Bug 196631

Summary: [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch saam: review+

Yusuke Suzuki
Reported 2019-04-04 14:59:14 PDT
...
Attachments
Patch (2.40 KB, patch)
2019-04-04 17:31 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (6.38 KB, patch)
2019-04-04 18:14 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (6.21 KB, patch)
2019-04-04 18:19 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (17.93 KB, patch)
2019-04-04 19:10 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-04-04 17:31:15 PDT
Created attachment 366780 [details] Patch
Yusuke Suzuki
Comment 2 2019-04-04 17:48:37 PDT
Double prediction injection found this issue.
Yusuke Suzuki
Comment 3 2019-04-04 18:14:48 PDT
Created attachment 366783 [details] Patch
EWS Watchlist
Comment 4 2019-04-04 18:16:48 PDT
Attachment 366783 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:11: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzer, fuzzer [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 5 2019-04-04 18:19:25 PDT
Created attachment 366784 [details] Patch
Yusuke Suzuki
Comment 6 2019-04-04 18:21:23 PDT
Comment on attachment 366784 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366784&action=review > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:257 > + RELEASE_AND_RETURN(scope, JSValue::encode(JSBoundFunction::create(vm, exec, globalObject, target, boundThis, boundArgs.isCell() ? jsCast<JSArray*>(boundArgs) : nullptr, length, name))); I'll change `name` part to `WTFMove(name)`
EWS Watchlist
Comment 7 2019-04-04 18:22:04 PDT
Attachment 366784 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:15: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzer [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 8 2019-04-04 18:32:47 PDT
Comment on attachment 366784 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366784&action=review > Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp:47 > + if (Options::injectDoublePredictionsForNumbers()) { > + if (original && mergeSpeculations(original, SpecBytecodeNumber) == SpecBytecodeNumber) > + return SpecBytecodeDouble; > + return original; > + } Can we make this a different fuzzer agent? It's no longer random.
Saam Barati
Comment 9 2019-04-04 18:33:36 PDT
Comment on attachment 366784 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366784&action=review > Source/JavaScriptCore/runtime/Options.h:439 > + v(bool, injectDoublePredictionsForNumbers, false, Normal, nullptr) \ Then this can be called "useDoublePredictionFuzzerAgent" or something similar.
Yusuke Suzuki
Comment 10 2019-04-04 18:38:00 PDT
Comment on attachment 366784 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366784&action=review >> Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp:47 >> + } > > Can we make this a different fuzzer agent? It's no longer random. Yeah, I'll change to do that.
Yusuke Suzuki
Comment 11 2019-04-04 19:10:42 PDT
Created attachment 366788 [details] Patch
EWS Watchlist
Comment 12 2019-04-04 19:13:35 PDT
Attachment 366788 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:15: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzer, fuzzer, fuzzer [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 11 files If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 13 2019-04-04 19:18:03 PDT
Comment on attachment 366788 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366788&action=review r=me > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:251 > + int32_t length = lengthValue.toInt32(exec); Should assert it's a number. Maybe even isAnyInt and that it's within 32-bits? > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:252 > + RETURN_IF_EXCEPTION(scope, { }); Should be an assert. > JSTests/stress/make-bound-function-should-not-assume-int32-length.js:1 > +//@ runDefault("--useDoublePredictionFuzzerAgent=1") maybe also concurrentJIT=0 to ensure we JIT?
Yusuke Suzuki
Comment 14 2019-04-04 20:08:18 PDT
Comment on attachment 366788 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=366788&action=review >> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:251 >> + int32_t length = lengthValue.toInt32(exec); > > Should assert it's a number. Maybe even isAnyInt and that it's within 32-bits? Changed. >> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:252 >> + RETURN_IF_EXCEPTION(scope, { }); > > Should be an assert. Fixed. >> JSTests/stress/make-bound-function-should-not-assume-int32-length.js:1 >> +//@ runDefault("--useDoublePredictionFuzzerAgent=1") > > maybe also concurrentJIT=0 to ensure we JIT? Sounds fine. Fixed.
Yusuke Suzuki
Comment 15 2019-04-04 21:17:51 PDT
Committed r243925: <https://trac.webkit.org/changeset/243925>
Radar WebKit Bug Importer
Comment 16 2019-04-04 21:18:58 PDT
<rdar://problem/49634426>
Note You need to log in before you can comment on or make changes to this bug.