On Fri, Jun 9, 2023 at 5:54 AM Steve Sakoman via
lists.openembedded.org <[email protected]>
wrote:
>
> On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
> lists.openembedded.org
> <[email protected]> wrote:
> >
> > A type confusion issue was addressed with improved state handling.
> > This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
> > iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
> > crafted web content may lead to arbitrary code execution. Apple is
> > aware of a report that this issue may have been actively exploited
> > against versions of iOS released before iOS 15.1.
> >
> > References:
> > https://support.apple.com/en-us/HT213531
> >
> > Signed-off-by: Yogita Urade <[email protected]>
> > ---
> >  .../webkit/webkitgtk/CVE-2022-42856.patch     | 110 ++++++++++++++++++
> >  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
> >  2 files changed, 111 insertions(+)
> >  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> >
> > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
> > b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> > new file mode 100644
> > index 0000000000..97d58c955a
> > --- /dev/null
> > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> > @@ -0,0 +1,110 @@
> > +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
> > +From: Mark Lam <[email protected]>
> > +Date: Wed, 23 Nov 2022 13:48:49 -0800
> > +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
> > + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
> > + <rdar://problem/102531234>
> > +
> > +Reviewed by Justin Michaud.
> > +
> > +speculateRealNumber does a doubleEqual compare, which filters out double 
> > values which
> > +are not NaN.  NaN values will fall through to the `intCase` block.  In the 
> > `intCase` block,
> > +the isNotInt32() check there was given a proven type that wrongly filters 
> > out ~SpecFullDouble.
> > +
> > +Consider a scenario where the edge was proven to be { SpecInt32Only, 
> > SpecDoubleReal,
> > +SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | 
> > SpecDoubleNaN, and
> > +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  
> > Hence, the filtering
> > +of the proven type with ~SpecFullDouble means that isNotInt32() will 
> > effectively be given
> > +a proven type of
> > +
> > +    { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { 
> > SpecDoubleReal, SpecDoublePureNaN }
> > +
> > +which yields
> > +
> > +    { SpecInt32Only }.
> > +
> > +As a result, the compiler will think that that isNotIn32() check will 
> > always fail.  This
> > +is not correct if the actual incoming value for that edge is actually a 
> > PureNaN.  In this
> > +case, speculateRealNumber should have OSR exited, but it doesn't because 
> > it thinks that
> > +the isNotInt32() check will always fail and elide the check altogether.
> > +
> > +In this patch, we fix this by replacing the ~SpecFullDouble with 
> > ~SpecDoubleReal.  We also
> > +rename the `intCase` block to `intOrNaNCase` to document what it actually 
> > handles.
> > +
> > +* JSTests/stress/speculate-real-number-in-object-is.js: Added.
> > +(test.object_is_opt):
> > +(test):
> > +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
> > +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
> > +
> > +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
> > +
> > +CVE: CVE-2022-42856
> > +
> > +Upstream-Status: Backport
> > +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
> > +
> > +Signed-off-by: Yogita Urade <[email protected]>
> > +---
> > + .../speculate-real-number-in-object-is.js     | 22 +++++++++++++++++++
> > + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++----
> > + 2 files changed, 26 insertions(+), 4 deletions(-)
> > + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
> > +
> > +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js 
> > b/JSTests/stress/speculate-real-number-in-object-is.js
> > +new file mode 100644
> > +index 000000000000..0b10799954da
> > +--- /dev/null
> > ++++ b/JSTests/stress/speculate-real-number-in-object-is.js
> > +@@ -0,0 +1,22 @@
> > ++function test() {
> > ++    function object_is_opt(value) {
> > ++        const tmp = {p0: value};
> > ++
> > ++        if (Object.is(value, NaN))
> > ++            return 0;
> > ++
> > ++        return value;
> > ++    }
> > ++
> > ++    object_is_opt(NaN);
> > ++
> > ++    for (let i = 0; i < 0x20000; i++)
> > ++        object_is_opt(1.1);
> > ++
> > ++    return isNaN(object_is_opt(NaN));
> > ++}
> > ++
> > ++resultIsNaN = test();
> > ++if (resultIsNaN)
> > ++    throw "FAILED";
> > ++
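Review bot: `resultIsNaN = test();` assigns an undeclared global, but since the file is a verbatim backport (Upstream-Status: Backport of 71cdc1c09ef1) it should stay byte-identical to upstream rather than be tidied to `let resultIsNaN` here. The check is the right one for the bug described in the message: after the warm-up loop tiers `object_is_opt` up, a NaN input must still hit the `Object.is(value, NaN)` branch and return 0; if the isNotInt32() check has been elided and no OSR exit happens, NaN leaks through to `return value` and `isNaN(...)` makes the test throw "FAILED".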
> > +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 
> > b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > +index 8621b554d578..588298eba350 100644
> > +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
> > +         LValue value = lowJSValue(edge, ManualOperandSpeculation);
> > +         LValue doubleValue = unboxDouble(value);
> > +
> > +-        LBasicBlock intCase = m_out.newBlock();
> > ++        LBasicBlock intOrNaNCase = m_out.newBlock();
> > +         LBasicBlock continuation = m_out.newBlock();
> > +
> > +         m_out.branch(
> > +             m_out.doubleEqual(doubleValue, doubleValue),
> > +-            usually(continuation), rarely(intCase));
> > ++            usually(continuation), rarely(intOrNaNCase));
> > +
> > +-        LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
> > ++        LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
> > +
> > +         typeCheck(
> > +             jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
> > +-            isNotInt32(value, provenType(m_node->child1()) & 
> > ~SpecFullDouble));
> > ++            isNotInt32(value, provenType(m_node->child1()) & 
> > ~SpecDoubleReal));
> > +         m_out.jump(continuation);
> > +
> > +         m_out.appendTo(continuation, lastNext);
> > +--
> > +2.35.5
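Review bot: the `@@ -20285,18 +20285,18 @@` hunk for FTLLowerDFGToB3.cpp was cut from the safari-7614-branch commit and does not apply to the webkitgtk 2.36.8 tree (the do_patch log further down reports `Hunk #1 FAILED at 20285` for exactly this file while the JSTests hunk patches cleanly), so the cpp hunk has to be regenerated against the 2.36.8 copy of `compileCompareStrictEq`, carrying over the same two changes: the `intCase` to `intOrNaNCase` rename and the mask change in the `typeCheck(...)` call. The mask change itself is correct for the reason the commit message gives: with `provenType(...) & ~SpecDoubleReal`, an edge proven as { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } leaves { SpecInt32Only, SpecDoublePureNaN } for isNotInt32(), so the check is no longer provably false and can no longer be elided when a PureNaN reaches the `rarely(intOrNaNCase)` path.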
> > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
> > b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > index 062f209932..cf1b8b2cc0 100644
> > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > @@ -20,6 +20,7 @@ SRC_URI = 
> > "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> >             file://CVE-2022-46691.patch \
> >             file://CVE-2022-46699.patch \
> >             file://CVE-2022-42867.patch \
> > +           file://CVE-2022-42856.patch \

I wasn't able to take this patch due to the below error.  Please
submit a v2 with this corrected.

Thanks!

Steve

> The patch fails to apply at build time:
>
> ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch
> 'CVE-2022-42856.patch' on target directory
> '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8'
> CmdError('quilt --quiltrc
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc
> push', 0, 'stdout: Applying patch CVE-2022-42856.patch
> patching file JSTests/stress/speculate-real-number-in-object-is.js
> patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> Hunk #1 FAILED at 20285.
> 1 out of 1 hunk FAILED -- rejects in file
> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> Patch CVE-2022-42856.patch does not apply (enforce with -f)
>
> stderr: ')
> ERROR: Logfile of failure stored in:
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789
> ERROR: Task 
> (/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch)
> failed with exit code '1'
>
> Steve
>
> >             "
> >  SRC_URI[sha256sum] = 
> > "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
> >
> > --
> > 2.40.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183111): 
https://lists.openembedded.org/g/openembedded-core/message/183111
Mute This Topic: https://lists.openembedded.org/mt/99429024/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
