[Backport] CVE-2021-30536: Out of bounds read in V8

isheludko · mibrunin · commit b0d6e444a0bb · 2021-09-01T10:59:57.000Z
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2800111: [builtins][ia32] Create internal frame before throwing StackOverflow ... in CallBoundFunction builtin. Bug: chromium:1194358 Change-Id: I8ddd4fff39cf399d4af332cff8eddc40e217cfdb Auto-Submit: Igor Sheludko <ishell@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73775} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/v8/src/builtins/ia32/builtins-ia32.cc b/chromium/v8/src/builtins/ia32/builtins-ia32.cc
@@ -2255,6 +2255,7 @@ void Generate_PushBoundArguments(MacroAssembler* masm) {
       __ bind(&stack_overflow);
       {
         FrameScope frame(masm, StackFrame::MANUAL);
+        __ EnterFrame(StackFrame::INTERNAL);
         __ CallRuntime(Runtime::kThrowStackOverflow);
         __ int3();
       }

Original file line number	Diff line number	Diff line change
`@@ -2255,6 +2255,7 @@ void Generate_PushBoundArguments(MacroAssembler* masm) {`
`2255`	`2255`	`__ bind(&stack_overflow);`
`2256`	`2256`	`{`
`2257`	`2257`	`FrameScope frame(masm, StackFrame::MANUAL);`
	`2258`	`+ __ EnterFrame(StackFrame::INTERNAL);`
`2258`	`2259`	`__ CallRuntime(Runtime::kThrowStackOverflow);`
`2259`	`2260`	`__ int3();`
`2260`	`2261`	`}`