2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch
new file mode 100644
index 0000000000..f2e9808ab4
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2023-23529
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c]
+With the help from webkit maillist, backport and rebase patch to fix
+CVE-2023-23529.
+https://lists.webkit.org/pipermail/webkit-gtk/2023-August/003931.html
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 6cc943c3323a1a1368934c812e5e8ec08f54dcd4 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Fri, 17 Feb 2023 10:39:19 -0800
+Subject: [PATCH] Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92).
+ rdar://105598149
+    [JSC] ToThis object folding should check if AbstractValue is always an object
+    https://bugs.webkit.org/show_bug.cgi?id=251944
+    rdar://105175786
+    Reviewed by Geoffrey Garen and Mark Lam.
+    ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
+    This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
+    This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
+    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::isToThisAnIdentity):
+    Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
+Canonical link: https://commits.webkit.org/260455@main
+---
+ .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h   | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+index 928328ffab826..82481455e651d 100644
+--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+         }
+     }
+ 
+-    if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
+    bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
+    if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
+         bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
+         bool overridesToThis = false;
+         valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
+@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+             // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
+             allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
+         });
+
+        // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
+         if (!overridesToThis)
+             return ToThisResult::Identity;
+-        if (allStructuresAreJSScope) {
+
+        // But this folding is available only if input is always an object.
+        if (onlyObjects && allStructuresAreJSScope) {
+             if (ecmaMode.isStrict())
+                 return ToThisResult::Undefined;
+             return ToThisResult::GlobalThis;
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index edd64b7b11..20f475bebd 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-46699.patch \
           file://CVE-2022-42867.patch \
           file://CVE-2022-46700.patch \
+           file://CVE-2023-23529.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch new file mode 100644 index 0000000000..f2e9808ab4 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch
@@ -0,0 +1,65 @@
		1	CVE: CVE-2023-23529
		2	Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c]
		3
		4	With the help from webkit maillist, backport and rebase patch to fix
		5	CVE-2023-23529.
		6
		7	https://lists.webkit.org/pipermail/webkit-gtk/2023-August/003931.html
		8
		9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		10
		11	From 6cc943c3323a1a1368934c812e5e8ec08f54dcd4 Mon Sep 17 00:00:00 2001
		12	From: Yusuke Suzuki <ysuzuki@apple.com>
		13	Date: Fri, 17 Feb 2023 10:39:19 -0800
		14	Subject: [PATCH] Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92).
		15	rdar://105598149
		16
		17	[JSC] ToThis object folding should check if AbstractValue is always an object
		18	https://bugs.webkit.org/show_bug.cgi?id=251944
		19	rdar://105175786
		20
		21	Reviewed by Geoffrey Garen and Mark Lam.
		22
		23	ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
		24	This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
		25	This patch adds appropriate checks to prevent from converting ToThis(GlobalObject \| Int32) to Undefined for example.
		26
		27	* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
		28	(JSC::DFG::isToThisAnIdentity):
		29
		30	Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
		31
		32	Canonical link: https://commits.webkit.org/260455@main
		33	---
		34	.../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h \| 9 +++++++--
		35	1 file changed, 7 insertions(+), 2 deletions(-)
		36
		37	diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
		38	index 928328ffab826..82481455e651d 100644
		39	--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
		40	+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
		41	@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
		42	}
		43	}
		44
		45	- if ((ecmaMode.isStrict() \|\| (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
		46	+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
		47	+ if ((ecmaMode.isStrict() \|\| onlyObjects) && valueForNode.m_structure.isFinite()) {
		48	bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
		49	bool overridesToThis = false;
		50	valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
		51	@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
		52	// If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
		53	allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
		54	});
		55	+
		56	+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
		57	if (!overridesToThis)
		58	return ToThisResult::Identity;
		59	- if (allStructuresAreJSScope) {
		60	+
		61	+ // But this folding is available only if input is always an object.
		62	+ if (onlyObjects && allStructuresAreJSScope) {
		63	if (ecmaMode.isStrict())
		64	return ToThisResult::Undefined;
		65	return ToThisResult::GlobalThis;


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index edd64b7b11..20f475bebd 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
21	file://CVE-2022-46699.patch \	21	file://CVE-2022-46699.patch \
22	file://CVE-2022-42867.patch \	22	file://CVE-2022-42867.patch \
23	file://CVE-2022-46700.patch \	23	file://CVE-2022-46700.patch \
		24	file://CVE-2023-23529.patch \
24	"	25	"
25	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	26	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
26		27