[Backport] CVE-2021-30536: Out of bounds read in V8

isheludko · mibrunin · commit 8b6c2cc8db1d · 2021-08-02T10:11:39.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2800111: Create internal frame before throwing StackOverflow ... in CallBoundFunction builtin. Bug: chromium:1194358 Change-Id: I8ddd4fff39cf399d4af332cff8eddc40e217cfdb Auto-Submit: Igor Sheludko <ishell@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73775} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/v8/src/builtins/ia32/builtins-ia32.cc b/chromium/v8/src/builtins/ia32/builtins-ia32.cc
@@ -2522,6 +2522,7 @@ void Generate_PushBoundArguments(MacroAssembler* masm) {
       __ bind(&stack_overflow);
       {
         FrameScope frame(masm, StackFrame::MANUAL);
+        __ EnterFrame(StackFrame::INTERNAL);
         __ CallRuntime(Runtime::kThrowStackOverflow);
         __ int3();
       }

Original file line number	Diff line number	Diff line change
`@@ -2522,6 +2522,7 @@ void Generate_PushBoundArguments(MacroAssembler* masm) {`
`2522`	`2522`	`__ bind(&stack_overflow);`
`2523`	`2523`	`{`
`2524`	`2524`	`FrameScope frame(masm, StackFrame::MANUAL);`
	`2525`	`+ __ EnterFrame(StackFrame::INTERNAL);`
`2525`	`2526`	`__ CallRuntime(Runtime::kThrowStackOverflow);`
`2526`	`2527`	`__ int3();`
`2527`	`2528`	`}`