    Harden Map.prototype.delete and related methods · 66c8de2c
    Samuel Groß authored
    These can be tricked into corrupting memory when an attacker can leak
    the "hole" value due to a bug. This CL simply adds CHECKs to prevent
    this. A longer-term solution might be to introduce "special-purpose
    holes" so that a leaked "hole" value can no longer be used to confuse
    unrelated code like the JSMap implementation because that would then use
    a different "hole" value.
    
    Bug: chromium:1315901
    Change-Id: Id6c432d39fb97002fa67efe90d34014fc5408ba3
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3593783
    Reviewed-by: Toon Verwaest <verwaest@chromium.org>
    Commit-Queue: Samuel Groß <saelo@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#80201}
Name
arm
arm64
ia32
loong64
mips
mips64
ppc
riscv64
s390
x64
DIR_METADATA
OWNERS
accessors.cc
accessors.h
aggregate-error.tq
array-at.tq
array-concat.tq
array-copywithin.tq
array-every.tq
array-filter.tq
array-find.tq
array-findindex.tq
array-findlast.tq
array-findlastindex.tq
array-foreach.tq
array-from.tq
array-isarray.tq
array-join.tq
array-lastindexof.tq
array-map.tq
array-of.tq
array-reduce-right.tq
array-reduce.tq
array-reverse.tq
array-shift.tq
array-slice.tq
array-some.tq
array-splice.tq
array-unshift.tq
array.tq
arraybuffer.tq
base.tq
boolean.tq
builtins-api.cc
builtins-array-gen.cc
builtins-array-gen.h
builtins-array.cc
builtins-arraybuffer.cc
builtins-async-function-gen.cc
builtins-async-gen.cc
builtins-async-gen.h
builtins-async-generator-gen.cc
builtins-async-iterator-gen.cc
builtins-async-module.cc
builtins-bigint-gen.cc
builtins-bigint-gen.h
builtins-bigint.cc
builtins-bigint.tq
builtins-call-gen.cc
builtins-call-gen.h
builtins-callsite.cc
builtins-collections-gen.cc
builtins-collections-gen.h
builtins-collections.cc
builtins-console.cc
builtins-constructor-gen.cc
builtins-constructor-gen.h
builtins-constructor.h
builtins-conversion-gen.cc
builtins-data-view-gen.h
builtins-dataview.cc
builtins-date-gen.cc
builtins-date.cc
builtins-definitions.h
builtins-descriptors.h
builtins-error.cc
builtins-function.cc
builtins-generator-gen.cc
builtins-global-gen.cc
builtins-global.cc
builtins-handler-gen.cc
builtins-ic-gen.cc
builtins-internal-gen.cc
builtins-internal.cc
builtins-interpreter-gen.cc
builtins-intl-gen.cc
builtins-intl.cc
builtins-iterator-gen.cc
builtins-iterator-gen.h
builtins-json.cc
builtins-lazy-gen.cc
builtins-lazy-gen.h
builtins-microtask-queue-gen.cc
builtins-number-gen.cc
builtins-number.cc
builtins-object-gen.cc
builtins-object.cc
builtins-promise-gen.cc
builtins-promise-gen.h
builtins-promise.h
builtins-proxy-gen.cc
builtins-proxy-gen.h
builtins-reflect.cc
builtins-regexp-gen.cc
builtins-regexp-gen.h
builtins-regexp.cc
builtins-shadow-realm-gen.cc
builtins-shadow-realm.cc
builtins-sharedarraybuffer-gen.cc
builtins-sharedarraybuffer.cc
builtins-string-gen.cc
builtins-string-gen.h
builtins-string.cc
builtins-string.tq
builtins-struct.cc
builtins-symbol.cc
builtins-temporal-gen.cc
builtins-temporal.cc
builtins-trace.cc
builtins-typed-array-gen.cc
builtins-typed-array-gen.h
builtins-typed-array.cc
builtins-utils-gen.h
builtins-utils-inl.h
builtins-utils.h
builtins-wasm-gen.cc
builtins-wasm-gen.h
builtins-weak-refs.cc
builtins-web-snapshots.cc
builtins.cc
builtins.h
cast.tq
collections.tq
console.tq
constants-table-builder.cc
constants-table-builder.h
constructor.tq
conversion.tq
convert.tq
data-view.tq
finalization-registry.tq
frame-arguments.tq
frames.tq
function.tq
generate-bytecodes-builtins-list.cc
growable-fixed-array-gen.cc
growable-fixed-array-gen.h
growable-fixed-array.tq
ic-callable.tq
ic.tq
internal-coverage.tq
internal.tq
iterator.tq
math.tq
number.tq
object-fromentries.tq
object.tq
profile-data-reader.cc
profile-data-reader.h
promise-abstract-operations.tq
promise-all-element-closure.tq
promise-all.tq
promise-any.tq
promise-constructor.tq
promise-finally.tq
promise-jobs.tq
promise-misc.tq
promise-race.tq
promise-reaction-job.tq
promise-resolve.tq
promise-then.tq
proxy-constructor.tq
proxy-delete-property.tq
proxy-get-property.tq
proxy-get-prototype-of.tq
proxy-has-property.tq
proxy-is-extensible.tq
proxy-prevent-extensions.tq
proxy-revocable.tq
proxy-revoke.tq
proxy-set-property.tq
proxy-set-prototype-of.tq
proxy.tq
reflect.tq
regexp-exec.tq
regexp-match-all.tq
regexp-match.tq
regexp-replace.tq
regexp-search.tq
regexp-source.tq
regexp-split.tq
regexp-test.tq
regexp.tq
setup-builtins-internal.cc
string-at.tq
string-endswith.tq
string-html.tq
string-includes.tq
string-indexof.tq
string-iterator.tq
string-match-search.tq
string-pad.tq
string-repeat.tq
string-replaceall.tq
string-slice.tq
string-startswith.tq
string-substr.tq
string-substring.tq
string-trim.tq
symbol.tq
torque-csa-header-includes.h
torque-internal.tq
typed-array-at.tq
typed-array-createtypedarray.tq
typed-array-entries.tq
typed-array-every.tq
typed-array-filter.tq
typed-array-find.tq
typed-array-findindex.tq
typed-array-findlast.tq
typed-array-findlastindex.tq
typed-array-foreach.tq
typed-array-from.tq
typed-array-keys.tq
typed-array-of.tq
typed-array-reduce.tq
typed-array-reduceright.tq
typed-array-set.tq
typed-array-slice.tq
typed-array-some.tq
typed-array-sort.tq
typed-array-subarray.tq
typed-array-values.tq
typed-array.tq
wasm.tq
weak-ref.tq