[v8/el6: 2/3] Backport CVE-2013-6650 incorrect handling of popular pages
T.C. Hollingsworth
patches at fedoraproject.org
Thu Feb 27 05:38:17 UTC 2014
commit 3d7deedb88134439d8736a840107280dc0dc0723
Author: Tomáš Hrčka <thrcka at redhat.com>
Date: Mon Feb 24 09:47:46 2014 +0100
Backport CVE-2013-6650 incorrect handling of popular pages
v8-3.14.5.10-CVE-2013-6650.patch | 80 ++++++++++++++++++++++++++++++++++++++
v8.spec | 10 ++++-
2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-CVE-2013-6650.patch b/v8-3.14.5.10-CVE-2013-6650.patch
new file mode 100644
index 0000000..d44811f
--- /dev/null
+++ b/v8-3.14.5.10-CVE-2013-6650.patch
@@ -0,0 +1,80 @@
+From 3928813f014d3cdaed83fefc3a454078272f114b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= <thrcka at redhat.com>
+Date: Tue, 18 Feb 2014 00:23:04 +0100
+Subject: [PATCH] Backport Fix for CVE-2013-6650 Original patch
+ https://code.google.com/p/v8/source/detail?r=18483
+
+Resolve: rhbz#1059070
+---
+ src/store-buffer.cc | 2 +-
+ test/mjsunit/regress/regress-331444.js | 45 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+ create mode 100644 test/mjsunit/regress/regress-331444.js
+
+diff --git a/src/store-buffer.cc b/src/store-buffer.cc
+index 66488ae..b9055f8 100644
+--- a/src/store-buffer.cc
++++ b/src/store-buffer.cc
+@@ -242,7 +242,7 @@ void StoreBuffer::ExemptPopularPages(int prime_sample_step, int threshold) {
+ containing_chunk = MemoryChunk::FromAnyPointerAddress(addr);
+ }
+ int old_counter = containing_chunk->store_buffer_counter();
+- if (old_counter == threshold) {
++ if (old_counter >= threshold) {
+ containing_chunk->set_scan_on_scavenge(true);
+ created_new_scan_on_scavenge_pages = true;
+ }
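Review bot: the one-character change from `if (old_counter == threshold)` to `if (old_counter >= threshold)` is the whole fix, so the review question is whether `old_counter` can be observed above `threshold` without ever being seen equal to it in this pass; `ExemptPopularPages` samples chunks with `prime_sample_step`, so a chunk whose `store_buffer_counter()` has already moved past `threshold` between samples would never get `set_scan_on_scavenge(true)` under the equality test, and the `>=` comparison is the correct guard. The hunk header `@@ -242,7 +242,7 @@` comes from upstream r18483 on a much newer tree, so it would be worth confirming the offsets still apply without fuzz on 3.14.5.10, since the spec applies the file with `%patch5 -p1`.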
+diff --git a/test/mjsunit/regress/regress-331444.js b/test/mjsunit/regress/regress-331444.js
+new file mode 100644
+index 0000000..3df0a08
+--- /dev/null
++++ b/test/mjsunit/regress/regress-331444.js
+@@ -0,0 +1,45 @@
++// Copyright 2014 the V8 project authors. All rights reserved.
++// Redistribution and use in source and binary forms, with or without
++// modification, are permitted provided that the following conditions are
++// met:
++//
++// * Redistributions of source code must retain the above copyright
++// notice, this list of conditions and the following disclaimer.
++// * Redistributions in binary form must reproduce the above
++// copyright notice, this list of conditions and the following
++// disclaimer in the documentation and/or other materials provided
++// with the distribution.
++// * Neither the name of Google Inc. nor the names of its
++// contributors may be used to endorse or promote products derived
++// from this software without specific prior written permission.
++//
++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++// Flags: --expose-gc
++
++
++function boom() {
++ var args = [];
++ for (var i = 0; i < 125000; i++)
++ args.push(i);
++ return Array.apply(Array, args);
++}
++var array = boom();
++function fib(n) {
++ var f0 = 0, f1 = 1;
++ for (; n > 0; n = n - 1) {
++ f0 + f1;
++ f0 = array;
++ }
++}
++fib(12);
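Review bot: the regression test declares `// Flags: --expose-gc` but never calls `gc()`, so either the flag is unnecessary or a `gc()` call between iterations of `fib` was dropped when the test was trimmed; as written the test only passes by not crashing, since `f0 + f1;` is a discarded expression and the loop body's only lasting effect is `f0 = array;`. That is normal for an mjsunit regress test, but note that the spec changes in this commit do not add or touch a `%check` step, so this file ships as source only unless the package already runs the mjsunit suite.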
+--
+1.8.3.1
+
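Review bot: the patch header runs the subject and the upstream reference together as `Subject: [PATCH] Backport Fix for CVE-2013-6650 Original patch` continued onto the next line with the URL, which git will treat as one long subject; a blank line after the subject would move `Original patch https://code.google.com/p/v8/source/detail?r=18483` into the body, and `Resolve: rhbz#1059070` is conventionally spelled `Resolves:`.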
diff --git a/v8.spec b/v8.spec
index 2a88a51..e85be91 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
Name: v8
Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release: 5%{?dist}
+Release: 6%{?dist}
Epoch: 1
Summary: JavaScript Engine
Group: System Environment/Libraries
@@ -47,6 +47,10 @@ Patch3: v8-3.14.5.10-CVE-2013-6640.patch
# https://codereview.chromium.org/11362182
Patch4: v8-3.14.5.10-enumeration.patch
+#backport fix for CVE-2013-6640 (RHBZ#1059070)
+Patch5: v8-3.14.5.10-CVE-2013-6650.patch
+
+
%description
V8 is Google's open source JavaScript engine. V8 is written in C++ and is used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
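Review bot: the comment `#backport fix for CVE-2013-6640 (RHBZ#1059070)` names the wrong CVE; the patch it introduces is `v8-3.14.5.10-CVE-2013-6650.patch`, and CVE-2013-6640 is already Patch3 two lines above, so this is a copy-paste slip that should read CVE-2013-6650 before it ends up in audit tooling that greps spec comments. The neighbouring Patch4 entry carries an upstream URL comment, so the same style would be `# https://code.google.com/p/v8/source/detail?r=18483` here, and only one of the two added blank lines before `%description` is needed.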
@@ -66,6 +70,7 @@ Development headers and libraries for v8.
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
# -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code
PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"`
@@ -223,6 +228,9 @@ rm -rf %{buildroot}
%{python_sitelib}/j*.py*
%changelog
+* Mon Feb 24 2014 Tomas Hrcka <thrcka at redhat.com> - 1:3.14.5.10-6
+- Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)
+
* Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-5
- rebuild for icu-52
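Review bot: the changelog line `- Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)` repeats the wrong CVE identifier; the commit subject, the patch filename and the patch header all say CVE-2013-6650, and the changelog is what `rpm -q --changelog` and errata tooling will show, so it should be corrected to CVE-2013-6650 before the build is tagged.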