[webkit-changes] [WebKit/WebKit] cae26b: GC can run during B3::generate now, causing UAF in...

Fri Jan 5 15:21:40 PST 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cae26b36ccb9cf7c1e507b01dd8537efabd12194
      https://github.com/WebKit/WebKit/commit/cae26b36ccb9cf7c1e507b01dd8537efabd12194
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    A JSTests/stress/gc-b3.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp

  Log Message:
  -----------
  GC can run during B3::generate now, causing UAF in patchpoints
https://bugs.webkit.org/show_bug.cgi?id=267112
rdar://120195529

Reviewed by Yusuke Suzuki.

Consider what happens when GC runs here:
{
    SetForScope disallowFreeze { state.graph.m_frozenValuesAreFinalized, true };
    GraphSafepoint safepoint(state.graph, safepointResult);

    // HERE

    B3::generate(*state.proc, jit);
}

We can see our global object and a bunch of plan state get collected.

Inside FTLLowerDFGToB3, we read the following pointers:

```
jit.codeBlock()->globalObjectFor(semanticNodeOrigin)
codeBlock()->inferredName() / hash(), which read ownerExecutable()
state->jitCode
``

The first case is fixed by this patch. The second case only happens when
dumping code. The third is not managed by the GC.

It is possible that we read more, but these were the cases that jumped out
to me.

We just add an early return to globalObjectFor to avoid reading the
freed value.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::globalObjectFor):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
* Source/JavaScriptCore/ftl/FTLCompile.cpp:
(JSC::FTL::compile):

Canonical link: https://commits.webkit.org/272710@main