278497 – (CVE-2024-54479) [WASM] Check subtyping in both directions for mutable globals and tables

RESOLVED FIXED278497

CVE-2024-54479 [WASM] Check subtyping in both directions for mutable globals and tables

https://bugs.webkit.org/show_bug.cgi?id=278497

Summary [WASM] Check subtyping in both directions for mutable globals and tables

David Degazio

Reported 2024-08-21 15:40:51 PDT

Per the spec, a mutable global of type a only matches another mutable global of type b if a <= b *and* vice versa. Ditto for tables, two tables' reference types need to be subtypes of each other, not just one way. Currently we only check subtyping in one direction, which means we can break the intended subtyping rules, and for instance import a mutable non-nullable global as nullable and illegally set it to null.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2024-08-21 15:41:02 PDT

<rdar://problem/134450707>

David Degazio

Comment 2 2024-08-21 15:50:26 PDT

Pull request: https://github.com/WebKit/WebKit/pull/32557

David Degazio

Comment 3 2024-08-21 16:16:34 PDT

Pull request: https://github.com/WebKit/WebKit/pull/32562

EWS

Comment 4 2024-08-23 16:48:40 PDT

Committed 282682@main (f95652711d7e): <https://commits.webkit.org/282682@main> Reviewed commits have been landed. Closing PR #32562 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebAssembly

Assignee

David Degazio

Reported

2024-08-21 15:40 PDT

Modified

2024-12-11 16:43 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks