From 91ab75e381006d27379c7d4323d3e14aad88f70a Mon Sep 17 00:00:00 2001
From: lvfei
Date: Wed, 24 Apr 2024 13:50:29 +0800
Subject: [PATCH] fix CVE-2020-26950

(cherry picked from commit b0eaf62362f31be14d48926c35414908fe540c5b)
---
 CVE-2020-26950.patch | 78 ++++++++++++++++++++++++++++++++++++++++++++
 firefox.spec | 7 +++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-26950.patch

diff --git a/CVE-2020-26950.patch b/CVE-2020-26950.patch
new file mode 100644
index 0000000..ba8b371
--- /dev/null
+++ b/CVE-2020-26950.patch
@@ -0,0 +1,78 @@
+From 9ed502c59c6456bf8984bb6de49472da69ef4c90 Mon Sep 17 00:00:00 2001
+From: Ted Campbell
+Date: Sat, 07 Nov 2020 05:36:31 +0000 (2020-11-07)
+Subject: [PATCH] CVE-2020-26950
+
+Simplify IonBuilder::createThisScripted. r=jandem,iain a=RyanVM
+
+---
+ js/src/jit/IonBuilder.cpp | 31 ++++++++-----------------------
+ js/src/jit/IonIC.cpp | 8 ++++++++
+ 2 files changed, 16 insertions(+), 23 deletions(-)
+
+diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
+index 1b2a62a268..865e7bb322 100644
+--- a/js/src/jit/IonBuilder.cpp
++++ b/js/src/jit/IonBuilder.cpp
+@@ -5206,31 +5206,16 @@ MDefinition* IonBuilder::createThisScripted(MDefinition* callee,
+ // explicit operation in the bytecode, we cannot use resumeAfter().
+ // Getters may not override |prototype| fetching, so this operation is
+ // indeed idempotent.
+- // - First try an idempotent property cache.
+- // - Upon failing idempotent property cache, we can't use a non-idempotent
+- // cache, therefore we fallback to CallGetProperty
+- //
+- // Note: both CallGetProperty and GetPropertyCache can trigger a GC,
+- // and thus invalidation.
+- MInstruction* getProto;
+- if (!invalidatedIdempotentCache()) {
+- MConstant* id = constant(StringValue(names().prototype));
+- MGetPropertyCache* getPropCache =
+- MGetPropertyCache::New(alloc(), newTarget, id,
+- /* monitored = */ false);
+- getPropCache->setIdempotent();
+- getProto = getPropCache;
+- } else {
+- MCallGetProperty* callGetProp =
+- MCallGetProperty::New(alloc(), newTarget, names().prototype);
+- callGetProp->setIdempotent();
+- getProto = callGetProp;
+- }
+- current->add(getProto);
+-
++ // Note: GetPropertyCache can trigger a GC, and thus invalidation.
++ MConstant* id = constant(StringValue(names().prototype));
++ MGetPropertyCache* getPropCache =
++ MGetPropertyCache::New(alloc(), newTarget, id,
++ /* monitored = */ false);
++ getPropCache->setIdempotent();
++ current->add(getPropCache);
+ // Create this from prototype
+ MCreateThisWithProto* createThis =
+- MCreateThisWithProto::New(alloc(), callee, newTarget, getProto);
++ MCreateThisWithProto::New(alloc(), callee, newTarget, getPropCache);
+ current->add(createThis);
+
+ return createThis;
+diff --git a/js/src/jit/IonIC.cpp b/js/src/jit/IonIC.cpp
+index 2c3ba44782..3cd06a13e7 100644
+--- a/js/src/jit/IonIC.cpp
++++ b/js/src/jit/IonIC.cpp
+@@ -216,6 +216,14 @@ bool IonGetPropertyIC::update(JSContext* cx, HandleScript outerScript,
+ if (outerScript->hasIonScript()) {
+ Invalidate(cx, outerScript);
+ }
++ // IonBuilder::createScriptedThis does not use InvalidedIdempotentCache
++ // flag so prevent bailout-loop by disabling Ion for the script.
++ MOZ_ASSERT(ic->kind() == CacheKind::GetProp);
++ if (idVal.toString()->asAtom().asPropertyName() == cx->names().prototype) {
++ if (val.isObject() && val.toObject().is()) {
++ outerScript->disableIon();
++ }
++ }
+
+ // We will redo the potentially effectful lookup in Baseline.
+ return true;
+--
+2.27.0
+
diff --git a/firefox.spec b/firefox.spec
index 2054b7b..3344e8a 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -88,7 +88,7 @@ Summary: Mozilla Firefox Web browser
 Name: firefox
 Version: 79.0
-Release: 18
+Release: 19
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -197,6 +197,7 @@ Patch653: CVE-2023-7104.patch
 Patch654: CVE-2022-22755.patch
 Patch655: CVE-2022-1802.patch
 Patch656: CVE-2023-44488.patch
+Patch657: CVE-2020-26950.patch
 
 %if %{?system_nss}
 BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
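Review bot: In the IonIC.cpp hunk of the new CVE-2020-26950.patch the added guard reads `if (val.isObject() && val.toObject().is()) {`; `is()` with no template argument is not a valid JSObject call, so either the angle-bracket argument was stripped when this page was rendered or the cherry-pick lost it, and the patch file should be diffed against the upstream commit named in its header (9ed502c59c6456bf8984bb6de49472da69ef4c90), which presumably reads `val.toObject().is<JSFunction>()`, before the build is trusted. The hunk offsets (`@@ -5206` in IonBuilder.cpp, `@@ -216` in IonIC.cpp) come from the late-2020 upstream tree while this spec builds Firefox 79.0, so it is worth confirming that `%patch657 -p1` applies without fuzz or offset on the 79.0 source rather than landing in a different spot of IonGetPropertyIC::update. Separately, the changelog line added in firefox.spec reads `- Fif CVE-2020-26950`, presumably meant as `- Fix CVE-2020-26950`. Both IonBuilder::createThisScripted and IonGetPropertyIC::update begin and end outside the quoted hunks.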
@@ -388,6 +389,7 @@ tar -xf %{SOURCE3}
 %patch654 -p1
 %patch655 -p1
 %patch656 -p1
+%patch657 -p1
 
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -836,6 +838,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Wed Apr 24 2024 lvfei - 79.0-19
+- Fif CVE-2020-26950
+
 * Fri Apr 19 2024 lvfei - 79.0-18
 - Fix CVE-2023-44488
 
--
Gitee