Commit b825f430 authored by Benedikt Meurer, committed by Commit Bot

[builtins] Also sanity check promise reactions in CSA code.

Add some additional safety net to the CSA code for triggering promise
reactions to make sure we catch security bugs (specifically related
to misuse of the V8 Extras API) on the fast-path.

Bug: chromium:931640, chromium:931949
Change-Id: I76b5dc6653e2404411a29dcd9c54245d7c43d883
Reviewed-on: https://chromium-review.googlesource.com/c/1485972
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59829}
parent de0a8c78
...@@ -479,12 +479,21 @@ Node* PromiseBuiltinsAssembler::TriggerPromiseReactions( ...@@ -479,12 +479,21 @@ Node* PromiseBuiltinsAssembler::TriggerPromiseReactions(
VARIABLE(var_reversed, MachineRepresentation::kTagged, VARIABLE(var_reversed, MachineRepresentation::kTagged,
SmiConstant(Smi::zero())); SmiConstant(Smi::zero()));
// As an additional safety net against misuse of the V8 Extras API, we
// sanity check the {reactions} to make sure that they are actually
// PromiseReaction instances and not actual JavaScript values (which
// would indicate that we're rejecting or resolving an already settled
// promise), see https://crbug.com/931640 for details on this.
TNode<Map> promise_reaction_map =
CAST(LoadRoot(RootIndex::kPromiseReactionMap));
Label loop(this, {&var_current, &var_reversed}), done_loop(this); Label loop(this, {&var_current, &var_reversed}), done_loop(this);
Goto(&loop); Goto(&loop);
BIND(&loop); BIND(&loop);
{ {
Node* current = var_current.value(); Node* current = var_current.value();
GotoIf(TaggedIsSmi(current), &done_loop); GotoIf(TaggedIsSmi(current), &done_loop);
CSA_CHECK(this, WordEqual(LoadMap(CAST(current)), promise_reaction_map));
var_current.Bind(LoadObjectField(current, PromiseReaction::kNextOffset)); var_current.Bind(LoadObjectField(current, PromiseReaction::kNextOffset));
StoreObjectField(current, PromiseReaction::kNextOffset, StoreObjectField(current, PromiseReaction::kNextOffset,
var_reversed.value()); var_reversed.value());
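Review bot: the new `CSA_CHECK(this, WordEqual(LoadMap(CAST(current)), promise_reaction_map))` is correctly placed after `GotoIf(TaggedIsSmi(current), &done_loop)`, since `LoadMap` on a Smi would itself be an invalid access; worth stating that ordering dependency in the comment block above `promise_reaction_map` so a later refactor does not hoist the check. The comment also only cites https://crbug.com/931640 while the commit message lists both chromium:931640 and chromium:931949; consider referencing both. Using `CSA_CHECK` rather than a debug-only assert is the right choice for a safety net against V8 Extras API misuse, because it must stay active in release builds; the cost is one map load and compare per reaction in the reversal loop, which is negligible. No regression test exercising the settled-promise misuse path is visible in this excerpt; if none is part of the change, one referencing the bug ids would make the guard verifiable.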
......