[Backport] CVE-2024-12695: Out of bounds write in V8

o- · mibrunin · commit ce8700de33d2 · 2025-01-22T15:20:47.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/6097572: Merged: [ic] fix Object.assign clearing object hashes The Object.assign fastcase should not override the hash of the to object. Bug: 383647255 (cherry picked from commit 357d0dd4bc7f64eb81cdf49c5cf3699cf151909d) Change-Id: I2bbf10614d7997a396800cef33144875309010d9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097572 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/branch-heads/13.0@{#43} Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1} Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615320 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>
diff --git a/chromium/v8/src/builtins/builtins-object-gen.cc b/chromium/v8/src/builtins/builtins-object-gen.cc
@@ -511,6 +511,13 @@ TF_BUILTIN(ObjectAssign, ObjectBuiltinsAssembler) {
     GotoIfNot(TaggedEqual(LoadElements(CAST(to)), EmptyFixedArrayConstant()),
               &slow_path);
 
+    // Ensure the properties field is not used to store a hash.
+    TNode<Object> properties = LoadJSReceiverPropertiesOrHash(to);
+    GotoIf(TaggedIsSmi(properties), &slow_path);
+    CSA_DCHECK(this,
+               Word32Or(TaggedEqual(properties, EmptyFixedArrayConstant()),
+                        IsPropertyArray(CAST(properties))));
+
     Label continue_fast_path(this), runtime_map_lookup(this, Label::kDeferred);
 
     // Check if our particular source->target combination is fast clonable.
