
Issue 1545


Issue metadata

Status: Fixed
Closed: Jun 2018


WebKit: Info leak in WebAssembly Compilation

Reported by Project Member, Mar 5 2018

Issue description

There is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows:

return arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());

If the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:

memcpy(, data + byteOffset, byteSize);

This means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either through parsing exceptions or data sections when they are copied. A minimal PoC for the issue is:

var b2 = new ArrayBuffer(1000);          // 1000-byte backing store
var view = new Int8Array(b2, 700);       // view starting at byte offset 700 (300 bytes long)
var mod = new WebAssembly.Module(view);  // compile from the view, which triggers the double offset

An HTML file that consistently crashes Safari is attached.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
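To make the offset arithmetic in the report concrete, here is an added model of the two functions described above; it is not WebKit's code, and the struct and function names are assumptions. It models a view whose vector() already includes byteOffset, computes the range a copy would read both the buggy way (adding byteOffset a second time) and the corrected way, and only performs the copy when that range stays inside the backing store.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed model of an ArrayBuffer's backing store (not a WebKit type).
struct BackingStore {
    std::vector<uint8_t> bytes;
};

// Assumed model of a DataView/TypedArray over the backing store.
struct View {
    const BackingStore* buffer;
    size_t byteOffset;   // where the view starts inside the backing store
    size_t byteLength;   // how many bytes the view exposes
    // As in the report: the returned pointer already includes byteOffset.
    const uint8_t* vector() const { return buffer->bytes.data() + byteOffset; }
};

struct CopyRange {
    size_t start;    // first byte read, as an offset into the backing store
    size_t end;      // one past the last byte read
    bool inBounds;   // true when the whole read stays inside the backing store
};

// Range touched by memcpy(dst, base + srcOffset, byteLength).
static CopyRange rangeFor(const View& v, size_t srcOffset) {
    CopyRange r;
    r.start = srcOffset;
    r.end = srcOffset + v.byteLength;
    r.inBounds = r.end <= v.buffer->bytes.size();
    return r;
}

// Buggy pattern: vector() already applied the offset, and byteOffset is added again.
CopyRange buggyCopyRange(const View& v) {
    size_t alreadyApplied = static_cast<size_t>(v.vector() - v.buffer->bytes.data());
    return rangeFor(v, alreadyApplied + v.byteOffset);
}

// Corrected pattern: the pointer from vector() is used as-is.
CopyRange fixedCopyRange(const View& v) {
    return rangeFor(v, static_cast<size_t>(v.vector() - v.buffer->bytes.data()));
}

// Copies the view's bytes only if the corrected range is in bounds; empty otherwise.
std::vector<uint8_t> safeCopy(const View& v) {
    CopyRange r = fixedCopyRange(v);
    if (!r.inBounds) return {};
    return std::vector<uint8_t>(v.vector(), v.vector() + v.byteLength);
}

// Recreates the PoC shape: 1000-byte buffer with a view starting at offset 700.
const BackingStore& pocStore() {
    static BackingStore store{std::vector<uint8_t>(1000, 0)};
    return store;
}
View pocView() {
    View v;
    v.buffer = &pocStore();
    v.byteOffset = 700;
    v.byteLength = pocStore().bytes.size() - 700;   // 300 bytes, as Int8Array(b2, 700) gives
    return v;
}
```

With the PoC numbers the buggy read covers bytes 1400..1700 of a 1000-byte store, i.e. 700 bytes past its end, while the corrected read covers 700..1000.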

Comment 1 by Project Member, Mar 5 2018

Comment 2 by Project Member, May 30 2018

Labels: CVE-2018-4222
Comment 3 by Project Member, May 31 2018

Apple requested an extension until June 17 for this bug
Comment 4 by Project Member, Jun 7 2018

Labels: -Restrict-View-Commit Deadline-Exceeded Deadline-Grace
Status: Fixed (was: New)
This has been fixed, so unrestricting
