Skip to content

Commit

Permalink
[Backport] CVE-2024-3159: Out of bounds memory access in V8
Browse files Browse the repository at this point in the history
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5401859:
Merged: [runtime] Recreate enum cache on map update if any previous map had one

If any previous map in the transition tree had an enum cache, then we
recreate one when updating the map.

Bug: 330760873
(cherry picked from commit 807cf7d0b7d96212c98ed2119e07f9b2c6a23f61)

Change-Id: Ia9ea4cf17fef60166a0c037318eb539866aac37a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5401859
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.2@{#52}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553307
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
  • Loading branch information
DadaIsCrazy authored and mibrunin committed Apr 9, 2024
1 parent c028214 commit 5e927a6
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions chromium/v8/src/objects/map-updater.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1031,14 +1031,21 @@ MapUpdater::State MapUpdater::ConstructNewMap() {
Handle<Map> new_map =
Map::AddMissingTransitions(isolate_, split_map, new_descriptors);

bool had_any_enum_cache =
split_map->instance_descriptors(isolate_)
.enum_cache()
.keys()
.length() > 0 ||
old_descriptors_->enum_cache().keys().length() > 0;

// Deprecated part of the transition tree is no longer reachable, so replace
// current instance descriptors in the "survived" part of the tree with
// the new descriptors to maintain descriptors sharing invariant.
split_map->ReplaceDescriptors(isolate_, *new_descriptors);

// If the old descriptors had an enum cache, make sure the new ones do too.
if (old_descriptors_->enum_cache().keys().length() > 0 &&
new_map->NumberOfEnumerableProperties() > 0) {
// If the old descriptors had an enum cache (or if {split_map}'s descriptors
// had one), make sure the new ones do too.
if (had_any_enum_cache && new_map->NumberOfEnumerableProperties() > 0) {
FastKeyAccumulator::InitializeFastPropertyEnumCache(
isolate_, new_map, new_map->NumberOfEnumerableProperties());
}
Expand Down

0 comments on commit 5e927a6

Please sign in to comment.