Bug 239758 (CVE-2023-35074)

Summary:

Fix variable liveness for try catch in DFG

Product:

WebKit

Reporter:

zhunkibatu

Component:

JavaScriptCore

Assignee:

Yijia Huang <yijia_huang>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mark.lam, mcatanzaro, saam, webkit-bug-importer, yijia_huang, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
the minimal poc	none

Description zhunkibatu 2022-04-26 00:16:06 PDT

Created attachment 458335 [details]
the minimal poc

The following PoC outputs differently before/after JIT compilation.


function opt() {
	var b = false;
	var c = -b;
	try {
		throw "";
	} catch(e) {
	}
	return c;
}

let before = opt();
print(1/before); //-Infinity

for(var i=0;i<10000;i++){
	opt();
}

let afterJIT = opt();
print(1/afterJIT); //Infinity

Comment 1 Radar WebKit Bug Importer 2022-05-03 00:17:12 PDT

<rdar://problem/92654142>

Comment 2 Yusuke Suzuki 2022-07-15 16:43:46 PDT

Ah, this is caused by 230823.
Backward propagation is running before catch live variable preservation.

Comment 3 Yusuke Suzuki 2022-07-15 16:46:47 PDT

Probably, we should insert catch-live-variable-insertion before backwards propagation.

Comment 4 Yijia Huang 2023-02-03 08:32:25 PST

Pull request: https://github.com/WebKit/WebKit/pull/9496

Comment 5 Yijia Huang 2023-02-03 08:32:51 PST

*** Bug 251411 has been marked as a duplicate of this bug. ***

Comment 6 EWS 2023-02-03 14:36:12 PST

Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main>

Reviewed commits have been landed. Closing PR #9496 and removing active labels.

Comment 7 zhunkibatu 2023-09-30 20:03:08 PDT

According to acknowledgement, there seems a mistake here?

WebKit Bugzilla: 239758
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

Comment 8 Michael Catanzaro 2023-10-01 06:24:05 PDT

Hm, I wonder if they're supposed to be credited on some *other* CVE instead.

We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"?

Comment 9 zhunkibatu 2023-10-01 09:25:27 PDT

"zhunki", please.

Comment 10 zhunkibatu 2023-12-26 19:49:00 PST

Did you confirm who to aknowledge?

Comment 11 Michael Catanzaro 2023-12-27 05:36:44 PST

Looks like I missed this. I'll notify Apple Product Security after the holidays.

Comment 12 Michael Catanzaro 2024-01-02 08:21:53 PST

(In reply to Michael Catanzaro from comment #11)
> Looks like I missed this. I'll notify Apple Product Security after the
> holidays.

Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716.

They did respond to a similar request in another CVE, so my guess is they've lost track of this one.