[Backport] CVE-2024-1938: Type Confusion in V8

gahaas · mibrunin · commit 70cc64ba16bd · 2024-03-12T13:17:06.000Z
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5300311: Merged: [wasm] Use correct signature index for tier-up of wasm-to-js wrapper The wasm-to-js wrapper tierup used the canonicalized signature id lookup for module-independent signatures to look up the canonicalized signature id of module-specific signatures. With this CL the signature id is looked up with the function index of imported functions and from the dispatch table for indirect function calls instead. R=jkummerow@chromium.org Bug: 324596281 (cherry picked from commit 2109613ad4622028778a38fb418956fab8b478b6) Change-Id: I3fb7e4f02596f62e13ffe60015f96bac5efbc598 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5300311 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/branch-heads/12.2@{#32} Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/546082 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/v8/src/runtime/runtime-wasm.cc b/chromium/v8/src/runtime/runtime-wasm.cc
@@ -20,6 +20,7 @@
 #include "src/wasm/wasm-constants.h"
 #include "src/wasm/wasm-debug.h"
 #include "src/wasm/wasm-engine.h"
+#include "src/wasm/wasm-module.h"
 #include "src/wasm/wasm-objects.h"
 #include "src/wasm/wasm-subtyping.h"
 #include "src/wasm/wasm-value.h"
@@ -470,10 +471,29 @@ RUNTIME_FUNCTION(Runtime_TierUpWasmToJSWrapper) {
     instance = handle(WasmInstanceObject::cast(tuple->value1()), isolate);
     origin = handle(tuple->value2(), isolate);
   }
-  // Get the function's canonical signature index. Note that the function's
-  // signature may not be present in the importing module.
-  uint32_t canonical_sig_index =
-      wasm::GetTypeCanonicalizer()->AddRecursiveGroup(&sig);
+
+  uint32_t canonical_sig_index = std::numeric_limits<uint32_t>::max();
+  const wasm::WasmModule* module = instance->module();
+  if (WasmApiFunctionRef::CallOriginIsImportIndex(origin)) {
+    int func_index = WasmApiFunctionRef::CallOriginAsIndex(origin);
+    canonical_sig_index =
+        module->isorecursive_canonical_type_ids[module->functions[func_index]
+                                                    .sig_index];
+  } else {
+    // Indirect function table index.
+    int entry_index = WasmApiFunctionRef::CallOriginAsIndex(origin);
+    int table_count = instance->indirect_function_tables()->length();
+    // We have to find the table which contains the correct entry.
+    for (int table_index = 0; table_index < table_count; ++table_index) {
+      Handle<WasmIndirectFunctionTable> table =
+          instance->GetIndirectFunctionTable(isolate, table_index);
+      if (table->refs()->get(entry_index) == *ref) {
+        canonical_sig_index = table->sig_ids()->get(entry_index);
+        break;
+      }
+    }
+  }
+  DCHECK_NE(canonical_sig_index, std::numeric_limits<uint32_t>::max());
 
   // Compile a wrapper for the target callable.
   Handle<JSReceiver> callable(JSReceiver::cast(ref->callable()), isolate);
