From 29e9a09abb6cf93c6075c7d3c8ae5cc2e6b0ffe5 Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Thu, 5 Jan 2023 10:28:38 +0800
Subject: [PATCH 1/2] update to webkit2gtk3-2.36.7-1.el8_7.1

Signed-off-by: Zhao Hang
---
 0001-webkitgtk-add-loongarch.patch | 11 -----
 CVE-2022-42856.patch | 78 ++++++++++++++++++++++++++++++
 dist | 2 +-
 webkit2gtk3.spec | 48 +++++++++++++++---
 4 files changed, 120 insertions(+), 19 deletions(-)
 delete mode 100644 0001-webkitgtk-add-loongarch.patch
 create mode 100644 CVE-2022-42856.patch

diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch
deleted file mode 100644
index bcecd2d..0000000
--- a/0001-webkitgtk-add-loongarch.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000
-+++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000
-@@ -86,7 +86,7 @@ int main(int argc, char** argv) {
- defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \
- defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
- defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
-- defined(__SH4__) || defined(__alpha__) || \
-+ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \
- defined(_MIPS_ARCH_MIPS32R2) || \
- defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
- defined(__riscv) || \
diff --git a/CVE-2022-42856.patch b/CVE-2022-42856.patch
new file mode 100644
index 0000000..34f4d74
--- /dev/null
+++ b/CVE-2022-42856.patch
@@ -0,0 +1,78 @@
+From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001
+From: Mark Lam
+Date: Mon, 19 Dec 2022 17:32:15 -0800
+Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1).
+ rdar://102531234
+
+ The provenType filtering in FTL's speculateRealNumber is incorrect.
+ https://bugs.webkit.org/show_bug.cgi?id=248266
+
+
+ Reviewed by Justin Michaud.
+
+ speculateRealNumber does a doubleEqual compare, which filters out double values which
+ are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
+ the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
+
+ Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
+ SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
+ SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
+ of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
+ a proven type of
+
+ { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
+
+ which yields
+
+ { SpecInt32Only }.
+
+ As a result, the compiler will think that that isNotIn32() check will always fail. This
+ is not correct if the actual incoming value for that edge is actually a PureNaN. In this
+ case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
+ the isNotInt32() check will always fail and elide the check altogether.
+
+ In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
+ rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
+
+ * JSTests/stress/speculate-real-number-in-object-is.js: Added.
+ (test.object_is_opt):
+ (test):
+ * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+ Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
+
+Canonical link: https://commits.webkit.org/258113@main
+---
+ .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
+ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
+
+diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+index 3ba2d21b8072..18d13f1941bb 100644
+--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END
+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
+ LValue doubleValue = unboxDouble(value);
+
+- LBasicBlock intCase = m_out.newBlock();
++ LBasicBlock intOrNaNCase = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(
+ m_out.doubleEqual(doubleValue, doubleValue),
+- usually(continuation), rarely(intCase));
++ usually(continuation), rarely(intOrNaNCase));
+
+- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
++ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
+
+ typeCheck(
+ jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
+- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
++ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
diff --git a/dist b/dist
index 0ee7539..9c0e36e 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8_6
+an8
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index 39aaec7..b8d8ca4 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
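Review bot: In the nested FTLLowerDFGToB3.cpp hunk the `typeCheck(...)` call still takes its edge and proven type from `m_node->child1()` while the value it checks was loaded two lines earlier via `lowJSValue(edge, ManualOperandSpeculation)`; the narrowed `~SpecDoubleReal` mask this CVE fix relies on is therefore only right when `edge` is child1, and for any other edge `isNotInt32` could again be folded to a constant and the NaN OSR exit lost. The fix is two lines: `jsValueValue(value), edge, SpecBytecodeRealNumber,` followed by `isNotInt32(value, provenType(edge) & ~SpecDoubleReal));`. This is pre-existing rather than introduced by the backport, and the enclosing function starts before the hunk, so I cannot see whether every caller passes child1 — worth confirming before the patch is frozen. Separately, the patch's own diffstat and `create mode` line list `JSTests/stress/speculate-real-number-in-object-is.js` but no hunk for it is carried, so the backport ships without its regression test; either include it or record the intentional omission in the spec comment above `Patch3`.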
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@@ -13,7 +12,7 @@ Name: webkit2gtk3
 Version: 2.36.7
-Release: 1%{anolis_release}%{?dist}
+Release: 1%{?dist}.1
 Summary: GTK Web content engine library
 License: LGPLv2
@@ -35,7 +34,8 @@ Patch1: aarch64-page-size.patch
 # https://bugs.webkit.org/show_bug.cgi?id=235367
 Patch2: icu60.patch
-Patch1000: 0001-webkitgtk-add-loongarch.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
+Patch3: CVE-2022-42856.patch
 BuildRequires: bison
 BuildRequires: cmake
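Review bot: `Patch3: CVE-2022-42856.patch` is declared in the `@@ -35,7 +34,8 @@` hunk but nothing in this diff applies it, and the %prep section lies outside every hunk, so I cannot tell whether the spec uses `%autosetup`/`%autopatch` (declared patches apply automatically) or explicit `%patchN` lines, in which case a missing `%patch3 -p1` would build and ship the unfixed JIT without any error. Please confirm with `rpmbuild -bp` that the unpacked `Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp` contains `intOrNaNCase`, and add `%patch3 -p1` beside the other `%patchN` lines if they are explicit. The `Release:` hunk also drops `%{anolis_release}`, giving `2.36.7-1.an8.1`; if the last shipped build was `2.36.7-1.0.1.an8_6` as the removed changelog entry and the old dist value suggest, rpmvercmp ranks the numeric `0` segment above `an8`, so this commit on its own would not be treated as an upgrade — the follow-up commit in this series restores the macro, so the two must land together.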
@@ -306,12 +306,46 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 %changelog
-* Fri Nov 4 2022 Liwei Ge - 2.36.7-1.0.1
-- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin)
+* Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1
+- Add patch for CVE-2022-42856
+ Resolves: #2153735
-* Fri Sep 02 2022 Michael Catanzaro - 2.36.7-1
+* Wed Aug 24 2022 Michael Catanzaro - 2.36.7-1
 - Update to 2.36.7
- Related: #2123429
+ Related: #2061994
+
+* Tue Aug 09 2022 Michael Catanzaro - 2.36.6-1
+- Update to 2.36.6
+ Related: #2061994
+
+* Tue Aug 02 2022 Michael Catanzaro - 2.36.5-2
+- Fix Eclipse after update to 2.36.5
+ Related: #2061994
+
+* Thu Jul 28 2022 Michael Catanzaro - 2.36.5-1
+- Update to 2.36.5
+ Related: #2061994
+ Resolves: #2099334
+
+* Tue Jul 05 2022 Michael Catanzaro - 2.36.4-1
+- Update to 2.36.4
+ Related: #2061994
+
+* Thu Jun 02 2022 Michael Catanzaro - 2.36.3-1
+- Update to 2.36.3
+- Related: #2061994
+- Resolves: #2092748
+
+* Wed May 18 2022 Michael Catanzaro - 2.36.2-1
+- Update to 2.36.2
+ Related: #2061994
+
+* Thu Apr 21 2022 Michael Catanzaro - 2.36.1-1
+- Update to 2.36.1
+ Related: #2061994
+- Resolves: #2075492
+- Resolves: #2075494
+- Resolves: #2075496
 * Thu Feb 17 2022 Michael Catanzaro - 2.34.6-1
 - Update to 2.34.6
-- 
Gitee

From ef6436c9f0bb0381a5e75a8de117d84dab16f057 Mon Sep 17 00:00:00 2001
From: mahailiang
Date: Wed, 22 Sep 2021 12:19:06 -0400
Subject: [PATCH 2/2] Sync loongsons patch webkitgtk-add-loongarch.patch

---
 0001-webkitgtk-add-loongarch.patch | 11 +++++++++++
 webkit2gtk3.spec | 8 +++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 0001-webkitgtk-add-loongarch.patch

diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch
new file mode 100644
index 0000000..bcecd2d
--- /dev/null
+++ b/0001-webkitgtk-add-loongarch.patch
@@ -0,0 +1,11 @@
+--- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000
++++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000
+@@ -86,7 +86,7 @@ int main(int argc, char** argv) {
+ defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \
+ defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
+ defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
+- defined(__SH4__) || defined(__alpha__) || \
++ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \
+ defined(_MIPS_ARCH_MIPS32R2) || \
+ defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
+ defined(__riscv) || \
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index b8d8ca4..4536465 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.2
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@@ -12,7 +13,7 @@ Name: webkit2gtk3
 Version: 2.36.7
-Release: 1%{?dist}.1
+Release: 1%{anolis_release}%{?dist}.1
 Summary: GTK Web content engine library
 License: LGPLv2
@@ -37,6 +38,8 @@ Patch2: icu60.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2153683
 Patch3: CVE-2022-42856.patch
+Patch1000: 0001-webkitgtk-add-loongarch.patch
+
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: flex
@@ -306,6 +309,9 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 %changelog
+* Thu Jan 05 2023 Liwei Ge - 2.36.7-1.0.2.1
+- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin)
+
 * Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1
 - Add patch for CVE-2022-42856
 Resolves: #2153735
-- 
Gitee
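Review bot: The re-added utils.h hunk whitelists only `defined(__loongarch64)`, so a 32-bit LoongArch build would presumably still reach the fallback branch that this `defined(...)` list guards; judging by the surrounding entries (`__aarch64__`, `__riscv`, `__s390__`) it is the guard asserting that plain double arithmetic is IEEE-correct without x87-style excess precision, which as far as I know holds for every LoongArch ABI, so `defined(__loongarch__)` would be the more general spelling — please confirm against the macro actually being defined, which begins outside the hunk. The patch also still carries `webkitgtk-2.28.4` paths and a `@@ -86,7 +86,7 @@` header although the spec now builds 2.36.7; whether it applies at its original offset without fuzz cannot be seen here, so regenerating it with `diff -up` against the unpacked 2.36.7 tree would keep it robust to rpm's default `--fuzz=0`.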
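Review bot: `Patch1000: 0001-webkitgtk-add-loongarch.patch` in the `@@ -37,6 +38,8 @@` hunk is the only patch in the list without a provenance comment, whereas `Patch2` and `Patch3` each carry a bug URL; the changelog's "loongsons patch ... (XueZhixin)" is hard to find from the spec. Suggest adding `# LoongArch: add __loongarch64 to WTF dtoa's correct-double-arithmetic arch list (Loongson, XueZhixin)` above the line. As with `Patch3`, the %prep section is outside the hunks, so whether `%patch1000` is applied (or `%autopatch` covers it) cannot be confirmed here; a quick `rpmbuild -bp` check that `__loongarch64` appears in `Source/WTF/wtf/dtoa/utils.h` would close that gap.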