Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2d16551f697d84bbc0f75eb40df04ad181c12159
      
https://github.com/WebKit/WebKit/commit/2d16551f697d84bbc0f75eb40df04ad181c12159
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-04-13 (Mon, 13 Apr 2026)

  Changed paths:
    A JSTests/stress/yarr-jit-paren-context-head-uaf.js
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
[YARR] ParenContext Use-After-Free via incomplete context clearing with control of the instruction pointer
https://bugs.webkit.org/show_bug.cgi?id=311716
rdar://174303892

Reviewed by Yijia Huang.

The previous fix (310115@main) introduced clearInnerParenContextHeadSlots to
set stale parenContextHead pointers to nullptr after restoreParenContext.
However, it was incomplete in two ways:

1. It only walked the current group's inner disjunction tree, missing sibling
   and ancestor-sibling groups whose parenContextHead frame slots are also
   restored by restoreParenContext (which restores a global frame range from
   subpatternBaseFrameLocation+4 through m_parenContextSizes.frameSlots()).
   These need to be cleared, since these siblings will be used after the
   current group is done.

2. It only applied to the Greedy/NonGreedy backtrack path, missing the
   FixedCount backtrack path which has the same global restore semantics.

Both issues allowed restoreParenContext to reinstate parenContextHead pointers
to ParenContext objects that had been freed and recycled via the free list
during a later iteration. Dereferencing these stale pointers caused UAF.

Replace clearInnerParenContextHeadSlots with clearParenContextHeadSlotsInRange,
which walks the entire pattern tree and sets to nullptr every Greedy/NonGreedy
parenContextHead whose frame slot falls within the restored range. Apply it to
both FixedCount and Greedy/NonGreedy backtrack paths.

Test: JSTests/stress/yarr-jit-paren-context-head-uaf.js
* JSTests/stress/yarr-jit-paren-context-head-uaf.js: Added.
(shouldBe):
(testPoCPattern):
(testIsCopyPlusNonGreedy):
(testIsCopyInsideFixedCount):
(testSiblingGroups):
(testAncestorSiblingGroups):
(testGreedyCopyWithCaptures):
(testBoundedNonGreedyCopy):
(testDeepNesting):
(testStress):
(testOriginalRegressionPatterns):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/311137@main
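As an added example, not part of this commit or of the JSTests file it adds, the JavaScript below exercises the structural pattern shapes the test list names: sibling quantified groups, ancestor-sibling groups, a non-greedy group inside a fixed-count group, deep nesting, and captures inside a greedy loop. Each pattern is matched repeatedly so that the regexp is warm enough to reach the JIT, and every run is required to agree with the first. The patterns, inputs, expected captures and iteration counts are constructed for this example; nothing here is claimed to be the project's PoC pattern or to reproduce the bug.

```javascript
// Added example (not from the WebKit commit or its JSTests): regexp shapes
// matching the categories in the commit's test list. Patterns, inputs and
// iteration counts are constructed here, not taken from the project.

// Run one match many times and require every run to agree with the first.
// Repetition is what warms a regexp up for the YARR JIT; the default count
// is an assumption for this example, not a documented threshold.
function runStable(re, input, iterations = 2000) {
  let firstArr = null;
  let firstKey = null;
  for (let i = 0; i < iterations; i++) {
    const m = re.exec(input);          // non-global regexps: lastIndex is not used
    const arr = m === null ? null : Array.from(m);
    const key = JSON.stringify(arr);   // undefined captures serialise as null
    if (i === 0) {
      firstArr = arr;
      firstKey = key;
    } else if (key !== firstKey) {
      throw new Error(`unstable result for ${re} on ${JSON.stringify(input)}: ${key} vs ${firstKey}`);
    }
  }
  return firstArr;
}

// Pattern shapes named after the commit's test functions (constructed cases).
const CASES = {
  // Two sibling quantified groups, one greedy and one non-greedy.
  siblingGroups: [/(a*)(b*?)c/, "aabbc"],
  // Quantified sibling groups inside a quantified ancestor group; the second
  // (empty) iteration of the outer loop is rejected, so iteration 1's
  // captures survive.
  ancestorSiblingGroups: [/((a)*(b)*)*c/, "abc"],
  // Non-greedy loop nested inside a fixed-count {2} group; captures inside a
  // quantified group are reset per iteration, so only the last one is kept.
  nonGreedyInsideFixedCount: [/(?:(\w)+?x){2}/, "abxcx"],
  // Three levels of nesting with a lazy innermost loop.
  deepNesting: [/(((a|b)+?)c)+d/, "abcbcd"],
  // Captures inside a greedy loop: the branch not taken in the final
  // iteration is left undefined.
  greedyLoopCaptures: [/((a)|(b))*c/, "abc"],
};

// Run every case and return its (stable) match array keyed by name.
function runAll(iterations = 2000) {
  const out = {};
  for (const [name, [re, input]] of Object.entries(CASES)) {
    out[name] = runStable(re, input, iterations);
  }
  return out;
}

// Sweep the repeat count of the deep-nesting input so the outer loop runs
// through a growing number of iterations; each length must still match the
// whole input with the captures from the final iteration.
const DEEP = /(((a|b)+?)c)+d/;
function sweepDeepNesting(maxRepeats = 64) {
  for (let n = 1; n <= maxRepeats; n++) {
    const input = "abc".repeat(n) + "d";
    const m = runStable(DEEP, input, 50);
    if (m === null || m[0] !== input || m[1] !== "abc" || m[2] !== "ab" || m[3] !== "b") {
      return false;
    }
  }
  return true;
}

// Usage: const results = runAll(); console.log(results, sweepDeepNesting());
```

The value of the harness is the consistency check rather than any single expected value: a stale parenContextHead would show up as a match result that changes between runs or as a crash, and the sweep varies how many ParenContext iterations the backtracking paths have to restore and clear.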


