The following patch adds a USE flag for qt-webkit/qt-webkit-4.5.1-r1 to enable or disable JavaScript JIT (enabled by default). I'm not sure if this flag should be arch-dependent: currently JIT is available on x86 only, but more archs to come (amd64 at least).
--- x11-libs/qt-webkit/qt-webkit-4.5.1-r1.ebuild 2009-09-12 04:06:48.000000000 +0800 +++ x11-libs/qt-webkit/qt-webkit-4.5.1-r1.ebuild 2009-09-30 17:26:00.000000000 +0800 @@ -8,7 +8,7 @@ DESCRIPTION="The Webkit module for the Qt toolkit" SLOT="4" KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ppc ~ppc64 -sparc x86 ~x86-fbsd" -IUSE="kde" +IUSE="+jit kde" DEPEND="~x11-libs/qt-core-${PV}[debug=,ssl] ~x11-libs/qt-gui-${PV}[debug=] @@ -29,6 +29,7 @@ qt4-build_src_prepare # Security patch from upstream, bug 281821 epatch "${FILESDIR}"/webkit-CVE-2009-1725.patch + use jit || epatch "${FILESDIR}"/${PV}-disable-jit.patch } src_configure() { --- /dev/null 2009-09-30 11:23:31.371765162 +0800 +++ x11-libs/qt-webkit/files/4.5.1-disable-jit.patch 2009-08-27 20:16:20.000000000 +0800 
@@ -0,0 +1,23 @@ +--- qt-x11-opensource-src-4.5.1/src/3rdparty/webkit/JavaScriptCore/JavaScriptCore.pri.orig 2009-08-27 20:12:27.000000000 +0800 ++++ qt-x11-opensource-src-4.5.1/src/3rdparty/webkit/JavaScriptCore/JavaScriptCore.pri 2009-08-27 20:13:42.000000000 +0800 +@@ -13,20 +13,6 @@ + LIBS += -lwinmm + } + +-# Disable the JIT due to numerous observed miscompilations :( +-CONFIG(release):isEqual(QT_ARCH,i386) { +- JIT_DEFINES = ENABLE_JIT ENABLE_WREC ENABLE_JIT_OPTIMIZE_CALL ENABLE_JIT_OPTIMIZE_PROPERTY_ACCESS ENABLE_JIT_OPTIMIZE_ARITHMETIC +- # Require gcc >= 4.1 +- linux-g++*:greaterThan(QT_GCC_MAJOR_VERSION,3):greaterThan(QT_GCC_MINOR_VERSION,0) { +- DEFINES += $$JIT_DEFINES WTF_USE_JIT_STUB_ARGUMENT_VA_LIST +- QMAKE_CXXFLAGS += -fno-stack-protector +- QMAKE_CFLAGS += -fno-stack-protector +- } +- win32-msvc* { +- DEFINES += $$JIT_DEFINES WTF_USE_JIT_STUB_ARGUMENT_REGISTER +- } +-} +- + win32-msvc*: INCLUDEPATH += $$PWD/os-win32 + wince* { + INCLUDEPATH += $$PWD/os-wince
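Review bot: `+IUSE="+jit kde"` enables the flag by default on every arch in the KEYWORDS line, but the block that `4.5.1-disable-jit.patch` removes is gated on `CONFIG(release):isEqual(QT_ARCH,i386)`, so on amd64, ppc, hppa and the rest the JIT is never built regardless of the flag and `use jit || epatch ...` changes nothing there. Either guard the new line so it only applies on x86 (where the flag actually has an effect) or make the flag description say it is x86-only, so users on other arches are not led to believe toggling it changed their build. The patch also adds a USE flag without the matching metadata.xml description.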
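Review bot: the new `use jit || epatch "${FILESDIR}"/${PV}-disable-jit.patch` line in src_prepare sits directly under `# Security patch from upstream, bug 281821` with no comment of its own, so anyone reading the ebuild will take it as part of the CVE-2009-1725 fix. Give it its own comment stating why the JIT can be switched off (executable memory / PaX MPROTECT, as discussed in this bug). Naming the file `${PV}-disable-jit.patch` also ties it to the exact version, which is consistent here (the file is `4.5.1-disable-jit.patch`) but means a rename and re-diff on every bump.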
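Review bot: the removed block in JavaScriptCore.pri is also the only place upstream adds `-fno-stack-protector` to QMAKE_CXXFLAGS and QMAKE_CFLAGS, so with `jit` enabled JavaScriptCore is built without stack-protector canaries (a second hardening loss that the bug description does not mention), and with `jit` disabled this patch silently restores them; that is worth recording in the flag description. The patch also deletes the `win32-msvc*` branch and the gcc >= 4.1 check, which is more than a Gentoo build needs; a smaller patch that only neutralises the `ENABLE_JIT` defines (or the `isEqual(QT_ARCH,i386)` condition) would be easier to carry forward across Qt versions.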
Why? Some more background info would be nice.
(In reply to comment #1)
> Why? Some more background info would be nice.

JIT requires executable stack pages, and any process performing JavaScript on hardened kernels will have to run with PAX_MPROTECT disabled. This may allow easier code-execution exploits to work (without the need for pure ret2libc-style stack preparation, which is harder). Apart from that, the JIT itself can be vulnerable.
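The point made in the reply above, as an added example (not code from QtWebKit, Qt or the Gentoo ebuild): a JIT has to write machine code into memory and then execute it, so it needs a page that is writable and later (or simultaneously) executable. PaX MPROTECT denies both creating writable+executable anonymous mappings and turning a non-executable mapping executable with mprotect(), which is why a JIT-enabled process has to run with MPROTECT disabled at all. The example emits a six-byte x86 function, tries the W^X-friendly sequence (map RW, write, flip to RX, never RWX) and falls back to an interpreter when the kernel refuses, instead of requiring MPROTECT off. It assumes Linux with gcc or clang; the emitted bytes are only valid on x86/x86-64, and nothing here claims this is how QtWebKit 4.5.1's JIT allocates its code memory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Status codes returned by jit_return_const(). */
enum { JIT_OK = 0, JIT_ERR_ARCH = -1, JIT_ERR_DENIED = -2 };

/* Encode "mov eax, imm32 ; ret" (B8 <imm32 little-endian> C3), the smallest
 * x86/x86-64 function that returns a caller-chosen constant. Returns the
 * number of bytes written (always 6). Bytes are written individually so the
 * encoder itself does not depend on host endianness. */
size_t emit_mov_eax_imm_ret(uint8_t *buf, int32_t imm)
{
    uint32_t u = (uint32_t)imm;
    buf[0] = 0xB8;
    buf[1] = (uint8_t)(u & 0xFF);
    buf[2] = (uint8_t)((u >> 8) & 0xFF);
    buf[3] = (uint8_t)((u >> 16) & 0xFF);
    buf[4] = (uint8_t)((u >> 24) & 0xFF);
    buf[5] = 0xC3;
    return 6;
}

/* Interpreter fallback: the same computation with no executable memory at
 * all. Trivial here, but this is the path a hardened system must keep. */
static int interpret_return_const(int32_t v) { return v; }

/* The JIT path: map a RW page, emit the code, flip the page to RX (never
 * RWX), call it. Writes the result to *out and returns JIT_OK; returns
 * JIT_ERR_DENIED when the kernel refuses the mapping or the PROT_EXEC flip
 * (what PaX MPROTECT does), or JIT_ERR_ARCH on a host where the emitted
 * bytes are not valid machine code. */
int jit_return_const(int32_t v, int *out)
{
#if !defined(__x86_64__) && !defined(__i386__)
    (void)v; (void)out;
    return JIT_ERR_ARCH;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *code = mmap(NULL, page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) {
        fprintf(stderr, "mmap(RW) refused: %s\n", strerror(errno));
        return JIT_ERR_DENIED;
    }

    emit_mov_eax_imm_ret(code, v);

    /* The W^X transition RW -> RX. Under PaX MPROTECT ("making a
     * non-executable mapping executable") this is the call that fails. */
    if (mprotect(code, page, PROT_READ | PROT_EXEC) != 0) {
        fprintf(stderr, "mprotect(RX) refused: %s\n", strerror(errno));
        munmap(code, page);
        return JIT_ERR_DENIED;
    }

    int (*fn)(void);
    memcpy(&fn, &code, sizeof fn);   /* object -> function pointer without a cast warning */
    *out = fn();
    munmap(code, page);
    return JIT_OK;
#endif
}

/* What an engine with an optional JIT should do: try the JIT, and fall back
 * to the interpreter when the kernel denies executable memory, instead of
 * requiring MPROTECT to be turned off for the whole process. */
int run_return_const(int32_t v)
{
    int out = 0;
    if (jit_return_const(v, &out) == JIT_OK)
        return out;
    return interpret_return_const(v);
}

int main(void)
{
    int out = 0, st = jit_return_const(42, &out);
    if (st == JIT_OK)
        printf("JIT executed: %d\n", out);
    else
        printf("JIT unavailable (%s), interpreter gives %d\n",
               st == JIT_ERR_DENIED ? "denied by kernel" : "unsupported arch",
               run_return_const(42));
    return 0;
}
```

On a PaX kernel with MPROTECT active the mprotect() call is the one that is refused and the program still returns the right answer through the interpreter; clearing MPROTECT on the binary (`paxctl -m`) is the "run with PAX_MPROTECT disabled" step the reply refers to, and it lifts the restriction for every mapping in the process, not just the JIT's code pages.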
*** This bug has been marked as a duplicate of bug 285792 ***