[mickledore,2/2] webkitgtk: fix CVE-2023-32435

Message ID	20230907162155.2441494-2-kai.kang@windriver.com
State	New
Headers	show Return-Path: <kai.kang@eng.windriver.com> ip: 205.220.178.238, mailfrom: prvs=76142ca2fc=kai.kang@windriver.com) From: <kai.kang@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [mickledore][PATCH 2/2] webkitgtk: fix CVE-2023-32435 Date: Fri, 8 Sep 2023 00:21:55 +0800 Message-ID: <20230907162155.2441494-2-kai.kang@windriver.com> In-Reply-To: <20230907162155.2441494-1-kai.kang@windriver.com> References: <20230907162155.2441494-1-kai.kang@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[mickledore,1/2] webkitgtk: fix CVE-2023-32439 \| expand [mickledore,1/2] webkitgtk: fix CVE-2023-32439 [mickledore,2/2] webkitgtk: fix CVE-2023-32435

Message ID

20230907162155.2441494-2-kai.kang@windriver.com

State

New

Headers

From: <kai.kang@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [mickledore][PATCH 2/2] webkitgtk: fix CVE-2023-32435
Date: Fri, 8 Sep 2023 00:21:55 +0800
Message-ID: <20230907162155.2441494-2-kai.kang@windriver.com>
In-Reply-To: <20230907162155.2441494-1-kai.kang@windriver.com>
References: <20230907162155.2441494-1-kai.kang@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[mickledore,1/2] webkitgtk: fix CVE-2023-32439 | expand

Commit Message

Kai Sept. 7, 2023, 4:21 p.m. UTC

From: Kai Kang <kai.kang@windriver.com>

Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:

* drop the patches for the files WasmAirIRGenerator64.cpp and
  WasmAirIRGeneratorBase.h which are involved in 2.40.0
* drop test cases as well

CVE: CVE-2023-32435

Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
 .../webkit/webkitgtk/CVE-2023-32435.patch     | 59 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.38.6.bb  |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch
new file mode 100644
index 0000000000..c6ac6b4a1c
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch
@@ -0,0 +1,59 @@ 
+CVE: CVE-2023-32435
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/50c7aae]
+
+Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:
+
+* drop the patches for the files WasmAirIRGenerator64.cpp and
+  WasmAirIRGeneratorBase.h which are involved in 2.40.0
+* drop test cases as well
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 50c7aaec2f53ab3b960f1b299aad5009df6f1967 Mon Sep 17 00:00:00 2001
+From: Justin Michaud <justin_michaud@apple.com>
+Date: Wed, 8 Feb 2023 14:41:34 -0800
+Subject: [PATCH] Fixup air pointer args if they are not valid in BBQ
+ https://bugs.webkit.org/show_bug.cgi?id=251890 rdar://105079565
+
+Reviewed by Mark Lam and Yusuke Suzuki.
+
+We are not fixing up air args if their offsets don't fit into the instruction
+in a few cases.
+
+Here are some examples:
+
+MoveDouble 28480(%sp), %q16 ; too big
+MoveVector 248(%sp), %q16 ; not 16-byte aligned
+
+Let's fix up these arguments. We also fix a missing validation check
+when parsing exception tags exposed by this test.
+
+* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:
+(JSC::Wasm::AirIRGenerator64::addReturn):
+* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
+(JSC::Wasm::AirIRGeneratorBase::emitPatchpoint):
+
+oops
+
+Canonical link: https://commits.webkit.org/260038@main
+---
+ Source/JavaScriptCore/wasm/WasmSectionParser.cpp  |  2 +
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+index 6b8f9016..a5f3a88b 100644
+--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+@@ -917,6 +917,8 @@ auto SectionParser::parseException() -> PartialResult
+         WASM_PARSER_FAIL_IF(!parseVarUInt32(typeNumber), "can't get ", exceptionNumber, "th Exception's type number");
+         WASM_PARSER_FAIL_IF(typeNumber >= m_info->typeCount(), exceptionNumber, "th Exception type number is invalid ", typeNumber);
+         TypeIndex typeIndex = TypeInformation::get(m_info->typeSignatures[typeNumber]);
++        auto signature = TypeInformation::getFunctionSignature(typeIndex);
++        WASM_PARSER_FAIL_IF(!signature.returnsVoid(), exceptionNumber, "th Exception type cannot have a non-void return type ", typeNumber);
+         m_info->internalExceptionTypeIndices.uncheckedAppend(typeIndex);
+     }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
index 4cef133c19..813198df5f 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
@@ -14,6 +14,7 @@  SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://reproducibility.patch \
            file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
            file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
+           file://CVE-2023-32435.patch \
            file://CVE-2023-32439.patch \
            "
 SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"