[webkit-changes] [WebKit/WebKit] aac4cb: ARM64EHash should be using the PAC DA key instead ...
Yusuke Suzuki
noreply at github.com
Thu Dec 14 17:57:57 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: aac4cb050d4e9641f427de285f145034c317456f
https://github.com/WebKit/WebKit/commit/aac4cb050d4e9641f427de285f145034c317456f
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/JavaScriptCore/assembler/AssemblerBuffer.h
M Source/WTF/wtf/PtrTag.h
Log Message:
-----------
ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398
Reviewed by Justin Michaud.
Currently, it uses the PAC DB key. However, the PAC DB key is already used by the
PACCage for protecting TypedArray vector pointers. Using the PAC DA key instead would
ensure that there is no collision between the "namespace"s of PACCage pointers and
ARM64EHash intermediate values.
* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):
Originally-landed-as: 267815.228 at safari-7617-branch (4eda4ebd52c1). rdar://119592222
Canonical link: https://commits.webkit.org/272087@main
Commit: 3a900e192fe7c22dccc007fde344d3a373476175
https://github.com/WebKit/WebKit/commit/3a900e192fe7c22dccc007fde344d3a373476175
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M LayoutTests/fast/storage/serialized-script-value.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413
Reviewed by Keith Miller, Sihui Liu and Chris Dumez.
CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of
the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD,
which is less than MAX_ARRAY_INDEX (0xFFFFFFFE), i.e. an index of 0xFFFFFFFD can be confused for the
NonIndexPropertiesTag, resulting in type confusion.
This patch changes the structure of a serialized Array to always terminate its indexed property section
with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another
TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the
presence of a non-indexed properties section. The presence of a TerminatorTag immediately after the
1st TerminatorTag indicates that the non-indexed properties section is empty.
Also updated the comment describing the shape of a serialized Array, and rebased a test.
* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):
Originally-landed-as: 267815.202 at safari-7617-branch (401705903095). rdar://119592509
Canonical link: https://commits.webkit.org/272088@main
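The tag collision described in the commit above, as an added illustration that is not WebCore code: it models the old and new array layouts on a constructed, simplified token stream (one uint32 per token, uint32 values and uint32 property-key ids, no length prefix or type tags), using only the tag values quoted in the commit message. The old decoder misreads a legitimate index 0xFFFFFFFD as the end of the indexed section and then decodes the element as a named property; the new decoder ends the indexed section on TerminatorTag, which lies outside the index range.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <vector>

// Tag values as stated in the commit message; the token layout below is a
// constructed simplification, not WebCore's CloneSerializer wire format.
constexpr uint32_t TerminatorTag         = 0xFFFFFFFF;
constexpr uint32_t NonIndexPropertiesTag = 0xFFFFFFFD;
constexpr uint32_t MaxArrayIndex         = 0xFFFFFFFE;

// Compile-time statement of the commit's point: the old terminator is a valid index,
// the new one is not.
static_assert(NonIndexPropertiesTag <= MaxArrayIndex, "old scheme: tag lies inside the index range");
static_assert(TerminatorTag > MaxArrayIndex, "new scheme: terminator lies outside the index range");

using Props = std::map<uint32_t, uint32_t>;

struct DecodedArray {
    Props indexed;  // array index -> value
    Props named;    // property-key id -> value (non-index properties)
};

// Old layout: (index, value)* NonIndexPropertiesTag (key, value)* TerminatorTag
std::vector<uint32_t> serializeOld(const Props& indexed, const Props& named) {
    std::vector<uint32_t> out;
    for (auto [i, v] : indexed) { out.push_back(i); out.push_back(v); }
    out.push_back(NonIndexPropertiesTag);
    for (auto [k, v] : named) { out.push_back(k); out.push_back(v); }
    out.push_back(TerminatorTag);
    return out;
}

// New layout: (index, value)* TerminatorTag [NonIndexPropertiesTag (key, value)*] TerminatorTag
std::vector<uint32_t> serializeNew(const Props& indexed, const Props& named) {
    std::vector<uint32_t> out;
    for (auto [i, v] : indexed) { out.push_back(i); out.push_back(v); }
    out.push_back(TerminatorTag);
    if (!named.empty()) {
        out.push_back(NonIndexPropertiesTag);
        for (auto [k, v] : named) { out.push_back(k); out.push_back(v); }
    }
    out.push_back(TerminatorTag);
    return out;
}

// Reads (key, value) pairs into `into` until the `stop` token; false on truncated input.
static bool readPairs(const std::vector<uint32_t>& in, size_t& pos, uint32_t stop, Props& into) {
    while (true) {
        if (pos >= in.size()) return false;
        uint32_t key = in[pos++];
        if (key == stop) return true;
        if (pos >= in.size()) return false;
        into[key] = in[pos++];
    }
}

// Old decoder: the indexed section ends at the first 0xFFFFFFFD token, so an element
// stored at index 0xFFFFFFFD is taken for the tag and its value re-read as a key.
std::optional<DecodedArray> deserializeOld(const std::vector<uint32_t>& in) {
    DecodedArray d;
    size_t pos = 0;
    if (!readPairs(in, pos, NonIndexPropertiesTag, d.indexed)) return std::nullopt;
    if (!readPairs(in, pos, TerminatorTag, d.named)) return std::nullopt;
    return d;
}

// New decoder: the indexed section always ends at TerminatorTag (never a valid index);
// the next token must be NonIndexPropertiesTag (section follows) or TerminatorTag (empty).
std::optional<DecodedArray> deserializeNew(const std::vector<uint32_t>& in) {
    DecodedArray d;
    size_t pos = 0;
    if (!readPairs(in, pos, TerminatorTag, d.indexed)) return std::nullopt;
    if (pos >= in.size()) return std::nullopt;
    uint32_t tag = in[pos++];
    if (tag == TerminatorTag) return d;
    if (tag != NonIndexPropertiesTag) return std::nullopt;
    if (!readPairs(in, pos, TerminatorTag, d.named)) return std::nullopt;
    return d;
}

int main() {
    Props indexed = {{0xFFFFFFFDu, 42}};   // constructed: one element at index 0xFFFFFFFD
    auto oldD = deserializeOld(serializeOld(indexed, {}));
    auto newD = deserializeNew(serializeNew(indexed, {}));
    std::printf("old layout: %zu indexed, %zu named\n", oldD->indexed.size(), oldD->named.size());
    std::printf("new layout: %zu indexed, %zu named\n", newD->indexed.size(), newD->named.size());
    return 0;
}
```

Running it prints "old layout: 0 indexed, 1 named" and "new layout: 1 indexed, 0 named": the same element lands in a different property table depending on the layout, which is the confusion the new TerminatorTag-first structure removes.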
Commit: 71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
https://github.com/WebKit/WebKit/commit/71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/cssom/crash-font-family-invalid-expected.html
A LayoutTests/cssom/crash-font-family-invalid.html
M Source/WebCore/style/StyleBuilderCustom.h
Log Message:
-----------
jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
https://bugs.webkit.org/show_bug.cgi?id=262487
rdar://115283280
Reviewed by Chris Dumez.
An invalid CSS value for the CSS "Font-family" property has to be handled by returning instead of causing an ASSERT.
Test: cssom/crash-font-family-invalid.html
* Source/WebCore/style/StyleBuilderCustom.h:
(BuilderCustom::applyValueFontFamily): Replaced 'ASSERT' with 'return' while handling "Font-family" property.
* LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
* LayoutTests/cssom/crash-font-family-invalid.html: Added test case.
Originally-landed-as: 267815.169 at safari-7617-branch (6834321e777d). rdar://119592492
Canonical link: https://commits.webkit.org/272089@main
Commit: f97d0403a8c4581558a9fd80424f4c404f090f19
https://github.com/WebKit/WebKit/commit/f97d0403a8c4581558a9fd80424f4c404f090f19
Author: Alan Baradlay <zalan at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt
A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html
M Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp
Log Message:
-----------
[IFC] An opaque inline item should never be an overflowing run candidate
https://bugs.webkit.org/show_bug.cgi?id=262341
<rdar://115867974>
Reviewed by Simon Fraser.
An opaque inline item (e.g. out-of-flow box) should never be considered as the _overflowing_ run.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt: Added.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp:
(WebCore::Layout::InlineContentBreaker::tryHyphenationAcrossOverflowingInlineTextItems const):
(WebCore::Layout::InlineContentBreaker::processOverflowingContentWithText const):
Originally-landed-as: 267815.121 at safari-7617-branch (e5a35fa9d60b). rdar://119593365
Canonical link: https://commits.webkit.org/272090@main
Commit: 409d5d995c040906e77e23376d2a61ceedb50206
https://github.com/WebKit/WebKit/commit/409d5d995c040906e77e23376d2a61ceedb50206
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
[JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654
Reviewed by Mark Lam.
This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.
This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized
data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker
is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now
as an extra safety.
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
Originally-landed-as: 267815.120 at safari-7617-branch (ac9f4e07603c). rdar://119594133
Canonical link: https://commits.webkit.org/272091@main
Compare: https://github.com/WebKit/WebKit/compare/cb966fb5714c...409d5d995c04