Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 265dbd5abf60768af43aa05d63ffdf410a639c4d
      
https://github.com/WebKit/WebKit/commit/265dbd5abf60768af43aa05d63ffdf410a639c4d
  Author: Daniel Liu <[email protected]>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    A JSTests/wasm/stress/array-get-large-i64-index.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp

  Log Message:
  -----------
  BBQJIT array operations should mask index to 32 bits
https://bugs.webkit.org/show_bug.cgi?id=291506
rdar://149185657

Reviewed by Keith Miller.

BBQ array operations (get/set) assume that the index passed
in will be 32 bits. While this is correct by spec behavior,
we do not check that the upper 32 bits of the value are set
to zero, but use the value directly. This creates potential
OOB opportunities, where we can influence the upper 32 bits
of the pointer to index out of bounds. To fix this, we must
mask off the upper 32 bits of the index value before it can
be used in a load/store.

* JSTests/wasm/stress/array-get-large-i64-index.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):

Originally-landed-as: 341845413761. rdar://151714953
Canonical link: https://commits.webkit.org/295344@main
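
The masking fix described in the log message above, as a simplified C model; this is an added example, not code from the WebKit commit. It assumes an i32 index held in a 64-bit register and a bounds check done as a 32-bit compare (the log message does not say how BBQ performs the check); all function names and the sample register value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): a wasm i32 index lives in a 64-bit register
 * whose upper half is not guaranteed to be zero. Not WebKit code. */

/* Bounds check modelled as a 32-bit compare: it only sees the low half. */
static int bounds_check_32(uint64_t index_reg, uint32_t length) {
    return (uint32_t)index_reg < length;
}

/* Unfixed pattern: the full register is scaled into a byte offset. */
static uint64_t byte_offset_unmasked(uint64_t index_reg, unsigned shift) {
    return index_reg << shift;
}

/* Fixed pattern: zero-extend the low 32 bits before any address arithmetic. */
static uint64_t byte_offset_masked(uint64_t index_reg, unsigned shift) {
    return (uint64_t)(uint32_t)index_reg << shift;
}

/* Is a byte offset inside an array of `length` elements of size 1 << shift? */
static int offset_in_array(uint64_t offset, uint32_t length, unsigned shift) {
    return offset < ((uint64_t)length << shift);
}

/* Hardened element load: mask, check, then index. Returns 0 on success. */
static int array_get_i64(const int64_t *elems, uint32_t length,
                         uint64_t index_reg, int64_t *out) {
    uint32_t index = (uint32_t)index_reg;   /* mask to 32 bits first */
    if (index >= length)
        return -1;                          /* out of range: wasm would trap */
    *out = elems[index];
    return 0;
}

int main(void) {
    const int64_t elems[4] = {10, 20, 30, 40};
    uint64_t reg = 0x0000000100000002ULL;   /* constructed: low half 2, upper half 1 */
    int64_t v = 0;
    printf("32-bit check passes: %d\n", bounds_check_32(reg, 4));
    printf("unmasked offset inside array: %d\n",
           offset_in_array(byte_offset_unmasked(reg, 3), 4, 3));
    printf("masked offset inside array: %d\n",
           offset_in_array(byte_offset_masked(reg, 3), 4, 3));
    printf("hardened get: rc=%d\n", array_get_i64(elems, 4, reg, &v));
    return 0;
}
```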


  Commit: ea12648d42e449a418713ece46edbfc04c730eee
      
https://github.com/WebKit/WebKit/commit/ea12648d42e449a418713ece46edbfc04c730eee
  Author: Alex Christensen <[email protected]>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    M Source/WebCore/platform/network/AdvancedPrivacyProtections.h
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
    M Source/WebKit/UIProcess/API/Cocoa/WKWebpagePreferences.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKWebpagePreferencesPrivate.h

  Log Message:
  -----------
  Add _WKWebsiteNetworkConnectionIntegrityPolicy that sets NSURLRequest._privacyProxyFailClosed
rdar://148272889

Reviewed by Matthew Finkel.

_WKWebsiteNetworkConnectionIntegrityPolicyFailClosed sets NSURLRequest._privacyProxyFailClosedForUnreachableHosts
and now _WKWebsiteNetworkConnectionIntegrityPolicyFailClosedForAllHosts sets NSURLRequest._privacyProxyFailClosed

* Source/WebCore/platform/network/AdvancedPrivacyProtections.h:
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/UIProcess/API/Cocoa/WKWebpagePreferences.mm:
(-[WKWebpagePreferences _networkConnectionIntegrityPolicy]):
(-[WKWebpagePreferences _setNetworkConnectionIntegrityPolicy:]):
* Source/WebKit/UIProcess/API/Cocoa/WKWebpagePreferencesPrivate.h:

Originally-landed-as: 289651.389@safari-7621-branch (afb420d51889). rdar://151713096
Canonical link: https://commits.webkit.org/295345@main


  Commit: 8dcc8724492e6ddf42ed12b353c752a01ec92b70
      
https://github.com/WebKit/WebKit/commit/8dcc8724492e6ddf42ed12b353c752a01ec92b70
  Author: Chris Dumez <[email protected]>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/third_party/abseil-cpp/absl/strings/escaping.cc
    M Source/ThirdParty/libwebrtc/Source/third_party/abseil-cpp/absl/strings/escaping_test.cc

  Log Message:
  -----------
  Potential 'ubsan' issue committed to upstream abseil-cpp
https://bugs.webkit.org/show_bug.cgi?id=291266
rdar://148800846

Reviewed by Jean-Yves Avenard.

Cherry-pick 1eba4dcaa15899cba045a79b464e45a87a9fb8bd from upstream:
```
Refactor absl::CUnescape() to use direct string output instead of pointer/size.

This fixes a UBSAN failure where an offset was being added to NULL and
allows for additional memory safety checks present in hardened
libc++/Abseil. The version of absl::CUnescape() that used pointer/size
is no longer needed.
```

* Source/ThirdParty/libwebrtc/Source/third_party/abseil-cpp/absl/strings/escaping.cc:
* Source/ThirdParty/libwebrtc/Source/third_party/abseil-cpp/absl/strings/escaping_test.cc:

Originally-landed-as: 289651.409@safari-7621-branch (ba3ff35ea286). rdar://151715415
Canonical link: https://commits.webkit.org/295346@main


Compare: https://github.com/WebKit/WebKit/compare/1d88cd372a58...8dcc8724492e
