Bug 278497 (CVE-2024-54479)
| Summary: | [WASM] Check subtyping in both directions for mutable globals and tables | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | David Degazio <d_degazio> |
| Component: | WebAssembly | Assignee: | David Degazio <d_degazio> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | mcatanzaro, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
David Degazio
Per the spec, a mutable global of type a only matches another mutable global of type b if a <= b *and* vice versa. Ditto for tables: two tables' reference types need to be subtypes of each other, not just one way. Currently we only check subtyping in one direction, which means we can break the intended subtyping rules, and for instance import a mutable non-nullable global as nullable and illegally set it to null.
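The matching rule described in the report, as an added example that is not part of the bug report and is not WebKit's code: a simplified C++ model that compares a one-directional check with the bidirectional one for a mutable global and for table element types. All type and function names are hypothetical, and reference types are reduced to a heap type plus a nullability bit.

```cpp
#include <cstdio>

// Simplified model (assumption): a reference type is a heap type plus a
// nullability bit; the heap-type hierarchy is ignored. Names are hypothetical.
enum class Heap { Func, Extern };
enum class Mut { Const, Var };
struct RefType { Heap heap; bool nullable; };
struct GlobalType { Mut mut; RefType type; };

// (ref ht) <= (ref null ht), never the reverse.
bool isSubtype(RefType a, RefType b)
{
    return a.heap == b.heap && (!a.nullable || b.nullable);
}

// One-directional check: the behaviour the report describes as the bug.
bool globalMatchesOneWay(GlobalType provided, GlobalType declared)
{
    return provided.mut == declared.mut && isSubtype(provided.type, declared.type);
}

// Both directions for mutable globals; immutable globals stay covariant.
bool globalMatchesBothWays(GlobalType provided, GlobalType declared)
{
    if (provided.mut != declared.mut || !isSubtype(provided.type, declared.type))
        return false;
    return provided.mut == Mut::Const || isSubtype(declared.type, provided.type);
}

// Table element types must be subtypes of each other (limits are not modelled).
bool tableElemMatches(RefType provided, RefType declared)
{
    return isSubtype(provided, declared) && isSubtype(declared, provided);
}

// Constructed sample: exporter defines (ref func), importer declares (ref null func).
const RefType nonNullFunc { Heap::Func, false };
const RefType nullableFunc { Heap::Func, true };
const GlobalType exportedVar { Mut::Var, nonNullFunc }, importedVar { Mut::Var, nullableFunc };
const GlobalType exportedConst { Mut::Const, nonNullFunc }, importedConst { Mut::Const, nullableFunc };

int main()
{
    std::printf("mutable, one-way check:   %d\n", globalMatchesOneWay(exportedVar, importedVar));
    std::printf("mutable, both directions: %d\n", globalMatchesBothWays(exportedVar, importedVar));
    std::printf("immutable, covariant:     %d\n", globalMatchesBothWays(exportedConst, importedConst));
    std::printf("table element types:      %d\n", tableElemMatches(nonNullFunc, nullableFunc));
    return 0;
}
```

The one-way check accepts the mutable import that the bidirectional check rejects, while the immutable pair is accepted because a read-only view cannot write null back into the exporter's global.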
Radar WebKit Bug Importer
<rdar://problem/134450707>
David Degazio
Pull request: https://github.com/WebKit/WebKit/pull/32557
David Degazio
Pull request: https://github.com/WebKit/WebKit/pull/32562
EWS
Committed 282682@main (f95652711d7e): <https://commits.webkit.org/282682@main>
Reviewed commits have been landed. Closing PR #32562 and removing active labels.