Bug 239758 (CVE-2023-35074) - Fix variable liveness for try catch in DFG
Summary: Fix variable liveness for try catch in DFG
Status: RESOLVED FIXED
Alias: CVE-2023-35074
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Yijia Huang
URL:
Keywords: InRadar
Duplicates: 251411
Depends on:
Blocks:
 
Reported: 2022-04-26 00:16 PDT by zhunkibatu
Modified: 2024-01-02 08:21 PST (History)
CC List: 6 users

See Also:


Attachments
the minimal poc (235 bytes, text/javascript)
2022-04-26 00:16 PDT, zhunkibatu

Description zhunkibatu 2022-04-26 00:16:06 PDT
Created attachment 458335
the minimal poc

The following PoC outputs differently before/after JIT compilation.


function opt() {
	var b = false;
	var c = -b;        // -false is -0; the sign bit is the only thing distinguishing it from +0
	try {
		throw "";      // the throw/catch is what triggers the bad liveness handling in the DFG
	} catch(e) {
	}
	return c;          // c must still be -0 here, whichever tier executes the function
}

let before = opt();
print(1/before);   // -Infinity: the interpreter returns -0

for(var i=0;i<10000;i++){
	opt();             // warm up so the function gets compiled by the optimizing JIT
}

let afterJIT = opt();
print(1/afterJIT); // Infinity: the JIT-compiled version returns +0 (wrong)
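The reporter's PoC relies on 1/x to tell -0 from +0 by eye. The following harness is an added example, not part of the report or of the WebKit fix: it turns the same pattern into a pass/fail regression check that compares the cold (interpreted) result with the result after warm-up using Object.is, which distinguishes -0 from +0 while === does not. The function names (negZeroThroughCatch, checkTierConsistency) and the 10000-iteration warm-up (taken from the PoC) are this example's own choices. On an engine without the bug, such as Node/V8 or JSC at or after 259839@main, it reports consistent results; on a JSC build before that commit it is expected to report the mismatch the PoC shows.

```javascript
// Added example: regression check for the pattern in the bug report above.
// A value computed before a try/catch must survive a caught throw unchanged
// once the function has been compiled by the optimizing tier.

// Same shape as the reporter's opt(): -false yields -0, which then has to be
// kept live across the catch block.
function negZeroThroughCatch() {
    var b = false;
    var c = -b;          // -0
    try {
        throw "";        // caught immediately; c must remain live and intact
    } catch (e) {
    }
    return c;
}

// Run fn once cold, then `iterations` more times so the optimizing JIT picks
// it up, then compare the cold and hot results with Object.is.
// Object.is(-0, +0) is false, whereas -0 === +0 is true, so === would hide
// exactly the discrepancy the bug produces.
function checkTierConsistency(fn, iterations) {
    const cold = fn();
    for (let i = 0; i < iterations; i++) {
        fn();
    }
    const hot = fn();
    return {
        cold: cold,
        hot: hot,
        consistent: Object.is(cold, hot)
    };
}

// Human-readable rendering: Object.is lets us print -0 as "-0" instead of "0".
function describeNumber(x) {
    return Object.is(x, -0) ? "-0" : String(x);
}

// Runs in both the jsc shell (print) and Node (console.log).
function report(result) {
    const out = (typeof print === "function") ? print : console.log;
    out("cold: " + describeNumber(result.cold) +
        ", hot: " + describeNumber(result.hot) +
        ", consistent: " + result.consistent);
    return result.consistent;
}

report(checkTierConsistency(negZeroThroughCatch, 10000));
```

To use it as a stress test, treat `consistent === false` as a failure; the same harness can be pointed at any small function that carries a value across a try/catch, since it makes no assumption about which value is returned.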
Comment 1 Radar WebKit Bug Importer 2022-05-03 00:17:12 PDT
<rdar://problem/92654142>
Comment 2 Yusuke Suzuki 2022-07-15 16:43:46 PDT
Ah, this is caused by 230823.
Backward propagation is running before catch live variable preservation.
Comment 3 Yusuke Suzuki 2022-07-15 16:46:47 PDT
Probably, we should insert catch-live-variable-insertion before backwards propagation.
Comment 4 Yijia Huang 2023-02-03 08:32:25 PST
Pull request: https://github.com/WebKit/WebKit/pull/9496
Comment 5 Yijia Huang 2023-02-03 08:32:51 PST
*** Bug 251411 has been marked as a duplicate of this bug. ***
Comment 6 EWS 2023-02-03 14:36:12 PST
Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main>

Reviewed commits have been landed. Closing PR #9496 and removing active labels.
Comment 7 zhunkibatu 2023-09-30 20:03:08 PDT
According to the acknowledgement, there seems to be a mistake here?

WebKit Bugzilla: 239758
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)
Comment 8 Michael Catanzaro 2023-10-01 06:24:05 PDT
Hm, I wonder if they're supposed to be credited on some *other* CVE instead.

We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"?
Comment 9 zhunkibatu 2023-10-01 09:25:27 PDT
"zhunki", please.
Comment 10 zhunkibatu 2023-12-26 19:49:00 PST
Did you confirm who to acknowledge?
Comment 11 Michael Catanzaro 2023-12-27 05:36:44 PST
Looks like I missed this. I'll notify Apple Product Security after the holidays.
Comment 12 Michael Catanzaro 2024-01-02 08:21:53 PST
(In reply to Michael Catanzaro from comment #11)
> Looks like I missed this. I'll notify Apple Product Security after the
> holidays.

Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716.

They did respond to a similar request in another CVE, so my guess is they've lost track of this one.