[Backport] CVE-2024-2173: Out of bounds memory access in V8

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5323850: Merged: [wasm] Add bounds check in tier-up of wasm-to-js wrapper The entry index in the WasmApiFunctionRef was used to look for the given WasmApiFunctionRef in the indirect function tables, but it was not considered that the indirect function tables can have different lengths. [email protected] Bug: 325893559 (cherry picked from commit 7330f46163e8a2c10a3d40ecbf554656f0ac55e8) Change-Id: I52355890e21490c75566216985680c64e0b0db75 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5323850 Commit-Queue: Andreas Haas <[email protected]> Reviewed-by: Thibaud Michaud <[email protected]> Cr-Commit-Position: refs/branch-heads/12.2@{#38} Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/546083 Reviewed-by: Allan Sandfeld Jensen <[email protected]> Reviewed-by: Michal Klocek <[email protected]>
qt · Mar 12, 2024 · 93e1687 · 93e1687
1 parent 70cc64b
commit 93e1687
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/chromium/v8/src/runtime/runtime-wasm.cc b/chromium/v8/src/runtime/runtime-wasm.cc
@@ -487,7 +487,8 @@ RUNTIME_FUNCTION(Runtime_TierUpWasmToJSWrapper) {
     for (int table_index = 0; table_index < table_count; ++table_index) {
       Handle<WasmIndirectFunctionTable> table =
           instance->GetIndirectFunctionTable(isolate, table_index);
-      if (table->refs()->get(entry_index) == *ref) {
+      if (entry_index < table->refs()->length() &&
+          table->refs()->get(entry_index) == *ref) {
         canonical_sig_index = table->sig_ids()->get(entry_index);
         break;
       }
@@ -552,7 +553,8 @@ RUNTIME_FUNCTION(Runtime_TierUpWasmToJSWrapper) {
     for (int table_index = 0; table_index < table_count; ++table_index) {
       Handle<WasmIndirectFunctionTable> table =
           instance->GetIndirectFunctionTable(isolate, table_index);
-      if (table->refs()->get(entry_index) == *ref) {
+      if (entry_index < table->refs()->length() &&
+          table->refs()->get(entry_index) == *ref) {
         table->targets()
             ->set<ExternalPointerTag::kWasmIndirectFunctionTargetTag>(
                 entry_index, isolate, wasm_code->instruction_start());