Bug 245464 (CVE-2023-23496)
| Summary: | Strength reduction analyzes RegEx.exec incorrectly and generates a hole for the result array | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, mark.lam, mcatanzaro, msaboff, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
EntryHi
```js
// Reporter's testcase. noInline, print and describe are builtins of the
// jsc shell, so this runs under ./jsc rather than a browser or Node.
function write() {
  // The optional group (c) does not participate in this match, so the
  // result should be ["abd", undefined] with index 1 actually present.
  let m = /ab(c)?d/.exec("abd")
  return m
}
noInline(write)
let all = []
// Call enough times for the DFG to tier write() up from the interpreter.
for (let i = 0; i < 300; i++) {
  all.push(write())
}
let a = all[50]   // produced while still interpreted
let b = all[100]  // produced after JIT compilation
print(Object.keys(a), a.length, describe(a))
print(Object.keys(b), b.length, describe(b))
```
With the above script as input to JSC, run JSC with the following parameters:
```sh
./jsc test.js --useConcurrentJIT=0
```
Variable a is the result for interpreter while b is the result for JIT. a.length == b.length, but Object.keys(a) != Object.keys(b).
There is a hole in b. This may be caused by strength reduction in DFG JIT.
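The difference the reporter observes is between an index that was never stored (a hole) and an index that holds an explicit `undefined`; indexed reads return `undefined` for both, so only own-property checks expose it. The following is an added example, not code from the bug report or from WebKit, that runs in any conforming engine (it uses no jsc shell builtins) and shows which operations can tell the two apart; the sample arrays are constructed, and `holey` only imitates the shape of the DFG result described above.

```javascript
// Added example; not from the bug report or from WebKit. It shows how to
// tell an array hole (index never written) from an explicit `undefined`
// entry, which is the difference between the interpreter's and the DFG's
// exec() results in this report. Sample arrays are constructed.

// Indices below `length` that have no own property, i.e. holes.
function findHoles(arr) {
  const holes = [];
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) holes.push(i);
  }
  return holes;
}

// Number of elements Array.prototype.forEach actually visits: it skips
// holes but does visit explicit `undefined`, so code relying on
// forEach/map/filter sees the two arrays differently even though
// indexed reads return `undefined` for both.
function visitedCount(arr) {
  let n = 0;
  arr.forEach(() => { n++; });
  return n;
}

// The checks the report applies to `a` and `b`: same length, same value
// at every index, same own keys. Returned as a diagnostic object so the
// caller can see which check diverged and where the holes are.
function compareResults(a, b) {
  const sameLength = a.length === b.length;
  let sameValues = sameLength;
  for (let i = 0; sameValues && i < a.length; i++) {
    if (a[i] !== b[i]) sameValues = false;
  }
  return {
    sameLength,
    sameValues,
    sameKeys: Object.keys(a).join(",") === Object.keys(b).join(","),
    holesA: findHoles(a),
    holesB: findHoles(b),
  };
}

// Reproduces the shape of the reported discrepancy with constructed data.
// `dense` is what a conforming exec() yields for an unmatched optional
// group: index 1 is present and holds `undefined` (Array.from copies the
// match array element by element, writing every index). `holey` imitates
// the DFG result: length 2, but index 1 was never stored.
function demo() {
  const dense = Array.from(/ab(c)?d/.exec("abd")); // ["abd", undefined]
  const holey = ["abd"];
  holey.length = 2; // grows length without creating property "1"
  return compareResults(dense, holey);
}
```

`demo()` reports `sameLength` and `sameValues` true but `sameKeys` false, with the hole at index 1 of the second array, which is the same signature as the `Object.keys(a) != Object.keys(b)` observation in the report. Note that `Array.from(m)` and spread both write every index, so they turn a holey match array into a dense one; `forEach`, `map` and `in` are the operations that can see the hole.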
Radar WebKit Bug Importer
<rdar://problem/100494428>
Michael Saboff
It appears that capture groups that aren't matched are not added to the results array. Investigating further. The results length is correct, but the undefined entries aren't populated thus the holes. When the calling code accesses the results, the value is the same, "undefined".
Investigating further.
Michael Saboff
Pull request: https://github.com/WebKit/WebKit/pull/5988
Yusuke Suzuki
non security issue.
EWS
Committed 256241@main (b0b694fd099f): <https://commits.webkit.org/256241@main>
Reviewed commits have been landed. Closing PR #5988 and removing active labels.
Michael Catanzaro
(In reply to Yusuke Suzuki from comment #4)
> non security issue.
Well https://support.apple.com/en-us/HT213600 says this is CVE-2023-23496, so... somebody requested a CVE for this.