239758 CVE-2023-35074 2022-04-26 00:16:06 -0700 Fix variable liveness for try catch in DFG 2024-01-02 08:21:53 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 zhunkibatu yijia_huang mark.lam mcatanzaro saam webkit-bug-importer yijia_huang ysuzuki oldest_to_newest 1864370 0 458335 zhunkibatu 2022-04-26 00:16:06 -0700 Created attachment 458335 the minimal poc The following PoC outputs differently before/after JIT compilation. function opt() { var b = false; var c = -b; try { throw ""; } catch(e) { } return c; } let before = opt(); print(1/before); //-Infinity for(var i=0;i<10000;i++){ opt(); } let afterJIT = opt(); print(1/afterJIT); //Infinity 1866061 1 webkit-bug-importer 2022-05-03 00:17:12 -0700 <rdar://problem/92654142> 1884405 2 ysuzuki 2022-07-15 16:43:46 -0700 Ah, this is caused by 230823. Backward propagation is running before catch live variable preservation. 1884410 3 ysuzuki 2022-07-15 16:46:47 -0700 Probably, we should insert catch-live-variable-insertion before backwards propagation. 1930879 4 yijia_huang 2023-02-03 08:32:25 -0800 Pull request: https://github.com/WebKit/WebKit/pull/9496 1930881 5 yijia_huang 2023-02-03 08:32:51 -0800 *** Bug 251411 has been marked as a duplicate of this bug. *** 1931013 6 ews-feeder 2023-02-03 14:36:12 -0800 Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main> Reviewed commits have been landed. Closing PR #9496 and removing active labels. 1981589 7 zhunkibatu 2023-09-30 20:03:08 -0700 According to acknowledgement, there seems a mistake here? WebKit Bugzilla: 239758 CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37) 1981607 8 mcatanzaro 2023-10-01 06:24:05 -0700 Hm, I wonder if they're supposed to be credited on some *other* CVE instead. We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"? 1981612 9 zhunkibatu 2023-10-01 09:25:27 -0700 "zhunki", please. 2002064 10 zhunkibatu 2023-12-26 19:49:00 -0800 Did you confirm who to aknowledge? 2002084 11 mcatanzaro 2023-12-27 05:36:44 -0800 Looks like I missed this. I'll notify Apple Product Security after the holidays. 2002509 12 mcatanzaro 2024-01-02 08:21:53 -0800 (In reply to Michael Catanzaro from comment #11) > Looks like I missed this. I'll notify Apple Product Security after the > holidays. Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716. They did respond to a similar request in another CVE, so my guess is they've lost track of this one. 458335 2022-04-26 00:16:06 -0700 2022-04-26 00:16:06 -0700 the minimal poc jsc_2.js text/javascript 235 zhunkibatu ZnVuY3Rpb24gb3B0KCkgewoJdmFyIGIgPSBmYWxzZTsKCXZhciBjID0gLWI7Cgl0cnkgewoJCXRo cm93ICIiOwoJfSBjYXRjaChlKSB7Cgl9CglyZXR1cm4gYzsKfQoKbGV0IGJlZm9yZSA9IG9wdCgp OwpwcmludCgxL2JlZm9yZSk7IC8vLUluZmluaXR5Cgpmb3IodmFyIGk9MDtpPDEwMDAwO2krKyl7 CglvcHQoKTsKfQoKbGV0IGFmdGVySklUID0gb3B0KCk7CnByaW50KDEvYWZ0ZXJKSVQpOyAvL0lu ZmluaXR5Cg==