Wed Oct 3 18:58:23 2018 UTC ()

spidermonkey52: backport patch for CVE-2018-12387

Don't inline push with more than 1 argument

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

Bump PKGREVISION


(maya)

diff -r1.9 -r1.10 pkgsrc/lang/spidermonkey52/Makefile
diff -r1.4 -r1.5 pkgsrc/lang/spidermonkey52/distinfo
diff -r0 -r1.1 pkgsrc/lang/spidermonkey52/patches/patch-CVE-2018-12387

--- pkgsrc/lang/spidermonkey52/Attic/Makefile 2018/08/22 09:45:22 1.9
+++ pkgsrc/lang/spidermonkey52/Attic/Makefile 2018/10/03 18:58:22 1.10

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.9 2018/08/22 09:45:22 wiz Exp $
+# $NetBSD: Makefile,v 1.10 2018/10/03 18:58:22 maya Exp $
 DISTNAME=	mozjs-52.7.4
-PKGREVISION=	4
+PKGREVISION=	5
 PKGNAME=	${DISTNAME:S/mozjs/spidermonkey52/}
 CATEGORIES=	lang
 MASTER_SITES=	https://queue.taskcluster.net/v1/task/YqG2fjJJSTGzGX090FjDYg/runs/0/artifacts/public/build/
 EXTRACT_SUFX=	.tar.bz2
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/52
 COMMENT=	Standalone JavaScript implementation in C (major version 52)
 LICENSE=	mpl-2.0
 HAS_CONFIGURE=	yes
 USE_LANGUAGES=	c c++
 USE_TOOLS+=	pkg-config perl gmake autoconf213

--- pkgsrc/lang/spidermonkey52/Attic/distinfo 2018/05/19 12:38:28 1.4
+++ pkgsrc/lang/spidermonkey52/Attic/distinfo 2018/10/03 18:58:22 1.5

 @@ -1,19 +1,20 @@
-$NetBSD: distinfo,v 1.4 2018/05/19 12:38:28 youri Exp $
+$NetBSD: distinfo,v 1.5 2018/10/03 18:58:22 maya Exp $
 SHA1 (mozjs-52.7.4.tar.bz2) = ff009853040bb46017204fda4ed69a79484fd321
 RMD160 (mozjs-52.7.4.tar.bz2) = 71ee71c2444d8b6a1b2b3c744c9f52a2b7129879
 SHA512 (mozjs-52.7.4.tar.bz2) = 7381f251ca9a4983d181eee2198f89b30505a0de636020e52c0c5b174f4d5cd19ca851222b6d8013bb657f2f1ce1ffcb54816eb928e481be2c9242f918d0125e
 Size (mozjs-52.7.4.tar.bz2) = 30494311 bytes
 SHA1 (patch-CVE-2018-12387) = a0e3198e1009db01bb5a39220764e7dcdfd52591
 SHA1 (patch-build_moz.configure_init.configure) = 63ed71d4269e8fbf990f44eecadca796991d5c1f
 SHA1 (patch-config_gcc__hidden.h) = c2042035288e01601b6c240fb08c8a1f598b9dfd
 SHA1 (patch-intl_icu_source_configure) = 1ff1be8ca68566e153219e15b8db696afd08b746
 SHA1 (patch-js_src_gc_Memory.cpp) = b1bb0c3045163d586c0b4d731d0ed7c23f339f3c
 SHA1 (patch-js_src_jsnativestack.cpp) = 3d0b06ccc3e24b408b97d01faa7758353f2edc85
 SHA1 (patch-js_src_old-configure_in) = 707cdb8a8ff9abaa7017be10bd2c5727d05b605b
 SHA1 (patch-js_src_tests_update-test262.sh) = 10d73d95f4b849090bccb8fe656df79cbcea89f3
 SHA1 (patch-js_src_threading_posix_Thread.cpp) = e490d04ed28ffd8b2e9901a24739ad19fe6759e0
 SHA1 (patch-js_src_wasm_WasmSignalHandlers.cpp) = fd9b836d35d71103c3d8b628a6fe7c446bd4c7da
 SHA1 (patch-memory_mozalloc_mozalloc__abort.cpp) = 610f7457f6a1993d26fcccd5730113bb48926d99
 SHA1 (patch-mfbt_Poison.cpp) = f4560e4552beeb70d0564e3fdfd908c5e0bd94c4
 SHA1 (patch-mfbt_tests_TestPoisonArea.cpp) = 054441d4618bf630be6d6e71babdcdaa884f533a
 SHA1 (patch-modules_fdlibm_src_math__private.h) = afa40802bfdb917d7906de486eb8882da426c9cf

$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $

From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 25 Sep 2018 12:33:42 +0200
Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument.
 r=tcampbell

CVE-2018-12387

--- js/src/jit/MCallOptimize.cpp.orig	2018-04-28 01:04:03.000000000 +0000
+++ js/src/jit/MCallOptimize.cpp
@@ -818,6 +818,12 @@ IonBuilder::inlineArraySlice(CallInfo& c
         return InliningStatus_NotInlined;
     }
 
+    // XXX bug 1493903.
+    if (callInfo.argc() != 1) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+        return InliningStatus_NotInlined;
+    }
+
     MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
 
     // Ensure |this| and result are objects.