[webkit-changes] [WebKit/WebKit] cae26b: GC can run during B3::generate now, causing UAF in...
Justin Michaud
noreply at github.com
Fri Jan 5 15:21:40 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cae26b36ccb9cf7c1e507b01dd8537efabd12194
https://github.com/WebKit/WebKit/commit/cae26b36ccb9cf7c1e507b01dd8537efabd12194
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2024-01-05 (Fri, 05 Jan 2024)
Changed paths:
A JSTests/stress/gc-b3.js
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/dfg/DFGPlan.cpp
Log Message:
-----------
GC can run during B3::generate now, causing UAF in patchpoints
https://bugs.webkit.org/show_bug.cgi?id=267112
rdar://120195529
Reviewed by Yusuke Suzuki.
Consider what happens when GC runs here:
```cpp
{
    SetForScope disallowFreeze { state.graph.m_frozenValuesAreFinalized, true };
    GraphSafepoint safepoint(state.graph, safepointResult);
    // HERE
    B3::generate(*state.proc, jit);
}
```
We can see our global object and a bunch of plan state get collected.
Inside FTLLowerDFGToB3, we read the following pointers:
```
jit.codeBlock()->globalObjectFor(semanticNodeOrigin)
codeBlock()->inferredName() / hash(), which read ownerExecutable()
state->jitCode
```
The first case is fixed by this patch. The second case only happens when
dumping code. The third is not managed by the GC.
It is possible that we read more, but these were the cases that jumped out
to me.
We just add an early return to globalObjectFor to avoid reading the
freed value.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::globalObjectFor):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
* Source/JavaScriptCore/ftl/FTLCompile.cpp:
(JSC::FTL::compile):
Canonical link: https://commits.webkit.org/272710@main