On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via lists.openembedded.org <[email protected]> wrote:
>
> A type confusion issue was addressed with improved state handling.
> This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
> iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
> crafted web content may lead to arbitrary code execution. Apple is
> aware of a report that this issue may have been actively exploited
> against versions of iOS released before iOS 15.1.
>
> References:
> https://support.apple.com/en-us/HT213531
>
> Signed-off-by: Yogita Urade <[email protected]>
> ---
> .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++++++++++++++++++
> meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 +
> 2 files changed, 111 insertions(+)
> create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
>
> diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> new file mode 100644
> index 0000000000..97d58c955a
> --- /dev/null
> +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> @@ -0,0 +1,110 @@
> +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
> +From: Mark Lam <[email protected]>
> +Date: Wed, 23 Nov 2022 13:48:49 -0800
> +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
> + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
> + <rdar://problem/102531234>
> +
> +Reviewed by Justin Michaud.
> +
> +speculateRealNumber does a doubleEqual compare, which filters out double
> values which
> +are not NaN. NaN values will fall through to the `intCase` block. In the
> `intCase` block,
> +the isNotInt32() check there was given a proven type that wrongly filters
> out ~SpecFullDouble.
> +
> +Consider a scenario where the edge was proven to be { SpecInt32Only,
> SpecDoubleReal,
> +SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal |
> SpecDoubleNaN, and
> +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence,
> the filtering
> +of the proven type with ~SpecFullDouble means that isNotInt32() will
> effectively be given
> +a proven type of
> +
> + { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal,
> SpecDoublePureNaN }
> +
> +which yields
> +
> + { SpecInt32Only }.
> +
> +As a result, the compiler will think that that isNotIn32() check will always
> fail. This
> +is not correct if the actual incoming value for that edge is actually a
> PureNaN. In this
> +case, speculateRealNumber should have OSR exited, but it doesn't because it
> thinks that
> +the isNotInt32() check will always fail and elide the check altogether.
> +
> +In this patch, we fix this by replacing the ~SpecFullDouble with
> ~SpecDoubleReal. We also
> +rename the `intCase` block to `intOrNaNCase` to document what it actually
> handles.
> +
> +* JSTests/stress/speculate-real-number-in-object-is.js: Added.
> +(test.object_is_opt):
> +(test):
> +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
> +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
> +
> +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
> +
> +CVE: CVE-2022-42856
> +
> +Upstream-Status: Backport
> +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
> +
> +Signed-off-by: Yogita Urade <[email protected]>
> +---
> + .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
> + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
> + 2 files changed, 26 insertions(+), 4 deletions(-)
> + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
> +
> +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js
> b/JSTests/stress/speculate-real-number-in-object-is.js
> +new file mode 100644
> +index 000000000000..0b10799954da
> +--- /dev/null
> ++++ b/JSTests/stress/speculate-real-number-in-object-is.js
> +@@ -0,0 +1,22 @@
> ++function test() {
> ++ function object_is_opt(value) {
> ++ const tmp = {p0: value};
> ++
> ++ if (Object.is(value, NaN))
> ++ return 0;
> ++
> ++ return value;
> ++ }
> ++
> ++ object_is_opt(NaN);
> ++
> ++ for (let i = 0; i < 0x20000; i++)
> ++ object_is_opt(1.1);
> ++
> ++ return isNaN(object_is_opt(NaN));
> ++}
> ++
> ++resultIsNaN = test();
> ++if (resultIsNaN)
> ++ throw "FAILED";
> ++
> +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> +index 8621b554d578..588298eba350 100644
> +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
> + LValue value = lowJSValue(edge, ManualOperandSpeculation);
> + LValue doubleValue = unboxDouble(value);
> +
> +- LBasicBlock intCase = m_out.newBlock();
> ++ LBasicBlock intOrNaNCase = m_out.newBlock();
> + LBasicBlock continuation = m_out.newBlock();
> +
> + m_out.branch(
> + m_out.doubleEqual(doubleValue, doubleValue),
> +- usually(continuation), rarely(intCase));
> ++ usually(continuation), rarely(intOrNaNCase));
> +
> +- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
> ++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
> +
> + typeCheck(
> + jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
> +- isNotInt32(value, provenType(m_node->child1()) &
> ~SpecFullDouble));
> ++ isNotInt32(value, provenType(m_node->child1()) &
> ~SpecDoubleReal));
> + m_out.jump(continuation);
> +
> + m_out.appendTo(continuation, lastNext);
> +--
> +2.35.5
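Review bot: the FTLLowerDFGToB3.cpp hunk (`@@ -20285,18 +20285,18 @@`, index 8621b554d578..588298eba350) is carried over verbatim from the safari-7614-branch commit, and the do_patch log later in this thread shows exactly that hunk failing at 20285 against webkitgtk 2.36.8, so the context needs to be regenerated from the 2.36.8 source tree and the series re-tested through do_patch before a resend. Separately, as the patch appears here the leading indentation of the C++ and JS hunk lines has been collapsed and the long lines `isNotInt32(value, provenType(m_node->child1()) &` / `~SpecFullDouble));` (and their `~SpecDoubleReal` replacement) are wrapped, which would by itself stop the file applying if taken from the mail body; sending with git send-email or as an attachment keeps the whitespace intact. The JS regression test itself reads correctly: `object_is_opt(NaN)` must return 0 once the `Object.is` path is honoured, so `isNaN(test())` being true is the failure condition.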
> diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> index 062f209932..cf1b8b2cc0 100644
> --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> @@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> file://CVE-2022-46691.patch \
> file://CVE-2022-46699.patch \
> file://CVE-2022-42867.patch \
> + file://CVE-2022-42856.patch \
The patch fails to apply at build time:
ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch
'CVE-2022-42856.patch' on target directory
'/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch CVE-2022-42856.patch
patching file JSTests/stress/speculate-real-number-in-object-is.js
patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Hunk #1 FAILED at 20285.
1 out of 1 hunk FAILED -- rejects in file
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Patch CVE-2022-42856.patch does not apply (enforce with -f)
stderr: ')
ERROR: Logfile of failure stored in:
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789
ERROR: Task
(/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch)
failed with exit code '1'
Steve
> "
> SRC_URI[sha256sum] =
> "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
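Review bot: the SRC_URI addition follows the existing CVE-2022-46691/46699/42867 entries in style and placement, but this recipe change is only mergeable together with a CVE-2022-42856.patch that actually applies; the quilt output in this reply (`Hunk #1 FAILED at 20285`, rejects in FTLLowerDFGToB3.cpp) means the v1 series as posted would break do_patch for every webkitgtk build, so resend the recipe change in the same series as the rebased patch.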
>
> --
> 2.40.0