spidermonkey52: backport patch for CVE-2018-12387 Don't inline push with more than 1 argument A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. Bump PKGREVISIONdiff -r1.9 -r1.10 pkgsrc/lang/spidermonkey52/Makefile
(maya)
| @@ -1,57 +1,57 @@ | @@ -1,57 +1,57 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.9 2018/08/22 09:45:22 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.10 2018/10/03 18:58:22 maya Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= mozjs-52.7.4 | 3 | DISTNAME= mozjs-52.7.4 | |
| 4 | PKGREVISION= 4 | 4 | PKGREVISION= 5 | |
| 5 | PKGNAME= ${DISTNAME:S/mozjs/spidermonkey52/} | 5 | PKGNAME= ${DISTNAME:S/mozjs/spidermonkey52/} | |
| 6 | CATEGORIES= lang | 6 | CATEGORIES= lang | |
| 7 | MASTER_SITES= https://queue.taskcluster.net/v1/task/YqG2fjJJSTGzGX090FjDYg/runs/0/artifacts/public/build/ | 7 | MASTER_SITES= https://queue.taskcluster.net/v1/task/YqG2fjJJSTGzGX090FjDYg/runs/0/artifacts/public/build/ | |
| 8 | EXTRACT_SUFX= .tar.bz2 | 8 | EXTRACT_SUFX= .tar.bz2 | |
| 9 | 9 | |||
| 10 | MAINTAINER= pkgsrc-users@NetBSD.org | 10 | MAINTAINER= pkgsrc-users@NetBSD.org | |
| 11 | HOMEPAGE= https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/52 | 11 | HOMEPAGE= https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/52 | |
| 12 | COMMENT= Standalone JavaScript implementation in C (major version 52) | 12 | COMMENT= Standalone JavaScript implementation in C (major version 52) | |
| 13 | LICENSE= mpl-2.0 | 13 | LICENSE= mpl-2.0 | |
| 14 | 14 | |||
| 15 | HAS_CONFIGURE= yes | 15 | HAS_CONFIGURE= yes | |
| 16 | USE_LANGUAGES= c c++ | 16 | USE_LANGUAGES= c c++ | |
| 17 | USE_TOOLS+= pkg-config perl gmake autoconf213 | 17 | USE_TOOLS+= pkg-config perl gmake autoconf213 | |
| 18 | AUTOCONF_REQD= 2.13 | 18 | AUTOCONF_REQD= 2.13 | |
| 19 | 19 | |||
| 20 | CONFIGURE_ARGS+= --prefix=${PREFIX} | 20 | CONFIGURE_ARGS+= --prefix=${PREFIX} | |
| 21 | CONFIGURE_ARGS+= --enable-readline | 21 | CONFIGURE_ARGS+= --enable-readline | |
| 22 | CONFIGURE_ARGS+= --with-system-icu | 22 | CONFIGURE_ARGS+= --with-system-icu | |
| 23 | CONFIGURE_ARGS+= --with-system-nspr | 23 | CONFIGURE_ARGS+= --with-system-nspr | |
| 24 | CONFIGURE_ARGS+= --with-system-zlib | 24 | CONFIGURE_ARGS+= --with-system-zlib | |
| 25 | CONFIGURE_ARGS+= --with-pthreads | 25 | CONFIGURE_ARGS+= --with-pthreads | |
| 26 | CONFIGURE_ARGS+= --disable-jemalloc | 26 | CONFIGURE_ARGS+= --disable-jemalloc | |
| 27 | 27 | |||
| 28 | CONFIGURE_DIRS= js/src | 28 | CONFIGURE_DIRS= js/src | |
| 29 | 29 | |||
| 30 | PKGCONFIG_OVERRIDE+= js/src/ctypes/libffi/libffi.pc.in | 30 | PKGCONFIG_OVERRIDE+= js/src/ctypes/libffi/libffi.pc.in | |
| 31 | PKGCONFIG_OVERRIDE+= js/src/js.pc.in | 31 | PKGCONFIG_OVERRIDE+= js/src/js.pc.in | |
| 32 | 32 | |||
| 33 | PYTHON_VERSIONS_ACCEPTED= 27 | 33 | PYTHON_VERSIONS_ACCEPTED= 27 | |
| 34 | PYTHON_FOR_BUILD_ONLY= yes | 34 | PYTHON_FOR_BUILD_ONLY= yes | |
| 35 | 35 | |||
| 36 | DEPENDS+= ${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat | 36 | DEPENDS+= ${PYPKGPREFIX}-expat-[0-9]*:../../textproc/py-expat | |
| 37 | 37 | |||
| 38 | .if ${MACHINE_ARCH} == "i386" | 38 | .if ${MACHINE_ARCH} == "i386" | |
| 39 | # Needs 8 byte atomics. | 39 | # Needs 8 byte atomics. | |
| 40 | CXXFLAGS+= -march=i586 | 40 | CXXFLAGS+= -march=i586 | |
| 41 | .endif | 41 | .endif | |
| 42 | 42 | |||
| 43 | # fails, does not find hg/git checkout | 43 | # fails, does not find hg/git checkout | |
| 44 | TEST_TARGET= check | 44 | TEST_TARGET= check | |
| 45 | 45 | |||
| 46 | pre-configure: | 46 | pre-configure: | |
| 47 | cd ${WRKSRC}/js/src && autoconf | 47 | cd ${WRKSRC}/js/src && autoconf | |
| 48 | 48 | |||
| 49 | post-install: | 49 | post-install: | |
| 50 | ${RM} ${DESTDIR}${PREFIX}/lib/libjs_static.ajs | 50 | ${RM} ${DESTDIR}${PREFIX}/lib/libjs_static.ajs | |
| 51 | 51 | |||
| 52 | .include "../../devel/nspr/buildlink3.mk" | 52 | .include "../../devel/nspr/buildlink3.mk" | |
| 53 | .include "../../devel/zlib/buildlink3.mk" | 53 | .include "../../devel/zlib/buildlink3.mk" | |
| 54 | .include "../../lang/python/tool.mk" | 54 | .include "../../lang/python/tool.mk" | |
| 55 | .include "../../textproc/icu/buildlink3.mk" | 55 | .include "../../textproc/icu/buildlink3.mk" | |
| 56 | .include "../../mk/readline.buildlink3.mk" | 56 | .include "../../mk/readline.buildlink3.mk" | |
| 57 | .include "../../mk/bsd.pkg.mk" | 57 | .include "../../mk/bsd.pkg.mk" |
| @@ -1,22 +1,23 @@ | @@ -1,22 +1,23 @@ | |||
| 1 | $NetBSD: distinfo,v 1.4 2018/05/19 12:38:28 youri Exp $ | 1 | $NetBSD: distinfo,v 1.5 2018/10/03 18:58:22 maya Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (mozjs-52.7.4.tar.bz2) = ff009853040bb46017204fda4ed69a79484fd321 | 3 | SHA1 (mozjs-52.7.4.tar.bz2) = ff009853040bb46017204fda4ed69a79484fd321 | |
| 4 | RMD160 (mozjs-52.7.4.tar.bz2) = 71ee71c2444d8b6a1b2b3c744c9f52a2b7129879 | 4 | RMD160 (mozjs-52.7.4.tar.bz2) = 71ee71c2444d8b6a1b2b3c744c9f52a2b7129879 | |
| 5 | SHA512 (mozjs-52.7.4.tar.bz2) = 7381f251ca9a4983d181eee2198f89b30505a0de636020e52c0c5b174f4d5cd19ca851222b6d8013bb657f2f1ce1ffcb54816eb928e481be2c9242f918d0125e | 5 | SHA512 (mozjs-52.7.4.tar.bz2) = 7381f251ca9a4983d181eee2198f89b30505a0de636020e52c0c5b174f4d5cd19ca851222b6d8013bb657f2f1ce1ffcb54816eb928e481be2c9242f918d0125e | |
| 6 | Size (mozjs-52.7.4.tar.bz2) = 30494311 bytes | 6 | Size (mozjs-52.7.4.tar.bz2) = 30494311 bytes | |
| 7 | SHA1 (patch-CVE-2018-12387) = a0e3198e1009db01bb5a39220764e7dcdfd52591 | |||
| 7 | SHA1 (patch-build_moz.configure_init.configure) = 63ed71d4269e8fbf990f44eecadca796991d5c1f | 8 | SHA1 (patch-build_moz.configure_init.configure) = 63ed71d4269e8fbf990f44eecadca796991d5c1f | |
| 8 | SHA1 (patch-config_gcc__hidden.h) = c2042035288e01601b6c240fb08c8a1f598b9dfd | 9 | SHA1 (patch-config_gcc__hidden.h) = c2042035288e01601b6c240fb08c8a1f598b9dfd | |
| 9 | SHA1 (patch-intl_icu_source_configure) = 1ff1be8ca68566e153219e15b8db696afd08b746 | 10 | SHA1 (patch-intl_icu_source_configure) = 1ff1be8ca68566e153219e15b8db696afd08b746 | |
| 10 | SHA1 (patch-js_src_gc_Memory.cpp) = b1bb0c3045163d586c0b4d731d0ed7c23f339f3c | 11 | SHA1 (patch-js_src_gc_Memory.cpp) = b1bb0c3045163d586c0b4d731d0ed7c23f339f3c | |
| 11 | SHA1 (patch-js_src_jsnativestack.cpp) = 3d0b06ccc3e24b408b97d01faa7758353f2edc85 | 12 | SHA1 (patch-js_src_jsnativestack.cpp) = 3d0b06ccc3e24b408b97d01faa7758353f2edc85 | |
| 12 | SHA1 (patch-js_src_old-configure_in) = 707cdb8a8ff9abaa7017be10bd2c5727d05b605b | 13 | SHA1 (patch-js_src_old-configure_in) = 707cdb8a8ff9abaa7017be10bd2c5727d05b605b | |
| 13 | SHA1 (patch-js_src_tests_update-test262.sh) = 10d73d95f4b849090bccb8fe656df79cbcea89f3 | 14 | SHA1 (patch-js_src_tests_update-test262.sh) = 10d73d95f4b849090bccb8fe656df79cbcea89f3 | |
| 14 | SHA1 (patch-js_src_threading_posix_Thread.cpp) = e490d04ed28ffd8b2e9901a24739ad19fe6759e0 | 15 | SHA1 (patch-js_src_threading_posix_Thread.cpp) = e490d04ed28ffd8b2e9901a24739ad19fe6759e0 | |
| 15 | SHA1 (patch-js_src_wasm_WasmSignalHandlers.cpp) = fd9b836d35d71103c3d8b628a6fe7c446bd4c7da | 16 | SHA1 (patch-js_src_wasm_WasmSignalHandlers.cpp) = fd9b836d35d71103c3d8b628a6fe7c446bd4c7da | |
| 16 | SHA1 (patch-memory_mozalloc_mozalloc__abort.cpp) = 610f7457f6a1993d26fcccd5730113bb48926d99 | 17 | SHA1 (patch-memory_mozalloc_mozalloc__abort.cpp) = 610f7457f6a1993d26fcccd5730113bb48926d99 | |
| 17 | SHA1 (patch-mfbt_Poison.cpp) = f4560e4552beeb70d0564e3fdfd908c5e0bd94c4 | 18 | SHA1 (patch-mfbt_Poison.cpp) = f4560e4552beeb70d0564e3fdfd908c5e0bd94c4 | |
| 18 | SHA1 (patch-mfbt_tests_TestPoisonArea.cpp) = 054441d4618bf630be6d6e71babdcdaa884f533a | 19 | SHA1 (patch-mfbt_tests_TestPoisonArea.cpp) = 054441d4618bf630be6d6e71babdcdaa884f533a | |
| 19 | SHA1 (patch-modules_fdlibm_src_math__private.h) = afa40802bfdb917d7906de486eb8882da426c9cf | 20 | SHA1 (patch-modules_fdlibm_src_math__private.h) = afa40802bfdb917d7906de486eb8882da426c9cf | |
| 20 | SHA1 (patch-mozglue_build_moz.build) = f35ffa1a54ccc4cd1ed7983aac792e334c9169b1 | 21 | SHA1 (patch-mozglue_build_moz.build) = f35ffa1a54ccc4cd1ed7983aac792e334c9169b1 | |
| 21 | SHA1 (patch-python_mozbuild_mozbuild_backend_recursivemake.py) = ffb59ddf2d95eb284d24dad3d3aedc7d7f5b5d96 | 22 | SHA1 (patch-python_mozbuild_mozbuild_backend_recursivemake.py) = ffb59ddf2d95eb284d24dad3d3aedc7d7f5b5d96 | |
| 22 | SHA1 (patch-python_mozbuild_mozbuild_configure_constants.py) = aed1c08cecc29e29edc8ccee98d032546814d6e4 | 23 | SHA1 (patch-python_mozbuild_mozbuild_configure_constants.py) = aed1c08cecc29e29edc8ccee98d032546814d6e4 |
$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $
From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 25 Sep 2018 12:33:42 +0200
Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument.
r=tcampbell
CVE-2018-12387
--- js/src/jit/MCallOptimize.cpp.orig 2018-04-28 01:04:03.000000000 +0000
+++ js/src/jit/MCallOptimize.cpp
@@ -818,6 +818,12 @@ IonBuilder::inlineArraySlice(CallInfo& c
return InliningStatus_NotInlined;
}
+ // XXX bug 1493903.
+ if (callInfo.argc() != 1) {
+ trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+ return InliningStatus_NotInlined;
+ }
+
MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
// Ensure |this| and result are objects.