[webkit-changes] [WebKit/WebKit] cf373f: Fix WASM inlining UAF
Justin Michaud
noreply at github.com
Tue Mar 7 20:58:25 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cf373f0fc0d0c70de65eba6b01a49665edb2dc2c
https://github.com/WebKit/WebKit/commit/cf373f0fc0d0c70de65eba6b01a49665edb2dc2c
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-03-07 (Tue, 07 Mar 2023)
Changed paths:
M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
Log Message:
-----------
Fix WASM inlining UAF
https://bugs.webkit.org/show_bug.cgi?id=253550
rdar://106390154
Reviewed by Yusuke Suzuki.
B3IRGenerator cannot be stored in a Vector because its pointer needs
to be protected against moving.
This is caught by simple-inline-exception-inlinee-catch-with-tag-arg.wat
in asan, aggressive-inline mode.
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitInlineDirectCall):
Canonical link: https://commits.webkit.org/261357@main
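The commit message gives the root cause in one sentence: an object whose address has been handed out must not live by value inside a Vector, because growing the Vector reallocates and moves its elements, leaving every previously handed-out pointer pointing at freed memory. The following is an added illustration of that failure mode and of the usual remedy (own each object on the heap and keep only the owning pointer in the container). It is constructed for this page and is not code from the WebKit commit; std::vector stands in for WTF::Vector, which reallocates the same way, and the Generator and Registry names are hypothetical stand-ins for B3IRGenerator and whatever retains its address during inlining.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for a generator object that hands out its own
// address (for example to a caller/inlinee link) and later expects that
// address to remain valid.
struct Generator {
    int id;
    explicit Generator(int i) : id(i) {}
    Generator* self() { return this; }
};

// Hypothetical holder for the raw pointers the generators handed out.
struct Registry {
    std::vector<Generator*> handedOut;
};

// Unsafe pattern: generators stored by value in a vector. Once a push exceeds
// capacity, the vector allocates a new buffer, move-constructs every element
// into it and frees the old buffer, so each pointer handed out earlier now
// refers to freed memory. Returns true if any registered pointer no longer
// matches its element's current address. The stale pointers are only
// compared, never dereferenced; dereferencing one would be the use-after-free
// that ASan reports.
bool vectorStorageInvalidatesPointers(std::size_t inlineDepth) {
    std::vector<Generator> generators;
    Registry reg;
    generators.reserve(1); // tiny starting capacity so reallocation happens early
    for (std::size_t i = 0; i < inlineDepth; ++i) {
        generators.emplace_back(static_cast<int>(i));
        reg.handedOut.push_back(generators.back().self());
    }
    for (std::size_t i = 0; i < inlineDepth; ++i) {
        if (reg.handedOut[i] != &generators[i])
            return true; // pointer handed out before a reallocation is now stale
    }
    return false;
}

// Safe pattern: heap-allocate each generator and store only the owning
// pointer. Reallocation moves the unique_ptr handles, not the objects, so
// every address handed out stays valid until the owning vector releases it.
bool uniquePtrStoragePreservesPointers(std::size_t inlineDepth) {
    std::vector<std::unique_ptr<Generator>> generators;
    Registry reg;
    generators.reserve(1);
    for (std::size_t i = 0; i < inlineDepth; ++i) {
        generators.push_back(std::make_unique<Generator>(static_cast<int>(i)));
        reg.handedOut.push_back(generators.back()->self());
    }
    for (std::size_t i = 0; i < inlineDepth; ++i) {
        if (reg.handedOut[i] != generators[i].get())
            return false;
    }
    return true;
}
```

With a single element nothing reallocates and the by-value vector looks fine, which is why bugs of this shape surface only once inlining nests deeply enough (here, the aggressive-inline configuration the message mentions) and why an ASan run of the failing .wat test is the reliable check rather than code inspection alone.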