[Backport] CVE-2021-21227: Insufficient data validation in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2839559:
Merged: [compiler] Fix a bug in VisitSpeculativeIntegerAdditiveOp

Revision: 9313c4ce3f32ad81df1c65becccec7e129181ce3

BUG=chromium:1199345
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: I0ee9f13815b1a7d248d4caa506c6930697e1866c
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Nico Hartmann <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.0@{#41}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
GeorgNeis authored and mibrunin committed May 7, 2021

1 parent 68da9a7 commit bc38ef7
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions chromium/v8/src/compiler/simplified-lowering.cc
@@ -1318,10 +1318,15 @@ class RepresentationSelector {
Type right_feedback_type = TypeOf(node->InputAt(1));

// Using Signed32 as restriction type amounts to promising there won't be
// signed overflow. This is incompatible with relying on a Word32
// truncation in order to skip the overflow check.
// signed overflow. This is incompatible with relying on a Word32 truncation
// in order to skip the overflow check. Similarly, we must not drop -0 from
// the result type unless we deopt for -0 inputs.
Type const restriction =
truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32();
truncation.IsUsedAsWord32()
? Type::Any()
: (truncation.identify_zeros() == kIdentifyZeros)
? Type::Signed32OrMinusZero()
: Type::Signed32();

// Handle the case when no int32 checks on inputs are necessary (but
// an overflow check is needed on the output). Note that we do not
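Review bot: the nested ternary introduced for `Type const restriction` (`truncation.IsUsedAsWord32() ? Type::Any() : (truncation.identify_zeros() == kIdentifyZeros) ? Type::Signed32OrMinusZero() : Type::Signed32();`) is correct as written but hard to scan; an explicit if/else chain or a small helper such as `RestrictionTypeFor(truncation)` would make the three cases (Word32 use, -0-identifying use, -0-distinguishing use) self-documenting. The updated comment could also say why kIdentifyZeros is the case that must keep -0: with that truncation no -0 deopt is emitted for the inputs, so a -0 result remains possible and `Type::Signed32()` would over-approximate the result type, which is the insufficient validation the commit title refers to. Finally, this backport touches only simplified-lowering.cc; confirm that the regression test from the original CL (https://chromium-review.googlesource.com/c/v8/v8/+/2839559) is cherry-picked alongside it, or that an equivalent test for chromium:1199345 already exists on this branch.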
