
Issue metadata

Status: Fixed
Closed: Jun 7


WebKit: Info leak in WebAssembly Compilation

Project Member Reported by natashenka@google.com, Mar 5

Issue description

There is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows:

return arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());

If the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:

memcpy(result.data(), data + byteOffset, byteSize);

This means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either through parsing exceptions or data sections when they are copied. A minimal PoC for the issue is:

var b2 = new ArrayBuffer(1000);          // 1000-byte backing store
var view = new Int8Array(b2, 700);       // view starting at byte offset 700
var mod = new WebAssembly.Module(view);  // compile from the view (offset is applied twice)

An HTML file that consistently crashes Safari is attached.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Attachment: glob2.html (402 bytes)
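To make the pointer arithmetic in the report concrete, the following is an added illustration written for this page; it is not WebKit's code and not part of the original bug report. It uses constructed stand-in types (FakeArrayBuffer, FakeArrayBufferView) that model a 1000-byte ArrayBuffer with a typed-array view at offset 700, the same numbers as the PoC above. doubleOffsetReadRange computes, without dereferencing anything, the byte range a copy would read when it starts from vector() (offset already applied) and then adds byteOffset again; copySourceBufferFixed shows the corrected pattern, copying from vector() directly after a bounds check of the view against its backing store.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <utility>
#include <vector>

// Constructed stand-in for an ArrayBuffer: a byte store filled with a
// recognisable pattern (byte i holds i & 0xff) so copies can be checked.
struct FakeArrayBuffer {
    std::vector<uint8_t> storage;
    explicit FakeArrayBuffer(size_t n) : storage(n) {
        for (size_t i = 0; i < n; i++) storage[i] = static_cast<uint8_t>(i & 0xff);
    }
    uint8_t* data() { return storage.data(); }
    size_t byteLength() const { return storage.size(); }
};

// Constructed stand-in for a typed-array / DataView over that buffer.
struct FakeArrayBufferView {
    FakeArrayBuffer& buffer;
    size_t byteOffset;   // where the view starts inside the backing buffer
    size_t byteLength;   // how many bytes the view covers
    // Like the vector() method described in the report: pointer to the
    // view's first byte, i.e. the offset is ALREADY applied here.
    uint8_t* vector() { return buffer.data() + byteOffset; }
};

// Byte range [start, end), relative to the backing buffer, that a copy reads
// when it starts at vector() and adds byteOffset a second time. Only offsets
// are computed; no memory is read, so this is safe to run.
std::pair<size_t, size_t> doubleOffsetReadRange(FakeArrayBufferView& view) {
    size_t start = static_cast<size_t>(view.vector() - view.buffer.data()) + view.byteOffset;
    return {start, start + view.byteLength};
}

// True if the whole range lies inside the backing store.
bool rangeInBounds(FakeArrayBufferView& view, std::pair<size_t, size_t> range) {
    return range.second <= view.buffer.byteLength();
}

// Corrected copy: vector() already accounts for the offset, so copy from it
// directly, and refuse views whose [offset, offset+length) leaves the buffer.
std::vector<uint8_t> copySourceBufferFixed(FakeArrayBufferView& view) {
    size_t total = view.buffer.byteLength();
    if (view.byteOffset > total || view.byteLength > total - view.byteOffset)
        throw std::out_of_range("view exceeds its backing ArrayBuffer");
    std::vector<uint8_t> result(view.byteLength);
    memcpy(result.data(), view.vector(), view.byteLength);
    return result;
}

// The PoC's numbers: 1000-byte buffer, view at offset 700 (so 300 bytes long).
FakeArrayBuffer& pocBuffer() { static FakeArrayBuffer b(1000); return b; }
FakeArrayBufferView pocView() { return {pocBuffer(), 700, 300}; }

// Scalar helpers so each result can be checked by name.
size_t pocDoubleOffsetStart() { FakeArrayBufferView v = pocView(); return doubleOffsetReadRange(v).first; }
size_t pocDoubleOffsetEnd()   { FakeArrayBufferView v = pocView(); return doubleOffsetReadRange(v).second; }
bool pocDoubleOffsetOutOfBounds() {
    FakeArrayBufferView v = pocView();
    return !rangeInBounds(v, doubleOffsetReadRange(v));
}
size_t pocFixedCopyLength()  { FakeArrayBufferView v = pocView(); return copySourceBufferFixed(v).size(); }
int pocFixedCopyFirstByte()  { FakeArrayBufferView v = pocView(); return copySourceBufferFixed(v)[0]; }
int pocFixedCopyLastByte()   { FakeArrayBufferView v = pocView(); return copySourceBufferFixed(v)[299]; }

int main() {
    printf("double-offset read range: [%zu, %zu) of a %zu-byte buffer -> %s\n",
           pocDoubleOffsetStart(), pocDoubleOffsetEnd(), pocBuffer().byteLength(),
           pocDoubleOffsetOutOfBounds() ? "OUT OF BOUNDS" : "in bounds");
    printf("fixed copy: %zu bytes, first byte %d, last byte %d\n",
           pocFixedCopyLength(), pocFixedCopyFirstByte(), pocFixedCopyLastByte());
    return 0;
}
```

With the PoC's values the double-offset range is [1400, 1700), entirely past the 1000-byte backing store, which is the heap read the report describes; the fixed copy reads exactly the 300 bytes of the view. The bounds check is written as two comparisons against the total length rather than `offset + length <= total` so it cannot overflow on large inputs.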

Comment 1 by natashenka@google.com, Mar 5


Comment 2 by natashenka@google.com, May 30

Labels: CVE-2018-4222

Comment 3 by natashenka@google.com, May 31

Apple requested an extension until June 17 for this bug

Comment 4 by natashenka@google.com, Jun 7

Labels: -Restrict-View-Commit Deadline-Exceeded Deadline-Grace
Status: Fixed (was: New)
This has been fixed, so unrestricting https://support.apple.com/en-us/HT208848
