Bug 239758 (CVE-2023-35074)

Summary: Fix variable liveness for try catch in DFG
Product: WebKit Reporter: zhunkibatu
Component: JavaScriptCore    Assignee: Yijia Huang <yijia_huang>
Status: RESOLVED FIXED    
Severity: Normal CC: mark.lam, mcatanzaro, saam, webkit-bug-importer, yijia_huang, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments: the minimal poc (Flags: none)

Description zhunkibatu 2022-04-26 00:16:06 PDT
Created attachment 458335 [details]
the minimal poc

The following PoC outputs differently before/after JIT compilation.


function opt() {
    var b = false;
    var c = -b;          // -false is -0 (negative zero)
    try {
        throw "";        // the try/catch is what involves the DFG's catch liveness handling
    } catch (e) {
    }
    return c;
}

// Interpreter/baseline result: c is -0, so 1/c is -Infinity.
// print() is the jsc shell's output function.
let before = opt();
print(1/before); //-Infinity

// Warm up so the DFG compiles opt().
for (var i = 0; i < 10000; i++) {
    opt();
}

// DFG result: the sign of zero is lost, c comes back as +0 and 1/c is Infinity.
let afterJIT = opt();
print(1/afterJIT); //Infinity
Comment 1 Radar WebKit Bug Importer 2022-05-03 00:17:12 PDT
<rdar://problem/92654142>
Comment 2 Yusuke Suzuki 2022-07-15 16:43:46 PDT
Ah, this is caused by 230823.
Backward propagation is running before catch live variable preservation.
Comment 3 Yusuke Suzuki 2022-07-15 16:46:47 PDT
Probably, we should insert catch-live-variable-insertion before backwards propagation.
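The PoC in the description and the diagnosis in comments 2 and 3 amount to one testing pattern: sample a function's result before the optimizing tier has compiled it, warm it up, sample again, and compare with a check that actually distinguishes -0 from +0. The harness below is an added example written for this page, not code from the bug report or from WebKit; the helper names (describeZero, warmUp, compareTiers, negZeroAcrossCatch, changesAfterWarmup) are this example's own, and the 10000-call warm-up count is taken from the PoC rather than from any engine's tiering thresholds. It uses only standard ECMAScript, so it runs in node as well as the jsc shell; on a build affected by this bug the first comparison would report a divergence, on a fixed engine it reports a consistent result.

```javascript
// Object.is distinguishes -0 from +0, which === does not. The PoC used 1/x
// for the same purpose; this gives a readable label instead.
function describeZero(x) {
  if (Object.is(x, -0)) return "-0";
  if (Object.is(x, 0)) return "+0";
  return String(x);
}

// Call fn enough times for the engine's optimizing tier to compile it.
// 10000 is the count the PoC used (an assumption, not an engine constant).
function warmUp(fn, iterations) {
  for (let i = 0; i < iterations; i++) fn();
}

// Differential check across tiers: one sample before warm-up, one after.
// Returns a record rather than printing so the outcome can be asserted on.
function compareTiers(fn, iterations = 10000) {
  const before = fn();
  warmUp(fn, iterations);
  const after = fn();
  return {
    before: describeZero(before),
    after: describeZero(after),
    consistent: Object.is(before, after),
  };
}

// Same shape as the reporter's PoC: negate a boolean (-false is -0) and route
// the value past a try/catch so catch liveness is involved in the DFG.
function negZeroAcrossCatch() {
  var b = false;
  var c = -b;
  try {
    throw "";
  } catch (e) {
  }
  return c;
}

// Control case (constructed, not a JIT bug): a function whose result really
// does change after enough calls, to confirm the harness flags a divergence.
let calls = 0;
function changesAfterWarmup() {
  calls++;
  return calls > 5000 ? 0 : -0;
}

// Stand-alone run: prints one line per function.
for (const fn of [negZeroAcrossCatch, changesAfterWarmup]) {
  const r = compareTiers(fn);
  console.log(fn.name, "before:", r.before, "after:", r.after,
              r.consistent ? "consistent" : "DIVERGENCE");
}
```

The control case runs first in a fresh process only if you reorder the array; as written, compareTiers(negZeroAcrossCatch) runs first and does not touch the counter used by changesAfterWarmup, so the two checks are independent.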
Comment 4 Yijia Huang 2023-02-03 08:32:25 PST
Pull request: https://github.com/WebKit/WebKit/pull/9496
Comment 5 Yijia Huang 2023-02-03 08:32:51 PST
*** Bug 251411 has been marked as a duplicate of this bug. ***
Comment 6 EWS 2023-02-03 14:36:12 PST
Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main>

Reviewed commits have been landed. Closing PR #9496 and removing active labels.
Comment 7 zhunkibatu 2023-09-30 20:03:08 PDT
According to the acknowledgement, there seems to be a mistake here?

WebKit Bugzilla: 239758
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)
Comment 8 Michael Catanzaro 2023-10-01 06:24:05 PDT
Hm, I wonder if they're supposed to be credited on some *other* CVE instead.

We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"?
Comment 9 zhunkibatu 2023-10-01 09:25:27 PDT
"zhunki", please.
Comment 10 zhunkibatu 2023-12-26 19:49:00 PST
Did you confirm who to acknowledge?
Comment 11 Michael Catanzaro 2023-12-27 05:36:44 PST
Looks like I missed this. I'll notify Apple Product Security after the holidays.
Comment 12 Michael Catanzaro 2024-01-02 08:21:53 PST
(In reply to Michael Catanzaro from comment #11)
> Looks like I missed this. I'll notify Apple Product Security after the
> holidays.

Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716.

They did respond to a similar request in another CVE, so my guess is they've lost track of this one.