From 303423e441580cd3f1cdca90c4f72e20181defcc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 11 Jan 2023 04:34:11 -0500 Subject: [PATCH] import webkit2gtk3-2.36.7-1.el8_7.1 --- SOURCES/CVE-2022-42856.patch | 78 ++++++++++++++++++++++++++++++++++++ SPECS/webkit2gtk3.spec | 46 +++++++++++++++++++-- 2 files changed, 121 insertions(+), 3 deletions(-) create mode 100644 SOURCES/CVE-2022-42856.patch diff --git a/SOURCES/CVE-2022-42856.patch b/SOURCES/CVE-2022-42856.patch new file mode 100644 index 0000000..34f4d74 --- /dev/null +++ b/SOURCES/CVE-2022-42856.patch @@ -0,0 +1,78 @@ +From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001 +From: Mark Lam +Date: Mon, 19 Dec 2022 17:32:15 -0800 +Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1). + rdar://102531234 + + The provenType filtering in FTL's speculateRealNumber is incorrect. + https://bugs.webkit.org/show_bug.cgi?id=248266 + + + Reviewed by Justin Michaud. + + speculateRealNumber does a doubleEqual compare, which filters out double values which + are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, + the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. + + Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, + SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and + SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering + of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given + a proven type of + + { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } + + which yields + + { SpecInt32Only }. + + As a result, the compiler will think that that isNotIn32() check will always fail. This + is not correct if the actual incoming value for that edge is actually a PureNaN. In this + case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that + the isNotInt32() check will always fail and elide the check altogether. + + In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also + rename the `intCase` block to `intOrNaNCase` to document what it actually handles. + + * JSTests/stress/speculate-real-number-in-object-is.js: Added. + (test.object_is_opt): + (test): + * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + + Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch + +Canonical link: https://commits.webkit.org/258113@main +--- + .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- + 2 files changed, 26 insertions(+), 4 deletions(-) + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js + +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp +index 3ba2d21b8072..18d13f1941bb 100644 +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp +@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END + LValue value = lowJSValue(edge, ManualOperandSpeculation); + LValue doubleValue = unboxDouble(value); + +- LBasicBlock intCase = m_out.newBlock(); ++ LBasicBlock intOrNaNCase = m_out.newBlock(); + LBasicBlock continuation = m_out.newBlock(); + + m_out.branch( + m_out.doubleEqual(doubleValue, doubleValue), +- usually(continuation), rarely(intCase)); ++ usually(continuation), rarely(intOrNaNCase)); + +- LBasicBlock lastNext = m_out.appendTo(intCase, continuation); ++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); + + typeCheck( + jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, +- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); ++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); + m_out.jump(continuation); + + m_out.appendTo(continuation, lastNext); diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec index 53a269d..b8d8ca4 100644 --- a/SPECS/webkit2gtk3.spec +++ b/SPECS/webkit2gtk3.spec @@ -12,7 +12,7 @@ Name: webkit2gtk3 Version: 2.36.7 -Release: 1%{?dist} +Release: 1%{?dist}.1 Summary: GTK Web content engine library License: LGPLv2 @@ -34,6 +34,9 @@ Patch1: aarch64-page-size.patch # https://bugs.webkit.org/show_bug.cgi?id=235367 Patch2: icu60.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2153683 +Patch3: CVE-2022-42856.patch + BuildRequires: bison BuildRequires: cmake BuildRequires: flex @@ -303,9 +306,46 @@ export NINJA_STATUS="[%f/%t][%e] " %endif %changelog -* Fri Sep 02 2022 Michael Catanzaro - 2.36.7-1 +* Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1 +- Add patch for CVE-2022-42856 + Resolves: #2153735 + +* Wed Aug 24 2022 Michael Catanzaro - 2.36.7-1 - Update to 2.36.7 - Related: #2123429 + Related: #2061994 + +* Tue Aug 09 2022 Michael Catanzaro - 2.36.6-1 +- Update to 2.36.6 + Related: #2061994 + +* Tue Aug 02 2022 Michael Catanzaro - 2.36.5-2 +- Fix Eclipse after update to 2.36.5 + Related: #2061994 + +* Thu Jul 28 2022 Michael Catanzaro - 2.36.5-1 +- Update to 2.36.5 + Related: #2061994 + Resolves: #2099334 + +* Tue Jul 05 2022 Michael Catanzaro - 2.36.4-1 +- Update to 2.36.4 + Related: #2061994 + +* Thu Jun 02 2022 Michael Catanzaro - 2.36.3-1 +- Update to 2.36.3 +- Related: #2061994 +- Resolves: #2092748 + +* Wed May 18 2022 Michael Catanzaro - 2.36.2-1 +- Update to 2.36.2 + Related: #2061994 + +* Thu Apr 21 2022 Michael Catanzaro - 2.36.1-1 +- Update to 2.36.1 + Related: #2061994 +- Resolves: #2075492 +- Resolves: #2075494 +- Resolves: #2075496 * Thu Feb 17 2022 Michael Catanzaro - 2.34.6-1 - Update to 2.34.6