2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
new file mode 100644
index 0000000000..5c240011e0
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
@@ -0,0 +1,128 @@
+CVE: CVE-2023-32439
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
+From: Yijia Huang <yijia_huang@apple.com>
+Date: Wed, 10 May 2023 09:41:48 -0700
+Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
+ https://bugs.webkit.org/show_bug.cgi?id=256567
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
+    https://bugs.webkit.org/show_bug.cgi?id=256567
+    rdar://109089013
+    Reviewed by Yusuke Suzuki.
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
+    they might introduce the same heap location kind in DFGClobberize.h which might lead to
+    hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.
+    * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
+    (foo):
+    * Source/JavaScriptCore/dfg/DFGClobberize.h:
+    (JSC::DFG::clobberize):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
+    (WTF::printInternal):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:
+    Canonical link: https://commits.webkit.org/263909@main
+Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
+---
+ .../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++
+ Source/JavaScriptCore/dfg/DFGClobberize.h            |  7 ++++---
+ Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        |  4 ++++
+ Source/JavaScriptCore/dfg/DFGHeapLocation.h          |  1 +
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
+diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+new file mode 100644
+index 000000000000..ed40601ea37f
+--- /dev/null
+++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+@@ -0,0 +1,12 @@
+//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
+const arr = [0];
+
+function foo() {
+    for (let _ in arr) {
+        0 in arr;
+        while(1);
+    }
+}
+
+
+foo();
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index e4db64155316..5ec334787c0c 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -383,6 +383,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+ 
+         read(JSObject_butterfly);
+         ArrayMode mode = node->arrayMode();
+        LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
+         switch (mode.type()) {
+         case Array::ForceExit: {
+             write(SideState);
+@@ -392,7 +393,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedInt32Properties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -402,7 +403,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedDoubleProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -412,7 +413,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedContiguousProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+index 0661e5b826b7..698a6d4b6062 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind)
+         out.print("HasIndexedPorpertyLoc");
+         return;
+ 
+    case EnumeratorNextUpdateIndexAndModeLoc:
+        out.print("EnumeratorNextUpdateIndexAndModeLoc");
+        return;
+
+     case IndexedPropertyDoubleLoc:
+         out.print("IndexedPropertyDoubleLoc");
+         return;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+index 40fb71673284..7238491b02c9 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+@@ -46,6 +46,7 @@ enum LocationKind {
+     DirectArgumentsLoc,
+     GetterLoc,
+     GlobalVariableLoc,
+    EnumeratorNextUpdateIndexAndModeLoc,
+     HasIndexedPropertyLoc,
+     IndexedPropertyDoubleLoc,
+     IndexedPropertyDoubleSaneChainLoc,
+-- 
+2.34.1
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
index 5e8adf50fc..4cef133c19 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
           file://reproducibility.patch \
           file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
           file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
+           file://CVE-2023-32439.patch \
           "
 SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch new file mode 100644 index 0000000000..5c240011e0 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
@@ -0,0 +1,128 @@
		1	CVE: CVE-2023-32439
		2
		3	Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
		4
		5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		6
		7	From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
		8	From: Yijia Huang <yijia_huang@apple.com>
		9	Date: Wed, 10 May 2023 09:41:48 -0700
		10	Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
		11	https://bugs.webkit.org/show_bug.cgi?id=256567
		12
		13	EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
		14	https://bugs.webkit.org/show_bug.cgi?id=256567
		15	rdar://109089013
		16
		17	Reviewed by Yusuke Suzuki.
		18
		19	EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
		20	they might introduce the same heap location kind in DFGClobberize.h which might lead to
		21	hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.
		22
		23	* JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
		24	(foo):
		25	* Source/JavaScriptCore/dfg/DFGClobberize.h:
		26	(JSC::DFG::clobberize):
		27	* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
		28	(WTF::printInternal):
		29	* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
		30
		31	Canonical link: https://commits.webkit.org/263909@main
		32
		33	Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
		34	---
		35	.../stress/heap-location-collision-dfg-clobberize.js \| 12 ++++++++++++
		36	Source/JavaScriptCore/dfg/DFGClobberize.h \| 7 ++++---
		37	Source/JavaScriptCore/dfg/DFGHeapLocation.cpp \| 4 ++++
		38	Source/JavaScriptCore/dfg/DFGHeapLocation.h \| 1 +
		39	4 files changed, 21 insertions(+), 3 deletions(-)
		40	create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
		41
		42	diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js
		43	new file mode 100644
		44	index 000000000000..ed40601ea37f
		45	--- /dev/null
		46	+++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js
		47	@@ -0,0 +1,12 @@
		48	+//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
		49	+const arr = [0];
		50	+
		51	+function foo() {
		52	+ for (let _ in arr) {
		53	+ 0 in arr;
		54	+ while(1);
		55	+ }
		56	+}
		57	+
		58	+
		59	+foo();
		60	diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
		61	index e4db64155316..5ec334787c0c 100644
		62	--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
		63	+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
		64	@@ -383,6 +383,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
		65
		66	read(JSObject_butterfly);
		67	ArrayMode mode = node->arrayMode();
		68	+ LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
		69	switch (mode.type()) {
		70	case Array::ForceExit: {
		71	write(SideState);
		72	@@ -392,7 +393,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
		73	if (mode.isInBounds()) {
		74	read(Butterfly_publicLength);
		75	read(IndexedInt32Properties);
		76	- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		77	+ def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		78	return;
		79	}
		80	break;
		81	@@ -402,7 +403,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
		82	if (mode.isInBounds()) {
		83	read(Butterfly_publicLength);
		84	read(IndexedDoubleProperties);
		85	- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		86	+ def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		87	return;
		88	}
		89	break;
		90	@@ -412,7 +413,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
		91	if (mode.isInBounds()) {
		92	read(Butterfly_publicLength);
		93	read(IndexedContiguousProperties);
		94	- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		95	+ def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
		96	return;
		97	}
		98	break;
		99	diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
		100	index 0661e5b826b7..698a6d4b6062 100644
		101	--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
		102	+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
		103	@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind)
		104	out.print("HasIndexedPorpertyLoc");
		105	return;
		106
		107	+ case EnumeratorNextUpdateIndexAndModeLoc:
		108	+ out.print("EnumeratorNextUpdateIndexAndModeLoc");
		109	+ return;
		110	+
		111	case IndexedPropertyDoubleLoc:
		112	out.print("IndexedPropertyDoubleLoc");
		113	return;
		114	diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
		115	index 40fb71673284..7238491b02c9 100644
		116	--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
		117	+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
		118	@@ -46,6 +46,7 @@ enum LocationKind {
		119	DirectArgumentsLoc,
		120	GetterLoc,
		121	GlobalVariableLoc,
		122	+ EnumeratorNextUpdateIndexAndModeLoc,
		123	HasIndexedPropertyLoc,
		124	IndexedPropertyDoubleLoc,
		125	IndexedPropertyDoubleSaneChainLoc,
		126	--
		127	2.34.1
		128


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb index 5e8adf50fc..4cef133c19 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
14	file://reproducibility.patch \	14	file://reproducibility.patch \
15	file://0d3344e17d258106617b0e6d783d073b188a2548.patch \	15	file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
16	file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \	16	file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
		17	file://CVE-2023-32439.patch \
17	"	18	"
18	SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"	19	SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"
19		20