Branch: refs/heads/safari-7619.1.9-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: ffd05add7e28cf537460af8531a565449f7d2451
      
https://github.com/WebKit/WebKit/commit/ffd05add7e28cf537460af8531a565449f7d2451
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2024-04-23 (Tue, 23 Apr 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
    M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WTF/wtf/PtrTag.h
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Tools/Scripts/run-jsc-stress-tests

  Log Message:
  -----------
  Cherry-pick f442fbe222f3. rdar://126892345

    Make it harder to get a PAC signing gadget in JIT code.
    https://bugs.webkit.org/show_bug.cgi?id=272750
    rdar://125596635

    Reviewed by Yusuke Suzuki.

    Right now if an attacker can control where code is allocated they can overlap code to create a
    PAC bypass. This patch makes that harder (in the WebContent process) by only allowing pacibsp
    and pacizb. This means that during arity fixup we now tag the return PC with pacizb. This is ok
    because we don't use the zero diversifier for anything. For reifying inlined call frames during
    OSR exit things are a bit more complicated. First we have to be careful to only move signed
    return addresses into lr, then untag them there. Also, we have to shuffle SP to point to where
    it would be in the reified frame. This means that there is technically live data below our SP,
    which on many OSes causes problems. Talking to our kernel folks, however, this isn't a problem
    as long as we don't have any signal handlers or run lldb expressions in this window. We don't
    use signal handlers in the WebContent process, and this patch tries to limit/document the
    window of JIT code where lldb would trash the stack.

    * Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
    (JSC::MacroAssemblerARM64E::tagPtr):
    * Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
    (JSC::DFG::reifyInlinedCallFrames):
    (JSC::AssemblyHelpers::transferReturnPC):
    * Source/JavaScriptCore/jit/ThunkGenerators.cpp:
    (JSC::arityFixupGenerator):
    * Source/JavaScriptCore/llint/LLIntThunks.cpp:
    (JSC::LLInt::tagGateThunk):
    (JSC::LLInt::untagGateThunk):
    * Source/JavaScriptCore/runtime/OptionsList.h:
    * Source/WTF/wtf/PtrTag.h:
    * Source/WebKit/WebProcess/WebProcess.cpp:
    (WebKit::WebProcess::initializeProcess):
    * Tools/Scripts/run-jsc-stress-tests:

    Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch

Canonical link: https://commits.webkit.org/277149.25@safari-7619.1.9-branch


  Commit: ab614cf472c0e019cbacff20ae26ed05544e50e1
      
https://github.com/WebKit/WebKit/commit/ab614cf472c0e019cbacff20ae26ed05544e50e1
  Author: Dan Robson <dtr_bugzi...@apple.com>
  Date:   2024-04-23 (Tue, 23 Apr 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7619.1.9.4

Canonical link: https://commits.webkit.org/277149.26@safari-7619.1.9-branch


  Commit: 6fc6e82176b2526ebcf5732511330be579f0d922
      
https://github.com/WebKit/WebKit/commit/6fc6e82176b2526ebcf5732511330be579f0d922
  Author: Mohsin Qureshi <mohs...@apple.com>
  Date:   2024-04-24 (Wed, 24 Apr 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
    M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WTF/wtf/PtrTag.h
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Tools/Scripts/run-jsc-stress-tests

  Log Message:
  -----------
  Revert "Cherry-pick f442fbe222f3. rdar://126892345"

This reverts commit ffd05add7e28cf537460af8531a565449f7d2451.


  Commit: a15239cf7ad116083a4c97e4ef318db0942de143
      
https://github.com/WebKit/WebKit/commit/a15239cf7ad116083a4c97e4ef318db0942de143
  Author: Mohsin Qureshi <mohs...@apple.com>
  Date:   2024-04-24 (Wed, 24 Apr 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7619.1.9.5

Canonical link: https://commits.webkit.org/277149.28@safari-7619.1.9-branch


Compare: https://github.com/WebKit/WebKit/compare/ffd05add7e28%5E...a15239cf7ad1

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
