Bug 263758 (CVE-2024-54658)

Summary: Integer calculation error after JIT optimization. This may cause overflow or underflow, leading to an exploitable vulnerability.
Product: WebKit
Reporter: anbu1024
Component: JavaScriptCore
Assignee: Yijia Huang <yijia_huang>
Status: RESOLVED DUPLICATE
Severity: Critical
CC: bfulgham, mark.lam, mcatanzaro, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux

anbu1024
Reported 2023-10-26 19:10:28 PDT
JSC version: afe912ce640a337086d106e4853c3dabae003a38

Build options:
```
./Tools/Scripts/build-jsc --jsc-only --debug
```

Test case:
```javascript
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;                  // forces ToPrimitive on the RegExp object
  const a = 0 | arg;      // ToInt32(arg)
  const b = a + 0.1;      // a becomes a double slightly above a
  const vvv = 1020000;
  const c = b >> x;       // shift count comes from ToInt32(x) -> 0
  return c;
}

let x = 3;
let y = -2147483647;      // -0x7fffffff (INT32_MIN + 1)

let apple = foo(y);
print("function call before JIT opt");
print(apple);

for (let i = 0; i < 200; i++) {
  foo(x);
}

let banana = foo(y);
print("function call after JIT opt");
print(banana);
```

Result:
```
function call before JIT opt
-2147483646
function call after JIT opt
-2147483647
```
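Added example (not part of the report): a reference implementation of the ECMAScript ToInt32 semantics that `0 | arg` and `b >> x` depend on, with a cold-versus-warm differential check like the reporter's loop, so a mismatch between the interpreter and the optimized tier shows up as a failed comparison against the spec value. The names `toInt32`, `expectedFoo` and `differentialCheck` are mine; it runs under Node or the jsc shell.

```javascript
// ECMA-262 ToInt32: NaN/Infinity -> 0, truncate toward zero (not floor),
// then wrap modulo 2^32 into the signed 32-bit range.
function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n) || n === 0) return 0;
  const truncated = Math.trunc(n);
  const wrapped = ((truncated % 4294967296) + 4294967296) % 4294967296;
  return wrapped >= 2147483648 ? wrapped - 4294967296 : wrapped;
}

// Spec-derived expected value for foo(): ToNumber(RegExp) is NaN, so the
// shift count is ToUint32(NaN) & 31 === 0 and c must equal ToInt32(b).
// For arg = -2147483647, b = -2147483646.9 and ToInt32(b) = -2147483646;
// flooring instead of truncating would give -2147483647 (the reported value).
function expectedFoo(arg) {
  const a = toInt32(arg);                      // 0 | arg
  const b = a + 0.1;
  const shiftCount = toInt32(/\s.\W/iu) & 31;  // 0
  return toInt32(b) >> shiftCount;
}

// Function under test, same shape as the report's foo() without printing.
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;
  const a = 0 | arg;
  const b = a + 0.1;
  const c = b >> x;
  return c;
}

// Differential check: run cold, warm the JIT on a benign argument, run hot,
// and compare both results against the reference value.
function differentialCheck(arg, warmup = 200, warmArg = 3) {
  const expected = expectedFoo(arg);
  const cold = foo(arg);
  for (let i = 0; i < warmup; i++) foo(warmArg);
  const hot = foo(arg);
  return { expected, cold, hot, ok: cold === expected && hot === expected };
}
```

On an engine with the bug, `differentialCheck(-2147483647)` returns `ok: false` with `hot` one below `expected`; a correct engine returns `ok: true`.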
Radar WebKit Bug Importer
Comment 1 2023-10-26 19:10:48 PDT
Yijia Huang
Comment 2 2023-11-02 16:37:19 PDT
Mark Lam
Comment 3 2024-03-19 09:13:36 PDT
Pull request https://github.com/apple/WebKit/pull/909 is invalidated. This turned out to not be a security bug after all. Due to some unfortunate paperwork shuffle, this bug actually ended up being fixed in https://bugs.webkit.org/show_bug.cgi?id=264278.
Mark Lam
Comment 4 2024-03-19 09:14:30 PDT
Sorry for the forward dupe, but https://bugs.webkit.org/show_bug.cgi?id=264278 tracks the fix. *** This bug has been marked as a duplicate of bug 264278 ***