CVE-2019-5782

Chrome Version: 71.0.3578.98
Chrome Commit: c2bec8045f7ad3ece1c5d80236183a21c1fac3f5

V8 Version: 7.1.302.31
V8 Commit: b5a5d900a5385d6429edefb11ece72bfa649ca47

Vulnerability

Turbofan types arguments.length as Range(0, 65534), i.e. 0..Code::kMaxArguments. However, the spread operator can produce an arguments object whose length exceeds that bound when an array with a large enough length is spread into the call. Because the compiler trusted this too-narrow type, bounds checks derived from it were wrong, which led to an out-of-bounds (OOB) access.

The initial patch was submitted on Nov 22nd, 2018; it was merged to stable on January 29th, 2019.

Patch

--- a/src/compiler/type-cache.h
+++ b/src/compiler/type-cache.h
   // The valid number of arguments for JavaScript functions.
-  Type const kArgumentsLengthType =
-      Type::Range(0.0, Code::kMaxArguments, zone());
+  Type const kArgumentsLengthType = Type::Unsigned30();

   // The JSArrayIterator::kind property always contains an integer in the
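Review bot: The comment directly above the changed definition, "The valid number of arguments for JavaScript functions.", is now misleading, since kArgumentsLengthType is no longer bounded by Code::kMaxArguments; update it to state that arguments.length can exceed kMaxArguments (the page notes that spreading a large array does this) and that Type::Unsigned30() is the deliberately wider bound. Recording the reason in the comment matters here because a later "tightening" back to Range(0.0, Code::kMaxArguments, zone()) would silently reintroduce the mismatch behind CVE-2019-5782.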
--- a/src/compiler/verifier.cc
+++ b/src/compiler/verifier.cc
     case IrOpcode::kNewArgumentsElements:
       CheckValueInputIs(node, 0, Type::ExternalPointer());
-      CheckValueInputIs(node, 1, Type::Range(-Code::kMaxArguments,
-                                             Code::kMaxArguments, zone));
+      CheckValueInputIs(node, 1, Type::Unsigned30());
       CheckTypeIs(node, Type::OtherInternal());
       break;
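Review bot: The verifier now restates Type::Unsigned30() for value input 1 of kNewArgumentsElements independently of kArgumentsLengthType in type-cache.h, and the removed lines show the two had already drifted (the verifier accepted Range(-Code::kMaxArguments, Code::kMaxArguments) while the cache used Range(0.0, Code::kMaxArguments)); consider having the verifier reference the cached type, or at least a shared constant, so the two cannot diverge again. Worth a line in the description as well: the new check is wider at the top but stricter at the bottom, as the negative values the old range admitted are now rejected.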

8e4588915ba7a9d9d744075781cea114d49f0c7b

Primitives

Using the PoC, build the following primitives (in order):

  1. Array OOB
  2. addr_of
  3. Arbitrary R/W
  4. Arbitrary Code Exec