
Commit 0cf8a1f

Jana Grill authored and mibrunin committed
[Backport] CVE-2021-21225: Out of bounds memory access in V8 (2/2)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2821961:

[LTS-M86][builtins] Harden Array.prototype.concat.

Defence in depth patch to prevent JavaScript from executing from within IterateElements.

[email protected]
[email protected]

(cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-by: Camillo Bruni <[email protected]>
Reviewed-by: Igor Sheludko <[email protected]>
Commit-Queue: Igor Sheludko <[email protected]>
Cr-Original-Commit-Position: refs/heads/master@{#73898}
Commit-Queue: Jana Grill <[email protected]>
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#76}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
1 parent f06ec04 commit 0cf8a1f


2 files changed: +10 -0 lines changed


chromium/v8/AUTHORS

Lines changed: 1 addition & 0 deletions
@@ -69,6 +69,7 @@ Ben Newman <[email protected]>
6969
Ben Noordhuis <[email protected]>
7070
Benjamin Tan <[email protected]>
7171
Bert Belder <[email protected]>
72+
Brendon Tiszka <[email protected]>
7273
Burcu Dogan <[email protected]>
7374
Caitlin Potter <[email protected]>
7475
Craig Schlenter <[email protected]>

chromium/v8/src/builtins/builtins-array.cc

Lines changed: 9 additions & 0 deletions
@@ -1083,6 +1083,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
10831083
case HOLEY_SEALED_ELEMENTS:
10841084
case HOLEY_NONEXTENSIBLE_ELEMENTS:
10851085
case HOLEY_ELEMENTS: {
1086+
// Disallow execution so the cached elements won't change mid execution.
1087+
DisallowJavascriptExecution no_js(isolate);
1088+
10861089
// Run through the elements FixedArray and use HasElement and GetElement
10871090
// to check the prototype for missing elements.
10881091
Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
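Review bot: the comment at line 1086 should state the failure mode, not just the intent. `DisallowJavascriptExecution` at line 1087 does not stop JavaScript from being callable; it turns any entry into JavaScript while the scope is live into a fatal check failure in the invoke path rather than a thrown exception. That is the right trade for a defence-in-depth fix, since the alternative is continuing with the `elements` handle taken at line 1088 after a callback could have replaced the backing store, but readers of this code should not have to know that from the class name. Suggest extending the comment, e.g. `// Disallow execution so the cached elements won't change mid execution.` followed by `// Any JS entry below is a bug and aborts instead of reading stale elements.` Also worth stating in the commit message that the scope extends to the end of the case block, including the HasElement/GetElement prototype checks mentioned at lines 1089-1090, since that is the path a stale handle would actually be read on.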
@@ -1109,6 +1112,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
11091112
}
11101113
case HOLEY_DOUBLE_ELEMENTS:
11111114
case PACKED_DOUBLE_ELEMENTS: {
1115+
// Disallow execution so the cached elements won't change mid execution.
1116+
DisallowJavascriptExecution no_js(isolate);
1117+
11121118
// Empty array is FixedArray but not FixedDoubleArray.
11131119
if (length == 0) break;
11141120
// Run through the elements FixedArray and use HasElement and GetElement
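Review bot: the comment at line 1115 is copied verbatim from the HOLEY_ELEMENTS arm, but in this arm the cached object is a FixedDoubleArray (see the existing note at line 1118 that an empty array is a FixedArray and not a FixedDoubleArray), so it would read better as `// Disallow execution so the cached double elements won't change mid execution.` Placing the scope before the `if (length == 0) break;` at line 1119 is fine, the RAII object is destroyed on the early break, but it means the empty-array path also runs inside the scope for no benefit; moving it below the early return would keep the scope tight to the code it protects. One question for the author: the patch adds the scope to three arms of this switch; are the remaining arms that are not touched by the patch safe because they never cache a raw elements store, or were they simply out of scope for the backport? A sentence in the commit message would settle that.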
@@ -1145,6 +1151,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
11451151
}
11461152

11471153
case DICTIONARY_ELEMENTS: {
1154+
// Disallow execution so the cached dictionary won't change mid execution.
1155+
DisallowJavascriptExecution no_js(isolate);
1156+
11481157
Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
11491158
std::vector<uint32_t> indices;
11501159
indices.reserve(dict->Capacity() / 2);
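Review bot: the comment at line 1154 names the cached `dict` handle (line 1157) but not the `indices` vector at line 1158, which is sized from `dict->Capacity()` at line 1159 and filled from that same dictionary; both go stale together if the receiver's element dictionary is replaced or resized, so the comment should mention both, e.g. `// Disallow execution so neither the cached dictionary nor the collected indices change mid execution.` As with the other two arms, the scope converts any JavaScript entry for the rest of the block into a fatal check failure instead of an exception, which is the intended defence-in-depth behaviour but deserves one line saying so here, since this arm is the one where the cached state is a separately allocated table rather than the array's own backing store.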
