56804398a9
* gnu/packages/patches/webkitgtk-mitigate-spectre.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/webkit.scm (webkitgtk)[source]: Add patch.
107 lines
6 KiB
Diff
107 lines
6 KiB
Diff
Disable SharedArrayBuffers to mitigate Spectre. Based on:
|
|
|
|
https://trac.webkit.org/changeset/226386/webkit
|
|
|
|
Backported to webkitgtk-2.18.4 by Mark H Weaver <mhw@netris.org>
|
|
|
|
|
|
--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h.orig 2017-12-19 02:23:07.000000000 -0500
|
|
+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h 2018-01-06 19:28:55.985066986 -0500
|
|
@@ -338,8 +338,10 @@
|
|
WriteBarrier<Structure> m_moduleLoaderStructure;
|
|
WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
|
|
WriteBarrier<Structure> m_arrayBufferStructure;
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
|
|
WriteBarrier<Structure> m_sharedArrayBufferStructure;
|
|
+#endif
|
|
|
|
#define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
|
|
WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
|
|
@@ -670,8 +672,13 @@
|
|
switch (sharingMode) {
|
|
case ArrayBufferSharingMode::Default:
|
|
return m_arrayBufferPrototype.get();
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
case ArrayBufferSharingMode::Shared:
|
|
return m_sharedArrayBufferPrototype.get();
|
|
+#else
|
|
+ default:
|
|
+ return m_arrayBufferPrototype.get();
|
|
+#endif
|
|
}
|
|
}
|
|
Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
|
|
@@ -679,8 +686,13 @@
|
|
switch (sharingMode) {
|
|
case ArrayBufferSharingMode::Default:
|
|
return m_arrayBufferStructure.get();
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
case ArrayBufferSharingMode::Shared:
|
|
return m_sharedArrayBufferStructure.get();
|
|
+#else
|
|
+ default:
|
|
+ return m_arrayBufferStructure.get();
|
|
+#endif
|
|
}
|
|
RELEASE_ASSERT_NOT_REACHED();
|
|
return nullptr;
|
|
--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp.orig 2017-12-19 02:23:07.000000000 -0500
|
|
+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2018-01-06 19:27:16.628574304 -0500
|
|
@@ -574,8 +574,10 @@
|
|
|
|
m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
|
|
m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
|
|
m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
|
|
+#endif
|
|
|
|
m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
|
|
m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
|
|
@@ -620,10 +622,11 @@
|
|
|
|
JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
|
|
m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
|
|
sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
|
|
m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
|
|
-
|
|
+#endif
|
|
#define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
|
|
capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
|
|
m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
|
|
@@ -686,7 +689,9 @@
|
|
putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
|
|
|
|
putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
|
|
+#endif
|
|
|
|
#define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
|
|
putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
|
|
@@ -1288,8 +1293,10 @@
|
|
|
|
visitor.append(thisObject->m_arrayBufferPrototype);
|
|
visitor.append(thisObject->m_arrayBufferStructure);
|
|
+#if ENABLE(SHARED_ARRAY_BUFFER)
|
|
visitor.append(thisObject->m_sharedArrayBufferPrototype);
|
|
visitor.append(thisObject->m_sharedArrayBufferStructure);
|
|
+#endif
|
|
|
|
#define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
|
|
visitor.append(thisObject->m_ ## lowerName ## Prototype); \
|
|
--- webkitgtk-2.18.4/Source/WTF/wtf/Platform.h.orig 2017-10-16 08:18:56.000000000 -0400
|
|
+++ webkitgtk-2.18.4/Source/WTF/wtf/Platform.h 2018-01-06 19:29:52.897349199 -0500
|
|
@@ -1190,6 +1190,9 @@
|
|
#define HAVE_NS_ACTIVITY 1
|
|
#endif
|
|
|
|
+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
|
|
+#define ENABLE_SHARED_ARRAY_BUFFER 0
|
|
+
|
|
#if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
|
|
#undef ENABLE_OPENTYPE_MATH
|
|
#define ENABLE_OPENTYPE_MATH 1
|