[webkit-changes] [WebKit/WebKit] ffd05a: Cherry-pick f442fbe222f3. rdar://126892345
Jonathan Bedard
noreply at github.com
Tue May 14 14:19:34 PDT 2024
Branch: refs/heads/safari-7619.1.9-branch
Home: https://github.com/WebKit/WebKit
Commit: ffd05add7e28cf537460af8531a565449f7d2451
https://github.com/WebKit/WebKit/commit/ffd05add7e28cf537460af8531a565449f7d2451
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-04-23 (Tue, 23 Apr 2024)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
M Source/JavaScriptCore/jit/ThunkGenerators.cpp
M Source/JavaScriptCore/llint/LLIntThunks.cpp
M Source/JavaScriptCore/runtime/Options.cpp
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/WTF/wtf/PtrTag.h
M Source/WebKit/WebProcess/WebProcess.cpp
M Tools/Scripts/run-jsc-stress-tests
Log Message:
-----------
Cherry-pick f442fbe222f3. rdar://126892345
Make it harder to get a PAC signing gadget in JIT code.
https://bugs.webkit.org/show_bug.cgi?id=272750
rdar://125596635
Reviewed by Yusuke Suzuki.
Right now, if an attacker can control where code is allocated, they can overlap code to create a PAC bypass.
This patch makes that harder (in the WebContent process) by only allowing pacibsp and pacizb. This means
that during arity fixup we now tag the return PC with pacizb. This is ok because we don't use the zero
diversifier for anything. For reifying inlined call frames during OSR exit, things are a bit more complicated.
First we have to be careful to only move signed return addresses into lr, then untag them there. Also, we have
to shuffle SP to point to where it would in the reified frame. This means that there is technically live data
below our SP, which on many OSes causes problems. Talking to our kernel folks, however, this isn't a problem
as long as we don't have any signal handlers or run lldb expressions in this window. We don't use signal
handlers in the WebContent process, and this patch tries to limit/document the window of JIT code where lldb
would trash the stack.
* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagPtr):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::AssemblyHelpers::transferReturnPC):
* Source/JavaScriptCore/jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WTF/wtf/PtrTag.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::initializeProcess):
* Tools/Scripts/run-jsc-stress-tests:
Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch
Canonical link: https://commits.webkit.org/277149.25@safari-7619.1.9-branch
Commit: ab614cf472c0e019cbacff20ae26ed05544e50e1
https://github.com/WebKit/WebKit/commit/ab614cf472c0e019cbacff20ae26ed05544e50e1
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-04-23 (Tue, 23 Apr 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7619.1.9.4
Canonical link: https://commits.webkit.org/277149.26@safari-7619.1.9-branch
Commit: 6fc6e82176b2526ebcf5732511330be579f0d922
https://github.com/WebKit/WebKit/commit/6fc6e82176b2526ebcf5732511330be579f0d922
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-04-24 (Wed, 24 Apr 2024)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
M Source/JavaScriptCore/jit/ThunkGenerators.cpp
M Source/JavaScriptCore/llint/LLIntThunks.cpp
M Source/JavaScriptCore/runtime/Options.cpp
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/WTF/wtf/PtrTag.h
M Source/WebKit/WebProcess/WebProcess.cpp
M Tools/Scripts/run-jsc-stress-tests
Log Message:
-----------
Revert "Cherry-pick f442fbe222f3. rdar://126892345"
This reverts commit ffd05add7e28cf537460af8531a565449f7d2451.
Commit: a15239cf7ad116083a4c97e4ef318db0942de143
https://github.com/WebKit/WebKit/commit/a15239cf7ad116083a4c97e4ef318db0942de143
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-04-24 (Wed, 24 Apr 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7619.1.9.5
Canonical link: https://commits.webkit.org/277149.28@safari-7619.1.9-branch
Compare: https://github.com/WebKit/WebKit/compare/ffd05add7e28%5E...a15239cf7ad1