From patchwork Fri Jun 9 14:09:03 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25331
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691
Date: Fri, 9 Jun 2023 14:09:03 +0000
Message-ID: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182551

A memory consumption issue was addressed with improved memory handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46691
https://support.apple.com/en-us/HT213531
Signed-off-by: Yogita Urade --- .../webkit/webkitgtk/CVE-2022-46691.patch | 43 +++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch new file mode 100644 index 0000000000..ff9df40433 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch 
@@ -0,0 +1,43 @@ +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001 +From: Yijia Huang +Date: Mon, 10 Oct 2022 15:42:34 -0700 +Subject: [PATCH] [JSC] Should model BigInt with side effects + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823 + +Reviewed by Yusuke Suzuki. + +Operations with two BigInt operands have side effects, +which should not be hoisted from loops. + +* Source/JavaScriptCore/dfg/DFGClobberize.cpp: +(JSC::DFG::doesWrites): +* Source/JavaScriptCore/dfg/DFGClobberize.h: +(JSC::DFG::clobberize): + +Canonical link: https://commits.webkit.org/255368@main + +CVE: CVE-2022-46691 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c] + +Signed-off-by: Yogita Urade +--- + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h +index 0363ab20dcd8..4b1bcfea1fd7 100644 +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + case ValueBitRShift: + // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand. + if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) { ++ read(World); ++ write(SideState); + def(PureValue(node)); + return; + } +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 1dac4f5677..02258f84e4 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
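Review bot: the commit message lists Source/JavaScriptCore/dfg/DFGClobberize.cpp (JSC::DFG::doesWrites) among the changed files, but the backported diffstat touches only DFGClobberize.h (`1 file changed, 2 insertions(+)`). If the .cpp part was deliberately left out for 2.36.8, state that in the Upstream-Status block; otherwise the backport is incomplete and should carry it. The .h hunk itself matches the message: `read(World); write(SideState);` ahead of the existing `def(PureValue(node))` is what stops the two-BigInt-operand ops being hoisted out of loops.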
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \ file://CVE-2022-32888.patch \ file://CVE-2022-32923.patch \ + file://CVE-2022-46691.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

From patchwork Fri Jun 9 14:09:04 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25335
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699
Date: Fri, 9 Jun 2023 14:09:04 +0000
Message-ID: <20230609140908.3465521-2-yogita.urade@windriver.com>
In-Reply-To: <20230609140908.3465521-1-yogita.urade@windriver.com>
References: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182552

A memory corruption issue was addressed with improved state management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46699
https://support.apple.com/en-us/HT213537
Signed-off-by: Yogita Urade --- .../webkit/webkitgtk/CVE-2022-46699.patch | 136 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 137 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch new file mode 100644 index 0000000000..0752b9c0e2 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch 
@@ -0,0 +1,136 @@ +From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001 +From: Justin Michaud +Date: Wed, 9 Nov 2022 19:20:41 -0800 +Subject: [PATCH] Error() ICs should not cache special properties. + https://bugs.webkit.org/show_bug.cgi?id=247699 + +Reviewed by Yusuke Suzuki. + +HasOwnProperty/DeleteProperty are not always cacheable for special Error() +properties like column. These special properties are materialized on-demand +in materializeErrorInfoIfNeeded, but this function's behaviour can be changed +by Error.stackTraceLimit without causing a structure transition or firing watchpoints. + +That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic +for a given structure if we are using one of these properties. + +* Source/JavaScriptCore/runtime/ErrorInstance.cpp: +(JSC::ErrorInstance::deleteProperty): +* Source/JavaScriptCore/runtime/ErrorInstance.h: + +Canonical link: https://commits.webkit.org/256519@main + +CVE: CVE-2022-46699 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68] + +Signed-off-by: Yogita Urade +--- + JSTests/stress/delete-cache-error.js | 19 ++++++++++++++++++ + .../get-own-property-slot-cache-error.js | 6 ++++++ + JSTests/stress/get-property-cache-error.js | 20 +++++++++++++++++++ + .../JavaScriptCore/runtime/ErrorInstance.cpp | 4 +++- + Source/JavaScriptCore/runtime/ErrorInstance.h | 3 ++- + 5 files changed, 50 insertions(+), 2 deletions(-) + create mode 100644 JSTests/stress/delete-cache-error.js + create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js + create mode 100644 JSTests/stress/get-property-cache-error.js + +diff --git a/JSTests/stress/delete-cache-error.js b/JSTests/stress/delete-cache-error.js +new file mode 100644 +index 000000000000..d77c09185a13 +--- /dev/null ++++ b/JSTests/stress/delete-cache-error.js +@@ -0,0 +1,19 @@ ++delete Error.stackTraceLimit ++ ++// sourceURL is not materialized 
++function cacheColumn(o) { ++ delete o.sourceURL ++} ++noInline(cacheColumn) ++ ++for (let i = 0; i < 200; ++i) { ++ let e = Error() ++ cacheColumn(e) ++ if (e.sourceURL !== undefined) ++ throw "Test failed on iteration " + i + " " + e.sourceURL ++ ++ if (i == 197) { ++ // now it is ++ Error.stackTraceLimit = 10 ++ } ++} +\ No newline at end of file +diff --git a/JSTests/stress/get-own-property-slot-cache-error.js b/JSTests/stress/get-own-property-slot-cache-error.js +new file mode 100644 +index 000000000000..f8202213bf79 +--- /dev/null ++++ b/JSTests/stress/get-own-property-slot-cache-error.js +@@ -0,0 +1,6 @@ ++delete Error.stackTraceLimit ++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null. ++Object.hasOwn(Error(), "column") ++Error.stackTraceLimit = 10 ++// Now it does ++Object.hasOwn(Error(), "column") +\ No newline at end of file +diff --git a/JSTests/stress/get-property-cache-error.js b/JSTests/stress/get-property-cache-error.js +new file mode 100644 +index 000000000000..b35272ea6fe2 +--- /dev/null ++++ b/JSTests/stress/get-property-cache-error.js +@@ -0,0 +1,20 @@ ++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null. 
++delete Error.stackTraceLimit ++expected = undefined ++ ++function cacheColumn(o) { ++ return o.column ++} ++noInline(cacheColumn) ++ ++for (let i = 0; i < 1000; ++i) { ++ let val = cacheColumn(Error()) ++ if (val !== expected) ++ throw "Test failed on iteration " + i + ": " + val ++ ++ if (i == 900) { ++ // now it does ++ Error.stackTraceLimit = 10 ++ expected = 32 ++ } ++} +\ No newline at end of file +diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp +index ddf96869e84a..8e5373257d34 100644 +--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp ++++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp +@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P + { + VM& vm = globalObject->vm(); + ErrorInstance* thisObject = jsCast(cell); +- thisObject->materializeErrorInfoIfNeeded(vm, propertyName); ++ bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName); ++ if (materializedProperties) ++ slot.disableCaching(); + return Base::deleteProperty(thisObject, globalObject, propertyName, slot); + } + +diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h +index 28807b4ea33e..2afb153a7442 100644 +--- a/Source/JavaScriptCore/runtime/ErrorInstance.h ++++ b/Source/JavaScriptCore/runtime/ErrorInstance.h +@@ -30,7 +30,8 @@ namespace JSC { + class ErrorInstance : public JSNonFinalObject { + public: + using Base = JSNonFinalObject; +- static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut; ++ ++ static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut | GetOwnPropertySlotIsImpureForPropertyAbsence; + static constexpr bool needsDestruction = true; + + static void destroy(JSCell* cell) +-- +2.40.0 
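Review bot: in the ErrorInstance.cpp hunk, `bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName);` relies on that function returning a bool, and nothing in this patch changes its declaration (the diffstat lists only ErrorInstance.cpp and ErrorInstance.h as source changes). Please confirm the 2.36.8 tree already has the bool-returning variant, or this backport will not compile; a line in the cover letter saying the recipe was built with all six patches would settle it.

Review bot: the ErrorInstance.h hunk adds an empty `+` line between `using Base = JSNonFinalObject;` and the new `StructureFlags` definition, leaving a stray blank inside the `public:` block; drop it so the hunk is the single-line change that adds `GetOwnPropertySlotIsImpureForPropertyAbsence`. That flag is the part that stops property-miss caching for the on-demand Error properties, so it must stay paired with the `slot.disableCaching()` change in deleteProperty rather than being trimmed as a header-only cosmetic edit.

Review bot: the three new JSTests files all end with `\ No newline at end of file`. That is how upstream committed them, so it is fine if the goal is a byte-identical backport; but if the kirkstone recipe never runs JSTests, consider leaving the JSTests hunks out so the CVE patch carries only the source change and applies more robustly to 2.36.8.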
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 02258f84e4..8f6514a82b 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-32888.patch \ file://CVE-2022-32923.patch \ file://CVE-2022-46691.patch \ + file://CVE-2022-46699.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

From patchwork Fri Jun 9 14:09:05 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25332
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867
Date: Fri, 9 Jun 2023 14:09:05 +0000
Message-ID: <20230609140908.3465521-3-yogita.urade@windriver.com>
In-Reply-To: <20230609140908.3465521-1-yogita.urade@windriver.com>
References: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182553

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-42867
https://support.apple.com/en-us/HT213537
Signed-off-by: Yogita Urade --- .../webkit/webkitgtk/CVE-2022-42867.patch | 104 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch new file mode 100644 index 0000000000..bf06809051 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch 
@@ -0,0 +1,104 @@ +From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001 +From: Yogita Urade +Date: Wed, 7 Jun 2023 08:15:11 +0000 +Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages + should take pointer arguments like other similar functions + https://bugs.webkit.org/show_bug.cgi?id=247317 rdar://100273147 + +Reviewed by Alan Baradlay. + +* Source/WebCore/rendering/RenderElement.cpp: +(WebCore::RenderElement::updateFillImages): +(WebCore::RenderElement::styleDidChange): +* Source/WebCore/rendering/RenderElement.h: + +Canonical link: https://commits.webkit.org/256215@main + +CVE: CVE-2022-42867 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc] + +Signed-off-by: Yogita Urade +--- + Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++-------- + Source/WebCore/rendering/RenderElement.h | 2 +- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp +index da43bf3d..931686b8 100644 +--- a/Source/WebCore/rendering/RenderElement.cpp ++++ b/Source/WebCore/rendering/RenderElement.cpp +@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff) + return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline()); + } + +-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers) ++void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers) + { + auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool { + if (layer1 == layer2) +@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer + }; + + auto isRegisteredWithNewFillImages = [&]() -> bool { +- for (auto* layer = &newLayers; layer; layer = 
layer->next()) { ++ for (auto* layer = newLayers; layer; layer = layer->next()) { + if (layer->image() && !layer->image()->hasClient(*this)) + return false; + } +@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer + + // If images have the same characteristics and this element is already registered as a + // client to the new images, there is nothing to do. +- if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages()) ++ if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages()) + return; + + // Add before removing, to avoid removing all clients of an image that is in both sets. +- for (auto* layer = &newLayers; layer; layer = layer->next()) { ++ for (auto* layer = newLayers; layer; layer = layer->next()) { + if (layer->image()) + layer->image()->addClient(*this); + } +@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b) + + void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle) + { +- updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers()); +- updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers()); +- updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image()); +- updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image()); +- updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside()); ++ auto registerImages = [this](auto* style, auto* oldStyle) { ++ if (!style && !oldStyle) ++ return; ++ updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr); ++ updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr); ++ updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? 
style->borderImage().image() : nullptr); ++ updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr); ++ updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr); ++ }; ++ ++ registerImages(&style(), oldStyle); ++ ++ // Are there other pseudo-elements that need the resources to be registered? ++ registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr); + + SVGRenderSupport::styleChanged(*this, oldStyle); + +diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h +index f376cecb..d6ba2cdf 100644 +--- a/Source/WebCore/rendering/RenderElement.h ++++ b/Source/WebCore/rendering/RenderElement.h +@@ -349,7 +349,7 @@ private: + bool shouldRepaintForStyleDifference(StyleDifference) const; + bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const; + +- void updateFillImages(const FillLayer*, const FillLayer&); ++ void updateFillImages(const FillLayer*, const FillLayer*); + void updateImage(StyleImage*, StyleImage*); + void updateShapeImage(const ShapeValue*, const ShapeValue*); + +-- +2.35.5 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 8f6514a82b..062f209932 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
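Review bot: the patch header was regenerated from the local backport commit rather than the upstream one: `From f67a882170609d15836204a689dc552322fbe653`, the author `Yogita Urade`, the date `Wed, 7 Jun 2023` and the `[oe-core][kirkstone][PATCH 1/1]` Subject prefix all describe the kirkstone commit, while Upstream-Status points at 091a04e55c801ac6ba13f4b328fbee2eece853fc (Canonical link 256215@main). Keep the upstream commit id, author and date in the header and drop the oe-core prefix from the Subject so provenance stays traceable, and if the hunks needed manual conflict resolution for 2.36.8, say so next to Upstream-Status.

Review bot: in the styleDidChange hunk, `// Are there other pseudo-elements that need the resources to be registered?` is an open question left in code; upstream carries it verbatim, but a FIXME prefix would keep it visible to greps when the next pseudo-element is added. The null handling looks right as backported: the early `if (!style && !oldStyle) return;` plus the first hunk's switch of `newLayers` to a pointer means `registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), ...)` is safe when no first-line style is cached, since `isRegisteredWithNewFillImages` simply returns true for an empty list.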
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-32923.patch \ file://CVE-2022-46691.patch \ file://CVE-2022-46699.patch \ + file://CVE-2022-42867.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

From patchwork Fri Jun 9 14:09:06 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25333
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856
Date: Fri, 9 Jun 2023 14:09:06 +0000
Message-ID: <20230609140908.3465521-4-yogita.urade@windriver.com>
In-Reply-To: <20230609140908.3465521-1-yogita.urade@windriver.com>
References: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182554

A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

References:
https://support.apple.com/en-us/HT213531
Signed-off-by: Yogita Urade --- .../webkit/webkitgtk/CVE-2022-42856.patch | 110 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 111 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch new file mode 100644 index 0000000000..97d58c955a --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch 
@@ -0,0 +1,110 @@ +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001 +From: Mark Lam +Date: Wed, 23 Nov 2022 13:48:49 -0800 +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266 + + +Reviewed by Justin Michaud. + +speculateRealNumber does a doubleEqual compare, which filters out double values which +are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, +the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. + +Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, +SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering +of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given +a proven type of + + { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } + +which yields + + { SpecInt32Only }. + +As a result, the compiler will think that that isNotIn32() check will always fail. This +is not correct if the actual incoming value for that edge is actually a PureNaN. In this +case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that +the isNotInt32() check will always fail and elide the check altogether. + +In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also +rename the `intCase` block to `intOrNaNCase` to document what it actually handles. + +* JSTests/stress/speculate-real-number-in-object-is.js: Added. 
+(test.object_is_opt): +(test): +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch + +CVE: CVE-2022-42856 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56] + +Signed-off-by: Yogita Urade +--- + .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- + 2 files changed, 26 insertions(+), 4 deletions(-) + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js + +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js +new file mode 100644 +index 000000000000..0b10799954da +--- /dev/null ++++ b/JSTests/stress/speculate-real-number-in-object-is.js +@@ -0,0 +1,22 @@ ++function test() { ++ function object_is_opt(value) { ++ const tmp = {p0: value}; ++ ++ if (Object.is(value, NaN)) ++ return 0; ++ ++ return value; ++ } ++ ++ object_is_opt(NaN); ++ ++ for (let i = 0; i < 0x20000; i++) ++ object_is_opt(1.1); ++ ++ return isNaN(object_is_opt(NaN)); ++} ++ ++resultIsNaN = test(); ++if (resultIsNaN) ++ throw "FAILED"; ++ +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp +index 8621b554d578..588298eba350 100644 +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END + LValue value = lowJSValue(edge, ManualOperandSpeculation); + LValue doubleValue = unboxDouble(value); + +- LBasicBlock intCase = m_out.newBlock(); ++ LBasicBlock intOrNaNCase = m_out.newBlock(); + LBasicBlock continuation = m_out.newBlock(); + + m_out.branch( + m_out.doubleEqual(doubleValue, doubleValue), +- usually(continuation), rarely(intCase)); ++ usually(continuation), rarely(intOrNaNCase)); + +- LBasicBlock 
lastNext = m_out.appendTo(intCase, continuation); ++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); + + typeCheck( + jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, +- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); ++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); + m_out.jump(continuation); + + m_out.appendTo(continuation, lastNext); +-- +2.35.5 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 062f209932..cf1b8b2cc0 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
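Review bot: the new JSTests/stress/speculate-real-number-in-object-is.js only catches the bug once `object_is_opt` has been compiled by the FTL (that is what the 0x20000-iteration warm-up with 1.1 after the first `object_is_opt(NaN)` call is for), so on a `jsc` built without the FTL JIT it passes unconditionally and says nothing about the fix. The oe-core build does not run JSTests either, so please add a line to the commit message saying how the backport was verified, for example by running this file under the patched `jsc` on a target where the JIT is enabled in the recipe's cmake configuration.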
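Review bot: the FTLLowerDFGToB3.cpp hunk carries the `@@ -20285,18 +20285,18 @@` offsets of the safari-7614-branch, and 2.36.8's copy of this function will not be at that line, so please confirm the hunk applied without fuzz and that the context around the one-token change (the `m_out.doubleEqual(doubleValue, doubleValue)` branch into the NaN block, then `typeCheck(jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, isNotInt32(...))`) reads the same in 2.36.8. The fix itself is only `~SpecFullDouble` -> `~SpecDoubleReal`, which keeps `SpecDoubleNaN` in the proven type passed to `isNotInt32()` so the check can no longer be folded away for a NaN input; a one-line comment at that call saying so would help the next rebase more than the `intOrNaNCase` rename does, since the rename survives a rebase but the reason for the mask lives only in the upstream commit message.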
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-46691.patch \ file://CVE-2022-46699.patch \ file://CVE-2022-42867.patch \ + file://CVE-2022-42856.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

From patchwork Fri Jun 9 14:09:07 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25334
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518
Date: Fri, 9 Jun 2023 14:09:07 +0000
Message-ID: <20230609140908.3465521-5-yogita.urade@windriver.com>
In-Reply-To: <20230609140908.3465521-1-yogita.urade@windriver.com>
References: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182555

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756
Signed-off-by: Yogita Urade
---
 .../CVE-2023-23517-CVE-2023-23518.patch      | 131 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb |   1 +
 2 files changed, 132 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 0000000000..721f045e0d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@ +From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001 +From: Youenn Fablet +Date: Mon, 28 Nov 2022 00:43:35 -0800 +Subject: [PATCH] Type getter is not needed for internal ReadableStream sources + https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913 + +Reviewed by Eric Carlson. + +Make ReadableStreamSource method privates. +In ReadableStream, use @getters instead of private getters to allow getting private values from prototype. +Covered by added test. + +* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added. +* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added. +* Source/WebCore/Modules/streams/ReadableStream.js: +(initializeReadableStream): +* Source/WebCore/Modules/streams/ReadableStreamSource.idl: +* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h: +(WebCore::IDLOperationReturningPromise::call): + +Canonical link: https://commits.webkit.org/257063@main + +CVE: CVE-2023-23517 CVE-2023-23518 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1] + +Signed-off-by: Yogita Urade +--- + .../fetch/fetch-stream-source-expected.txt | 3 +++ + .../http/wpt/fetch/fetch-stream-source.html | 24 +++++++++++++++++++ + .../WebCore/Modules/streams/ReadableStream.js | 4 ++-- + .../Modules/streams/ReadableStreamSource.idl | 8 +++---- + .../js/JSDOMOperationReturningPromise.h | 4 +++- + 5 files changed, 36 insertions(+), 7 deletions(-) + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html + +diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt +new file mode 100644 +index 000000000000..856ea8180ca2 +--- /dev/null ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt +@@ -0,0 +1,3 @@ ++ ++PASS Only JS streams should check type ++ +diff --git 
a/LayoutTests/http/wpt/fetch/fetch-stream-source.html b/LayoutTests/http/wpt/fetch/fetch-stream-source.html +new file mode 100644 +index 000000000000..fbebfa5e524f +--- /dev/null ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html +@@ -0,0 +1,24 @@ ++ ++ ++ ++ ++ Fetch and source ++ ++ ++ ++ ++ ++ ++ +diff --git a/Source/WebCore/Modules/streams/ReadableStream.js b/Source/WebCore/Modules/streams/ReadableStream.js +index ddef56ecd460..7f0def325d84 100644 +--- a/Source/WebCore/Modules/streams/ReadableStream.js ++++ b/Source/WebCore/Modules/streams/ReadableStream.js +@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, strategy) + + // FIXME: We should introduce https://streams.spec.whatwg.org/#create-readable-stream. + // For now, we emulate this with underlyingSource with private properties. +- if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) { ++ if (underlyingSource.@pull !== @undefined) { + const size = @getByIdDirectPrivate(strategy, "size"); + const highWaterMark = @getByIdDirectPrivate(strategy, "highWaterMark"); +- @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), @getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, "cancel")); ++ @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? 
highWaterMark : 1, underlyingSource.@start, underlyingSource.@pull, underlyingSource.@cancel); + return this; + } + +diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl b/Source/WebCore/Modules/streams/ReadableStreamSource.idl +index cce9ea37ce80..ae7f1403b8ac 100644 +--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl ++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl +@@ -30,10 +30,10 @@ + LegacyNoInterfaceObject, + SkipVTableValidation + ] interface ReadableStreamSource { +- [Custom] Promise start(ReadableStreamDefaultController controller); +- [Custom] Promise pull(ReadableStreamDefaultController controller); +- undefined cancel(any reason); ++ [Custom, PrivateIdentifier] Promise start(ReadableStreamDefaultController controller); ++ [Custom, PrivateIdentifier] Promise pull(ReadableStreamDefaultController controller); ++ [PrivateIdentifier] undefined cancel(any reason); + + // Place holder to keep the controller linked to the source. +- [CachedAttribute, CustomGetter] readonly attribute any controller; ++ [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any controller; + }; +diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h +index c4d1513ad5c4..1dda9d3834f7 100644 +--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h ++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h +@@ -43,8 +43,10 @@ public: + if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) { + if (UNLIKELY(!thisObject)) + return rejectPromiseWithThisTypeError(promise.get(), JSClass::info()->className, operationName); +- } else ++ } else { ++ UNUSED_PARAM(operationName); + ASSERT(thisObject); ++ } + + ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info()); + +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index cf1b8b2cc0..69663c1cb7 100644 
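Review bot: the fetch-stream-source.html / -expected.txt hunks are a run-webkit-tests HTTP layout test (its only expected line is `PASS Only JS streams should check type`), which the oe-core build never executes, so the build itself is the only in-tree check this backport gets on kirkstone. Either state in the commit message that the test was not run, or run it once against the patched 2.36.8 with `Tools/Scripts/run-webkit-tests --gtk http/wpt/fetch/fetch-stream-source.html` and say so.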
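Review bot: in the ReadableStream.js hunk, `@getByIdDirectPrivate(underlyingSource, "pull")` is an own-property read while `underlyingSource.@pull` walks the prototype chain; the switch is required because the IDL hunk moves `start`/`pull`/`cancel` onto the ReadableStreamSource prototype as `[PrivateIdentifier]` operations, exactly as the commit message says ("use @getters instead of private getters to allow getting private values from prototype"). The two `@getByIdDirectPrivate(strategy, ...)` reads on the following lines are deliberately left alone, so a short comment above the `if` explaining why `underlyingSource` is now read differently from `strategy` would stop a later rebase from "harmonising" them back to the direct form.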
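Review bot: the ReadableStreamSource.idl hunk turns `start`, `pull`, `cancel` and the `controller` attribute into `[PrivateIdentifier]` members, i.e. they leave the public prototype and are reachable only through the private names used in ReadableStream.js; please confirm that 2.36.8's bindings generator accepts `PrivateIdentifier` in the two combinations used here (`[Custom, PrivateIdentifier]` on the promise-returning operations and `[CachedAttribute, CustomGetter, PrivateIdentifier]` on the attribute) and that the regenerated JSReadableStreamSource.cpp still links against the existing custom implementations, since the hunk applying cleanly says nothing about what the generator emits for that branch.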
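Review bot: the JSDOMOperationReturningPromise.h hunk is warning hygiene only: it braces the `else` and adds `UNUSED_PARAM(operationName)` so that in the `CastedThisErrorBehavior::Assert` branch, where `operationName` is never read, the parameter does not trip an unused-parameter warning. It is harmless and should stay so the patch matches upstream, but it is worth a sentence in the commit message that the IDL and ReadableStream.js hunks are the actual fix and this one carries no behaviour change.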
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-46699.patch \ file://CVE-2022-42867.patch \ file://CVE-2022-42856.patch \ + file://CVE-2023-23517-CVE-2023-23518.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

From patchwork Fri Jun 9 14:09:08 2023
X-Patchwork-Submitter: yurade
X-Patchwork-Id: 25336
From: Yogita Urade
Subject: [oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700
Date: Fri, 9 Jun 2023 14:09:08 +0000
Message-ID: <20230609140908.3465521-6-yogita.urade@windriver.com>
In-Reply-To: <20230609140908.3465521-1-yogita.urade@windriver.com>
References: <20230609140908.3465521-1-yogita.urade@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/182556

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://support.apple.com/en-us/HT213531
https://bugs.webkit.org/show_bug.cgi?id=247562
https://github.com/WebKit/WebKit/pull/6266
Signed-off-by: Yogita Urade
---
 .../webkit/webkitgtk/CVE-2022-46700.patch    | 67 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 0000000000..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@ +From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001 +From: David Degazio +Date: Tue, 8 Nov 2022 19:54:33 -0800 +Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to + script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379 + +Reviewed by Mark Lam. + +We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it +to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError +when udatpg_open returns a failed status. + +* JSTests/stress/intl-locale-invalid-hourCycles.js: Added. +(main): +* Source/JavaScriptCore/runtime/IntlLocale.cpp: +(JSC::IntlLocale::hourCycles): + +Canonical link: https://commits.webkit.org/256473@main + +CVE:CVE-2022-46700 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da] + +Signed-off-by: Yogita Urade +--- + JSTests/stress/intl-locale-invalid-hourCycles.js | 12 ++++++++++++ + Source/JavaScriptCore/runtime/IntlLocale.cpp | 4 +++- + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js + +diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js +new file mode 100644 +index 000000000000..7b94eb844764 +--- /dev/null ++++ b/JSTests/stress/intl-locale-invalid-hourCycles.js +@@ -0,0 +1,12 @@ ++function main() { ++ const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" }); ++ let empty = v24.hourCycles; ++ print(empty); ++} ++ ++try { ++ main(); ++} catch (e) { ++ if (!(e instanceof TypeError)) ++ throw e; ++} +diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp +index c3c346163a18..bef424727a8a 100644 +--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp ++++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp +@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* 
globalObject) + + UErrorCode status = U_ZERO_ERROR; + auto generator = std::unique_ptr>(udatpg_open(m_localeID.data(), &status)); +- if (U_FAILURE(status)) ++ if (U_FAILURE(status)) { ++ throwTypeError(globalObject, scope, "invalid locale"_s); + return nullptr; ++ } + + // Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information. + constexpr const UChar skeleton[] = { 'j', 0 }; +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 69663c1cb7..e9dd0d0a8d 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb @@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-42867.patch \ file://CVE-2022-42856.patch \ file://CVE-2023-23517-CVE-2023-23518.patch \ + file://CVE-2022-46700.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
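Review bot: the intl-locale-invalid-hourCycles.js hunk exercises the fix only if ICU's `udatpg_open` actually fails for `new Intl.Locale("trimEnd", { numberingSystem: "foobar" })`, which is a property of the ICU the target links against rather than of JavaScriptCore; if it does not fail, `main()` returns normally and the test passes without ever reaching the new `throwTypeError` branch. Please confirm with kirkstone's ICU that the test throws a TypeError after the patch and does not pass before it, and note that `print()` is a `jsc` shell builtin, so this file can only be run under `jsc`, not in a browser.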
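Review bot: the IntlLocale.cpp hunk calls `throwTypeError(globalObject, scope, "invalid locale"_s)` with a `scope` declared above the visible context, so the backport depends on 2.36.8's `IntlLocale::hourCycles` already having a throw scope (otherwise this does not compile) and on its caller checking that scope when `nullptr` comes back (otherwise the empty JSValue described in the commit message still reaches script, now with an exception pending). The first is implied by the upstream hunk compiling; the second is not visible in this hunk, so please confirm it for 2.36.8 rather than relying on `git am` applying cleanly.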
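Review bot: the .bb hunk adds `CVE-2022-46700.patch`, and cve-check will pick the CVE ID up from that file name, but inside the patch the tag is written `CVE:CVE-2022-46700` without the space after the colon; the other patches in this series use `CVE: CVE-2022-42856` and `CVE: CVE-2023-23517 CVE-2023-23518`, which is also the form cve-check's `CVE:` line matching expects. Please change it to `CVE: CVE-2022-46700` so the header follows the oe-core convention.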