Red Hat Bugzilla – Attachment 866900 Details for Bug 1059070: CVE-2013-6650 v8: incorrect handling of popular pages
[patch]
Backport fix with test
0001-Backport-CVE-2013-6650-incorrect-handling-of-popular.patch (text/plain), 5.35 KB, created by Tomas Hrcka on 2014-02-24 08:54:59 UTC
>From b1b75b0206a174b91766f3cc3198b8f2d3c70feb Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= <thrcka@redhat.com> >Date: Mon, 24 Feb 2014 09:47:46 +0100 >Subject: [PATCH] Backport CVE-2013-6650 incorrect handling of popular pages > >--- > v8-3.14.5.10-CVE-2013-6650.patch | 80 ++++++++++++++++++++++++++++++++++++++++ > v8.spec | 10 ++++- > 2 files changed, 89 insertions(+), 1 deletion(-) > create mode 100644 v8-3.14.5.10-CVE-2013-6650.patch > >diff --git a/v8-3.14.5.10-CVE-2013-6650.patch b/v8-3.14.5.10-CVE-2013-6650.patch >new file mode 100644 >index 0000000..d44811f >--- /dev/null >+++ b/v8-3.14.5.10-CVE-2013-6650.patch 
>@@ -0,0 +1,80 @@ >+From 3928813f014d3cdaed83fefc3a454078272f114b Mon Sep 17 00:00:00 2001 >+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= <thrcka@redhat.com> >+Date: Tue, 18 Feb 2014 00:23:04 +0100 >+Subject: [PATCH] Backport Fix for CVE-2013-6650 Original patch >+ https://code.google.com/p/v8/source/detail?r=18483 >+ >+Resolve: rhbz#1059070 >+--- >+ src/store-buffer.cc | 2 +- >+ test/mjsunit/regress/regress-331444.js | 45 ++++++++++++++++++++++++++++++++++ >+ 2 files changed, 46 insertions(+), 1 deletion(-) >+ create mode 100644 test/mjsunit/regress/regress-331444.js >+ >+diff --git a/src/store-buffer.cc b/src/store-buffer.cc >+index 66488ae..b9055f8 100644 >+--- a/src/store-buffer.cc >++++ b/src/store-buffer.cc >+@@ -242,7 +242,7 @@ void StoreBuffer::ExemptPopularPages(int prime_sample_step, int threshold) { >+ containing_chunk = MemoryChunk::FromAnyPointerAddress(addr); >+ } >+ int old_counter = containing_chunk->store_buffer_counter(); >+- if (old_counter == threshold) { >++ if (old_counter >= threshold) { >+ containing_chunk->set_scan_on_scavenge(true); >+ created_new_scan_on_scavenge_pages = true; >+ } >+diff --git a/test/mjsunit/regress/regress-331444.js b/test/mjsunit/regress/regress-331444.js >+new file mode 100644 >+index 0000000..3df0a08 >+--- /dev/null >++++ b/test/mjsunit/regress/regress-331444.js >+@@ -0,0 +1,45 @@ >++// Copyright 2014 the V8 project authors. All rights reserved. >++// Redistribution and use in source and binary forms, with or without >++// modification, are permitted provided that the following conditions are >++// met: >++// >++// * Redistributions of source code must retain the above copyright >++// notice, this list of conditions and the following disclaimer. >++// * Redistributions in binary form must reproduce the above >++// copyright notice, this list of conditions and the following >++// disclaimer in the documentation and/or other materials provided >++// with the distribution. >++// * Neither the name of Google Inc. 
nor the names of its >++// contributors may be used to endorse or promote products derived >++// from this software without specific prior written permission. >++// >++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR >++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT >++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, >++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT >++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >++ >++// Flags: --expose-gc >++ >++ >++function boom() { >++ var args = []; >++ for (var i = 0; i < 125000; i++) >++ args.push(i); >++ return Array.apply(Array, args); >++} >++var array = boom(); >++function fib(n) { >++ var f0 = 0, f1 = 1; >++ for (; n > 0; n = n - 1) { >++ f0 + f1; >++ f0 = array; >++ } >++} >++fib(12); >+-- >+1.8.3.1 >+ >diff --git a/v8.spec b/v8.spec >index 2a88a51..33d892d 100644 >--- a/v8.spec >+++ b/v8.spec >@@ -23,7 +23,7 @@ > > Name: v8 > Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny} >-Release: 5%{?dist} >+Release: 6%{?dist} > Epoch: 1 > Summary: JavaScript Engine > Group: System Environment/Libraries 
>@@ -47,6 +47,10 @@ Patch3: v8-3.14.5.10-CVE-2013-6640.patch > # https://codereview.chromium.org/11362182 > Patch4: v8-3.14.5.10-enumeration.patch > >+#backport fix for CVE-2013-6640 (RHBZ#1059070) >+Patch5: v8-3.14.5.10-CVE-2013-6650.patch >+ >+ > %description > V8 is Google's open source JavaScript engine. V8 is written in C++ and is used > in Google Chrome, the open source browser from Google. V8 implements ECMAScript >@@ -66,6 +70,7 @@ Development headers and libraries for v8. > %patch2 -p1 > %patch3 -p1 > %patch4 -p1 >+%patch5 -p1 > > # -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code > PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"` >@@ -223,6 +228,9 @@ rm -rf %{buildroot} > %{python_sitelib}/j*.py* > > %changelog >+* Mon Feb 24 2014 Tomas Hrcka <thrcka@redhat.com> - 1:3.14.5.10-6 >+- Backport CVE-2013-6650 incorrect handling of popular pages >+ > * Fri Feb 14 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 1:3.14.5.10-5 > - rebuild for icu-52 > >-- >1.8.3.1 >
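Review bot: In the src/store-buffer.cc hunk of the embedded v8-3.14.5.10-CVE-2013-6650.patch, the changed comparison `if (old_counter >= threshold)` has no comment explaining why the exact-match test was not enough, and the embedded commit message only links the upstream revision. The visible lines do not show where store_buffer_counter() is incremented, so a reader cannot tell from this hunk that the counter can already be past threshold when it is checked. Please add a one-line comment above the comparison, or a sentence in the patch header, stating that case so a later rebase does not turn it back into `==`.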
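Review bot: The added test/mjsunit/regress/regress-331444.js has no assertion and no comment saying what it exercises. It declares `// Flags: --expose-gc`, but the visible lines never call gc(), and `f0 + f1;` inside fib() discards its result, so the test can only fail by crashing. If the file has to stay identical to upstream, say in the patch header that the pass criterion is "completes without a crash" and how the test was run against this build, since none of the v8.spec hunks shown here run mjsunit.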
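Review bot: The comment added above Patch5 in the v8.spec hunk at `@@ -47,6 +47,10 @@` names the wrong CVE. `#backport fix for CVE-2013-6640 (RHBZ#1059070)` should read CVE-2013-6650, matching the patch file name and the new %changelog entry; CVE-2013-6640 is the Patch3 shown in the hunk header. Anyone auditing the spec for which CVEs are patched will be misled by the current text. While there, add a space after `#` to match the neighbouring `# https://codereview.chromium.org/11362182` comment, and drop one of the two blank lines added after Patch5.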