1234 - WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry) - project-zero

Starred by 2 users

Status:	Fixed
Owner:	lokihardt@google.com
Closed:	Jul 24
Cc:	project-...@google.com
Deadline-90 Vendor-Apple Deadline-Grace CCProjectZeroMembers Severity-High Product-WebKit Finder-lokihardt Reported-2017-Apr-10 CVE-2017-7018

WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)

Project Member Reported by lokihardt@google.com, Apr 10 2017

Back to list

Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).

void flush(InlineStackEntry* inlineStackEntry)
{
	...
    if (m_graph.needsScopeRegister())
        flush(m_codeBlock->scopeRegister()); <<--- (a)
}

At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.

PoC:
function f() {
    (function () {
    	eval('1');
    	f();
    }());

    throw 1;
}

f();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Project Member Comment 1 by lokihardt@google.com, Apr 10 2017

WebKit Tracker: https://bugs.webkit.org/show_bug.cgi?id=170661

Project Member Comment 2 by lokihardt@google.com, Jun 28

Labels: Deadline-Grace

Project Member Comment 3 by lokihardt@google.com, Jul 13

Labels: CVE-2017-7018

Comment 4 Deleted

Project Member Comment 5 by lokihardt@google.com, Jul 24

My analysis was a little wrong. They fixed this just by inserting 6 characters: "flushDirect(m_codeBlock->scopeRegister());".

Project Member Comment 6 by lokihardt@google.com, Jul 24

Labels: -Restrict-View-Commit
Status: Fixed

► Sign in to add a comment