[Backport] Security bug 366635354

Liedtke · mibrunin · commit 04f45e2cd392 · 2024-10-21T07:46:21.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5872631: Merged: [wasm] Do not inline wrappers with 'ref extern' parameter type This was introduced in https://crrev.com/c/4212394. The wrapper would need to test for null and throw a type error but doesn't do that correctly. (The test case added only tested that a null check happens either in the wrapper or in the cast instruction because the test case was trying to test both cases without duplicating too much which was a bad design choice.) For simplicity, just disallow inlining of wrappers with parameters typed 'ref extern'. (Users should use `externref` aka 'ref null extern' instead anyways as the non-nullability doesn't add any benefits.) (cherry picked from commit 3eee872739ac3523af126d7f25a623c18f5bee39) Bug: 366635354 Change-Id: I58deec223e9c01c5292239eebee895febc880215 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5872631 Auto-Submit: Matthias Liedtke <mliedtke@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/branch-heads/13.0@{#2} Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1} Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597922 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/v8/src/compiler/js-call-reducer.cc b/chromium/v8/src/compiler/js-call-reducer.cc
@@ -3718,14 +3718,13 @@ bool CanInlineJSToWasmCall(const wasm::FunctionSig* wasm_signature) {
     return false;
   }
 
-  wasm::ValueType externRefNonNull = wasm::kWasmExternRef.AsNonNull();
   for (auto type : wasm_signature->all()) {
 #if defined(V8_TARGET_ARCH_32_BIT)
     if (type == wasm::kWasmI64) return false;
 #endif
     if (type != wasm::kWasmI32 && type != wasm::kWasmI64 &&
         type != wasm::kWasmF32 && type != wasm::kWasmF64 &&
-        type != wasm::kWasmExternRef && type != externRefNonNull) {
+        type != wasm::kWasmExternRef) {
       return false;
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -3718,14 +3718,13 @@ bool CanInlineJSToWasmCall(const wasm::FunctionSig* wasm_signature) {`
`3718`	`3718`	`return false;`
`3719`	`3719`	`}`
`3720`	`3720`
`3721`		`- wasm::ValueType externRefNonNull = wasm::kWasmExternRef.AsNonNull();`
`3722`	`3721`	`for (auto type : wasm_signature->all()) {`
`3723`	`3722`	`#if defined(V8_TARGET_ARCH_32_BIT)`
`3724`	`3723`	`if (type == wasm::kWasmI64) return false;`
`3725`	`3724`	`#endif`
`3726`	`3725`	`if (type != wasm::kWasmI32 && type != wasm::kWasmI64 &&`
`3727`	`3726`	`type != wasm::kWasmF32 && type != wasm::kWasmF64 &&`
`3728`		`- type != wasm::kWasmExternRef && type != externRefNonNull) {`
	`3727`	`+ type != wasm::kWasmExternRef) {`
`3729`	`3728`	`return false;`
`3730`	`3729`	`}`
`3731`	`3730`	`}`