-
+-
+ LLabel* LChunk::GetLabel(int block_id) const {
+ HBasicBlock* block = graph_->blocks()->at(block_id);
+ int first_instruction = block->first_instruction_index();
+diff --git a/src/lithium.h b/src/lithium.h
+index 089926e..a29d9d0 100644
+--- a/src/lithium.h
++++ b/src/lithium.h
+@@ -704,9 +704,6 @@ class LChunk: public ZoneObject {
+ };
+
+
+-int ElementsKindToShiftSize(ElementsKind elements_kind);
+-
+-
+ } } // namespace v8::internal
+
+ #endif // V8_LITHIUM_H_
+diff --git a/test/mjsunit/regress/regress-crbug-319835.js b/test/mjsunit/regress/regress-crbug-319835.js
+new file mode 100644
+index 0000000..48f871f
+--- /dev/null
++++ b/test/mjsunit/regress/regress-crbug-319835.js
+@@ -0,0 +1,51 @@
++// Copyright 2013 the V8 project authors. All rights reserved.
++// Redistribution and use in source and binary forms, with or without
++// modification, are permitted provided that the following conditions are
++// met:
++//
++// * Redistributions of source code must retain the above copyright
++// notice, this list of conditions and the following disclaimer.
++// * Redistributions in binary form must reproduce the above
++// copyright notice, this list of conditions and the following
++// disclaimer in the documentation and/or other materials provided
++// with the distribution.
++// * Neither the name of Google Inc. nor the names of its
++// contributors may be used to endorse or promote products derived
++// from this software without specific prior written permission.
++//
++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++// Flags: --allow-natives-syntax
++
++try {} catch(e) {} // No need to optimize the top level.
++
++var size = 0x20000;
++var a = new Float64Array(size);
++var training = new Float64Array(10);
++function store(a, index) {
++ var offset = 0x20000000;
++ for (var i = 0; i < 1; i++) {
++ a[index + offset] = 0xcc;
++ }
++}
++
++store(training, -0x20000000);
++store(training, -0x20000000 + 1);
++store(training, -0x20000000);
++store(training, -0x20000000 + 1);
++%OptimizeFunctionOnNextCall(store);
++
++// Segfault maybe?
++for (var i = -0x20000000; i < -0x20000000 + size; i++) {
++ store(a, i);
++}
+diff --git a/test/mjsunit/regress/regress-crbug-319860.js b/test/mjsunit/regress/regress-crbug-319860.js
+new file mode 100644
+index 0000000..b81fb85
+--- /dev/null
++++ b/test/mjsunit/regress/regress-crbug-319860.js
+@@ -0,0 +1,47 @@
++// Copyright 2013 the V8 project authors. All rights reserved.
++// Redistribution and use in source and binary forms, with or without
++// modification, are permitted provided that the following conditions are
++// met:
++//
++// * Redistributions of source code must retain the above copyright
++// notice, this list of conditions and the following disclaimer.
++// * Redistributions in binary form must reproduce the above
++// copyright notice, this list of conditions and the following
++// disclaimer in the documentation and/or other materials provided
++// with the distribution.
++// * Neither the name of Google Inc. nor the names of its
++// contributors may be used to endorse or promote products derived
++// from this software without specific prior written permission.
++//
++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++// Flags: --allow-natives-syntax
++
++function read(a, index) {
++ var offset = 0x2000000;
++ var result;
++ for (var i = 0; i < 1; i++) {
++ result = a[index + offset];
++ }
++ return result;
++}
++
++var a = new Int8Array(0x2000001);
++read(a, 0);
++read(a, 0);
++%OptimizeFunctionOnNextCall(read);
++
++// Segfault maybe?
++for (var i = 0; i > -1000000; --i) {
++ read(a, i);
++}
+--
+1.8.4.2
+
More information about the scm-commits
mailing list