[webkit-changes] [WebKit/WebKit] 60edab: Versioning.
Jonathan Bedard
noreply at github.com
Tue May 14 14:28:32 PDT 2024
Branch: refs/heads/safari-7619.1.11.111-branch
Home: https://github.com/WebKit/WebKit
Commit: 60edaba8a9087df0a89766b74d81a5c22d1390ec
https://github.com/WebKit/WebKit/commit/60edaba8a9087df0a89766b74d81a5c22d1390ec
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-05-03 (Fri, 03 May 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7619.1.11.111.1
Canonical link: https://commits.webkit.org/278096.6@safari-7619.1.11.111-branch
Commit: 1574b2f9833c2cd553c7046756f810bbf2db8d2a
https://github.com/WebKit/WebKit/commit/1574b2f9833c2cd553c7046756f810bbf2db8d2a
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-05-03 (Fri, 03 May 2024)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
M Source/JavaScriptCore/jit/ThunkGenerators.cpp
M Source/JavaScriptCore/llint/LLIntThunks.cpp
M Source/JavaScriptCore/runtime/Options.cpp
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/WTF/wtf/PtrTag.h
M Source/WebKit/WebProcess/WebProcess.cpp
M Tools/Scripts/run-jsc-stress-tests
Log Message:
-----------
Cherry-pick f442fbe222f3. rdar://125596635
Make it harder to get a PAC signing gadget in JIT code.
https://bugs.webkit.org/show_bug.cgi?id=272750
rdar://125596635
Reviewed by Yusuke Suzuki.
Right now if an attacker can control where code is allocated they can overlap code to create a PAC bypass.
This patch makes that harder (in the WebContent process) by only allowing pacibsp and pacizb. This means
that during arity fixup we now tag the return PC with pacizb. This is ok because we don't use the zero
diversifier for anything. For reifying inlined call frames during OSR exit things are a bit more complicated.
First we have be careful to only move signed return addresses into lr then untag them there. Also, we have
to shuffle SP to point to where it would in reified frame. This means that there is technically live data
below our SP, which on many OSes causes problems. Talking to our kernel folks however this isn't a problem
as long as we don't have any signal handlers or run lldb expressions in this window. We don't use signal
handlers in the WebContent process and this patch tries to limit/document the window of JIT code where lldb
would trash the stack.
* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::tagPtr):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::AssemblyHelpers::transferReturnPC):
* Source/JavaScriptCore/jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WTF/wtf/PtrTag.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::initializeProcess):
* Tools/Scripts/run-jsc-stress-tests:
Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch
Commit: f13b66e06c476ae22146e6b5d1de07448227bf47
https://github.com/WebKit/WebKit/commit/f13b66e06c476ae22146e6b5d1de07448227bf47
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-05-06 (Mon, 06 May 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7619.1.11.111.2
Canonical link: https://commits.webkit.org/278096.8@safari-7619.1.11.111-branch
Compare: https://github.com/WebKit/WebKit/compare/60edaba8a908%5E...f13b66e06c47
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list