How to use JavaScript array extensions integer overflow vulnerabilities in WebKit-a vulnerability warning-the black bar safety net

I will be in this article to tell you about the vulnerability, CVE-2017-2536/ZDI-17-358, which is a typical plastic overflow vulnerability, when the system is in the calculation of the allocated space size, the vulnerability will likely lead to a heap buffer overflow. We not only give you a“snappy”vulnerability PoC, and we also design for Safari 10.1 full use of loopholes in the programme, so everything will be very interesting!

Note: This function was originally in order to allow JavaScriptCore to better deal with the ECMAScript 6 extended operation and design, but saelo in February of this year found in which the presence of security issues.

Vulnerability analysis

Below is the JavaScript in an array of extended operation when build a new array of the use to the code:

SLOW_PATH_DECL(slow_path_new_array_with_spread)
{
BEGIN();
int numItems = pc[3]. u. operand;
ASSERT(numItems >= 0);
const BitVector& bitVector = exec->codeBlock()->unlinkedCodeBlock()->bitVector(pc[4]. u. unsignedValue);
Whether the* values = bitwise_cast<Whether the*>(&OP(2));
// [[ 1 ]]
unsigned arraySize = 0;
for (int i = 0; i < numItems; i++) {
if (bitVector. get(i)) {
Whether the value = values [–i];
JSFixedArray* array = jsCast<JSFixedArray*>(value);
arraySize += array->size();
} else
arraySize += 1;
}
JSGlobalObject* globalObject = exec->lexicalGlobalObject();
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringallocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
CHECK_EXCEPTION();
// [[ 2 ]]
unsigned index = 0;
for (int i = 0; i < numItems; i++) {
Whether the value = values [–i];
if (bitVector. get(i)) {
// We are spreading.
JSFixedArray* array = jsCast<JSFixedArray*>(value);
for (unsigned i = 0; i < array->size(); i++) {
RELEASE_ASSERT(array->get(i));
result->initializeIndex(vm, index, array->get(i));
++index;
}
} else {
// We are not spreading.
result->initializeIndex(vm, index, value);
++index;
}
}
RETURN(result);
}
Please see the above code labeled[[1]]part, the function first computes an output array of length size, the program will later in[[2]]for space allocation and initialization. However, in this case the calculated array length of space is likely to occur the overflow, and causing a similar array is allocated.

Because JSObject::initializeIndex does not perform any boundary detection, in order to confirm this, Please first have a look below this paragraph of code:

/* … /
case ALL_CONTIGUOUS_INDEXING_TYPES: {
ASSERT(i < a butterfly->publicLength());
ASSERT(i < a butterfly->vectorLength());
butterfly->contiguous()[i]. set(vm, this, v);
break;
}
/ … */
If the data occurs cross-border, so this time there will be a heap buffer overflow problem. This vulnerability can be through the following script code to trigger:

var a = new Array(0x7fffffff);
var x = [13, 37, …a, …a];
In this case, a length of 0 the JSArray object will be created, and then to the JSArray object in the copy of the 2^32 elements in, our browser don’t want to see such things happen.

Of course, you want to solve this problem also is not difficult. We only need to add one for the plastic overflow detection function of the time can fix this problem. 【Bug fix plan

Exploit

Although the above given PoC code will many times use an array, but the JavaScriptCore will still be in every time the array expansion operation is assigned a JSFixedArray objects, see the labels[[2]]The following code. As a result, the system will allocate about forty billion a JSValues object, these JSValues object will occupy approximately 32GiB of RAM space. But fortunately, due to the macOS kernel introduced page compression function, so this problem does not on macOS

Platform to generate a greater impact, but for other platforms, the attacker can in a minute or so to successfully trigger this vulnerability, and therefore its impact is still relatively serious.

[1] [2] next