[v8/el6: 2/3] Backport CVE-2013-6650 incorrect handling of popular pages

T.C. Hollingsworth patches at fedoraproject.org
Thu Feb 27 05:38:17 UTC 2014


commit 3d7deedb88134439d8736a840107280dc0dc0723
Author: Tomáš Hrčka <thrcka at redhat.com>
Date:   Mon Feb 24 09:47:46 2014 +0100

    Backport CVE-2013-6650 incorrect handling of popular pages

 v8-3.14.5.10-CVE-2013-6650.patch |   80 ++++++++++++++++++++++++++++++++++++++
 v8.spec                          |   10 ++++-
 2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-CVE-2013-6650.patch b/v8-3.14.5.10-CVE-2013-6650.patch
new file mode 100644
index 0000000..d44811f
--- /dev/null
+++ b/v8-3.14.5.10-CVE-2013-6650.patch
@@ -0,0 +1,80 @@
+From 3928813f014d3cdaed83fefc3a454078272f114b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= <thrcka at redhat.com>
+Date: Tue, 18 Feb 2014 00:23:04 +0100
+Subject: [PATCH] Backport Fix for CVE-2013-6650 Original patch
+ https://code.google.com/p/v8/source/detail?r=18483
+
+Resolve: rhbz#1059070
+---
+ src/store-buffer.cc                    |  2 +-
+ test/mjsunit/regress/regress-331444.js | 45 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+ create mode 100644 test/mjsunit/regress/regress-331444.js
+
+diff --git a/src/store-buffer.cc b/src/store-buffer.cc
+index 66488ae..b9055f8 100644
+--- a/src/store-buffer.cc
++++ b/src/store-buffer.cc
+@@ -242,7 +242,7 @@ void StoreBuffer::ExemptPopularPages(int prime_sample_step, int threshold) {
+       containing_chunk = MemoryChunk::FromAnyPointerAddress(addr);
+     }
+     int old_counter = containing_chunk->store_buffer_counter();
+-    if (old_counter == threshold) {
++    if (old_counter >= threshold) {
+       containing_chunk->set_scan_on_scavenge(true);
+       created_new_scan_on_scavenge_pages = true;
+     }
+diff --git a/test/mjsunit/regress/regress-331444.js b/test/mjsunit/regress/regress-331444.js
+new file mode 100644
+index 0000000..3df0a08
+--- /dev/null
++++ b/test/mjsunit/regress/regress-331444.js
+@@ -0,0 +1,45 @@
++// Copyright 2014 the V8 project authors. All rights reserved.
++// Redistribution and use in source and binary forms, with or without
++// modification, are permitted provided that the following conditions are
++// met:
++//
++//     * Redistributions of source code must retain the above copyright
++//       notice, this list of conditions and the following disclaimer.
++//     * Redistributions in binary form must reproduce the above
++//       copyright notice, this list of conditions and the following
++//       disclaimer in the documentation and/or other materials provided
++//       with the distribution.
++//     * Neither the name of Google Inc. nor the names of its
++//       contributors may be used to endorse or promote products derived
++//       from this software without specific prior written permission.
++//
++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++// Flags: --expose-gc
++
++
++function boom() {
++  var args = [];
++  for (var i = 0; i < 125000; i++)
++    args.push(i);
++  return Array.apply(Array, args);
++}
++var array = boom();
++function fib(n) {
++  var f0 = 0, f1 = 1;
++  for (; n > 0; n = n - 1) {
++    f0 + f1;
++    f0 = array;
++  }
++}
++fib(12);
+-- 
+1.8.3.1
+
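Review bot: the substantive change is the single line `-    if (old_counter == threshold) {` / `+    if (old_counter >= threshold) {` in `StoreBuffer::ExemptPopularPages`; with `==`, a chunk whose `store_buffer_counter()` has already moved past `threshold` is never flagged with `set_scan_on_scavenge(true)`, so the `>=` comparison is the correct fix and matches the referenced upstream r18483. Two packaging points: the `Subject:` line runs the URL `https://code.google.com/p/v8/source/detail?r=18483` into the subject text, so the link belongs in the body; and the embedded `regress-331444.js` carries no assertion (it is a crash reproducer gated on `// Flags: --expose-gc`), so it only has value if the mjsunit harness is actually exercised, which this spec change does not do.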
diff --git a/v8.spec b/v8.spec
index 2a88a51..e85be91 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
 
 Name:		v8
 Version:	%{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release:	5%{?dist}
+Release:	6%{?dist}
 Epoch:		1
 Summary:	JavaScript Engine
 Group:		System Environment/Libraries
@@ -47,6 +47,10 @@ Patch3:     v8-3.14.5.10-CVE-2013-6640.patch
 #   https://codereview.chromium.org/11362182
 Patch4:     v8-3.14.5.10-enumeration.patch
 
+#backport fix for CVE-2013-6640 (RHBZ#1059070)
+Patch5:     v8-3.14.5.10-CVE-2013-6650.patch
+
+
 %description
 V8 is Google's open source JavaScript engine. V8 is written in C++ and is used 
 in Google Chrome, the open source browser from Google. V8 implements ECMAScript 
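Review bot: the comment `#backport fix for CVE-2013-6640 (RHBZ#1059070)` names the wrong CVE; the file it introduces is `Patch5:     v8-3.14.5.10-CVE-2013-6650.patch`, and both the commit title and the patch subject say CVE-2013-6650 (CVE-2013-6640 is the existing `Patch3:`). Suggest `#backport fix for CVE-2013-6650 (RHBZ#1059070)`, and collapse the two added blank lines before `%description` to one.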
@@ -66,6 +70,7 @@ Development headers and libraries for v8.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 # -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code
 PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"`
@@ -223,6 +228,9 @@ rm -rf %{buildroot}
 %{python_sitelib}/j*.py*
 
 %changelog
+* Mon Feb 24 2014 Tomas Hrcka <thrcka at redhat.com> - 1:3.14.5.10-6
+- Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)
+
 * Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-5
 - rebuild for icu-52
 
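Review bot: the changelog line `- Backport fix for incorrect handling of popular pages (RHBZ#1059070; CVE-2013-6640)` repeats the wrong CVE id; this release fixes CVE-2013-6650, so it should read `... (RHBZ#1059070; CVE-2013-6650)`. The changelog is what `rpm -q --changelog` and vulnerability scanners consult to decide which CVEs a build addresses, so a mismatched id here would leave the fixed build reported as still affected.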

