[webkit-changes] [WebKit/WebKit] aac4cb: ARM64EHash should be using the PAC DA key instead ...

Thu Dec 14 17:57:57 PST 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: aac4cb050d4e9641f427de285f145034c317456f
      https://github.com/WebKit/WebKit/commit/aac4cb050d4e9641f427de285f145034c317456f
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/assembler/AssemblerBuffer.h
    M Source/WTF/wtf/PtrTag.h

  Log Message:
  -----------
  ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398

Reviewed by Justin Michaud.

Currently, it uses the PAC DB key.  However, the PAC DB key is already used by for the
PACCage for protecting TypedArray vector pointers.  Using the PAC DA key instead would
ensure that there is no collision between the "namespace"s of PACCage pointers and
ARM64EHash intermediate values.

* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):

Originally-landed-as: 267815.228 at safari-7617-branch (4eda4ebd52c1). rdar://119592222
Canonical link: https://commits.webkit.org/272087@main

  Commit: 3a900e192fe7c22dccc007fde344d3a373476175
      https://github.com/WebKit/WebKit/commit/3a900e192fe7c22dccc007fde344d3a373476175
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M LayoutTests/fast/storage/serialized-script-value.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413

Reviewed by Keith Miller, Sihui Liu and Chris Dumez.

CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of
the indexed property section of an Array.  However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD,
which is less than MAX_ARRAY_INDEX (0xFFFFFFFE) i.e. an index of 0xFFFFFFFD can be confused for the
NonIndexPropertiesTag, resulting type confusion.

This patch changes the structure of a serialized Array to always terminate its indexed property section
with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another
TerminatorTag.  The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the
presence of a non-indexed properties section.  The presense of a TerminatorTag immediately after the
1st TerminatorTag indicates that the non-indexed properties section is empty.

Also updated the comment describing the shape of a serialized Array, and rebased a test.

* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):

Originally-landed-as: 267815.202 at safari-7617-branch (401705903095). rdar://119592509
Canonical link: https://commits.webkit.org/272088@main

  Commit: 71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
      https://github.com/WebKit/WebKit/commit/71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    A LayoutTests/cssom/crash-font-family-invalid-expected.html
    A LayoutTests/cssom/crash-font-family-invalid.html
    M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  -----------
  jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
https://bugs.webkit.org/show_bug.cgi?id=262487
rdar://115283280

Reviewed by Chris Dumez.

Invalid CSS value for CSS "Font-family" property has to be handled by returning instead of causing ASSERT.

Test: cssom/crash-font-family-invalid.html

* Source/WebCore/style/StyleBuilderCustom.h:
  (BuilderCustom::applyValueFontFamily) : Replaced 'ASSERT' with 'return' while handling "Font-family" property.
* LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
* LayoutTests/cssom/crash-font-family-invalid.html: Added test case.

Originally-landed-as: 267815.169 at safari-7617-branch (6834321e777d). rdar://119592492
Canonical link: https://commits.webkit.org/272089@main

  Commit: f97d0403a8c4581558a9fd80424f4c404f090f19
      https://github.com/WebKit/WebKit/commit/f97d0403a8c4581558a9fd80424f4c404f090f19
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt
    A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html
    M Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp

  Log Message:
  -----------
  [IFC] An opaque inline item should never be an overflowing run candidate
https://bugs.webkit.org/show_bug.cgi?id=262341
<rdar://115867974>

Reviewed by Simon Fraser.

An opaque inline item (e.g. out-of-flow box) should never be considered as the _overflowing_ run.

* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt: Added.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp:
(WebCore::Layout::InlineContentBreaker::tryHyphenationAcrossOverflowingInlineTextItems const):
(WebCore::Layout::InlineContentBreaker::processOverflowingContentWithText const):

Originally-landed-as: 267815.121 at safari-7617-branch (e5a35fa9d60b). rdar://119593365
Canonical link: https://commits.webkit.org/272090@main

  Commit: 409d5d995c040906e77e23376d2a61ceedb50206
      https://github.com/WebKit/WebKit/commit/409d5d995c040906e77e23376d2a61ceedb50206
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/ArrayBufferView.h
    M Source/JavaScriptCore/runtime/DataView.cpp
    M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSDataView.cpp
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

  Log Message:
  -----------
  [JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654

Reviewed by Mark Lam.

This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.
This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized
data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker
is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now
as an extra safety.

* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):

Originally-landed-as: 267815.120 at safari-7617-branch (ac9f4e07603c). rdar://119594133
Canonical link: https://commits.webkit.org/272091@main

Compare: https://github.com/WebKit/WebKit/compare/cb966fb5714c...409d5d995c04