| Summary: | Integer calculation error after JIT optimization. This may cause overflow or underflow, leading to exploitable vulnerability. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | anbu1024 |
| Component: | JavaScriptCore | Assignee: | Yijia Huang <yijia_huang> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Critical | CC: | bfulgham, mark.lam, mcatanzaro, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
Pull request: https://github.com/apple/WebKit/pull/909

Pull request https://github.com/apple/WebKit/pull/909 is invalidated.

This turned out to not be a security bug after all. Due to some unfortunate paperwork shuffle, this bug actually ended up being fixed in https://bugs.webkit.org/show_bug.cgi?id=264278. Sorry for the forward dupe, but https://bugs.webkit.org/show_bug.cgi?id=264278 tracks the fix.

*** This bug has been marked as a duplicate of bug 264278 ***
JSC version: afe912ce640a337086d106e4853c3dabae003a38

Build options:
```
./Tools/Scripts/build-jsc --jsc-only --debug
```

Test case:
```
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;
  const a = 0 | arg;      // ToInt32(arg)
  const b = a + 0.1;      // leaves the int32 range as a double
  const vvv = 1020000;
  const c = b >> x;       // RegExp shift count: ToNumber -> NaN -> shift by 0, so c = ToInt32(b)
  return c;
}

let x = 3;
let y = -2147483647; // -0x7fffffff, i.e. INT32_MIN + 1

let apple = foo(y);
print("function call before JIT opt");
print(apple);

for (let i = 0; i < 200; i++) {
  foo(x);
}

let banana = foo(y);
print("function call after JIT opt");
print(banana);
```

Result:
```
function call before JIT opt
-2147483646
function call after JIT opt
-2147483647
```
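What the spec says foo(y) must return, and a way to compare an engine's cold and warmed-up results against it, as an added example that is not part of the bug report or of WebKit: toInt32, signedRightShift, fooReference, checkTierUp and the input list are mine; foo is copied from the test case above.

```javascript
// ECMAScript ToInt32: NaN/Infinity/0 -> 0, truncate toward zero, then reduce
// modulo 2^32 into the signed 32-bit range.
function toInt32(v) {
  const n = Number(v);
  if (!Number.isFinite(n) || n === 0) return 0;
  const m = ((Math.trunc(n) % 4294967296) + 4294967296) % 4294967296;
  return m >= 2147483648 ? m - 4294967296 : m;
}

// `lhs >> rhs` per spec: ToInt32(lhs) arithmetically shifted by the low 5 bits
// of ToUint32(rhs), i.e. floor division by 2^count. A RegExp rhs goes through
// ToNumber -> NaN -> 0, so the reporter's expression shifts by zero bits.
function signedRightShift(lhs, rhs) {
  const count = toInt32(rhs) & 31; // same low 5 bits as ToUint32(rhs)
  return Math.floor(toInt32(lhs) / 2 ** count);
}

// Added reference model of foo(arg) with no bitwise operators, so it cannot
// share a JIT fast path with the expression under test.
function fooReference(arg) {
  const b = toInt32(arg) + 0.1;          // `0 | arg`, then `a + 0.1`
  return signedRightShift(b, /\s.\W/iu); // `b >> x`
}

// The reporter's function, reproduced verbatim so the check is self-contained.
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;
  const a = 0 | arg;
  const b = a + 0.1;
  const vvv = 1020000;
  const c = b >> x;
  return c;
}

// Calls fn cold on each input, warms it up on a benign value, calls it again,
// and returns every result that departs from the reference (empty = no
// discrepancy observed on the running engine). The inputs are constructed.
function checkTierUp(fn, inputs, iterations = 200) {
  const mismatches = [];
  for (const arg of inputs) {
    const expected = fooReference(arg);
    const cold = fn(arg);
    for (let i = 0; i < iterations; i++) fn(3);
    const warm = fn(arg);
    if (cold !== expected || warm !== expected) mismatches.push({ arg, expected, cold, warm });
  }
  return mismatches;
}

console.log(checkTierUp(foo, [-2147483647, -2147483648, 3, 2147483647]));
```

On the affected JSC build the list would contain `{ arg: -2147483647, expected: -2147483646, cold: -2147483646, warm: -2147483647 }`; a conforming engine returns an empty list.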