Bug 263758 (CVE-2024-54658)
| Summary: | Integer calculation error after JIT optimization. This may cause overflow or underflow, leading to an exploitable vulnerability. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | anbu1024 |
| Component: | JavaScriptCore | Assignee: | Yijia Huang <yijia_huang> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Critical | CC: | bfulgham, mark.lam, mcatanzaro, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
anbu1024
JSC version:
afe912ce640a337086d106e4853c3dabae003a38
Build options:
```sh
./Tools/Scripts/build-jsc --jsc-only --debug
```
Test case:
```js
function foo(arg) {
    const x = /\s.\W/iu;
    x + x;                  // RegExp coerced to a primitive; no effect on the result
    const a = 0 | arg;      // ToInt32(arg)
    const b = a + 0.1;      // double arithmetic
    const vvv = 1020000;    // unused
    const c = b >> x;       // ToInt32(b) >> (ToUint32(x) & 31); x converts to NaN, so the shift count is 0
    return c;
}
let x = 3;
let y = -2147483647; // -0x7fffffff, i.e. INT32_MIN + 1
let apple = foo(y);
print("function call before JIT opt");
print(apple);
for (let i = 0; i < 200; i++) {
    foo(x);                 // warm foo() up so the JIT tiers compile it
}
let banana = foo(y);
print("function call after JIT opt");
print(banana);
```
Result:
```
function call before JIT opt
-2147483646
function call after JIT opt
-2147483647
```
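The test case above compares the interpreted and tiered-up results by eye. The following is an added example, not part of the bug report or of WebKit's own code: a reference implementation of the spec's ToInt32 and of the test case's arithmetic using only double math (no `|` or `>>` operators, so no JIT tier can change what it computes), plus a warm-up harness that compares the engine's result against the reference after every call and reports the first divergence. The names `toInt32`, `referenceFoo` and `checkAfterWarmup` are chosen for this example. It uses plain ECMAScript and runs under the jsc shell or node; on a correct engine `checkAfterWarmup` returns `null`, while on a build showing the behaviour reported above it would return the iteration at which the JIT result stops matching the reference.

```javascript
// Added example (not from the bug report or from WebKit): a spec-level
// reference for the test case's arithmetic and a warm-up/compare harness.
// toInt32, referenceFoo and checkAfterWarmup are names chosen for this example.

// ECMAScript ToInt32 done with plain double arithmetic (no | or >> operators):
// truncate toward zero, reduce modulo 2^32, map into [-2^31, 2^31).
function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;            // NaN and +/-Infinity map to 0
  let m = Math.trunc(n) % 4294967296;           // sign follows the truncated value
  if (m < 0) m += 4294967296;
  if (m >= 2147483648) m -= 4294967296;
  return m === 0 ? 0 : m;                       // normalise -0 to +0
}

// The test case's foo(), expressed through the spec operations rather than
// through JS operators. An arithmetic right shift by k of an int32 equals
// floor division by 2^k, and the shift count is the low 5 bits of ToUint32(rhs).
function referenceFoo(arg) {
  const a = toInt32(arg);                                   // 0 | arg
  const b = a + 0.1;                                        // double addition
  const shiftCount = ((toInt32(Number(/\s.\W/iu)) % 32) + 32) % 32; // RegExp -> NaN -> 0
  return Math.floor(toInt32(b) / 2 ** shiftCount);          // b >> x
}

// Same body as the reported test case: the code an engine actually compiles.
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;
  const a = 0 | arg;
  const b = a + 0.1;
  const vvv = 1020000;
  const c = b >> x;
  return c;
}

// Call fn(warmArg) repeatedly so the engine tiers it up, and after every call
// compare fn(probeArg) with the reference. Returns null when the results stay
// consistent, otherwise the first iteration at which they diverged.
function checkAfterWarmup(fn, ref, probeArg, warmArg, iterations = 5000) {
  const expected = ref(probeArg);
  for (let i = 0; i < iterations; i++) {
    fn(warmArg);
    const got = fn(probeArg);
    if (got !== expected) return { iteration: i, expected, got };
  }
  return null;
}

// Sample run with the test case's own inputs (y = -2147483647 probed, x = 3 for warm-up).
const out = typeof print === "function" ? print : console.log;
const verdict = checkAfterWarmup(foo, referenceFoo, -2147483647, 3, 5000);
out(verdict === null ? "consistent across tiers" : "divergence: " + JSON.stringify(verdict));
```

The probe is re-run after every warm-up call rather than once at the end, so a divergence is caught at the tier transition where it first appears, which narrows down which JIT tier produced the wrong value.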
Radar WebKit Bug Importer
<rdar://problem/117563215>
Yijia Huang
Pull request: https://github.com/apple/WebKit/pull/909
Mark Lam
Pull request https://github.com/apple/WebKit/pull/909 is invalidated.
This turned out to not be a security bug after all. Due to some unfortunate paperwork shuffle, this bug actually ended up being fixed in https://bugs.webkit.org/show_bug.cgi?id=264278.
Mark Lam
Sorry for the forward dupe, but https://bugs.webkit.org/show_bug.cgi?id=264278 tracks the fix.
*** This bug has been marked as a duplicate of bug 264278 ***