RESOLVED FIXED 245464
CVE-2023-23496 Strength reduction analyzes RegEx.exec incorrectly and generate a hole for the result array
https://bugs.webkit.org/show_bug.cgi?id=245464
EntryHi
Reported 2022-09-21 00:01:07 PDT
    function write() {
      // The optional group (c) does not match "abd", so index 1 of the
      // result should hold an explicit undefined.
      let m = /ab(c)?d/.exec("abd");
      return m;
    }
    noInline(write); // JSC shell helper: keep write() as its own function so it gets JIT-compiled
    let all = [];
    for (let i = 0; i < 300; i++) {
      all.push(write());
    }
    let a = all[50];  // early call: interpreter result (per the report below)
    let b = all[100]; // later call: JIT result (per the report below)
    print(Object.keys(a), a.length, describe(a)); // print() and describe() are JSC shell helpers
    print(Object.keys(b), b.length, describe(b));

With the above script as input to JSC, run JSC with the following parameters:

    ./jsc test.js --useConcurrentJIT=0

Variable a is the result for the interpreter while b is the result for the JIT. a.length == b.length, but Object.keys(a) != Object.keys(b). There is a hole in b. This may be caused by strength reduction in DFG JIT.
Radar WebKit Bug Importer
Comment 1 2022-09-28 00:02:16 PDT
Michael Saboff
Comment 2 2022-10-31 16:13:53 PDT
It appears that capture groups that aren't matched are not added to the results array. Investigating further. The results length is correct, but the undefined entries aren't populated, hence the holes. When the calling code accesses the results, the value is the same, "undefined". Investigating further.
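As an added illustration (not code from the bug report or from WebKit) of the distinction comment 2 draws, the script below builds, inline, a stand-in for the buggy result (same length, but a hole where the unmatched group's undefined should be) next to the spec-conforming exec result, and lists the operations that expose the hole even though reading the slot gives undefined in both cases. The holey array is constructed by hand; it runs under any spec-conforming engine such as Node.

```javascript
// Reference: what a spec-conforming engine returns for the reporter's regex.
function specResult() {
  return /ab(c)?d/.exec("abd"); // ["abd", undefined]; index 1 is an own property
}

// Constructed stand-in for the buggy JIT result: the unmatched group's
// slot was never written, so index 1 is a hole, not an undefined value.
function holeyResult() {
  const m = ["abd"];
  m.length = 2;
  return m;
}

// Indices below `length` that are not own properties, i.e. holes.
function findHoles(arr) {
  const holes = [];
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) holes.push(i);
  }
  return holes;
}

// Observable differences between a hole and an explicit undefined.
function observe(arr) {
  let visited = 0;
  arr.forEach(() => visited++); // forEach skips holes
  return {
    length: arr.length,
    hasKey1: Object.keys(arr).includes("1"),   // holes produce no key
    holes: findHoles(arr),
    indexOfUndefined: arr.indexOf(undefined),   // -1 when the slot is a hole
    includesUndefined: arr.includes(undefined), // true in both cases
    visited,
  };
}

// Regression check: a RegExp.exec result must never contain holes.
function isWellFormedExecResult(arr) {
  return Array.isArray(arr) && findHoles(arr).length === 0;
}
```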
Michael Saboff
Comment 3 2022-10-31 17:36:42 PDT
Yusuke Suzuki
Comment 4 2022-10-31 18:43:03 PDT
Non-security issue.
EWS
Comment 5 2022-11-02 13:38:45 PDT
Committed 256241@main (b0b694fd099f): <https://commits.webkit.org/256241@main> Reviewed commits have been landed. Closing PR #5988 and removing active labels.
Michael Catanzaro
Comment 6 2023-01-30 11:04:02 PST
(In reply to Yusuke Suzuki from comment #4)
> non security issue.

Well https://support.apple.com/en-us/HT213600 says this is CVE-2023-23496, so... somebody requested a CVE for this.