fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409

2023-05-29 09:16:09 +00:00 · 2023-05-29 09:16:09 +00:00 · 47818e499a
commit 47818e499a
parent 7110193e70
4 changed files with 178 additions and 1 deletions
--- a/backport-CVE-2023-28204.patch
+++ b/backport-CVE-2023-28204.patch
@ -0,0 +1,102 @@
+From e34edaa74575ee13efcebdb7672b949a743ab32a Mon Sep 17 00:00:00 2001
+From: Michael Saboff <msaboff@apple.com>
+Date: Mon, 3 Apr 2023 20:25:08 -0700
+Subject: [PATCH] [JSC] RegExpGlobalData::performMatch issue leading to OOB
+ read https://bugs.webkit.org/show_bug.cgi?id=254930 rdar://107436732
+
+Reviewed by Alexey Shvayka.
+
+Fixed two issues:
+1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
+   characters.  Since it is an assertion, we shouldn't advance the character position.
+   Made the same fix to matchAssertionEOL().
+2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
+   a non-BMP character for the case where the RegExp match is empty.
+
+* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
+* Source/JavaScriptCore/runtime/StringPrototype.cpp:
+(JSC::replaceUsingRegExpSearch):
+* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
+(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
+(JSC::Yarr::Interpreter::matchAssertionBOL):
+(JSC::Yarr::Interpreter::matchAssertionEOL):
+
+Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
+---
+ .../runtime/StringPrototype.cpp               | 10 ++++++++++
+ .../JavaScriptCore/yarr/YarrInterpreter.cpp   | 19 +++++++++++++++++--
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
+index 08104b1d..459295f7 100644
+--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
+@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
+                 startPosition++;
+                 if (startPosition > sourceLen)
+                     break;
+                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+                    startPosition++;
+                    if (startPosition > sourceLen)
+                        break;
+                }
+             }
+         }
+     } else {
+@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
+                 startPosition++;
+                 if (startPosition > sourceLen)
+                     break;
+                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+                    startPosition++;
+                    if (startPosition > sourceLen)
+                        break;
+                }
+             }
+         } while (global);
+     }
+diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+index 95a848a1..d222e620 100644
+--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+@@ -209,6 +209,21 @@ public:
+             }
+             return result;
+         }
+
+	int readCheckedDontAdvance(unsigned negativePositionOffest)
+        {
+            RELEASE_ASSERT(pos >= negativePositionOffest);
+            unsigned p = pos - negativePositionOffest;
+            ASSERT(p < length);
+            int result = input[p];
+            if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+                if (atEnd())
+                    return -1;
+
+                result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+            }
+            return result;
+        }
+         
+         int readSurrogatePairChecked(unsigned negativePositionOffset)
+         {
+@@ -482,13 +497,13 @@ public:
+ 
+     bool matchAssertionBOL(ByteTerm& term)
+     {
+-        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
+     }
+ 
+     bool matchAssertionEOL(ByteTerm& term)
+     {
+         if (term.inputPosition)
+-            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
+ 
+         return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
+     }
+-- 
+2.33.0
+
--- a/backport-CVE-2023-32373.patch
+++ b/backport-CVE-2023-32373.patch
@ -0,0 +1,36 @@
+From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
+From: Antoine Quint <graouts@webkit.org>
+Date: Mon, 22 May 2023 13:37:32 -0700
+Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
+ https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
+
+Reviewed by Dean Jackson and Darin Adler.
+
+Ensure that the animation's effect and target are kept alive for the duration of this method
+since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
+these two pointers could be changed to a null value using the Web Animations API.
+
+* Source/WebCore/animation/WebAnimation.cpp:
+(WebCore::WebAnimation::commitStyles):
+
+Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
+Canonical link: https://commits.webkit.org/264363@main
+---
+ Source/WebCore/animation/WebAnimation.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
+index 68ea47985807..ae20c79c36cf 100644
+--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
+@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
+     // https://drafts.csswg.org/web-animations-1/#commit-computed-styles
+ 
+     // 1. Let targets be the set of all effect targets for animation effects associated with animation.
+-    auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+-    auto* target = effect ? effect->target() : nullptr;
+    RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+    RefPtr target = effect ? effect->target() : nullptr;
+ 
+     // 2. For each target in targets:
+     //
--- a/backport-CVE-2023-32409.patch
+++ b/backport-CVE-2023-32409.patch
@ -0,0 +1,32 @@
+From 54408f5746f2401721bd56d71de132a22b6f9856 Mon Sep 17 00:00:00 2001
+From: Mike Wyrzykowski <mwyrzykowski@apple.com>
+Date: Wed, 12 Apr 2023 17:30:56 -0700
+Subject: [PATCH] [WebGPU] RemoteBuffer unmap should check the input vector
+ https://bugs.webkit.org/show_bug.cgi?id=255350 <rdar://107947502>
+
+Reviewed by Myles C. Maxfield.
+
+Ensure data vector passed to unmap is valid for the currently
+mapped buffer.
+
+* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp:
+(WebKit::RemoteBuffer::unmap):
+
+Canonical link: https://commits.webkit.org/262895@main
+---
+ Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+index f533f5c30c32b..ec12ea2ac171b 100644
+--- a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+++ b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+@@ -79,7 +79,7 @@ void RemoteBuffer::getMappedRange(PAL::WebGPU::Size64 offset, std::optional<PAL:
+ 
+ void RemoteBuffer::unmap(Vector<uint8_t>&& data)
+ {
+-    if (!m_mappedRange)
+    if (!m_mappedRange || m_mappedRange->byteLength < data.size())
+         return;
+     ASSERT(m_isMapped);
+
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@ -14,7 +14,7 @@

 Name:           webkit2gtk3
 Version:        2.38.2
-Release:        3
+Release:        4
 Summary:        GTK web content engine library
 License:        LGPLv2
 URL:            https://www.webkitgtk.org/
@ -28,6 +28,10 @@ Patch0001:      0001-webkitgtk-add-loongarch.patch
 Patch0002:      webkitgtk-2.32.1-sw.patch
 %endif

+Patch6000:      backport-CVE-2023-28204.patch
+Patch6001:      backport-CVE-2023-32373.patch
+Patch6002:      backport-CVE-2023-32409.patch
+
 #Dependency
 BuildRequires:  bison
 BuildRequires:  bubblewrap
@ -563,6 +567,9 @@ popd
 %endif

 %changelog
+* Mon May 29 2023 zhangpan <zhangpan103@h-partners.com> - 2.38.2-4
+- fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409
+
 * Fri Mar 17 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-3
 - strip binary files