2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
new file mode 100644
index 0000000000..0752b9c0e2
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
@@ -0,0 +1,136 @@
+From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001
+From: Justin Michaud <justin_michaud@apple.com>
+Date: Wed, 9 Nov 2022 19:20:41 -0800
+Subject: [PATCH] Error() ICs should not cache special properties.
+ https://bugs.webkit.org/show_bug.cgi?id=247699
+Reviewed by Yusuke Suzuki.
+HasOwnProperty/DeleteProperty are not always cacheable for special Error()
+properties like column. These special properties are materialized on-demand
+in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
+by Error.stackTraceLimit without causing a structure transition or firing watchpoints.
+That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic
+for a given structure if we are using one of these properties.
+* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
+(JSC::ErrorInstance::deleteProperty):
+* Source/JavaScriptCore/runtime/ErrorInstance.h:
+Canonical link: https://commits.webkit.org/256519@main
+CVE: CVE-2022-46699
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ JSTests/stress/delete-cache-error.js          | 19 ++++++++++++++++++
+ .../get-own-property-slot-cache-error.js      |  6 ++++++
+ JSTests/stress/get-property-cache-error.js    | 20 +++++++++++++++++++
+ .../JavaScriptCore/runtime/ErrorInstance.cpp  |  4 +++-
+ Source/JavaScriptCore/runtime/ErrorInstance.h |  3 ++-
+ 5 files changed, 50 insertions(+), 2 deletions(-)
+ create mode 100644 JSTests/stress/delete-cache-error.js
+ create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js
+ create mode 100644 JSTests/stress/get-property-cache-error.js
+diff --git a/JSTests/stress/delete-cache-error.js b/JSTests/stress/delete-cache-error.js
+new file mode 100644
+index 000000000000..d77c09185a13
+--- /dev/null
+++ b/JSTests/stress/delete-cache-error.js
+@@ -0,0 +1,19 @@
+delete Error.stackTraceLimit
+
+// sourceURL is not materialized
+function cacheColumn(o) {
+    delete o.sourceURL
+}
+noInline(cacheColumn)
+
+for (let i = 0; i < 200; ++i) {
+    let e = Error()
+    cacheColumn(e)
+    if (e.sourceURL !== undefined)
+        throw "Test failed on iteration " + i + " " + e.sourceURL
+
+    if (i == 197) {
+        // now it is
+        Error.stackTraceLimit = 10
+    }
+}
+\ No newline at end of file
+diff --git a/JSTests/stress/get-own-property-slot-cache-error.js b/JSTests/stress/get-own-property-slot-cache-error.js
+new file mode 100644
+index 000000000000..f8202213bf79
+--- /dev/null
+++ b/JSTests/stress/get-own-property-slot-cache-error.js
+@@ -0,0 +1,6 @@
+delete Error.stackTraceLimit
+// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
+Object.hasOwn(Error(), "column")
+Error.stackTraceLimit = 10
+// Now it does
+Object.hasOwn(Error(), "column")
+\ No newline at end of file
+diff --git a/JSTests/stress/get-property-cache-error.js b/JSTests/stress/get-property-cache-error.js
+new file mode 100644
+index 000000000000..b35272ea6fe2
+--- /dev/null
+++ b/JSTests/stress/get-property-cache-error.js
+@@ -0,0 +1,20 @@
+// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
+delete Error.stackTraceLimit
+expected = undefined
+
+function cacheColumn(o) {
+    return o.column
+}
+noInline(cacheColumn)
+
+for (let i = 0; i < 1000; ++i) {
+    let val = cacheColumn(Error())
+    if (val !== expected)
+        throw "Test failed on iteration " + i + ": " + val
+
+    if (i == 900) {
+        // now it does
+        Error.stackTraceLimit = 10
+        expected = 32
+    }
+}
+\ No newline at end of file
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+index ddf96869e84a..8e5373257d34 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P
+ {
+     VM& vm = globalObject->vm();
+     ErrorInstance* thisObject = jsCast<ErrorInstance*>(cell);
+-    thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
+    bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
+    if (materializedProperties)
+        slot.disableCaching();
+     return Base::deleteProperty(thisObject, globalObject, propertyName, slot);
+ }
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h
+index 28807b4ea33e..2afb153a7442 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.h
+++ b/Source/JavaScriptCore/runtime/ErrorInstance.h
+@@ -30,7 +30,8 @@ namespace JSC {
+ class ErrorInstance : public JSNonFinalObject {
+ public:
+     using Base = JSNonFinalObject;
+-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
+
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut | GetOwnPropertySlotIsImpureForPropertyAbsence;
+     static constexpr bool needsDestruction = true;
+     static void destroy(JSCell* cell)
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 02258f84e4..8f6514a82b 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-32888.patch \
           file://CVE-2022-32923.patch \
           file://CVE-2022-46691.patch \
+           file://CVE-2022-46699.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch new file mode 100644 index 0000000000..0752b9c0e2 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
@@ -0,0 +1,136 @@
		1	From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001
		2	From: Justin Michaud <justin_michaud@apple.com>
		3	Date: Wed, 9 Nov 2022 19:20:41 -0800
		4	Subject: [PATCH] Error() ICs should not cache special properties.
		5	https://bugs.webkit.org/show_bug.cgi?id=247699
		6
		7	Reviewed by Yusuke Suzuki.
		8
		9	HasOwnProperty/DeleteProperty are not always cacheable for special Error()
		10	properties like column. These special properties are materialized on-demand
		11	in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
		12	by Error.stackTraceLimit without causing a structure transition or firing watchpoints.
		13
		14	That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic
		15	for a given structure if we are using one of these properties.
		16
		17	* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
		18	(JSC::ErrorInstance::deleteProperty):
		19	* Source/JavaScriptCore/runtime/ErrorInstance.h:
		20
		21	Canonical link: https://commits.webkit.org/256519@main
		22
		23	CVE: CVE-2022-46699
		24
		25	Upstream-Status: Backport
		26	[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68]
		27
		28	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		29	---
		30	JSTests/stress/delete-cache-error.js \| 19 ++++++++++++++++++
		31	.../get-own-property-slot-cache-error.js \| 6 ++++++
		32	JSTests/stress/get-property-cache-error.js \| 20 +++++++++++++++++++
		33	.../JavaScriptCore/runtime/ErrorInstance.cpp \| 4 +++-
		34	Source/JavaScriptCore/runtime/ErrorInstance.h \| 3 ++-
		35	5 files changed, 50 insertions(+), 2 deletions(-)
		36	create mode 100644 JSTests/stress/delete-cache-error.js
		37	create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js
		38	create mode 100644 JSTests/stress/get-property-cache-error.js
		39
		40	diff --git a/JSTests/stress/delete-cache-error.js b/JSTests/stress/delete-cache-error.js
		41	new file mode 100644
		42	index 000000000000..d77c09185a13
		43	--- /dev/null
		44	+++ b/JSTests/stress/delete-cache-error.js
		45	@@ -0,0 +1,19 @@
		46	+delete Error.stackTraceLimit
		47	+
		48	+// sourceURL is not materialized
		49	+function cacheColumn(o) {
		50	+ delete o.sourceURL
		51	+}
		52	+noInline(cacheColumn)
		53	+
		54	+for (let i = 0; i < 200; ++i) {
		55	+ let e = Error()
		56	+ cacheColumn(e)
		57	+ if (e.sourceURL !== undefined)
		58	+ throw "Test failed on iteration " + i + " " + e.sourceURL
		59	+
		60	+ if (i == 197) {
		61	+ // now it is
		62	+ Error.stackTraceLimit = 10
		63	+ }
		64	+}
		65	\ No newline at end of file
		66	diff --git a/JSTests/stress/get-own-property-slot-cache-error.js b/JSTests/stress/get-own-property-slot-cache-error.js
		67	new file mode 100644
		68	index 000000000000..f8202213bf79
		69	--- /dev/null
		70	+++ b/JSTests/stress/get-own-property-slot-cache-error.js
		71	@@ -0,0 +1,6 @@
		72	+delete Error.stackTraceLimit
		73	+// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
		74	+Object.hasOwn(Error(), "column")
		75	+Error.stackTraceLimit = 10
		76	+// Now it does
		77	+Object.hasOwn(Error(), "column")
		78	\ No newline at end of file
		79	diff --git a/JSTests/stress/get-property-cache-error.js b/JSTests/stress/get-property-cache-error.js
		80	new file mode 100644
		81	index 000000000000..b35272ea6fe2
		82	--- /dev/null
		83	+++ b/JSTests/stress/get-property-cache-error.js
		84	@@ -0,0 +1,20 @@
		85	+// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
		86	+delete Error.stackTraceLimit
		87	+expected = undefined
		88	+
		89	+function cacheColumn(o) {
		90	+ return o.column
		91	+}
		92	+noInline(cacheColumn)
		93	+
		94	+for (let i = 0; i < 1000; ++i) {
		95	+ let val = cacheColumn(Error())
		96	+ if (val !== expected)
		97	+ throw "Test failed on iteration " + i + ": " + val
		98	+
		99	+ if (i == 900) {
		100	+ // now it does
		101	+ Error.stackTraceLimit = 10
		102	+ expected = 32
		103	+ }
		104	+}
		105	\ No newline at end of file
		106	diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
		107	index ddf96869e84a..8e5373257d34 100644
		108	--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
		109	+++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
		110	@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P
		111	{
		112	VM& vm = globalObject->vm();
		113	ErrorInstance* thisObject = jsCast<ErrorInstance*>(cell);
		114	- thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
		115	+ bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
		116	+ if (materializedProperties)
		117	+ slot.disableCaching();
		118	return Base::deleteProperty(thisObject, globalObject, propertyName, slot);
		119	}
		120
		121	diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h
		122	index 28807b4ea33e..2afb153a7442 100644
		123	--- a/Source/JavaScriptCore/runtime/ErrorInstance.h
		124	+++ b/Source/JavaScriptCore/runtime/ErrorInstance.h
		125	@@ -30,7 +30,8 @@ namespace JSC {
		126	class ErrorInstance : public JSNonFinalObject {
		127	public:
		128	using Base = JSNonFinalObject;
		129	- static constexpr unsigned StructureFlags = Base::StructureFlags \| OverridesGetOwnPropertySlot \| OverridesGetOwnSpecialPropertyNames \| OverridesPut;
		130	+
		131	+ static constexpr unsigned StructureFlags = Base::StructureFlags \| OverridesGetOwnPropertySlot \| OverridesGetOwnSpecialPropertyNames \| OverridesPut \| GetOwnPropertySlotIsImpureForPropertyAbsence;
		132	static constexpr bool needsDestruction = true;
		133
		134	static void destroy(JSCell* cell)
		135	--
		136	2.40.0


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 02258f84e4..8f6514a82b 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
18	file://CVE-2022-32888.patch \	18	file://CVE-2022-32888.patch \
19	file://CVE-2022-32923.patch \	19	file://CVE-2022-32923.patch \
20	file://CVE-2022-46691.patch \	20	file://CVE-2022-46691.patch \
		21	file://CVE-2022-46699.patch \
21	"	22	"
22	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	23	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
23		24