[turbofan] Add bounds checks to fast API calls

The interface for ArgumentInfo was allowing out-of-bounds read from the returned array. Improved that by passing the index explicitly as a parameter and checking against the expected bounds. Bug: v8:10267 Change-Id: Ic1022def3e338598cd9bd9e6582d67a62836d0db Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2078578Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#66499}

[turbofan] Add bounds checks to fast API calls
The interface for ArgumentInfo was allowing out-of-bounds read from the returned array. Improved that by passing the index explicitly as a parameter and checking against the expected bounds. Bug: v8:10267 Change-Id: Ic1022def3e338598cd9bd9e6582d67a62836d0db Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2078578Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#66499}
cca9dd10 · Maya Lekova · Commit Bot · 9945e908 · cca9dd10 · cca9dd10
Commit cca9dd10 authored Feb 27, 2020 by Maya Lekova Committed by Commit Bot Feb 28, 2020
Showing with 14 additions and 9 deletions

v8-fast-api-calls.h include/v8-fast-api-calls.h +8 -3

api.cc src/api/api.cc +3 -3

js-call-reducer.cc src/compiler/js-call-reducer.cc +1 -1

simplified-lowering.cc src/compiler/simplified-lowering.cc +2 -2

No files found.
--- a/include/v8-fast-api-calls.h
+++ b/include/v8-fast-api-calls.h
@@ -241,7 +241,7 @@ class CFunctionInfo {
 public:
  virtual const CTypeInfo& ReturnInfo() const = 0;
  virtual unsigned int ArgumentCount() const = 0;
-  virtual const CTypeInfo* ArgumentInfo() const = 0;
+  virtual const CTypeInfo& ArgumentInfo(unsigned int index) const = 0;
 };

 template <typename T>
@@ -345,7 +345,10 @@ class CFunctionInfoImpl : public CFunctionInfo {

  const CTypeInfo& ReturnInfo() const override { return return_info_; }
  unsigned int ArgumentCount() const override { return arg_count_; }
-  const CTypeInfo* ArgumentInfo() const override { return arg_info_; }
+  const CTypeInfo& ArgumentInfo(unsigned int index) const override {
+    CHECK_LT(index, ArgumentCount());
+    return arg_info_[index];
+  }

 private:
  CTypeInfo return_info_;
@@ -359,7 +362,9 @@ class V8_EXPORT CFunction {
 public:
  const CTypeInfo& ReturnInfo() const { return type_info_->ReturnInfo(); }

-  const CTypeInfo* ArgumentInfo() const { return type_info_->ArgumentInfo(); }
+  const CTypeInfo& ArgumentInfo(unsigned int index) const {
+    return type_info_->ArgumentInfo(index);
+  }

  unsigned int ArgumentCount() const { return type_info_->ArgumentCount(); }


--- a/src/api/api.cc
+++ b/src/api/api.cc
@@ -10874,12 +10874,12 @@ CFunction::CFunction(const void* address, const CFunctionInfo* type_info)
    : address_(address), type_info_(type_info) {
  CHECK_NOT_NULL(address_);
  CHECK_NOT_NULL(type_info_);
-  for (size_t i = 0; i < type_info_->ArgumentCount(); ++i) {
-    if (type_info_->ArgumentInfo()[i].IsArray()) {
+  for (unsigned int i = 0; i < type_info_->ArgumentCount(); ++i) {
+    if (type_info_->ArgumentInfo(i).IsArray()) {
      // Array args require an integer passed for their length
      // as the next argument.
      DCHECK_LT(i + 1, type_info_->ArgumentCount());
-      switch (type_info_->ArgumentInfo()[i + 1].GetType()) {
+      switch (type_info_->ArgumentInfo(i + 1).GetType()) {
        case CTypeInfo::Type::kInt32:
        case CTypeInfo::Type::kUint32:
        case CTypeInfo::Type::kInt64:

--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -890,7 +890,7 @@ class FastApiCallReducerAssembler : public JSCallReducerAssembler {
    for (int i = 0; i < c_arg_count; ++i) {
      if (i + kFunctionArgCount < ValueInputCount()) {
        inputs.emplace_back(ConvertArgumentIfJSWrapper(
-            c_signature_->ArgumentInfo()[i].GetType(),
+            c_signature_->ArgumentInfo(i).GetType(),
            ValueInput(i + kFunctionArgCount), wrapper_object_index));
      } else {
        inputs.emplace_back(UndefinedConstant());

--- a/src/compiler/simplified-lowering.cc
+++ b/src/compiler/simplified-lowering.cc
@@ -1764,7 +1764,7 @@ class RepresentationSelector {
    // Propagate representation information from TypeInfo.
    for (int i = 0; i < c_arg_count; i++) {
      arg_use_info[i] = UseInfoForFastApiCallArgument(
-          c_signature->ArgumentInfo()[i].GetType(), params.feedback());
+          c_signature->ArgumentInfo(i).GetType(), params.feedback());
      ProcessInput(node, i + 1, arg_use_info[i]);
    }

@@ -1777,7 +1777,7 @@ class RepresentationSelector {
      builder.AddReturn(return_type);
      for (int i = 0; i < c_arg_count; ++i) {
        MachineType machine_type =
-            MachineTypeFor(c_signature->ArgumentInfo()[i].GetType());
+            MachineTypeFor(c_signature->ArgumentInfo(i).GetType());
        // Here the arg_use_info are indexed starting from 1 because of the
        // function input, while this loop is only over the actual arguments.
        DCHECK_EQ(arg_use_info[i].representation(),