From 7f56a52acada71740b37e2c42b252f94760df438 Mon Sep 17 00:00:00 2001 From: Renbo Date: Fri, 22 Mar 2024 16:46:02 +0800 Subject: [PATCH 1/2] update to webkit2gtk3-2.40.5-1.1 Signed-off-by: Renbo --- CVE-2023-42917.patch | 80 ++++++++++++++++++++++++++++++++++++++++++++ webkit2gtk3.spec | 12 ++++--- 2 files changed, 87 insertions(+), 5 deletions(-) create mode 100644 CVE-2023-42917.patch diff --git a/CVE-2023-42917.patch b/CVE-2023-42917.patch new file mode 100644 index 0000000..a638b86 --- /dev/null +++ b/CVE-2023-42917.patch @@ -0,0 +1,80 @@ +From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001 +From: Russell Epstein +Date: Fri, 17 Nov 2023 15:48:32 -0800 +Subject: [PATCH] Cherry-pick b0a755e34426. + https://bugs.webkit.org/show_bug.cgi?id=265067 + + Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure + https://bugs.webkit.org/show_bug.cgi?id=265067 + rdar://118548733 + + Reviewed by Justin Michaud and Mark Lam. + + Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it). + Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock + in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly. + + This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly. + And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly. + + * Source/JavaScriptCore/runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + + Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch + + Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch +--- + Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------ + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp +index 2922e2478794c..9d094e2c8adc8 100644 +--- a/Source/JavaScriptCore/runtime/Structure.cpp ++++ b/Source/JavaScriptCore/runtime/Structure.cpp +@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) + checkOffsetConsistency(); + ASSERT(isDictionary()); + ASSERT(object->structure() == this); +- +- GCSafeConcurrentJSLocker locker(m_lock, vm); +- +- object->setStructureIDDirectly(id().nuke()); +- WTF::storeStoreFence(); + ++ Locker cellLocker(NoLockingNecessary); ++ ++ PropertyTable* table = nullptr; + size_t beforeOutOfLineCapacity = this->outOfLineCapacity(); ++ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity; + if (isUncacheableDictionary()) { +- PropertyTable* table = propertyTableOrNull(); ++ table = propertyTableOrNull(); + ASSERT(table); ++ PropertyOffset maxOffset = invalidOffset; ++ if (unsigned propertyCount = table->size()) ++ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity); ++ afterOutOfLineCapacity = outOfLineCapacity(maxOffset); ++ } + ++ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly. ++ if (beforeOutOfLineCapacity != afterOutOfLineCapacity) ++ cellLocker = Locker { object->cellLock() }; ++ ++ GCSafeConcurrentJSLocker locker(m_lock, vm); ++ ++ object->setStructureIDDirectly(id().nuke()); ++ WTF::storeStoreFence(); ++ ++ if (isUncacheableDictionary()) { + size_t propertyCount = table->size(); + + // Holds our values compacted by insertion order. This is OK since GC is deferred. +@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) + setDictionaryKind(NoneDictionaryKind); + setHasBeenFlattenedBefore(true); + +- size_t afterOutOfLineCapacity = this->outOfLineCapacity(); ++ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity); + + if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) { + ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity); diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 1465b61..8d5381c 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -8,12 +7,11 @@ Name: webkit2gtk3 Version: 2.40.5 -Release: 1%{anolis_release}%{?dist} +Release: 1%{?dist}.1 Summary: GTK Web content engine library License: LGPLv2 URL: http://www.webkitgtk.org/ -ExcludeArch: loongarch64 Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # Use the keys from https://webkitgtk.org/verifying.html @@ -33,6 +31,9 @@ Patch2: glib-dep.patch # Partial revert of https://github.com/WebKit/WebKit/pull/6087 Patch3: gstreamer-1.16.1.patch +# https://github.com/WebKit/WebKit/commit/00352dd86bfa102b6e4b792120e3ef3498a27d1e +Patch4: CVE-2023-42917.patch + BuildRequires: bison BuildRequires: cmake BuildRequires: flex @@ -295,8 +296,9 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog -* Tue Jan 16 2024 Bo Ren 2.40.5-1.0.1 -- Exclude loongarch64 +* Tue Dec 05 2023 Michael Catanzaro - 2.40.5-1.1 +- Add patch for CVE-2023-42917 + Resolves: RHEL-18172 * Tue Aug 01 2023 Michael Catanzaro - 2.40.5-1 - Upgrade to 2.40.5. Also, disable JIT -- Gitee From 4d70b1294b00fb7f7ea1b79505560b61564386ff Mon Sep 17 00:00:00 2001 From: Renbo Date: Tue, 16 Jan 2024 17:10:45 +0800 Subject: [PATCH 2/2] Exclude loongarch64 Signed-off-by: Renbo --- webkit2gtk3.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 8d5381c..07b5b9e 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -7,11 +8,12 @@ Name: webkit2gtk3 Version: 2.40.5 -Release: 1%{?dist}.1 +Release: 1%{anolis_release}%{?dist}.1 Summary: GTK Web content engine library License: LGPLv2 URL: http://www.webkitgtk.org/ +ExcludeArch: loongarch64 Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # Use the keys from https://webkitgtk.org/verifying.html @@ -296,6 +298,9 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog +* Fri Mar 22 2024 Bo Ren 2.40.5-1.0.1.1 +- Exclude loongarch64 + * Tue Dec 05 2023 Michael Catanzaro - 2.40.5-1.1 - Add patch for CVE-2023-42917 Resolves: RHEL-18172 -- Gitee