Message ID | 20230609140908.3465521-4-yogita.urade@windriver.com |
Series | [kirkstone,V2,1/6] webkitgtk: fix CVE-2022-46691 | expand |
On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via lists.openembedded.org <Yogita.Urade=windriver.com@lists.openembedded.org> wrote: > > A type confusion issue was addressed with improved state handling. > This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, > iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously > crafted web content may lead to arbitrary code execution. Apple is > aware of a report that this issue may have been actively exploited > against versions of iOS released before iOS 15.1. > > References: > https://support.apple.com/en-us/HT213531 > > Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > --- > .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++++++++++++++++++ > meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + > 2 files changed, 111 insertions(+) > create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch > > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch > new file mode 100644 > index 0000000000..97d58c955a > --- /dev/null > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
> @@ -0,0 +1,110 @@ > +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001 > +From: Mark Lam <mark.lam@apple.com> > +Date: Wed, 23 Nov 2022 13:48:49 -0800 > +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is > + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266 > + <rdar://problem/102531234> > + > +Reviewed by Justin Michaud. > + > +speculateRealNumber does a doubleEqual compare, which filters out double values which > +are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, > +the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. > + > +Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, > +SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and > +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering > +of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given > +a proven type of > + > + { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } > + > +which yields > + > + { SpecInt32Only }. > + > +As a result, the compiler will think that that isNotIn32() check will always fail. This > +is not correct if the actual incoming value for that edge is actually a PureNaN. In this > +case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that > +the isNotInt32() check will always fail and elide the check altogether. > + > +In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also > +rename the `intCase` block to `intOrNaNCase` to document what it actually handles. > + > +* JSTests/stress/speculate-real-number-in-object-is.js: Added. 
> +(test.object_is_opt): > +(test): > +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: > +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): > + > +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch > + > +CVE: CVE-2022-42856 > + > +Upstream-Status: Backport > +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56] > + > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > +--- > + .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ > + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- > + 2 files changed, 26 insertions(+), 4 deletions(-) > + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js > + > +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js > +new file mode 100644 > +index 000000000000..0b10799954da > +--- /dev/null > ++++ b/JSTests/stress/speculate-real-number-in-object-is.js > +@@ -0,0 +1,22 @@ > ++function test() { > ++ function object_is_opt(value) { > ++ const tmp = {p0: value}; > ++ > ++ if (Object.is(value, NaN)) > ++ return 0; > ++ > ++ return value; > ++ } > ++ > ++ object_is_opt(NaN); > ++ > ++ for (let i = 0; i < 0x20000; i++) > ++ object_is_opt(1.1); > ++ > ++ return isNaN(object_is_opt(NaN)); > ++} > ++ > ++resultIsNaN = test(); > ++if (resultIsNaN) > ++ throw "FAILED"; > ++ > +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > +index 8621b554d578..588298eba350 100644 > +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END > + LValue value = lowJSValue(edge, ManualOperandSpeculation); > + LValue doubleValue = unboxDouble(value); > + > +- LBasicBlock intCase = m_out.newBlock(); > ++ LBasicBlock intOrNaNCase = m_out.newBlock(); > + LBasicBlock continuation = m_out.newBlock(); > + > + m_out.branch( > + 
m_out.doubleEqual(doubleValue, doubleValue), > +- usually(continuation), rarely(intCase)); > ++ usually(continuation), rarely(intOrNaNCase)); > + > +- LBasicBlock lastNext = m_out.appendTo(intCase, continuation); > ++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); > + > + typeCheck( > + jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, > +- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); > ++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); > + m_out.jump(continuation); > + > + m_out.appendTo(continuation, lastNext); > +-- > +2.35.5 > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb > index 062f209932..cf1b8b2cc0 100644 > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
> @@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ > file://CVE-2022-46691.patch \ > file://CVE-2022-46699.patch \ > file://CVE-2022-42867.patch \ > + file://CVE-2022-42856.patch \ The patch fails to apply at build time: ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch 'CVE-2022-42856.patch' on target directory '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8' CmdError('quilt --quiltrc /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc push', 0, 'stdout: Applying patch CVE-2022-42856.patch patching file JSTests/stress/speculate-real-number-in-object-is.js patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp Hunk #1 FAILED at 20285. 1 out of 1 hunk FAILED -- rejects in file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp Patch CVE-2022-42856.patch does not apply (enforce with -f) stderr: ') ERROR: Logfile of failure stored in: /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789 ERROR: Task (/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch) failed with exit code '1' Steve > " > SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437" > > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#182554): https://lists.openembedded.org/g/openembedded-core/message/182554 > Mute This Topic: https://lists.openembedded.org/mt/99429024/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Fri, Jun 9, 2023 at 5:54 AM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via > lists.openembedded.org > <Yogita.Urade=windriver.com@lists.openembedded.org> wrote: > > > > A type confusion issue was addressed with improved state handling. > > This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, > > iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously > > crafted web content may lead to arbitrary code execution. Apple is > > aware of a report that this issue may have been actively exploited > > against versions of iOS released before iOS 15.1. > > > > References: > > https://support.apple.com/en-us/HT213531 > > > > Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > > --- > > .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++++++++++++++++++ > > meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + > > 2 files changed, 111 insertions(+) > > create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch > > > > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch > > new file mode 100644 > > index 0000000000..97d58c955a > > --- /dev/null > > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
> > @@ -0,0 +1,110 @@ > > +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001 > > +From: Mark Lam <mark.lam@apple.com> > > +Date: Wed, 23 Nov 2022 13:48:49 -0800 > > +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is > > + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266 > > + <rdar://problem/102531234> > > + > > +Reviewed by Justin Michaud. > > + > > +speculateRealNumber does a doubleEqual compare, which filters out double values which > > +are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, > > +the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. > > + > > +Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, > > +SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and > > +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering > > +of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given > > +a proven type of > > + > > + { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } > > + > > +which yields > > + > > + { SpecInt32Only }. > > + > > +As a result, the compiler will think that that isNotIn32() check will always fail. This > > +is not correct if the actual incoming value for that edge is actually a PureNaN. In this > > +case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that > > +the isNotInt32() check will always fail and elide the check altogether. > > + > > +In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also > > +rename the `intCase` block to `intOrNaNCase` to document what it actually handles. > > + > > +* JSTests/stress/speculate-real-number-in-object-is.js: Added. 
> > +(test.object_is_opt): > > +(test): > > +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: > > +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): > > + > > +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch > > + > > +CVE: CVE-2022-42856 > > + > > +Upstream-Status: Backport > > +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56] > > + > > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> > > +--- > > + .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ > > + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- > > + 2 files changed, 26 insertions(+), 4 deletions(-) > > + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js > > + > > +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js > > +new file mode 100644 > > +index 000000000000..0b10799954da > > +--- /dev/null > > ++++ b/JSTests/stress/speculate-real-number-in-object-is.js > > +@@ -0,0 +1,22 @@ > > ++function test() { > > ++ function object_is_opt(value) { > > ++ const tmp = {p0: value}; > > ++ > > ++ if (Object.is(value, NaN)) > > ++ return 0; > > ++ > > ++ return value; > > ++ } > > ++ > > ++ object_is_opt(NaN); > > ++ > > ++ for (let i = 0; i < 0x20000; i++) > > ++ object_is_opt(1.1); > > ++ > > ++ return isNaN(object_is_opt(NaN)); > > ++} > > ++ > > ++resultIsNaN = test(); > > ++if (resultIsNaN) > > ++ throw "FAILED"; > > ++ > > +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > > +index 8621b554d578..588298eba350 100644 > > +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > > ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > > +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END > > + LValue value = lowJSValue(edge, ManualOperandSpeculation); > > + LValue doubleValue = unboxDouble(value); > > + > > +- LBasicBlock intCase = m_out.newBlock(); > > ++ LBasicBlock 
intOrNaNCase = m_out.newBlock(); > > + LBasicBlock continuation = m_out.newBlock(); > > + > > + m_out.branch( > > + m_out.doubleEqual(doubleValue, doubleValue), > > +- usually(continuation), rarely(intCase)); > > ++ usually(continuation), rarely(intOrNaNCase)); > > + > > +- LBasicBlock lastNext = m_out.appendTo(intCase, continuation); > > ++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); > > + > > + typeCheck( > > + jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, > > +- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); > > ++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); > > + m_out.jump(continuation); > > + > > + m_out.appendTo(continuation, lastNext); > > +-- > > +2.35.5 > > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb > > index 062f209932..cf1b8b2cc0 100644 > > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb > > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
> > @@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ > > file://CVE-2022-46691.patch \ > > file://CVE-2022-46699.patch \ > > file://CVE-2022-42867.patch \ > > + file://CVE-2022-42856.patch \ I wasn't able to take this patch due to the below error. Please submit a v2 with this corrected. Thanks! Steve > The patch fails to apply at build time: > > ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch > 'CVE-2022-42856.patch' on target directory > '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8' > CmdError('quilt --quiltrc > /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc > push', 0, 'stdout: Applying patch CVE-2022-42856.patch > patching file JSTests/stress/speculate-real-number-in-object-is.js > patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > Hunk #1 FAILED at 20285. > 1 out of 1 hunk FAILED -- rejects in file > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp > Patch CVE-2022-42856.patch does not apply (enforce with -f) > > stderr: ') > ERROR: Logfile of failure stored in: > /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789 > ERROR: Task (/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch) > failed with exit code '1' > > Steve > > > " > > SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437" > > > > -- > > 2.40.0 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. 
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
new file mode 100644
index 0000000000..97d58c955a
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
@@ -0,0 +1,110 @@
+From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
+From: Mark Lam <mark.lam@apple.com>
+Date: Wed, 23 Nov 2022 13:48:49 -0800
+Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
+ incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
+ <rdar://problem/102531234>
+
+Reviewed by Justin Michaud.
+
+speculateRealNumber does a doubleEqual compare, which filters out double values which
+are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
+the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
+
+Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
+SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
+SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
+of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
+a proven type of
+
+ { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
+
+which yields
+
+ { SpecInt32Only }.
+
+As a result, the compiler will think that that isNotIn32() check will always fail. This
+is not correct if the actual incoming value for that edge is actually a PureNaN. In this
+case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
+the isNotInt32() check will always fail and elide the check altogether.
+
+In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
+rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
+
+* JSTests/stress/speculate-real-number-in-object-is.js: Added.
+(test.object_is_opt):
+(test):
+* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
+
+CVE: CVE-2022-42856
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
+ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
+
+diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js
+new file mode 100644
+index 000000000000..0b10799954da
+--- /dev/null
++++ b/JSTests/stress/speculate-real-number-in-object-is.js
+@@ -0,0 +1,22 @@
++function test() {
++ function object_is_opt(value) {
++ const tmp = {p0: value};
++
++ if (Object.is(value, NaN))
++ return 0;
++
++ return value;
++ }
++
++ object_is_opt(NaN);
++
++ for (let i = 0; i < 0x20000; i++)
++ object_is_opt(1.1);
++
++ return isNaN(object_is_opt(NaN));
++}
++
++resultIsNaN = test();
++if (resultIsNaN)
++ throw "FAILED";
++
+diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+index 8621b554d578..588298eba350 100644
+--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
+ LValue doubleValue = unboxDouble(value);
+
+- LBasicBlock intCase = m_out.newBlock();
++ LBasicBlock intOrNaNCase = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(
+ m_out.doubleEqual(doubleValue, doubleValue),
+- usually(continuation), rarely(intCase));
++ usually(continuation), rarely(intOrNaNCase));
+
+- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
+
+ typeCheck(
+ jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
+- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+--
+2.35.5
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 062f209932..cf1b8b2cc0 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
 file://CVE-2022-46691.patch \
 file://CVE-2022-46699.patch \
 file://CVE-2022-42867.patch \
+ file://CVE-2022-42856.patch \
 "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
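Review bot: The one-line fix in the nested `FTLLowerDFGToB3.cpp` hunk, `isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)`, only closes the hole if the `SpecXxx` bit definitions in the 2.36.8 tree have the relationship the upstream message assumes (`SpecFullDouble = SpecDoubleReal | SpecDoubleNaN`, with `SpecDoubleNaN` covering both pure and impure NaN), and the patch header does not say that this was checked against the header where those bits are defined for this older release. Without that, a pure NaN on the `intOrNaNCase` path could still have its `isNotInt32()` check elided, which is exactly the missed OSR exit the CVE is about, so the kirkstone backport should confirm it rather than rely on the trunk commit message. The enclosing `speculateRealNumber` body starts and ends outside the hunk, and the hunk's context is copied verbatim from the safari-7614 branch. A short line added to the patch header, e.g. `Backport note: SpecDoubleReal/SpecFullDouble definitions verified identical in 2.36.8.`, would record that check for the next maintainer.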
A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1. References: https://support.apple.com/en-us/HT213531 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 111 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch