RESOLVED FIXED 239758
CVE-2023-35074 Fix variable liveness for try catch in DFG
https://bugs.webkit.org/show_bug.cgi?id=239758
Summary Fix variable liveness for try catch in DFG
zhunkibatu
Reported 2022-04-26 00:16:06 PDT
Created attachment 458335 [details] the minimal poc

The following PoC outputs differently before/after JIT compilation.

    function opt() {
        var b = false;
        var c = -b;          // -false evaluates to -0
        try {
            throw "";
        } catch(e) {
        }
        return c;
    }

    let before = opt();
    print(1/before);         // -Infinity
    for (var i = 0; i < 10000; i++) {
        opt();
    }
    let afterJIT = opt();
    print(1/afterJIT);       // Infinity
Attachments
the minimal poc (235 bytes, text/javascript)
2022-04-26 00:16 PDT, zhunkibatu
no flags
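As an added example (not part of the bug report above), the PoC's before/after pattern can be turned into a small differential check that runs a function cold, warms it up so the JIT tiers kick in, and compares the two results with Object.is rather than ===. That matters here because the divergence the reporter found is the sign of zero (-false is -0, which 1/x exposes as -Infinity versus Infinity), and === treats -0 and +0 as equal. The checkJitConsistency and describeZero names and the 10000-iteration warm-up count are assumptions for the example; on an engine with the fix applied the check reports consistent results.

```javascript
// Added example, not from the bug report: a differential harness that compares
// a function's result before and after JIT warm-up. Object.is is used so that
// a -0 / +0 mismatch (the divergence in this bug) is detected.

// The reporter's minimal case: -false is -0, and the try/catch after it is
// what triggered the liveness problem in the DFG.
function opt() {
  var b = false;
  var c = -b;            // -0
  try {
    throw "";
  } catch (e) {
  }
  return c;
}

// Run fn once cold, then warmupIterations times so the engine tiers it up,
// then once more; report both results and whether they are identical.
function checkJitConsistency(fn, warmupIterations) {
  const before = fn();
  for (let i = 0; i < warmupIterations; i++) {
    fn();
  }
  const after = fn();
  return {
    before: before,
    after: after,
    consistent: Object.is(before, after),
  };
}

// Render a value so that -0 is visible (String(-0) is "0").
function describeZero(x) {
  return Object.is(x, -0) ? "-0" : String(x);
}

// Usage (constructed run, warm-up count is an assumption):
const result = checkJitConsistency(opt, 10000);
console.log(
  "before:", describeZero(result.before),
  "after:", describeZero(result.after),
  "consistent:", result.consistent
);
```

The 1/x trick in the original PoC and the Object.is comparison here reveal the same thing; Object.is just makes the sign-of-zero comparison explicit instead of relying on division to amplify it.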
Radar WebKit Bug Importer
Comment 1 2022-05-03 00:17:12 PDT
Yusuke Suzuki
Comment 2 2022-07-15 16:43:46 PDT
Ah, this is caused by 230823. Backward propagation is running before catch live variable preservation.
Yusuke Suzuki
Comment 3 2022-07-15 16:46:47 PDT
Probably, we should insert catch-live-variable-insertion before backwards propagation.
Yijia Huang
Comment 4 2023-02-03 08:32:25 PST
Yijia Huang
Comment 5 2023-02-03 08:32:51 PST
*** Bug 251411 has been marked as a duplicate of this bug. ***
EWS
Comment 6 2023-02-03 14:36:12 PST
Committed 259839@main (5e1033a7cd03): <https://commits.webkit.org/259839@main> Reviewed commits have been landed. Closing PR #9496 and removing active labels.
zhunkibatu
Comment 7 2023-09-30 20:03:08 PDT
According to the acknowledgement, there seems to be a mistake here? WebKit Bugzilla: 239758 CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)
Michael Catanzaro
Comment 8 2023-10-01 06:24:05 PDT
Hm, I wonder if they're supposed to be credited on some *other* CVE instead. We can ask for this to be fixed. Who should this one be attributed to? "zhunkibatu"?
zhunkibatu
Comment 9 2023-10-01 09:25:27 PDT
"zhunki", please.
zhunkibatu
Comment 10 2023-12-26 19:49:00 PST
Did you confirm who to acknowledge?
Michael Catanzaro
Comment 11 2023-12-27 05:36:44 PST
Looks like I missed this. I'll notify Apple Product Security after the holidays.
Michael Catanzaro
Comment 12 2024-01-02 08:21:53 PST
(In reply to Michael Catanzaro from comment #11)
> Looks like I missed this. I'll notify Apple Product Security after the holidays.

Actually I contacted Apple Product Security on October 1, but haven't received a response yet. The ticket number is OE092404867716. They did respond to a similar request in another CVE, so my guess is they've lost track of this one.