[v8/el6: 3/4] backport security fix for memory corruption and stack overflow (RHBZ#1125464)
T.C. Hollingsworth
patches at fedoraproject.org
Fri Aug 1 00:01:05 UTC 2014
commit c762358c3530057e8d58ac4913eabcef42193501
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date: Thu Jul 31 16:58:40 2014 -0700
backport security fix for memory corruption and stack overflow (RHBZ#1125464)
https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
v8-3.14.5.10-mem-corruption-stack-overflow.patch | 33 ++++++++++++++++++++++
v8.spec | 11 ++++++-
2 files changed, 43 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-mem-corruption-stack-overflow.patch b/v8-3.14.5.10-mem-corruption-stack-overflow.patch
new file mode 100644
index 0000000..452464b
--- /dev/null
+++ b/v8-3.14.5.10-mem-corruption-stack-overflow.patch
@@ -0,0 +1,33 @@
+From 530af9cb8e700e7596b3ec812bad123c9fa06356 Mon Sep 17 00:00:00 2001
+From: Fedor Indutny <fedor at indutny.com>
+Date: Wed, 30 Jul 2014 15:33:52 -0700
+Subject: [PATCH] v8: Interrupts must not mask stack overflow.
+
+Backport of https://codereview.chromium.org/339883002
+---
+ src/isolate.h | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/isolate.h b/src/isolate.h
+index b90191d..2769ca7 100644
+--- a/src/isolate.h
++++ b/src/isolate.h
+@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED {
+ public:
+ explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { }
+
+- bool HasOverflowed() const {
++ inline bool HasOverflowed() const {
+ StackGuard* stack_guard = isolate_->stack_guard();
+- // Stack has overflowed in C++ code only if stack pointer exceeds the C++
+- // stack guard and the limits are not set to interrupt values.
+- // TODO(214): Stack overflows are ignored if a interrupt is pending. This
+- // code should probably always use the initial C++ limit.
+- return (reinterpret_cast<uintptr_t>(this) < stack_guard->climit()) &&
+- stack_guard->IsStackOverflow();
++ return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();
+ }
+ private:
+ Isolate* isolate_;
+--
+2.0.3
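Review bot: The rewritten HasOverflowed() at the `+ return reinterpret_cast<uintptr_t>(this) < stack_guard->real_climit();` line drops the explanatory comment together with the old check, so the code no longer records why it compares against real_climit() rather than climit(). The removed comment and the patch subject state that climit() can be set to an interrupt value and that overflows were ignored while an interrupt was pending, so I would keep a short comment above the return: `// Compare against the real C++ limit: climit() may hold an interrupt value, which previously let a pending interrupt mask a genuine stack overflow.` The `inline` added to an in-class member definition is redundant (such definitions are implicitly inline), though since this is a verbatim upstream backport it is probably better left matching upstream. The enclosing StackLimitCheck class starts before and ends after this hunk.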
diff --git a/v8.spec b/v8.spec
index d5b232c..4731146 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
Name: v8
Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release: 10%{?dist}
+Release: 11%{?dist}
Epoch: 1
Summary: JavaScript Engine
Group: System Environment/Libraries
@@ -67,6 +67,10 @@ Patch7: v8-3.14.5.10-use-clock_gettime.patch
# https://github.com/joyent/node/issues/7528
Patch8: v8-3.14.5.10-x64-compare-stubs.patch
+# backport security fix for memory corruption/stack overflow (RHBZ#1125464)
+# https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
+# https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
+Patch9: v8-3.14.5.10-mem-corruption-stack-overflow.patch
%description
V8 is Google's open source JavaScript engine. V8 is written in C++ and is used
@@ -91,6 +95,7 @@ Development headers and libraries for v8.
%patch6 -p1
%patch7 -p1
%patch8 -p1
+%patch9 -p1
#Patch7 needs -lrt on glibc < 2.17 (RHEL <= 6)
%if (0%{?rhel} > 6 || 0%{?fedora} > 18)
@@ -255,6 +260,10 @@ rm -rf %{buildroot}
%{python_sitelib}/j*.py*
%changelog
+* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-11
+- backport security fix for memory corruption and stack overflow (RHBZ#1125464)
+ https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
+
* Thu Jun 19 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-10
- fix corner case in integer comparisons (v8 bug#2416; nodejs bug#7528)