Security: OOB reads due to missing map check
Issue description
The fast path of Array#indexOf does not check the map type, which allows OOB reads.
Repro (run with d8 --allow-natives-syntax):
// Plain object whose prototype is Array.prototype: o.indexOf resolves to the
// builtin, but the receiver is not an array.
const o = {x:9};
o.__proto__ = Array.prototype;
function foo(o) {
  return o.indexOf(undefined);
}
print(foo(o));  // warm-up calls
print(foo(o));
%OptimizeFunctionOnNextCall(foo);
print(foo(o));  // optimized code takes the fast path on the non-array receiver
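Added example, not code from the bug report or from V8: a spec-style generic indexOf showing the result the fast path must reproduce for any receiver, a receiver-type guard standing in for the check the fix adds, and a differential check against the engine's builtin. Using Array.isArray as the guard and the builtin as the "fast path" are assumptions of this illustration, not how JSCallReducer is implemented.

```javascript
// Added example, not code from the bug report or from V8. The generic
// algorithm below follows the ECMAScript steps for Array.prototype.indexOf
// (ToObject, LengthOfArrayLike, ToIntegerOrInfinity(fromIndex), then
// HasProperty + strict equality per index, so holes are skipped).
function genericIndexOf(receiver, searchElement, fromIndex = 0) {
  if (receiver === null || receiver === undefined) {
    throw new TypeError("indexOf called on null or undefined");
  }
  const O = Object(receiver);
  // LengthOfArrayLike: NaN and negative lengths become 0, huge ones are clamped.
  let len = Math.trunc(Number(O.length));
  if (Number.isNaN(len) || len <= 0) return -1;
  len = Math.min(len, Number.MAX_SAFE_INTEGER);
  let n = Math.trunc(Number(fromIndex));
  if (Number.isNaN(n)) n = 0;
  if (n >= len) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    if (k in O && O[k] === searchElement) return k;
  }
  return -1;
}

// Stand-in for the check the fix adds to the compiler: only a genuine Array
// may take the fast path (represented here by the engine's own builtin);
// every other receiver goes through the generic algorithm above.
function guardedIndexOf(receiver, searchElement, fromIndex = 0) {
  if (Array.isArray(receiver)) {
    return Array.prototype.indexOf.call(receiver, searchElement, fromIndex);
  }
  return genericIndexOf(receiver, searchElement, fromIndex);
}

// Differential check in the spirit of a regression test: the builtin must
// agree with the generic algorithm for every receiver, array or not.
function agreesWithBuiltin(receiver, searchElement, fromIndex = 0) {
  const expected = genericIndexOf(receiver, searchElement, fromIndex);
  const actual = Array.prototype.indexOf.call(receiver, searchElement, fromIndex);
  return expected === actual;
}

// Constructed inputs: the repro's receiver (a plain object whose prototype is
// Array.prototype, so it inherits length 0) and an array-like with a hole.
const repro = { x: 9 };
Object.setPrototypeOf(repro, Array.prototype);
const arrayLike = { length: 3, 0: "a", 2: "c" };
```

On a fixed engine agreesWithBuiltin(repro, undefined) is true because both sides return -1; the bug was that optimized code did not route this receiver through the generic path at all.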
May 16 2018
May 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f651409fee71393d5c858c732349b7ec14f8c248

commit f651409fee71393d5c858c732349b7ec14f8c248
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Wed May 16 14:01:30 2018

[turbofan] Add missing check in JSCallReducer

Bug: chromium:843543
Change-Id: I709c4be330e7d45e597b3ca4ae9db8a960b07bbc
Reviewed-on: https://chromium-review.googlesource.com/1061463
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53216}

[modify] https://crrev.com/f651409fee71393d5c858c732349b7ec14f8c248/src/compiler/js-call-reducer.cc
[add] https://crrev.com/f651409fee71393d5c858c732349b7ec14f8c248/test/mjsunit/regress/regress-843543.js
May 16 2018
This is an obvious one-line fix.
May 16 2018
This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 16 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.
This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 16 2018
+awhalley@ (Security TPM) for M67 merge review
May 21 2018
govind@ - good for 67
May 21 2018
Approving merge to M67 branch 3396 based on comment #10. Please merge ASAP so we can pick it up for this week's last M67 beta release on Wednesday. Thank you.
May 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/4327cb43a23775ae10b8b96cee88c9f36435afa4

commit 4327cb43a23775ae10b8b96cee88c9f36435afa4
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Mon May 21 21:35:47 2018

Merged: [turbofan] Add missing check in JSCallReducer

Revision: f651409fee71393d5c858c732349b7ec14f8c248

BUG= chromium:843543
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Change-Id: I83a588aae72287a501cb7f7ead30183ccad90138
Reviewed-on: https://chromium-review.googlesource.com/1067856
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#79}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}

[modify] https://crrev.com/4327cb43a23775ae10b8b96cee88c9f36435afa4/src/compiler/js-call-reducer.cc
[add] https://crrev.com/4327cb43a23775ae10b8b96cee88c9f36435afa4/test/mjsunit/regress/regress-843543.js
Aug 23
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sigurds@chromium.org, May 16 2018