packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!156 fix CVE-2020-26950

Browse Source 
From: @jackssir 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx
This commit is contained in:
openeuler-ci-bot 2024-04-25 02:11:04 +00:00 committed by Gitee
commit d4cf889c2f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 84 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
CVE-2020-26950.patch Normal file
View File

@ -0,0 +1,78 @@
From 9ed502c59c6456bf8984bb6de49472da69ef4c90 Mon Sep 17 00:00:00 2001
From: Ted Campbell <tcampbell@mozilla.com>
Date: Sat, 07 Nov 2020 05:36:31 +0000 (2020-11-07)
Subject: [PATCH] CVE-2020-26950
Simplify IonBuilder::createThisScripted. r=jandem,iain a=RyanVM
---
js/src/jit/IonBuilder.cpp | 31 ++++++++-----------------------
js/src/jit/IonIC.cpp | 8 ++++++++
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 1b2a62a268..865e7bb322 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -5206,31 +5206,16 @@ MDefinition* IonBuilder::createThisScripted(MDefinition* callee,
// explicit operation in the bytecode, we cannot use resumeAfter().
// Getters may not override |prototype| fetching, so this operation is
// indeed idempotent.
- // - First try an idempotent property cache.
- // - Upon failing idempotent property cache, we can't use a non-idempotent
- // cache, therefore we fallback to CallGetProperty
- //
- // Note: both CallGetProperty and GetPropertyCache can trigger a GC,
- // and thus invalidation.
- MInstruction* getProto;
- if (!invalidatedIdempotentCache()) {
- MConstant* id = constant(StringValue(names().prototype));
- MGetPropertyCache* getPropCache =
- MGetPropertyCache::New(alloc(), newTarget, id,
- /* monitored = */ false);
- getPropCache->setIdempotent();
- getProto = getPropCache;
- } else {
- MCallGetProperty* callGetProp =
- MCallGetProperty::New(alloc(), newTarget, names().prototype);
- callGetProp->setIdempotent();
- getProto = callGetProp;
- }
- current->add(getProto);
-
+ // Note: GetPropertyCache can trigger a GC, and thus invalidation.
+ MConstant* id = constant(StringValue(names().prototype));
+ MGetPropertyCache* getPropCache =
+ MGetPropertyCache::New(alloc(), newTarget, id,
+ /* monitored = */ false);
+ getPropCache->setIdempotent();
+ current->add(getPropCache);
// Create this from prototype
MCreateThisWithProto* createThis =
- MCreateThisWithProto::New(alloc(), callee, newTarget, getProto);
+ MCreateThisWithProto::New(alloc(), callee, newTarget, getPropCache);
current->add(createThis);
return createThis;
diff --git a/js/src/jit/IonIC.cpp b/js/src/jit/IonIC.cpp
index 2c3ba44782..3cd06a13e7 100644
--- a/js/src/jit/IonIC.cpp
+++ b/js/src/jit/IonIC.cpp
@@ -216,6 +216,14 @@ bool IonGetPropertyIC::update(JSContext* cx, HandleScript outerScript,
if (outerScript->hasIonScript()) {
Invalidate(cx, outerScript);
}
+ // IonBuilder::createScriptedThis does not use InvalidedIdempotentCache
+ // flag so prevent bailout-loop by disabling Ion for the script.
+ MOZ_ASSERT(ic->kind() == CacheKind::GetProp);
+ if (idVal.toString()->asAtom().asPropertyName() == cx->names().prototype) {
+ if (val.isObject() && val.toObject().is<JSFunction>()) {
+ outerScript->disableIon();
+ }
+ }
// We will redo the potentially effectful lookup in Baseline.
return true;
--
2.27.0

7
firefox.spec
View File

@ -88,7 +88,7 @@
Summary: Mozilla Firefox Web browser Summary: Mozilla Firefox Web browser
Name: firefox Name: firefox
Version: 79.0 Version: 79.0
Release: 18 Release: 19
URL: https://www.mozilla.org/firefox/ URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -197,6 +197,7 @@ Patch653: CVE-2023-7104.patch
Patch654: CVE-2022-22755.patch Patch654: CVE-2022-22755.patch
Patch655: CVE-2022-1802.patch Patch655: CVE-2022-1802.patch
Patch656: CVE-2023-44488.patch Patch656: CVE-2023-44488.patch
Patch657: CVE-2020-26950.patch
%if %{?system_nss} %if %{?system_nss}
BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@ -388,6 +389,7 @@ tar -xf %{SOURCE3}
%patch654 -p1 %patch654 -p1
%patch655 -p1 %patch655 -p1
%patch656 -p1 %patch656 -p1
%patch657 -p1
%{__rm} -f .mozconfig %{__rm} -f .mozconfig
%{__cp} %{SOURCE10} .mozconfig %{__cp} %{SOURCE10} .mozconfig
@ -836,6 +838,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif %endif
%changelog %changelog
* Wed Apr 24 2024 lvfei <lvfei@kylinos.cn> - 79.0-19
- Fif CVE-2020-26950
* Fri Apr 19 2024 lvfei <lvfei@kylinos.cn> - 79.0-18 * Fri Apr 19 2024 lvfei <lvfei@kylinos.cn> - 79.0-18
- Fix CVE-2023-44488 - Fix CVE-2023-44488