* [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691
@ 2023-06-09 14:09 Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699 Yogita Urade
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

A memory consumption issue was addressed with improved memory handling.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing
maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46691
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-46691.patch     | 43 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 0000000000..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang <hyjorc1@gmail.com>
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+
+Reviewed by Yusuke Suzuki.
+
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+
+Canonical link: https://commits.webkit.org/255368@main
+
+CVE: CVE-2022-46691
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+     case ValueBitRShift:
+         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
+         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
++            read(World);
++            write(SideState);
+             def(PureValue(node));
+             return;
+         }
+--
+2.40.0
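Review bot: The ChangeLog lines in this patch header list both DFGClobberize.cpp (JSC::DFG::doesWrites) and DFGClobberize.h, but the diffstat and the single code hunk that follow touch only DFGClobberize.h (2 insertions); if the .cpp part of upstream fd57a49d was intentionally left out for 2.36.8, say so in the header so the next rebase does not go looking for a missing hunk. The surviving hunk is the one that matters: for the BigInt use kinds it now emits `read(World)` and `write(SideState)` ahead of `def(PureValue(node))`, which is what stops the DFG from treating a two-BigInt binary op as side-effect free and hoisting it out of a loop, as the header describes. Minor style point: OE convention keeps the backport URL on the same line as `Upstream-Status: Backport` rather than on a bracketed line below it.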
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..02258f84e4 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
            file://CVE-2022-32888.patch \
            file://CVE-2022-32923.patch \
+           file://CVE-2022-46691.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0




* [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699
  2023-06-09 14:09 [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691 Yogita Urade
@ 2023-06-09 14:09 ` Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867 Yogita Urade
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

A memory corruption issue was addressed with improved state management.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web
content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46699
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-46699.patch     | 136 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
new file mode 100644
index 0000000000..0752b9c0e2
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch
@@ -0,0 +1,136 @@
+From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001
+From: Justin Michaud <justin_michaud@apple.com>
+Date: Wed, 9 Nov 2022 19:20:41 -0800
+Subject: [PATCH] Error() ICs should not cache special properties.
+ https://bugs.webkit.org/show_bug.cgi?id=247699
+
+Reviewed by Yusuke Suzuki.
+
+HasOwnProperty/DeleteProperty are not always cacheable for special Error()
+properties like column. These special properties are materialized on-demand
+in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
+by Error.stackTraceLimit without causing a structure transition or firing watchpoints.
+
+That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic
+for a given structure if we are using one of these properties.
+
+* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
+(JSC::ErrorInstance::deleteProperty):
+* Source/JavaScriptCore/runtime/ErrorInstance.h:
+
+Canonical link: https://commits.webkit.org/256519@main
+
+CVE: CVE-2022-46699
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ JSTests/stress/delete-cache-error.js          | 19 ++++++++++++++++++
+ .../get-own-property-slot-cache-error.js      |  6 ++++++
+ JSTests/stress/get-property-cache-error.js    | 20 +++++++++++++++++++
+ .../JavaScriptCore/runtime/ErrorInstance.cpp  |  4 +++-
+ Source/JavaScriptCore/runtime/ErrorInstance.h |  3 ++-
+ 5 files changed, 50 insertions(+), 2 deletions(-)
+ create mode 100644 JSTests/stress/delete-cache-error.js
+ create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js
+ create mode 100644 JSTests/stress/get-property-cache-error.js
+
+diff --git a/JSTests/stress/delete-cache-error.js b/JSTests/stress/delete-cache-error.js
+new file mode 100644
+index 000000000000..d77c09185a13
+--- /dev/null
++++ b/JSTests/stress/delete-cache-error.js
+@@ -0,0 +1,19 @@
++delete Error.stackTraceLimit
++
++// sourceURL is not materialized
++function cacheColumn(o) {
++    delete o.sourceURL
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 200; ++i) {
++    let e = Error()
++    cacheColumn(e)
++    if (e.sourceURL !== undefined)
++        throw "Test failed on iteration " + i + " " + e.sourceURL
++
++    if (i == 197) {
++        // now it is
++        Error.stackTraceLimit = 10
++    }
++}
+\ No newline at end of file
+diff --git a/JSTests/stress/get-own-property-slot-cache-error.js b/JSTests/stress/get-own-property-slot-cache-error.js
+new file mode 100644
+index 000000000000..f8202213bf79
+--- /dev/null
++++ b/JSTests/stress/get-own-property-slot-cache-error.js
+@@ -0,0 +1,6 @@
++delete Error.stackTraceLimit
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
++Object.hasOwn(Error(), "column")
++Error.stackTraceLimit = 10
++// Now it does
++Object.hasOwn(Error(), "column")
+\ No newline at end of file
+diff --git a/JSTests/stress/get-property-cache-error.js b/JSTests/stress/get-property-cache-error.js
+new file mode 100644
+index 000000000000..b35272ea6fe2
+--- /dev/null
++++ b/JSTests/stress/get-property-cache-error.js
+@@ -0,0 +1,20 @@
++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null.
++delete Error.stackTraceLimit
++expected = undefined
++
++function cacheColumn(o) {
++    return o.column
++}
++noInline(cacheColumn)
++
++for (let i = 0; i < 1000; ++i) {
++    let val = cacheColumn(Error())
++    if (val !== expected)
++        throw "Test failed on iteration " + i + ": " + val
++
++    if (i == 900) {
++        // now it does
++        Error.stackTraceLimit = 10
++        expected = 32
++    }
++}
+\ No newline at end of file
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+index ddf96869e84a..8e5373257d34 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
++++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P
+ {
+     VM& vm = globalObject->vm();
+     ErrorInstance* thisObject = jsCast<ErrorInstance*>(cell);
+-    thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
++    bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName);
++    if (materializedProperties)
++        slot.disableCaching();
+     return Base::deleteProperty(thisObject, globalObject, propertyName, slot);
+ }
+
+diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h
+index 28807b4ea33e..2afb153a7442 100644
+--- a/Source/JavaScriptCore/runtime/ErrorInstance.h
++++ b/Source/JavaScriptCore/runtime/ErrorInstance.h
+@@ -30,7 +30,8 @@ namespace JSC {
+ class ErrorInstance : public JSNonFinalObject {
+ public:
+     using Base = JSNonFinalObject;
+-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
++
++    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut | GetOwnPropertySlotIsImpureForPropertyAbsence;
+     static constexpr bool needsDestruction = true;
+
+     static void destroy(JSCell* cell)
+--
+2.40.0
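Review bot: The ErrorInstance.cpp hunk now consumes the return value of `materializeErrorInfoIfNeeded(vm, propertyName)` as a `bool` and calls `slot.disableCaching()` when properties were materialized; please confirm that the 2.36.8 copy of that function already returns bool rather than void, because this hunk carries upstream index hashes (ddf96869e84a..8e5373257d34) rather than ones regenerated against 2.36.8, and a signature mismatch would only surface at compile time. In the ErrorInstance.h hunk the extra `+` blank line inserted before the new `StructureFlags` definition is not part of the logical change (adding `GetOwnPropertySlotIsImpureForPropertyAbsence`); dropping it keeps the backport closer to upstream. The three JSTests/stress files are not built by this recipe, so keeping them is harmless but adds about 45 lines to the patch; either choice is acceptable, just apply it consistently across the series.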
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 02258f84e4..8f6514a82b 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-32888.patch \
            file://CVE-2022-32923.patch \
            file://CVE-2022-46691.patch \
+           file://CVE-2022-46699.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0




* [oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867
  2023-06-09 14:09 [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691 Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699 Yogita Urade
@ 2023-06-09 14:09 ` Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856 Yogita Urade
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

A use after free issue was addressed with improved memory management.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web
content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-42867
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-42867.patch     | 104 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 0000000000..bf06809051
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
+From: Yogita Urade <yogita.urade@windriver.com>
+Date: Wed, 7 Jun 2023 08:15:11 +0000
+Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
+ should take pointer arguments  like other similar functions
+ https://bugs.webkit.org/show_bug.cgi?id=247317  rdar://100273147
+
+Reviewed by Alan Baradlay.
+
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+
+Canonical link: https://commits.webkit.org/256215@main
+
+CVE: CVE-2022-42867
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++--------
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..931686b8 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
++++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+     return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
++void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
+ {
+     auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
+         if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+     };
+
+     auto isRegisteredWithNewFillImages = [&]() -> bool {
+-        for (auto* layer = &newLayers; layer; layer = layer->next()) {
++        for (auto* layer = newLayers; layer; layer = layer->next()) {
+             if (layer->image() && !layer->image()->hasClient(*this))
+                 return false;
+         }
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+
+     // If images have the same characteristics and this element is already registered as a
+     // client to the new images, there is nothing to do.
+-    if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
++    if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
+         return;
+
+     // Add before removing, to avoid removing all clients of an image that is in both sets.
+-    for (auto* layer = &newLayers; layer; layer = layer->next()) {
++    for (auto* layer = newLayers; layer; layer = layer->next()) {
+         if (layer->image())
+             layer->image()->addClient(*this);
+     }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
+
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+ {
+-    updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
+-    updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
+-    updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
+-    updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
+-    updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
++    auto registerImages = [this](auto* style, auto* oldStyle) {
++        if (!style && !oldStyle)
++            return;
++        updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
++        updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
++        updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
++        updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
++        updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
++    };
++
++    registerImages(&style(), oldStyle);
++
++    // Are there other pseudo-elements that need the resources to be registered?
++    registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
+
+     SVGRenderSupport::styleChanged(*this, oldStyle);
+
+diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
+index f376cecb..d6ba2cdf 100644
+--- a/Source/WebCore/rendering/RenderElement.h
++++ b/Source/WebCore/rendering/RenderElement.h
+@@ -349,7 +349,7 @@ private:
+     bool shouldRepaintForStyleDifference(StyleDifference) const;
+     bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
+
+-    void updateFillImages(const FillLayer*, const FillLayer&);
++    void updateFillImages(const FillLayer*, const FillLayer*);
+     void updateImage(StyleImage*, StyleImage*);
+     void updateShapeImage(const ShapeValue*, const ShapeValue*);
+
+--
+2.35.5
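Review bot: The patch header in this hunk does not preserve upstream authorship: `From:` names the backporter rather than the upstream author, the leading `From f67a8821...` line is a local commit id that does not match the commit named in `Upstream-Status: Backport [...091a04e55c801ac6ba13f4b328fbee2eece853fc]`, and the Subject still carries the `[oe-core][kirkstone][PATCH 1/1]` prefix. The short 8-character index hashes (da43bf3d..931686b8, f376cecb..d6ba2cdf) show the hunks were regenerated against the 2.36.8 tree, so this is a rebased backport; keep the upstream author and subject, drop the oe-core prefix, and state in the header that it was rebased so the patch can be traced back to the upstream commit. It would also help to add one sentence on how the change closes the use-after-free named in the cover text: as far as the hunks show, `updateFillImages` now takes both layer lists by pointer and `styleDidChange` registers images through the `registerImages` lambda for both the main style and the cached `PseudoId::FirstLine` style, but the header does not say why that matters.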
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 8f6514a82b..062f209932 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-32923.patch \
            file://CVE-2022-46691.patch \
            file://CVE-2022-46699.patch \
+           file://CVE-2022-42867.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0




* [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856
  2023-06-09 14:09 [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691 Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699 Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867 Yogita Urade
@ 2023-06-09 14:09 ` Yogita Urade
  2023-06-09 15:54   ` Steve Sakoman
       [not found]   ` <176708A1B2B246B6.28667@lists.openembedded.org>
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518 Yogita Urade
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700 Yogita Urade
  4 siblings, 2 replies; 10+ messages in thread
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

A type confusion issue was addressed with improved state handling.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
crafted web content may lead to arbitrary code execution. Apple is
aware of a report that this issue may have been actively exploited
against versions of iOS released before iOS 15.1.

References:
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-42856.patch     | 110 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
new file mode 100644
index 0000000000..97d58c955a
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
@@ -0,0 +1,110 @@
+From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
+From: Mark Lam <mark.lam@apple.com>
+Date: Wed, 23 Nov 2022 13:48:49 -0800
+Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
+ incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
+ <rdar://problem/102531234>
+
+Reviewed by Justin Michaud.
+
+speculateRealNumber does a doubleEqual compare, which filters out double values which
+are not NaN.  NaN values will fall through to the `intCase` block.  In the `intCase` block,
+the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
+
+Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
+SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
+SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, the filtering
+of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
+a proven type of
+
+    { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
+
+which yields
+
+    { SpecInt32Only }.
+
+As a result, the compiler will think that that isNotIn32() check will always fail.  This
+is not correct if the actual incoming value for that edge is actually a PureNaN.  In this
+case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
+the isNotInt32() check will always fail and elide the check altogether.
+
+In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal.  We also
+rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
+
+* JSTests/stress/speculate-real-number-in-object-is.js: Added.
+(test.object_is_opt):
+(test):
+* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
+
+CVE: CVE-2022-42856
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../speculate-real-number-in-object-is.js     | 22 +++++++++++++++++++
+ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
+
+diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js
+new file mode 100644
+index 000000000000..0b10799954da
+--- /dev/null
++++ b/JSTests/stress/speculate-real-number-in-object-is.js
+@@ -0,0 +1,22 @@
++function test() {
++    function object_is_opt(value) {
++        const tmp = {p0: value};
++
++        if (Object.is(value, NaN))
++            return 0;
++
++        return value;
++    }
++
++    object_is_opt(NaN);
++
++    for (let i = 0; i < 0x20000; i++)
++        object_is_opt(1.1);
++
++    return isNaN(object_is_opt(NaN));
++}
++
++resultIsNaN = test();
++if (resultIsNaN)
++    throw "FAILED";
++
+diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+index 8621b554d578..588298eba350 100644
+--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
+         LValue value = lowJSValue(edge, ManualOperandSpeculation);
+         LValue doubleValue = unboxDouble(value);
+
+-        LBasicBlock intCase = m_out.newBlock();
++        LBasicBlock intOrNaNCase = m_out.newBlock();
+         LBasicBlock continuation = m_out.newBlock();
+
+         m_out.branch(
+             m_out.doubleEqual(doubleValue, doubleValue),
+-            usually(continuation), rarely(intCase));
++            usually(continuation), rarely(intOrNaNCase));
+
+-        LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
++        LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
+
+         typeCheck(
+             jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
+-            isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
++            isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
+         m_out.jump(continuation);
+
+         m_out.appendTo(continuation, lastNext);
+--
+2.35.5
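Review bot: The FTLLowerDFGToB3.cpp hunk is taken verbatim from upstream (12-character index hashes 8621b554d578..588298eba350 and a `@@ -20285` offset from a far newer tree); confirm it applied to 2.36.8 without fuzz or offset warnings, or regenerate it against the 2.36.8 source so the context lines match. The change itself is the one-token fix the header describes: the mask passed to `isNotInt32` becomes `~SpecDoubleReal` instead of `~SpecFullDouble`, so a proven type that still contains `SpecDoublePureNaN` is no longer reduced to `{ SpecInt32Only }` and the type check on the NaN path is kept instead of elided; the `intCase` to `intOrNaNCase` rename is cosmetic. Style nit: the new JSTests file ends with an extra blank `+` line after `throw "FAILED";`.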
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 062f209932..cf1b8b2cc0 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-46691.patch \
            file://CVE-2022-46699.patch \
            file://CVE-2022-42867.patch \
+           file://CVE-2022-42856.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0




* [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518
  2023-06-09 14:09 [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691 Yogita Urade
                   ` (2 preceding siblings ...)
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856 Yogita Urade
@ 2023-06-09 14:09 ` Yogita Urade
  2023-06-19 14:03   ` Steve Sakoman
  2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700 Yogita Urade
  4 siblings, 1 reply; 10+ messages in thread
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

The issue was addressed with improved memory handling.
This issue is fixed in macOS Ventura 13.2, macOS Monterey
12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../CVE-2023-23517-CVE-2023-23518.patch       | 131 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 132 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 0000000000..721f045e0d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet <youennf@gmail.com>
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../fetch/fetch-stream-source-expected.txt    |  3 +++
+ .../http/wpt/fetch/fetch-stream-source.html   | 24 +++++++++++++++++++
+ .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
+ .../Modules/streams/ReadableStreamSource.idl  |  8 +++----
+ .../js/JSDOMOperationReturningPromise.h       |  4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index 000000000000..856ea8180ca2
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index 000000000000..fbebfa5e524f
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++<!doctype html>
++<html>
++  <head>
++    <meta charset="utf-8">
++    <title>Fetch and source</title>
++    <script src="/resources/testharness.js"></script>
++    <script src="/resources/testharnessreport.js"></script>
++  </head>
++  <body>
++    <script>
++promise_test(async () => {
++    let counter = 0;
++    Object.prototype.__defineGetter__("type", function() {
++        counter++;
++    });
++
++    const response = await fetch('/');
++    const fetchReadableStream = response.body;
++    const [r1, r2] = fetchReadableStream.tee();
++    assert_equals(counter, 0);
++}, "Only JS streams should check type");
++    </script>
++  </body>
++</html>
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
++++ b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, strategy)
+
+     // FIXME: We should introduce https://streams.spec.whatwg.org/#create-readable-stream.
+     // For now, we emulate this with underlyingSource with private properties.
+-    if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
++    if (underlyingSource.@pull !== @undefined) {
+         const size = @getByIdDirectPrivate(strategy, "size");
+         const highWaterMark = @getByIdDirectPrivate(strategy, "highWaterMark");
+-        @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), @getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, "cancel"));
++        @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, underlyingSource.@start, underlyingSource.@pull, underlyingSource.@cancel);
+         return this;
+     }
+
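Review bot: the FIXME comment two lines above the change still says the source is emulated "with private properties", but `underlyingSource.@pull` is a private-named lookup that walks the prototype chain, unlike `@getByIdDirectPrivate`, which reads own properties only; that prototype walk is exactly what lets the `[PrivateIdentifier]` IDL methods be found, so update the comment to say the methods now live on the source's prototype, otherwise the next reader may "fix" this back to a direct lookup and reintroduce the miss.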
+diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+index cce9ea37ce80..ae7f1403b8ac 100644
+--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl
++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+@@ -30,10 +30,10 @@
+     LegacyNoInterfaceObject,
+     SkipVTableValidation
+ ] interface ReadableStreamSource {
+-    [Custom] Promise<undefined> start(ReadableStreamDefaultController controller);
+-    [Custom] Promise<undefined> pull(ReadableStreamDefaultController controller);
+-    undefined cancel(any reason);
++    [Custom, PrivateIdentifier] Promise<undefined> start(ReadableStreamDefaultController controller);
++    [Custom, PrivateIdentifier] Promise<undefined> pull(ReadableStreamDefaultController controller);
++    [PrivateIdentifier] undefined cancel(any reason);
+
+     // Place holder to keep the controller linked to the source.
+-    [CachedAttribute, CustomGetter] readonly attribute any controller;
++    [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any controller;
+ };
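Review bot: marking start/pull/cancel/controller `PrivateIdentifier` with no `PublicIdentifier` removes them from script-visible prototypes, which is the point of the fix, but start and pull remain `[Custom]` and the diffstat lists only five files, none of them a custom binding implementation; confirm that the 2.36.8 code generator emits private-name wrappers that still dispatch to the existing custom bodies, since a silent mismatch there would leave the internal source without a working pull.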
+diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+index c4d1513ad5c4..1dda9d3834f7 100644
+--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+@@ -43,8 +43,10 @@ public:
+             if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) {
+                 if (UNLIKELY(!thisObject))
+                     return rejectPromiseWithThisTypeError(promise.get(), JSClass::info()->className, operationName);
+-            } else
++            } else {
++                UNUSED_PARAM(operationName);
+                 ASSERT(thisObject);
++            }
+
+             ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info());
+
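Review bot: the only change here is `UNUSED_PARAM(operationName);` in the constexpr `else` branch, which silences an unused-parameter warning now that the `Assert` path never formats a this-type error message; it is behaviour-neutral, so a one-line mention in the patch description would spare a backporter from searching this header for a security-relevant change.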
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index cf1b8b2cc0..69663c1cb7 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-46699.patch \
            file://CVE-2022-42867.patch \
            file://CVE-2022-42856.patch \
+           file://CVE-2023-23517-CVE-2023-23518.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
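Review bot: the context line `file://CVE-2022-42856.patch` ties this hunk to patch 4/6 of the series; 4/6 is reported further down the thread as failing at do_patch, so a maintainer who drops it will see this recipe hunk fail to apply as well, and v2 should be rebased on the SRC_URI as it stands after the accepted patches.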
-- 
2.40.0




* [oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700
@ 2023-06-09 14:09 ` Yogita Urade
From: Yogita Urade @ 2023-06-09 14:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: hari.gpillai

A memory corruption issue was addressed with improved input validation.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing
maliciously crafted web content may lead to arbitrary code execution.

References:
https://support.apple.com/en-us/HT213531
https://bugs.webkit.org/show_bug.cgi?id=247562
https://github.com/WebKit/WebKit/pull/6266

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-46700.patch     | 67 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 0000000000..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
+From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
+From: David Degazio <d_degazio@apple.com>
+Date: Tue, 8 Nov 2022 19:54:33 -0800
+Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
+ script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
+
+Reviewed by Mark Lam.
+
+We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
+to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
+when udatpg_open returns a failed status.
+
+* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
+(main):
+* Source/JavaScriptCore/runtime/IntlLocale.cpp:
+(JSC::IntlLocale::hourCycles):
+
+Canonical link: https://commits.webkit.org/256473@main
+
+CVE:CVE-2022-46700
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ JSTests/stress/intl-locale-invalid-hourCycles.js | 12 ++++++++++++
+ Source/JavaScriptCore/runtime/IntlLocale.cpp     |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
+
+diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js
+new file mode 100644
+index 000000000000..7b94eb844764
+--- /dev/null
++++ b/JSTests/stress/intl-locale-invalid-hourCycles.js
+@@ -0,0 +1,12 @@
++function main() {
++    const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
++    let empty = v24.hourCycles;
++    print(empty);
++}
++
++try {
++    main();
++} catch (e) {
++    if (!(e instanceof TypeError))
++        throw e;
++}
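Review bot: the test passes silently if `v24.hourCycles` throws nothing at all, so it only guards against a crash or a non-TypeError exception and does not pin the new `invalid locale` TypeError; if that is deliberate because whether `udatpg_open` rejects this locale depends on the ICU data present, say so in a comment, otherwise set a flag in the `catch` and throw after the `try` when it is unset.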
+diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+index c3c346163a18..bef424727a8a 100644
+--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
++++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject)
+
+     UErrorCode status = U_ZERO_ERROR;
+     auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status));
+-    if (U_FAILURE(status))
++    if (U_FAILURE(status)) {
++        throwTypeError(globalObject, scope, "invalid locale"_s);
+         return nullptr;
++    }
+
+     // Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information.
+     constexpr const UChar skeleton[] = { 'j', 0 };
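Review bot: `scope` is passed to the added `throwTypeError` call but is not declared anywhere in the hunk's context, so `hourCycles` must already have a `DECLARE_THROW_SCOPE(vm)` above line 632 in the 2.36.8 tree for this to compile; verify that on rebase. Callers that receive the `nullptr` return also need to check for the pending exception (the usual `RETURN_IF_EXCEPTION` pattern) rather than treat `nullptr` as an ordinary empty result, since the description above says the null JSArray was being wrapped into an empty JSValue exactly at that boundary.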
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 69663c1cb7..e9dd0d0a8d 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-42867.patch \
            file://CVE-2022-42856.patch \
            file://CVE-2023-23517-CVE-2023-23518.patch \
+           file://CVE-2022-46700.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
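Review bot: the leading context line `file://CVE-2023-23517-CVE-2023-23518.patch` comes from patch 5/6, which the maintainer reports below as not applying; when 5/6 is respun this entry will need re-anchoring, or the series reordered so that 6/6 does not depend on a context line from a rejected patch.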
-- 
2.40.0




* Re: [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856
@ 2023-06-09 15:54   ` Steve Sakoman
From: Steve Sakoman @ 2023-06-09 15:54 UTC (permalink / raw)
  To: Yogita.Urade; +Cc: openembedded-core, hari.gpillai

On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
lists.openembedded.org
<Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
>
> A type confusion issue was addressed with improved state handling.
> This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
> iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
> crafted web content may lead to arbitrary code execution. Apple is
> aware of a report that this issue may have been actively exploited
> against versions of iOS released before iOS 15.1.
>
> References:
> https://support.apple.com/en-us/HT213531
>
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../webkit/webkitgtk/CVE-2022-42856.patch     | 110 ++++++++++++++++++
>  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
>  2 files changed, 111 insertions(+)
>  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
>
> diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> new file mode 100644
> index 0000000000..97d58c955a
> --- /dev/null
> +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> @@ -0,0 +1,110 @@
> +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
> +From: Mark Lam <mark.lam@apple.com>
> +Date: Wed, 23 Nov 2022 13:48:49 -0800
> +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
> + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
> + <rdar://problem/102531234>
> +
> +Reviewed by Justin Michaud.
> +
> +speculateRealNumber does a doubleEqual compare, which filters out double values which
> +are not NaN.  NaN values will fall through to the `intCase` block.  In the `intCase` block,
> +the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
> +
> +Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
> +SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
> +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, the filtering
> +of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
> +a proven type of
> +
> +    { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
> +
> +which yields
> +
> +    { SpecInt32Only }.
> +
> +As a result, the compiler will think that that isNotIn32() check will always fail.  This
> +is not correct if the actual incoming value for that edge is actually a PureNaN.  In this
> +case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
> +the isNotInt32() check will always fail and elide the check altogether.
> +
> +In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal.  We also
> +rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
> +
> +* JSTests/stress/speculate-real-number-in-object-is.js: Added.
> +(test.object_is_opt):
> +(test):
> +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
> +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
> +
> +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
> +
> +CVE: CVE-2022-42856
> +
> +Upstream-Status: Backport
> +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + .../speculate-real-number-in-object-is.js     | 22 +++++++++++++++++++
> + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++----
> + 2 files changed, 26 insertions(+), 4 deletions(-)
> + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
> +
> +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js
> +new file mode 100644
> +index 000000000000..0b10799954da
> +--- /dev/null
> ++++ b/JSTests/stress/speculate-real-number-in-object-is.js
> +@@ -0,0 +1,22 @@
> ++function test() {
> ++    function object_is_opt(value) {
> ++        const tmp = {p0: value};
> ++
> ++        if (Object.is(value, NaN))
> ++            return 0;
> ++
> ++        return value;
> ++    }
> ++
> ++    object_is_opt(NaN);
> ++
> ++    for (let i = 0; i < 0x20000; i++)
> ++        object_is_opt(1.1);
> ++
> ++    return isNaN(object_is_opt(NaN));
> ++}
> ++
> ++resultIsNaN = test();
> ++if (resultIsNaN)
> ++    throw "FAILED";
> ++
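Review bot: `const tmp = {p0: value};` is unused at the JS level and `resultIsNaN` is assigned without a declaration; if `tmp` is there to influence the type speculation on `value` so that `Object.is` takes the `speculateRealNumber` path, a comment saying so will stop a later cleanup from silently defeating the regression test, and `resultIsNaN` should be declared with `let` or `const` so the file also runs in strict mode.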
> +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> +index 8621b554d578..588298eba350 100644
> +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
> +         LValue value = lowJSValue(edge, ManualOperandSpeculation);
> +         LValue doubleValue = unboxDouble(value);
> +
> +-        LBasicBlock intCase = m_out.newBlock();
> ++        LBasicBlock intOrNaNCase = m_out.newBlock();
> +         LBasicBlock continuation = m_out.newBlock();
> +
> +         m_out.branch(
> +             m_out.doubleEqual(doubleValue, doubleValue),
> +-            usually(continuation), rarely(intCase));
> ++            usually(continuation), rarely(intOrNaNCase));
> +
> +-        LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
> ++        LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
> +
> +         typeCheck(
> +             jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
> +-            isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
> ++            isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
> +         m_out.jump(continuation);
> +
> +         m_out.appendTo(continuation, lastNext);
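Review bot: the header `@@ -20285,18 +20285,18 @@` and its context lines are lifted from the upstream safari-7614-branch commit, and the maintainer's do_patch log below reports `Hunk #1 FAILED at 20285.` in exactly this file, so the surrounding code in webkitgtk 2.36.8's FTLLowerDFGToB3.cpp evidently differs; regenerate this hunk against the 2.36.8 tree (the change itself is two lines, `intCase` to `intOrNaNCase` and `~SpecFullDouble` to `~SpecDoubleReal`, so it is easy to re-apply by hand and confirm with `quilt push` or `git apply --check`) rather than carrying the upstream context verbatim.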
> +--
> +2.35.5
> diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> index 062f209932..cf1b8b2cc0 100644
> --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> @@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
>             file://CVE-2022-46691.patch \
>             file://CVE-2022-46699.patch \
>             file://CVE-2022-42867.patch \
> +           file://CVE-2022-42856.patch \

The patch fails to apply at build time:

ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch
'CVE-2022-42856.patch' on target directory
'/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch CVE-2022-42856.patch
patching file JSTests/stress/speculate-real-number-in-object-is.js
patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Hunk #1 FAILED at 20285.
1 out of 1 hunk FAILED -- rejects in file
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Patch CVE-2022-42856.patch does not apply (enforce with -f)

stderr: ')
ERROR: Logfile of failure stored in:
/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789
ERROR: Task (/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch)
failed with exit code '1'

Steve

>             "
>  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
>
> --
> 2.40.0
>
>

* Re: [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856
@ 2023-06-19 14:02     ` Steve Sakoman
From: Steve Sakoman @ 2023-06-19 14:02 UTC (permalink / raw)
  To: steve; +Cc: Yogita.Urade, openembedded-core, hari.gpillai

On Fri, Jun 9, 2023 at 5:54 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
> lists.openembedded.org
> <Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
> >
> > A type confusion issue was addressed with improved state handling.
> > This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1,
> > iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously
> > crafted web content may lead to arbitrary code execution. Apple is
> > aware of a report that this issue may have been actively exploited
> > against versions of iOS released before iOS 15.1.
> >
> > References:
> > https://support.apple.com/en-us/HT213531
> >
> > Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > ---
> >  .../webkit/webkitgtk/CVE-2022-42856.patch     | 110 ++++++++++++++++++
> >  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
> >  2 files changed, 111 insertions(+)
> >  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> >
> > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> > new file mode 100644
> > index 0000000000..97d58c955a
> > --- /dev/null
> > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42856.patch
> > @@ -0,0 +1,110 @@
> > +From 71cdc1c09ef199db74b2b60ed5de781250d96a56 Mon Sep 17 00:00:00 2001
> > +From: Mark Lam <mark.lam@apple.com>
> > +Date: Wed, 23 Nov 2022 13:48:49 -0800
> > +Subject: [PATCH] The provenType filtering in FTL's speculateRealNumber is
> > + incorrect. https://bugs.webkit.org/show_bug.cgi?id=248266
> > + <rdar://problem/102531234>
> > +
> > +Reviewed by Justin Michaud.
> > +
> > +speculateRealNumber does a doubleEqual compare, which filters out double values which
> > +are not NaN.  NaN values will fall through to the `intCase` block.  In the `intCase` block,
> > +the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
> > +
> > +Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
> > +SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
> > +SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, the filtering
> > +of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
> > +a proven type of
> > +
> > +    { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
> > +
> > +which yields
> > +
> > +    { SpecInt32Only }.
> > +
> > +As a result, the compiler will think that that isNotIn32() check will always fail.  This
> > +is not correct if the actual incoming value for that edge is actually a PureNaN.  In this
> > +case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
> > +the isNotInt32() check will always fail and elide the check altogether.
> > +
> > +In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal.  We also
> > +rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
> > +
> > +* JSTests/stress/speculate-real-number-in-object-is.js: Added.
> > +(test.object_is_opt):
> > +(test):
> > +* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
> > +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
> > +
> > +Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
> > +
> > +CVE: CVE-2022-42856
> > +
> > +Upstream-Status: Backport
> > +[https://github.com/WebKit/WebKit/commit/71cdc1c09ef199db74b2b60ed5de781250d96a56]
> > +
> > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > +---
> > + .../speculate-real-number-in-object-is.js     | 22 +++++++++++++++++++
> > + Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp |  8 +++----
> > + 2 files changed, 26 insertions(+), 4 deletions(-)
> > + create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
> > +
> > +diff --git a/JSTests/stress/speculate-real-number-in-object-is.js b/JSTests/stress/speculate-real-number-in-object-is.js
> > +new file mode 100644
> > +index 000000000000..0b10799954da
> > +--- /dev/null
> > ++++ b/JSTests/stress/speculate-real-number-in-object-is.js
> > +@@ -0,0 +1,22 @@
> > ++function test() {
> > ++    function object_is_opt(value) {
> > ++        const tmp = {p0: value};
> > ++
> > ++        if (Object.is(value, NaN))
> > ++            return 0;
> > ++
> > ++        return value;
> > ++    }
> > ++
> > ++    object_is_opt(NaN);
> > ++
> > ++    for (let i = 0; i < 0x20000; i++)
> > ++        object_is_opt(1.1);
> > ++
> > ++    return isNaN(object_is_opt(NaN));
> > ++}
> > ++
> > ++resultIsNaN = test();
> > ++if (resultIsNaN)
> > ++    throw "FAILED";
> > ++
> > +diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > +index 8621b554d578..588298eba350 100644
> > +--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > ++++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> > +@@ -20285,18 +20285,18 @@ IGNORE_CLANG_WARNINGS_END
> > +         LValue value = lowJSValue(edge, ManualOperandSpeculation);
> > +         LValue doubleValue = unboxDouble(value);
> > +
> > +-        LBasicBlock intCase = m_out.newBlock();
> > ++        LBasicBlock intOrNaNCase = m_out.newBlock();
> > +         LBasicBlock continuation = m_out.newBlock();
> > +
> > +         m_out.branch(
> > +             m_out.doubleEqual(doubleValue, doubleValue),
> > +-            usually(continuation), rarely(intCase));
> > ++            usually(continuation), rarely(intOrNaNCase));
> > +
> > +-        LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
> > ++        LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
> > +
> > +         typeCheck(
> > +             jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
> > +-            isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
> > ++            isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
> > +         m_out.jump(continuation);
> > +
> > +         m_out.appendTo(continuation, lastNext);
> > +--
> > +2.35.5
> > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > index 062f209932..cf1b8b2cc0 100644
> > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > @@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> >             file://CVE-2022-46691.patch \
> >             file://CVE-2022-46699.patch \
> >             file://CVE-2022-42867.patch \
> > +           file://CVE-2022-42856.patch \

I wasn't able to take this patch due to the below error.  Please
submit a v2 with this corrected.

Thanks!

Steve

> The patch fails to apply at build time:
>
> ERROR: webkitgtk-2.36.8-r0 do_patch: Applying patch
> 'CVE-2022-42856.patch' on target directory
> '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/webkitgtk-2.36.8'
> CmdError('quilt --quiltrc
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/recipe-sysroot-native/etc/quiltrc
> push', 0, 'stdout: Applying patch CVE-2022-42856.patch
> patching file JSTests/stress/speculate-real-number-in-object-is.js
> patching file Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> Hunk #1 FAILED at 20285.
> 1 out of 1 hunk FAILED -- rejects in file
> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
> Patch CVE-2022-42856.patch does not apply (enforce with -f)
>
> stderr: ')
> ERROR: Logfile of failure stored in:
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/webkitgtk/2.36.8-r0/temp/log.do_patch.313789
> ERROR: Task (/home/steve/builds/poky-contrib-kirkstone/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb:do_patch)
> failed with exit code '1'
>
> Steve
>
> >             "
> >  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
> >
> > --
> > 2.40.0
> >
> >
> >
> >
>

* Re: [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518
@ 2023-06-19 14:03   ` Steve Sakoman
From: Steve Sakoman @ 2023-06-19 14:03 UTC (permalink / raw)
  To: Yogita.Urade; +Cc: openembedded-core, hari.gpillai

I wasn't able to take this patch because it too failed during do_patch
at build time.  Please submit a v2 with this corrected.

I was able to take the other patches in this series though, so you
only need to submit v2 for the two that I wasn't able to take.

Steve

On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
lists.openembedded.org
<Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
>
> The issue was addressed with improved memory handling.
> This issue is fixed in macOS Ventura 13.2, macOS Monterey
> 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
> iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
> crafted web content may lead to arbitrary code execution.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-23517
> https://support.apple.com/en-us/HT213638
> https://bugs.webkit.org/show_bug.cgi?id=248268
> https://github.com/WebKit/WebKit/pull/6756
>
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../CVE-2023-23517-CVE-2023-23518.patch       | 131 ++++++++++++++++++
>  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
>  2 files changed, 132 insertions(+)
>  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
>
> diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
> new file mode 100644
> index 0000000000..721f045e0d
> --- /dev/null
> +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
> @@ -0,0 +1,131 @@
> +From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
> +From: Youenn Fablet <youennf@gmail.com>
> +Date: Mon, 28 Nov 2022 00:43:35 -0800
> +Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
> + https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
> +
> +Reviewed by Eric Carlson.
> +
> +Make ReadableStreamSource method privates.
> +In ReadableStream, use @getters instead of private getters to allow getting private values from prototype.
> +Covered by added test.
> +
> +* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
> +* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
> +* Source/WebCore/Modules/streams/ReadableStream.js:
> +(initializeReadableStream):
> +* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
> +* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
> +(WebCore::IDLOperationReturningPromise::call):
> +
> +Canonical link: https://commits.webkit.org/257063@main
> +
> +CVE: CVE-2023-23517 CVE-2023-23518
> +
> +Upstream-Status: Backport
> +[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + .../fetch/fetch-stream-source-expected.txt    |  3 +++
> + .../http/wpt/fetch/fetch-stream-source.html   | 24 +++++++++++++++++++
> + .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
> + .../Modules/streams/ReadableStreamSource.idl  |  8 +++----
> + .../js/JSDOMOperationReturningPromise.h       |  4 +++-
> + 5 files changed, 36 insertions(+), 7 deletions(-)
> + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
> + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
> +
> +diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
> +new file mode 100644
> +index 000000000000..856ea8180ca2
> +--- /dev/null
> ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
> +@@ -0,0 +1,3 @@
> ++
> ++PASS Only JS streams should check type
> ++
> +diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
> +new file mode 100644
> +index 000000000000..fbebfa5e524f
> +--- /dev/null
> ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
> +@@ -0,0 +1,24 @@
> ++<!doctype html>
> ++<html>
> ++  <head>
> ++    <meta charset="utf-8">
> ++    <title>Fetch and source</title>
> ++    <script src="/resources/testharness.js"></script>
> ++    <script src="/resources/testharnessreport.js"></script>
> ++  </head>
> ++  <body>
> ++    <script>
> ++promise_test(async () => {
> ++    let counter = 0;
> ++    Object.prototype.__defineGetter__("type", function() {
> ++        counter++;
> ++    });
> ++
> ++    const response = await fetch('/');
> ++    const fetchReadableStream = response.body;
> ++    const [r1, r2] = fetchReadableStream.tee();
> ++    assert_equals(counter, 0);
> ++}, "Only JS streams should check type");
> ++    </script>
> ++  </body>
> ++</html>
> +diff --git a/Source/WebCore/Modules/streams/ReadableStream.js b/Source/WebCore/Modules/streams/ReadableStream.js
> +index ddef56ecd460..7f0def325d84 100644
> +--- a/Source/WebCore/Modules/streams/ReadableStream.js
> ++++ b/Source/WebCore/Modules/streams/ReadableStream.js
> +@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, strategy)
> +
> +     // FIXME: We should introduce https://streams.spec.whatwg.org/#create-readable-stream.
> +     // For now, we emulate this with underlyingSource with private properties.
> +-    if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
> ++    if (underlyingSource.@pull !== @undefined) {
> +         const size = @getByIdDirectPrivate(strategy, "size");
> +         const highWaterMark = @getByIdDirectPrivate(strategy, "highWaterMark");
> +-        @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), @getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, "cancel"));
> ++        @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, underlyingSource.@start, underlyingSource.@pull, underlyingSource.@cancel);
> +         return this;
> +     }
> +
> +diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
> +index cce9ea37ce80..ae7f1403b8ac 100644
> +--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl
> ++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
> +@@ -30,10 +30,10 @@
> +     LegacyNoInterfaceObject,
> +     SkipVTableValidation
> + ] interface ReadableStreamSource {
> +-    [Custom] Promise<undefined> start(ReadableStreamDefaultController controller);
> +-    [Custom] Promise<undefined> pull(ReadableStreamDefaultController controller);
> +-    undefined cancel(any reason);
> ++    [Custom, PrivateIdentifier] Promise<undefined> start(ReadableStreamDefaultController controller);
> ++    [Custom, PrivateIdentifier] Promise<undefined> pull(ReadableStreamDefaultController controller);
> ++    [PrivateIdentifier] undefined cancel(any reason);
> +
> +     // Place holder to keep the controller linked to the source.
> +-    [CachedAttribute, CustomGetter] readonly attribute any controller;
> ++    [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any controller;
> + };
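Review bot: with `PrivateIdentifier` on `start`, `pull`, `cancel` and `controller`, every member of the interface is now reachable only from builtins, consistent with the `LegacyNoInterfaceObject` already on it; because this lands in the 2.36.8 recipe as a backport, confirm that release's bindings generator accepts `PrivateIdentifier` combined with `Custom` on promise-returning operations and with `CachedAttribute, CustomGetter` on an attribute, since a generator that does not understand the attribute would either fail the build or leave the members public, so the backport should be compiled and its behaviour checked rather than relied on applying cleanly. Minor: the context comment `// Place holder` should read `// Placeholder` if the line is touched again.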
> +diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
> +index c4d1513ad5c4..1dda9d3834f7 100644
> +--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
> ++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
> +@@ -43,8 +43,10 @@ public:
> +             if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) {
> +                 if (UNLIKELY(!thisObject))
> +                     return rejectPromiseWithThisTypeError(promise.get(), JSClass::info()->className, operationName);
> +-            } else
> ++            } else {
> ++                UNUSED_PARAM(operationName);
> +                 ASSERT(thisObject);
> ++            }
> +
> +             ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info());
> +
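Review bot: `UNUSED_PARAM(operationName)` is needed here because in the `CastedThisErrorBehavior::Assert` instantiation the discarded branch of the `if constexpr` is the only place `operationName` is used, and `ASSERT(thisObject)` compiles away in release builds, so the parameter would otherwise trigger an unused-parameter warning (an error under -Werror); the added braces are required since the `else` now holds two statements. A short comment stating that reason would help the next reader, as the macro looks stray next to an assertion.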
> +--
> +2.40.0
> diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> index cf1b8b2cc0..69663c1cb7 100644
> --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> @@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
>             file://CVE-2022-46699.patch \
>             file://CVE-2022-42867.patch \
>             file://CVE-2022-42856.patch \
> +           file://CVE-2023-23517-CVE-2023-23518.patch \
>             "
>  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
>
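Review bot: the SRC_URI entry is consistent with the neighbouring CVE patches, but the reviewer reported this patch failing in do_patch, so the resend should be verified with `bitbake -c do_patch webkitgtk` against the 2.36.8 tarball before submission; the backport's diffstat also lists two new files under `LayoutTests/http/wpt/fetch/`, and since the webkitgtk release tarball does not ship LayoutTests, those hunks add nothing to the shipped fix and are better dropped from the recipe patch (the `Upstream-Status: Backport` link still records that the test exists upstream).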
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#182555): https://lists.openembedded.org/g/openembedded-core/message/182555
> Mute This Topic: https://lists.openembedded.org/mt/99429027/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>



* Re: [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518
  2023-06-19 14:03   ` Steve Sakoman
@ 2023-06-20  6:24     ` Urade, Yogita
  0 siblings, 0 replies; 10+ messages in thread
From: Urade, Yogita @ 2023-06-20  6:24 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core, hari.gpillai


On 19-06-2023 19:33, Steve Sakoman wrote:
>
> I wasn't able to take this patch because it too failed during do_patch
> at build time.  Please submit a v2 with this corrected.
>
> I was able to take the other patches in this series though, so you
> only need to submit v2 for the two that I wasn't able to take.
>
> Steve

Thanks Steve!

I'll submit V2 for these two patches.

Regards,
Yogita
>
> On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via
> lists.openembedded.org
> <Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
>> The issue was addressed with improved memory handling.
>> This issue is fixed in macOS Ventura 13.2, macOS Monterey
>> 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
>> iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
>> crafted web content may lead to arbitrary code execution.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-23517
>> https://support.apple.com/en-us/HT213638
>> https://bugs.webkit.org/show_bug.cgi?id=248268
>> https://github.com/WebKit/WebKit/pull/6756
>>
>> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
>> ---
>>   .../CVE-2023-23517-CVE-2023-23518.patch       | 131 ++++++++++++++++++
>>   meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
>>   2 files changed, 132 insertions(+)
>>   create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
>>
>> diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
>> new file mode 100644
>> index 0000000000..721f045e0d
>> --- /dev/null
>> +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
>> @@ -0,0 +1,131 @@
>> +From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
>> +From: Youenn Fablet <youennf@gmail.com>
>> +Date: Mon, 28 Nov 2022 00:43:35 -0800
>> +Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
>> + https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
>> +
>> +Reviewed by Eric Carlson.
>> +
>> +Make ReadableStreamSource method privates.
>> +In ReadableStream, use @getters instead of private getters to allow getting private values from prototype.
>> +Covered by added test.
>> +
>> +* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
>> +* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
>> +* Source/WebCore/Modules/streams/ReadableStream.js:
>> +(initializeReadableStream):
>> +* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
>> +* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
>> +(WebCore::IDLOperationReturningPromise::call):
>> +
>> +Canonical link: https://commits.webkit.org/257063@main
>> +
>> +CVE: CVE-2023-23517 CVE-2023-23518
>> +
>> +Upstream-Status: Backport
>> +[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
>> +
>> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
>> +---
>> + .../fetch/fetch-stream-source-expected.txt    |  3 +++
>> + .../http/wpt/fetch/fetch-stream-source.html   | 24 +++++++++++++++++++
>> + .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
>> + .../Modules/streams/ReadableStreamSource.idl  |  8 +++----
>> + .../js/JSDOMOperationReturningPromise.h       |  4 +++-
>> + 5 files changed, 36 insertions(+), 7 deletions(-)
>> + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
>> + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
>> +



Thread overview: 10+ messages
2023-06-09 14:09 [oe-core][kirkstone][PATCH V2 1/6] webkitgtk: fix CVE-2022-46691 Yogita Urade
2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 2/6] webkitgtk: fix CVE-2022-46699 Yogita Urade
2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 3/6] webkitgtk: fix CVE-2022-42867 Yogita Urade
2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 4/6] webkitgtk: fix CVE-2022-42856 Yogita Urade
2023-06-09 15:54   ` Steve Sakoman
     [not found]   ` <176708A1B2B246B6.28667@lists.openembedded.org>
2023-06-19 14:02     ` Steve Sakoman
2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 5/6] webkitgtk: fix CVE-2023-23517 CVE-2023-23518 Yogita Urade
2023-06-19 14:03   ` Steve Sakoman
2023-06-20  6:24     ` Urade, Yogita
2023-06-09 14:09 ` [oe-core][kirkstone][PATCH V2 6/6] webkitgtk: fix CVE-2022-46700 Yogita Urade
