From 70cc64ba16bd4e27c92c0621054b75715591656d Mon Sep 17 00:00:00 2001
From: Andreas Haas <ahaas@chromium.org>
Date: Tue, 13 Feb 2024 14:14:59 +0100
Subject: [PATCH] [Backport] CVE-2024-1938: Type Confusion in V8

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5300311:
Merged: [wasm] Use correct signature index for tier-up of wasm-to-js wrapper

The wasm-to-js wrapper tierup used the canonicalized signature id lookup
for module-independent signatures to look up the canonicalized signature
id of module-specific signatures. With this CL the signature id is
looked up with the function index of imported functions and from the
dispatch table for indirect function calls instead.

R=jkummerow@chromium.org

Bug: 324596281
(cherry picked from commit 2109613ad4622028778a38fb418956fab8b478b6)

Change-Id: I3fb7e4f02596f62e13ffe60015f96bac5efbc598
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5300311
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.2@{#32}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/546082
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 chromium/v8/src/runtime/runtime-wasm.cc | 28 +++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/chromium/v8/src/runtime/runtime-wasm.cc b/chromium/v8/src/runtime/runtime-wasm.cc
index 60d9e0516847..84f382932665 100644
--- a/chromium/v8/src/runtime/runtime-wasm.cc
+++ b/chromium/v8/src/runtime/runtime-wasm.cc
@@ -20,6 +20,7 @@
 #include "src/wasm/wasm-constants.h"
 #include "src/wasm/wasm-debug.h"
 #include "src/wasm/wasm-engine.h"
+#include "src/wasm/wasm-module.h"
 #include "src/wasm/wasm-objects.h"
 #include "src/wasm/wasm-subtyping.h"
 #include "src/wasm/wasm-value.h"
@@ -470,10 +471,29 @@ RUNTIME_FUNCTION(Runtime_TierUpWasmToJSWrapper) {
     instance = handle(WasmInstanceObject::cast(tuple->value1()), isolate);
     origin = handle(tuple->value2(), isolate);
   }
-  // Get the function's canonical signature index. Note that the function's
-  // signature may not be present in the importing module.
-  uint32_t canonical_sig_index =
-      wasm::GetTypeCanonicalizer()->AddRecursiveGroup(&sig);
+
+  uint32_t canonical_sig_index = std::numeric_limits<uint32_t>::max();
+  const wasm::WasmModule* module = instance->module();
+  if (WasmApiFunctionRef::CallOriginIsImportIndex(origin)) {
+    int func_index = WasmApiFunctionRef::CallOriginAsIndex(origin);
+    canonical_sig_index =
+        module->isorecursive_canonical_type_ids[module->functions[func_index]
+                                                    .sig_index];
+  } else {
+    // Indirect function table index.
+    int entry_index = WasmApiFunctionRef::CallOriginAsIndex(origin);
+    int table_count = instance->indirect_function_tables()->length();
+    // We have to find the table which contains the correct entry.
+    for (int table_index = 0; table_index < table_count; ++table_index) {
+      Handle<WasmIndirectFunctionTable> table =
+          instance->GetIndirectFunctionTable(isolate, table_index);
+      if (table->refs()->get(entry_index) == *ref) {
+        canonical_sig_index = table->sig_ids()->get(entry_index);
+        break;
+      }
+    }
+  }
+  DCHECK_NE(canonical_sig_index, std::numeric_limits<uint32_t>::max());
 
   // Compile a wrapper for the target callable.
   Handle<JSReceiver> callable(JSReceiver::cast(ref->callable()), isolate);