[webkit-changes] [WebKit/WebKit] cf373f: Fix WASM inlining UAF

Justin Michaud Tue, 07 Mar 2023 20:58:33 -0800

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf373f0fc0d0c70de65eba6b01a49665edb2dc2c
      
https://github.com/WebKit/WebKit/commit/cf373f0fc0d0c70de65eba6b01a49665edb2dc2c
  Author: Justin Michaud <[email protected]>
  Date:   2023-03-07 (Tue, 07 Mar 2023)


  Changed paths:
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h

  Log Message:
  -----------
  Fix WASM inlining UAF
https://bugs.webkit.org/show_bug.cgi?id=253550
rdar://106390154

Reviewed by Yusuke Suzuki.

B3IRGenerator cannot be stored in a Vector because its pointer needs
to be protected against moving.

This is caught by simple-inline-exception-inlinee-catch-with-tag-arg.wat
in asan, aggressive-inline mode.

* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitInlineDirectCall):

Canonical link: https://commits.webkit.org/261357@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

[webkit-changes] [WebKit/WebKit] cf373f: Fix WASM inlining UAF

Reply via email to