Summary: DFG strength reduction on % operator should handle an INT_MIN divisor.
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: wjllz <1214wjllz>
Assignee: Mark Lam <mark.lam>
CC: bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, rmorisset, saam, tzagallo, webkit-bug-importer
Keywords: InRadar

Description
wjllz
2021-09-17 00:20:57 PDT
The JS code has some comments in it... which are wrong; I just changed another bug's PoC and forgot to delete them. I am so sorry for that part. But the bug is so simple (maybe...), I hope it won't confuse you.

By the way, the patch for the bug is simple: add a check like this (https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp#L166):

    if (m_node->child1()->child2()->asInt32() == INT_MIN) {
        break; // [+] don't optimize it, otherwise it will trigger integer overflow
    }

wjllz (comment #4)
hi. Nobody cares about this?

Brent Fulgham (comment #5)
(In reply to wjllz from comment #4)
> hi. Nobody cares about this?

We are looking into it and will respond soon. I apologize for the delay.

wjllz
(In reply to Brent Fulgham from comment #5)
> (In reply to wjllz from comment #4)
> > hi. Nobody cares about this?
>
> We are looking into it and will respond soon. I apologize for the delay.

It's ok, it's my mistake. This is my first time trying to report a bug to Safari, so I didn't know whether I had found the right way to report it. That is why I asked this question (comment 4)... I didn't find any useful information about WebKit's bounty system, so it confused me. Thanks for your reply.

I'm currently investigating this issue. I'm not sure it's really a security issue yet, but will find out soon.

This is not a security issue because there's no way to use the resultant integer to access memory. Any memory access based on the resultant integer thereafter will still do the needed bounds checks. Thanks for the bug report. Fix coming soon.

Created attachment 439662 [details]
proposed patch.
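The following is an added example, not JavaScriptCore's code and not the attached patch. It models the strength reduction rule that the reporter's check guards, in the shape the rule has at the linked location in DFGStrengthReductionPhase.cpp as I understand it (the page itself does not spell the rule out, so treat the rule shape as an assumption of this example): a nested remainder ArithMod(ArithMod(x, c1), c2) is replaced by ArithMod(x, c1) when |c1| <= |c2|. The magnitude comparison uses std::abs on int32 constants, and std::abs(INT_MIN) overflows (undefined behaviour in C++; in practice the wrapped result is INT_MIN itself, which is negative and so compares below any other magnitude). The model reproduces the wrapped outcome deterministically, shows the predicate firing when it must not, and shows the effect of the reporter's INT_MIN guard. All function names (wrappingAbs, reductionAppliesUnguarded, reductionAppliesGuarded, jsMod, nestedMod, evaluate) are this example's own.

```cpp
#include <cassert>
#include <climits>
#include <cstdint>
#include <iostream>

// Added example (not JavaScriptCore code). Models the rule
//   ArithMod(ArithMod(x, c1), c2) -> ArithMod(x, c1)   if |c1| <= |c2|
// and why a c1 of INT_MIN breaks it. The rule shape is an assumption
// of this example based on the linked strength-reduction code.

// |v| as a wrapping 32-bit negation produces it: for INT_MIN the result is
// INT_MIN itself (negative), because 2^31 does not fit in an int32. This
// stands in for std::abs(INT_MIN), which is undefined behaviour in C++.
static int32_t wrappingAbs(int32_t v)
{
    if (v == INT_MIN)
        return INT_MIN;
    return v < 0 ? -v : v;
}

// Predicate without a guard: |c1| <= |c2|. For c1 == INT_MIN the wrapped
// magnitude is negative, so the reduction fires for every c2.
bool reductionAppliesUnguarded(int32_t c1, int32_t c2)
{
    return wrappingAbs(c1) <= wrappingAbs(c2);
}

// Predicate with the reporter's proposed guard: never reduce when the inner
// divisor is INT_MIN, since its magnitude is not representable as an int32.
bool reductionAppliesGuarded(int32_t c1, int32_t c2)
{
    if (c1 == INT_MIN)
        return false;
    return wrappingAbs(c1) <= wrappingAbs(c2);
}

// JS-style int32 remainder: result takes the sign of the dividend, and
// INT_MIN % -1 is 0 rather than undefined behaviour as in raw C++.
int32_t jsMod(int32_t a, int32_t b)
{
    assert(b != 0);
    if (b == -1)
        return 0;
    return a % b;
}

// What the unreduced program computes.
int32_t nestedMod(int32_t x, int32_t c1, int32_t c2)
{
    return jsMod(jsMod(x, c1), c2);
}

// Evaluate (x % c1) % c2 through the optimizer model: when the predicate
// says the reduction applies, only x % c1 is computed.
int32_t evaluate(int32_t x, int32_t c1, int32_t c2, bool (*applies)(int32_t, int32_t))
{
    if (applies(c1, c2))
        return jsMod(x, c1);
    return nestedMod(x, c1, c2);
}

int main()
{
    // Legitimate reduction: (13 % 4) % 8 == 13 % 4 == 1.
    std::cout << evaluate(13, 4, 8, reductionAppliesUnguarded) << "\n";
    // Broken reduction: (13 % INT_MIN) % 2 is 1, but the unguarded rule
    // rewrites it to 13 % INT_MIN, which is 13.
    std::cout << evaluate(13, INT_MIN, 2, reductionAppliesUnguarded) << "\n";
    // With the guard the nested remainder is left alone and yields 1.
    std::cout << evaluate(13, INT_MIN, 2, reductionAppliesGuarded) << "\n";
    return 0;
}
```

The wrong result is a plain int32 that later JIT code still bounds-checks before any memory access, which matches the assessment in the thread that this is a correctness bug rather than a memory-safety one.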
Created attachment 439674 [details]
proposed patch.
Created attachment 439675 [details]
proposed patch.
Comment on attachment 439675 [details]
proposed patch.
r=me
Comment on attachment 439675 [details]
proposed patch.
Thanks for the review. Landing now.
Committed r283300 (242325@main): <https://commits.webkit.org/242325@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439675 [details].