webkitgtk: fix CVE-2023-32439
Backport patch to fix CVE-2023-32439 for webkitgtk. CVE: CVE-2023-32439 (From OE-Core rev: 71edb4ec115208950ae5da5305b5fd75823121ec) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
@@ -0,0 +1,128 @@
|
|||||||
|
CVE: CVE-2023-32439
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
|
||||||
|
|
||||||
|
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
||||||
|
|
||||||
|
From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yijia Huang <yijia_huang@apple.com>
|
||||||
|
Date: Wed, 10 May 2023 09:41:48 -0700
|
||||||
|
Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
|
||||||
|
https://bugs.webkit.org/show_bug.cgi?id=256567
|
||||||
|
|
||||||
|
EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
|
||||||
|
https://bugs.webkit.org/show_bug.cgi?id=256567
|
||||||
|
rdar://109089013
|
||||||
|
|
||||||
|
Reviewed by Yusuke Suzuki.
|
||||||
|
|
||||||
|
EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
|
||||||
|
they might introduce the same heap location kind in DFGClobberize.h which might lead to
|
||||||
|
hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.
|
||||||
|
|
||||||
|
* JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
|
||||||
|
(foo):
|
||||||
|
* Source/JavaScriptCore/dfg/DFGClobberize.h:
|
||||||
|
(JSC::DFG::clobberize):
|
||||||
|
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
|
||||||
|
(WTF::printInternal):
|
||||||
|
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
|
||||||
|
|
||||||
|
Canonical link: https://commits.webkit.org/263909@main
|
||||||
|
|
||||||
|
Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
|
||||||
|
---
|
||||||
|
.../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++
|
||||||
|
Source/JavaScriptCore/dfg/DFGClobberize.h | 7 ++++---
|
||||||
|
Source/JavaScriptCore/dfg/DFGHeapLocation.cpp | 4 ++++
|
||||||
|
Source/JavaScriptCore/dfg/DFGHeapLocation.h | 1 +
|
||||||
|
4 files changed, 21 insertions(+), 3 deletions(-)
|
||||||
|
create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
|
||||||
|
|
||||||
|
diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..ed40601ea37f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
|
||||||
|
+const arr = [0];
|
||||||
|
+
|
||||||
|
+function foo() {
|
||||||
|
+ for (let _ in arr) {
|
||||||
|
+ 0 in arr;
|
||||||
|
+ while(1);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+foo();
|
||||||
|
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
|
||||||
|
index e4db64155316..5ec334787c0c 100644
|
||||||
|
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
|
||||||
|
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
|
||||||
|
@@ -383,6 +383,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
|
||||||
|
|
||||||
|
read(JSObject_butterfly);
|
||||||
|
ArrayMode mode = node->arrayMode();
|
||||||
|
+ LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
|
||||||
|
switch (mode.type()) {
|
||||||
|
case Array::ForceExit: {
|
||||||
|
write(SideState);
|
||||||
|
@@ -392,7 +393,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
|
||||||
|
if (mode.isInBounds()) {
|
||||||
|
read(Butterfly_publicLength);
|
||||||
|
read(IndexedInt32Properties);
|
||||||
|
- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
+ def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -402,7 +403,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
|
||||||
|
if (mode.isInBounds()) {
|
||||||
|
read(Butterfly_publicLength);
|
||||||
|
read(IndexedDoubleProperties);
|
||||||
|
- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
+ def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -412,7 +413,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
|
||||||
|
if (mode.isInBounds()) {
|
||||||
|
read(Butterfly_publicLength);
|
||||||
|
read(IndexedContiguousProperties);
|
||||||
|
- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
+ def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
|
||||||
|
index 0661e5b826b7..698a6d4b6062 100644
|
||||||
|
--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
|
||||||
|
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
|
||||||
|
@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind)
|
||||||
|
out.print("HasIndexedPorpertyLoc");
|
||||||
|
return;
|
||||||
|
|
||||||
|
+ case EnumeratorNextUpdateIndexAndModeLoc:
|
||||||
|
+ out.print("EnumeratorNextUpdateIndexAndModeLoc");
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
case IndexedPropertyDoubleLoc:
|
||||||
|
out.print("IndexedPropertyDoubleLoc");
|
||||||
|
return;
|
||||||
|
diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
|
||||||
|
index 40fb71673284..7238491b02c9 100644
|
||||||
|
--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
|
||||||
|
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
|
||||||
|
@@ -46,6 +46,7 @@ enum LocationKind {
|
||||||
|
DirectArgumentsLoc,
|
||||||
|
GetterLoc,
|
||||||
|
GlobalVariableLoc,
|
||||||
|
+ EnumeratorNextUpdateIndexAndModeLoc,
|
||||||
|
HasIndexedPropertyLoc,
|
||||||
|
IndexedPropertyDoubleLoc,
|
||||||
|
IndexedPropertyDoubleSaneChainLoc,
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
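Review bot: The new `locationKind` selector in the DFGClobberize.h hunk folds every op other than EnumeratorNextUpdateIndexAndMode into HasIndexedPropertyLoc, so any further node type routed through this shared case later would silently reuse HasIndexedProperty's heap location and reintroduce the same CSE collision this backport closes; an explicit guard on the next line, `ASSERT(node->op() == HasIndexedProperty || node->op() == EnumeratorNextUpdateIndexAndMode);`, would make that assumption visible and catch it in debug builds. The enclosing `clobberize` switch case starts and ends outside the hunks, so it cannot be seen here whether other array modes in the same case still pass `HasIndexedPropertyLoc` literally; if they do, they presumably need the same `locationKind` substitution, since only the Int32, Double and Contiguous in-bounds branches are patched. Inserting the new enumerator mid-list in DFGHeapLocation.h renumbers every later LocationKind value, which is harmless as long as nothing persists or compares those integers, a point worth a one-line comment on the enum if that invariant is relied on. The neighbouring context line in DFGHeapLocation.cpp still prints `HasIndexedPorpertyLoc`, a pre-existing typo in the debug name that this backport does not touch.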
@@ -14,6 +14,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
|
|||||||
file://reproducibility.patch \
|
file://reproducibility.patch \
|
||||||
file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
|
file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
|
||||||
file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
|
file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
|
||||||
|
file://CVE-2023-32439.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"
|
SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"
|
||||||
|
|
||||||
|
|||||||