[Backport] CVE-2024-12693: Out of bounds memory access in V8

DadaIsCrazy · mibrunin · commit fabc804b4c3b · 2025-01-22T15:20:34.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/6084686: Merged: [maglev] Avoid retagging loop phi backedges too early When we decide that a loop phi should remain tagged, we call EnsurePhiInputsTagged to ensures that it only has tagged inputs, which calls EnsurePhiTagged, which might cause retagging of any untagged phi it has as input. In order to avoid retagging multiple times the same Phi, we have a SnaphotTable (`phi_taggings_`), which records existing tagging in the predecessors, and in which EnsurePhiTagged looks to avoid creating new retagging nodes. For loop phis, the backedge predecessor won't have an entry yet in this SnapshotTable (since we only visit loops once, this has to be the first time we visit the header and thus we can't have already visited the backedge block), and we should thus not call EnsurePhiTagged on the backedge. Note that the backedge input will anyways be properly tagged when FixLoopPhisBackedge is later called from the JumpLoop backedge. Fixed: chromium:382190919 (cherry picked from commit e4ecfc909687511aeb20b88ce6ae2a7a1a80afe5) Change-Id: Ib24f311cb443eabe278f537c00bbc3274bf82415 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6084686 Auto-Submit: Olivier Flückiger <olivf@chromium.org> Commit-Queue: Olivier Flückiger <olivf@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/branch-heads/13.0@{#41} Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1} Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615318 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>
diff --git a/chromium/v8/src/maglev/maglev-phi-representation-selector.cc b/chromium/v8/src/maglev/maglev-phi-representation-selector.cc
@@ -334,7 +334,8 @@ void MaglevPhiRepresentationSelector::EnsurePhiInputsTagged(Phi* phi) {
   // should be tagged. We'll thus insert tagging operation on the untagged phi
   // inputs of {phi}.
 
-  for (int i = 0; i < phi->input_count(); i++) {
+  const int skip_backedge = phi->is_loop_phi() ? 1 : 0;
+  for (int i = 0; i < phi->input_count() - skip_backedge; i++) {
     ValueNode* input = phi->input(i).node();
     if (Phi* phi_input = input->TryCast<Phi>()) {
       phi->change_input(i, EnsurePhiTagged(phi_input, phi->predecessor_at(i),
