
chore: cherry-pick 3 changes from Release-5-M120 #41013

Merged
merged 2 commits into from Jan 17, 2024

Conversation

VerteDinde
Member

electron/security#451 - 46cb67e3b296 from v8 [codegen] Install BytecodeArray last in SharedFunctionInfo

Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
then it should also have FeedbackMetadata. However, this may not
hold with concurrent compilation when the SharedFunctionInfo is
re-compiled after being flushed. Here the BytecodeArray was installed
on the SFI before the FeedbackMetadata and a concurrent thread could
observe the BytecodeArray but not the FeedbackMetadata.

Drive-by: Reset the age field before setting the BytecodeArray as
well. This ensures that the concurrent marker will not observe the
old age for the new BytecodeArray.

Bug: chromium:1507412
Change-Id: I8855ed7ecc50c4a47d2c89043d62ac053858bc75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5125960
Reviewed-by: Leszek Swirski leszeks@chromium.org
Commit-Queue: Dominik Inführ dinfuehr@chromium.org
Cr-Commit-Position: refs/heads/main@{#91568}

electron/security#452 - c1cda70a433a from chromium Speculative fix for UAF in content::WebContentsImpl::ExitFullscreenMode

Bug: 1506535, 854815
Change-Id: Iace64d63f8cea2dbfbc761ad233db42451ec101c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5146875
Commit-Queue: John Abd-El-Malek jam@chromium.org
Auto-Submit: Mike Wasserman msw@chromium.org
Reviewed-by: John Abd-El-Malek jam@chromium.org
Cr-Commit-Position: refs/heads/main@{#1240353}

electron/security#450 - 78dd4b31847a from v8 [maglev] Fix allocation folding in derived constructors

Bug: v8:7700
Change-Id: Ia33724d39d1397c7d47c36d14071abce6ed4b0fc
Fixed: chromium:1515930
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5173470
Commit-Queue: Patrick Thier pthier@chromium.org
Reviewed-by: Patrick Thier pthier@chromium.org
Commit-Queue: Leszek Swirski leszeks@chromium.org
Auto-Submit: Leszek Swirski leszeks@chromium.org
Cr-Commit-Position: refs/heads/main@{#91709}

Notes:

* 46cb67e3b296 from v8
* c1cda70a433a from chromium
* 78dd4b31847a from v8
@VerteDinde VerteDinde requested a review from a team as a code owner January 16, 2024 23:21
@VerteDinde VerteDinde added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 28-x-y labels Jan 16, 2024
@VerteDinde VerteDinde merged commit 8f90259 into 28-x-y Jan 17, 2024
12 of 13 checks passed
@VerteDinde VerteDinde deleted the cherry-pick/security/28-x-y/release-5-m120 branch January 17, 2024 02:43
release-clerk bot commented Jan 17, 2024

Release Notes Persisted

  • Security: backported fix for CVE-2024-0518.
  • Security: backported fix for 1506535.
  • Security: backported fix for CVE-2024-0517.
