webkitgtk: fix CVE-2023-32439

A type confusion issue was addressed with improved checks.
This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, Safari
16.5.1, macOS Ventura 13.4.1, iOS 15.7.7 and iPadOS 15.7.7.
Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that
this issue may have been actively exploited.

(From OE-Core rev: cdbc3c1548299eb78aeebb94909224eca8410158)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2 files changed, 128 insertions, 0 deletions

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
new file mode 100644
index 0000000000..f8d7b613fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
@@ -0,0 +1,127 @@
+From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
+From: Yijia Huang <yijia_huang@apple.com>
+Date: Tue, 26 Sep 2023 09:23:31 +0000
+Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
+ https://bugs.webkit.org/show_bug.cgi?id=256567
+
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
+    https://bugs.webkit.org/show_bug.cgi?id=256567
+    rdar://109089013
+
+    Reviewed by Yusuke Suzuki.
+
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
+    they might introduce the same heap location kind in DFGClobberize.h which might lead to
+    hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.
+
+    * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
+    (foo):
+    * Source/JavaScriptCore/dfg/DFGClobberize.h:
+    (JSC::DFG::clobberize):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
+    (WTF::printInternal):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:
+
+    Canonical link: https://commits.webkit.org/263909@main
+
+Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
+
+CVE: CVE-2023-32439
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++
+ Source/JavaScriptCore/dfg/DFGClobberize.h            |  7 ++++---
+ Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        |  4 ++++
+ Source/JavaScriptCore/dfg/DFGHeapLocation.h          |  1 +
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
+
+diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+new file mode 100644
+index 00000000..ed40601e
+--- /dev/null
++++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+@@ -0,0 +1,12 @@
++//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
++const arr = [0];
++
++function foo() {
++    for (let _ in arr) {
++        0 in arr;
++        while(1);
++    }
++}
++
++
++foo();
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index f96e21d2..af3e864b 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -371,6 +371,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+
+         read(JSObject_butterfly);
+         ArrayMode mode = node->arrayMode();
++        LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
+         switch (mode.type()) {
+         case Array::ForceExit: {
+             write(SideState);
+@@ -380,7 +381,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedInt32Properties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -390,7 +391,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedDoubleProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -400,7 +401,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedContiguousProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+index 0661e5b8..698a6d4b 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind)
+         out.print("HasIndexedPorpertyLoc");
+         return;
+
++    case EnumeratorNextUpdateIndexAndModeLoc:
++        out.print("EnumeratorNextUpdateIndexAndModeLoc");
++        return;
++
+     case IndexedPropertyDoubleLoc:
+         out.print("IndexedPropertyDoubleLoc");
+         return;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+index 40fb7167..7238491b 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+@@ -46,6 +46,7 @@ enum LocationKind {
+     DirectArgumentsLoc,
+     GetterLoc,
+     GlobalVariableLoc,
++    EnumeratorNextUpdateIndexAndModeLoc,
+     HasIndexedPropertyLoc,
+     IndexedPropertyDoubleLoc,
+     IndexedPropertyDoubleSaneChainLoc,
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 10fcd0813a..f4b8456749 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-46700.patch \
            file://CVE-2023-23529.patch \
            file://CVE-2022-48503.patch \
+           file://CVE-2023-32439.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"